E-crime - Home Affairs Committee Contents

Conclusions and recommendations

C&R Sub heading

1.  Crimes that have been transformed by the internet and those unique to electronic networks should continue to be defined and recorded as e-crime. This will enable the police to develop an appropriate level of sophisticated technical resource to respond to these crimes. (Paragraph 12)

2.  The ever- increasing incidence of the use of the internet in some form in traditional crimes indicates the futility of special categorisation for such offences. We recommend that more police officers are trained in digital crime detection and equipped with digital forensic skills. These should become standard skills for officers undertaking relevant investigations. (Paragraph 13)

3.  It is of great concern that the majority of cyber crime could be prevented by better awareness by the user. Whilst the sophisticated threats will remain, we must do more to protect our information online. The Government and the private sector both have a strong incentive to educate users and maintain awareness of cyber crime. We recommend that, through its various channels, all organisations, businesses and schools must provide users with appropriate information and risk management training. (Paragraph 22)

4.  We regard as very serious indeed the words of the most senior policeman in the country on online fraud, Commissioner Leppard of City of London Police who told the Committee that we are not winning the war on E-crime. (Paragraph 23)

5.  Commissioner Leppard told us that a quarter of the 800 specialist internet crime officers could be axed as spending is cut. We agree with him that this is a very worrying trend. At a time when fraud and e-crime is going up, the capability of the country to address it is going down. (Paragraph 24)

6.  Ministers have acknowledged the increasing threat of E-crime but it is clear that sufficient funding and resources have not been allocated to the law enforcement responsible for tackling it. Professor Ross Anderson told us that "we should be putting more of the cyber budget into policing and less of it into the intelligence sphere, into cyber war." We also note as a principle, that if personal data is held in any database, no matter how secure, there is a risk of it being accessed inappropriately, either through human error or malice. The only way to ensure data does not leak is not to collect it. (Paragraph 25)

7.  We note the increasing threat posed by state industrial espionage, and international e-crime committed for political purposes, such as the purported attacks on the Guardian from Syria and attacks from China on the US media. The Government must not underestimate the danger such attacks pose to our infrastructure and take firm action with offending countries to cease their activities, using international forums to raise these issues. (Paragraph 30)

8.  We recommend the establishment of a dedicated espionage response team that British companies, media, and institutions can immediately contact to report an attack and who can also provide training in order to counter attacks. (Paragraph 31)

9.  We understand that any measure of crime will always be subject to challenge and e-crime even more so. However we are puzzled that the Government continues to use highly controversial figures, in which independent experts or indeed other government departments such as the Ministry of Defence have little confidence, as its basis for policy-making. (Paragraph 38)

10.  Improving the way in which e-crime is reported and recorded is key to improving Parliament's and the public's understanding of it. It is important that policy makers have an up to date and accurate estimate of the threats from e-crime. We therefore recommend that the Government publicly distances itself from the £27bn estimate of the annual cost of e-crime to the UK economy. (Paragraph 39)

11.  We recommend that the Government commission a working group of experts, drawing on existing good practice already developed by academia and industry, to produce annual figures which show the incidence of e-crime and any observable trends. This group should include representatives from the cyber security industry and independent experts to ensure the figures are robust. (Paragraph 40)

12.  We welcome the steps being taken by Government to bring together different cyber crime units into the NCA to form a single National Cyber Crime Unit. This rationalises the current confusing plethora of different agencies and police organisations involved and should enable a more co-ordinated approach, strong strategic leadership and development of the elite level of skill required to tackle this cyber war. (Paragraph 53)

13.  We were concerned however that the National Fraud Reporting Centre and the National Fraud Intelligence Bureau based in the City of London Police were not being transferred into the NCA. In our view it makes sense to concentrate the national reporting, investigative and intelligence structures for e-crime in one organisation. We were surprised at the decision given the formation of the new economic crime command in the NCA and given we were told that the UK was the main online target of gangs in 25 countries. (Paragraph 54)

14.  The Committee's report on grooming published earlier this year found that sexually exploited children were still being failed by statutory agencies, and the recent court cases of Mark Bridger and Stuart Hazell have highlighted the role of online indecent images in child abuse. An NSPCC Freedom of Information request revealed that five police forces alone had seized 26 million indecent child images and 2,312 people were arrested for such offences last year. CEOP also estimates there 50,000 indecent child images on Peer2Peer networks. We are therefore alarmed that CEOP is having its budget cut by 10% over 4 years, its experienced Chief Executive is leaving and it could lose its laser-like focus when merged with the NCA. (Paragraph 55)

15.  We also note DCS McMurdie's comments that e-crime sentences are too lenient. We were surprised by the fact Anonymous hackers who cost Paypal over £3.5m were given sentences of 7 and 18 months and do not believe they would have received such sentences had they physically robbed a bank of £3.5 million. The DPP should review the sentencing guidance and ensure e-criminals receive the same sentences as if they had stolen that amount of money or data offline. (Paragraph 56)

16.  We welcome the establishment of regional hubs to support and develop local capacity and skills. Mainstreaming e-crime investigative skills throughout the police force is key to improving capacity across the board. We welcome the work currently being undertaken by Police Central e-crime Unit and others in this area. (Paragraph 59)

