Conclusions and recommendations
1. Crimes
that have been transformed by the internet and those unique to
electronic networks should continue to be defined and recorded
as e-crime. This will enable the police to develop an appropriate
level of sophisticated technical resource to respond to these
crimes. (Paragraph 12)
2. The ever-increasing
incidence of the use of the internet in some form in traditional
crimes indicates the futility of special categorisation for such
offences. We recommend that more police officers are trained
in digital crime detection and equipped with digital forensic
skills. These should become standard skills for officers undertaking
relevant investigations. (Paragraph 13)
3. It is of great
concern that the majority of cyber crime could be prevented by
better awareness by the user. Whilst the sophisticated threats
will remain, we must do more to protect our information online.
The Government and the private sector both have a strong incentive
to educate users and maintain awareness of cyber crime. We recommend
that, through its various channels, all organisations, businesses
and schools must provide users with appropriate information and
risk management training. (Paragraph 22)
4. We regard as very
serious indeed the words of the most senior policeman in the country
on online fraud, Commissioner Leppard of City of London Police, who told
the Committee that we are not winning the war on E-crime. (Paragraph
23)
5. Commissioner Leppard told
us that a quarter of the 800 specialist internet crime officers
could be axed as spending is cut. We agree with him that this
is a very worrying trend. At a time when fraud and e-crime is
going up, the capability of the country to address it is going
down. (Paragraph 24)
6. Ministers have
acknowledged the increasing threat of E-crime but it is clear
that sufficient funding and resources have not been allocated
to the law enforcement responsible for tackling it. Professor
Ross Anderson told us that "we should be putting more of
the cyber budget into policing and less of it into the intelligence
sphere, into cyber war." We also note as a principle, that
if personal data is held in any database, no matter how secure,
there is a risk of it being accessed inappropriately, either through
human error or malice. The only way to ensure data does not leak
is not to collect it. (Paragraph 25)
7. We note the increasing
threat posed by state industrial espionage, and international
e-crime committed for political purposes, such as the purported
attacks on the Guardian from Syria and attacks from China on
the US media. The Government must not underestimate the danger
such attacks pose to our infrastructure and take firm action with
offending countries to cease their activities, using international
forums to raise these issues. (Paragraph 30)
8. We recommend the
establishment of a dedicated espionage response team that British
companies, media, and institutions can immediately contact to
report an attack and who can also provide training in order to
counter attacks. (Paragraph 31)
9. We understand that
any measure of crime will always be subject to challenge and e-crime
even more so. However we are puzzled that the Government continues
to use highly controversial figures, in which independent experts
or indeed other government departments such as the Ministry of
Defence have little confidence, as its basis for policy-making.
(Paragraph 38)
10. Improving the
way in which e-crime is reported and recorded is key to improving
Parliament's and the public's understanding of it. It is important
that policy makers have an up to date and accurate estimate of
the threats from e-crime. We therefore recommend that the Government
publicly distances itself from the £27bn estimate of the
annual cost of e-crime to the UK economy. (Paragraph 39)
11. We recommend that
the Government commission a working group of experts, drawing
on existing good practice already developed by academia and industry,
to produce annual figures which show the incidence of e-crime
and any observable trends. This group should include representatives
from the cyber security industry and independent experts to ensure
the figures are robust. (Paragraph 40)
12. We welcome the
steps being taken by Government to bring together different cyber
crime units into the NCA to form a single National Cyber Crime
Unit. This rationalises the current confusing plethora of different
agencies and police organisations involved and should enable a
more co-ordinated approach, strong strategic leadership and development
of the elite level of skill required to tackle this cyber war.
(Paragraph 53)
13. We were concerned
however that the National Fraud Reporting Centre and the National
Fraud Intelligence Bureau based in the City of London Police were
not being transferred into the NCA. In our view it makes sense
to concentrate the national reporting, investigative and intelligence
structures for e-crime in one organisation. We were surprised
at the decision given the formation of the new economic crime
command in the NCA and given we were told that the UK was the
main online target of gangs in 25 countries. (Paragraph 54)
14. The Committee's
report on grooming published earlier this year found that sexually
exploited children were still being failed by statutory agencies,
and the recent court cases of Mark Bridger and Stuart Hazell have
highlighted the role of online indecent images in child abuse.
An NSPCC Freedom of Information request revealed that five police
forces alone had seized 26 million indecent child images and 2,312
people were arrested for such offences last year. CEOP also estimates
there are 50,000 indecent child images on Peer2Peer networks. We
are therefore alarmed that CEOP is having its budget cut by 10%
over 4 years, its experienced Chief Executive is leaving and it
could lose its laser-like focus when merged with the NCA. (Paragraph
55)
15. We also note DCS
McMurdie's comments that e-crime sentences are too lenient. We
were surprised by the fact Anonymous hackers who cost Paypal over
£3.5m were given sentences of 7 and 18 months and do not
believe they would have received such sentences had they physically
robbed a bank of £3.5 million. The DPP should review the
sentencing guidance and ensure e-criminals receive the same sentences
as if they had stolen that amount of money or data offline. (Paragraph
56)
16. We welcome the
establishment of regional hubs to support and develop local capacity
and skills. Mainstreaming e-crime investigative skills throughout
the police force is key to improving capacity across the board.