17.  However commitments to improve mainstream skill levels have been around for years and practice has not so far matched rhetoric. We hope to see clear evidence that the work promised is being undertaken and clear benchmarks to measure if skills are improving. (Paragraph 60)

18.  We welcome the development of specialist Digital Scenes of Crime and forensic officers and note that the search and seizure of digital material should only be done when it is proportionate. (Paragraph 64)

19.  We were alarmed to hear from police witnesses that they often experienced difficulty in retrieving data from sites based abroad. We hope that such companies will adopt a more constructive attitude going forward and be willing to engage with public authorities. They reap huge financial benefits from the public entrusting them with their data and they should be willing to be open and accountable for the actions they take with it. (Paragraph 69)

20.  The international scope of e-crime provides a strong argument that the UK should focus on increasing cooperation between police forces in other states and making these mechanisms as effective as possible. As the proportion and volume of crime with an online element increases, we expect more police investigations to straddle international boundaries, and more evidence relating to the offences against the UK and its residents to be located in overseas jurisdictions. (Paragraph 72)

21.  To this end, we cannot understand why the UK has refused to support funding for the new Europol CyberCrime Centre C3 which facilitates vital cross-Europe information sharing. E-crime does not recognise country borders and it is essential that we have strong international cooperation to ensure offenders are brought to justice and citizens protected. Strengthening our defences and international investigation capacity will save money in the long term and we recommend that the UK supports additional EU funding for the Centre. (Paragraph 73)

22.  We are deeply concerned that EU partner countries are not doing enough to prevent cyber attacks from criminals within their countries on the UK. We will return to this matter in our inquiry into the proposal to opt out of the EU police and criminal justice measures which were adopted before the Treaty of Lisbon entered into force. (Paragraph 74)

23.  We welcome the online Action Fraud reporting function. We recommend that a clear link to the Action Fraud website is placed on websites where people are likely to experience attempted fraud or visit when they believe they have been a victim of online fraud such as police forces, banks, email providers, trading standards. (Paragraph 82)

24.  Current recording practises are inadequate to give an accurate picture of the extent to which reported crime is committed over the internet. We recommend the introduction of an additional field on crime reporting forms to indicate whether or not there was digital evidence relating to a crime. This would help the police to understand the extent of the problem they were facing and to make sure they have the appropriate resources in place. (Paragraph 83)

25.  We are very concerned that there appears to be a 'black hole' where low-level e-crime is committed with impunity. Criminals who defraud victims of a small amount of money are often not reported to or investigated by law enforcement and banks simply reimburse victims. Criminals who commit a high volume of low level fraud can still make huge profits. Banks must be required to report all e-crime fraud to law enforcement and log details of where attacks come from. The perceived untouchable nature of these low-level criminal acts is exemplified by the adverts RSA noted on Facebook advertising 'fraud as a service'. (Paragraph 84)

26.  Online services should be 'secure by design' e.g. new account settings should be set by default to private with the user sharing information with friends or publicly only if they actively choose to do so. Users should not be asked to submit personal details that are known to be helpful to fraudsters. For example, users should be discouraged from giving their date of birth. (Paragraph 101)

27.  We recommend that providers of web services take users through a short explanation when they sign up for an account about how to keep their data secure and how criminals could use certain data against them. Users should not be asked to provide such valuable personal data. (Paragraph 102)

28.  We are concerned that many users may not grasp the full extent of the data they are sharing with private companies. The interest in and opposition to plans to increase data availability to the Government (e.g. witness the fate of the proposed Data Communication Bill) makes us question whether public are really relaxed about sharing so much data or if they are simply unaware they are doing so. (Paragraph 103)

29.  We are deeply concerned that it is still too easy for people to access inappropriate online content, particularly indecent images of children, terrorism incitement and sites informing people how to commit online crime. There is no excuse for complacency. We urge those responsible to take stronger action to remove such content. We reiterate our recommendation that the Government should draw up a mandatory code of conduct with internet companies to remove material which breaches acceptable behavioural standards. (Paragraph 104)

30.  We note those companies that donate to the Internet Watch Foundation, and encourage them to increase their contributions. Additionally, we recommend that the Government should look at setting up a similar organisation focused on reporting and removing online terrorist content. (Paragraph 105)

31.  We are concerned to note the Minister's assertion that off the shelf hacking software is increasingly available to untrained criminals and recommend the Government funds a law enforcement team which is focused on disrupting supply. (Paragraph 106)

32.  We recommend that software for key infrastructure be provably secure, by using mathematical approaches to writing code. (Paragraph 112)

33.  We recommend that guidance about keeping personal data secure should be incorporated into all online services that request personal data from their users. (Paragraph 119)

34.  It is as important that children learn about staying safe online as it is that they learn about crossing the road safely. We welcome teaching about online safety and security taking place in schools and initiatives such as 'safer internet week'. (Paragraph 120)

35.  The children we spoke to believed an important part of learning to stay safe online was being taught to respect others online and not to say things that you wouldn't say to their face and we agree. (Paragraph 121)

previous page contents next page

© Parliamentary copyright 2013
Prepared 30 July 2013