We welcome the work currently being undertaken by Police Central
e-crime Unit and others in this area. (Paragraph 59)
17. However commitments
to improve mainstream skill levels have been around for years
and practice has not so far matched rhetoric. We hope to see clear
evidence that the work promised is being undertaken and clear
benchmarks to measure if skills are improving. (Paragraph 60)
18. We welcome the
development of specialist Digital Scenes of Crime and forensic
officers and note that the search and seizure of digital material
should only be done when it is proportionate. (Paragraph 64)
19. We were alarmed
to hear from police witnesses that they often experienced difficulty
in retrieving data from sites based abroad. We hope that such
companies will adopt a more constructive attitude going forward
and be willing to engage with public authorities. They reap huge
financial benefits from the public entrusting them with their
data and they should be willing to be open and accountable for
the actions they take with it. (Paragraph 69)
20. The international
scope of e-crime provides a strong argument that the UK should
focus on increasing cooperation between police forces in other
states and making these mechanisms as effective as possible. As
the proportion and volume of crime with an online element increases,
we expect more police investigations to straddle international
boundaries, and more evidence relating to the offences against
the UK and its residents to be located in overseas jurisdictions.
(Paragraph 72)
21. To this end, we
cannot understand why the UK has refused to support funding for
the new Europol CyberCrime Centre C3 which facilitates vital cross-Europe
information sharing. E-crime does not recognise country borders
and it is essential that we have strong international cooperation
to ensure offenders are brought to justice and citizens protected.
Strengthening our defences and international investigation capacity
will save money in the long term and we recommend that the UK
supports additional EU funding for the Centre. (Paragraph 73)
22. We are deeply
concerned that EU partner countries are not doing enough to prevent
cyber attacks from criminals within their countries on the UK.
We will return to this matter in our inquiry into the proposal
to opt out of the EU police and criminal justice measures which
were adopted before the Treaty of Lisbon entered into force.
(Paragraph 74)
23. We welcome the
online Action Fraud reporting function. We recommend that a clear
link to the Action Fraud website is placed on websites where people
are likely to experience attempted fraud or visit when they
believe they have been a victim of online fraud such as police
forces, banks, email providers, trading standards. (Paragraph
82)
24. Current recording
practices are inadequate to give an accurate picture of the extent
to which reported crime is committed over the internet. We recommend
the introduction of an additional field on crime reporting forms
to indicate whether or not there was digital evidence relating
to a crime. This would help the police to understand the extent
of the problem they were facing and to make sure they have the
appropriate resources in place. (Paragraph 83)
25. We are very concerned
that there appears to be a 'black hole' where low-level e-crime
is committed with impunity. Criminals who defraud victims of a
small amount of money are often not reported to or investigated
by law enforcement and banks simply reimburse victims. Criminals
who commit a high volume of low level fraud can still make huge
profits. Banks must be required to report all e-crime fraud to
law enforcement and log details of where attacks come from. The
perceived untouchable nature of these low-level criminal acts
is exemplified by the adverts RSA noted on Facebook advertising
'fraud as a service'. (Paragraph 84)
26. Online services
should be 'secure by design' e.g. new account settings should
be set by default to private with the user sharing information
with friends or publicly only if they actively choose to do so.
Users should not be asked to submit personal details that are
known to be helpful to fraudsters. For example, users should be
discouraged from giving their date of birth. (Paragraph 101)
27. We recommend that
providers of web services take users through a short explanation
when they sign up for an account about how to keep their data
secure and how criminals could use certain data against them.
Users should not be asked to provide such valuable personal data.
(Paragraph 102)
28. We are concerned
that many users may not grasp the full extent of the data they
are sharing with private companies. The interest in and opposition
to plans to increase data availability to the Government (e.g.
witness the fate of the proposed Data Communication Bill) makes
us question whether the public are really relaxed about sharing so
much data or if they are simply unaware they are doing so. (Paragraph
103)
29. We are deeply
concerned that it is still too easy for people to access inappropriate
online content, particularly indecent images of children, terrorism
incitement and sites informing people how to commit online crime.
There is no excuse for complacency. We urge those responsible
to take stronger action to remove such content. We reiterate our
recommendation that the Government should draw up a mandatory
code of conduct with internet companies to remove material which
breaches acceptable behavioural standards. (Paragraph 104)
30. We note those
companies that donate to the Internet Watch Foundation, and encourage
them to increase their contributions. Additionally, we recommend
that the Government should look at setting up a similar organisation
focused on reporting and removing online terrorist content. (Paragraph
105)
31. We are concerned
to note the Minister's assertion that off the shelf hacking software
is increasingly available to untrained criminals and recommend
the Government funds a law enforcement team which is focused on
disrupting supply. (Paragraph 106)
32. We recommend that
software for key infrastructure be provably secure, by using mathematical
approaches to writing code. (Paragraph 112)
33. We recommend that
guidance about keeping personal data secure should be incorporated
into all online services that request personal data from their
users. (Paragraph 119)
34. It is as important
that children learn about staying safe online as it is that they
learn about crossing the road safely. We welcome teaching about
online safety and security taking place in schools and initiatives
such as 'safer internet week'. (Paragraph 120)
35. The children we
spoke to believed an important part of learning to stay safe online
was being taught to respect others online and not to say things
that you wouldn't say to their face and we agree. (Paragraph 121)