Home Affairs CommitteeWritten evidence submitted by the Serious Organised Crime Agency [EC 01]


1. This submission sets out the Serious Organised Crime Agency’s (SOCA) written evidence to the Home Affairs Select Committee’s inquiry into e-crime. In the terms of this response we will refer to e-crime as cyber crime throughout the submission.

2. The submission outlines the current level of knowledge within the organisation on cyber crime. This submission has been written in coordination with the Home Office, and should be considered supplementary to its submission.

What e-crime is understood to be and how this affects crime recording

3. SOCA works with its partners, under the Home Office’s Organised Crime Strategy (“Local to Global”), to address the threat of organised cyber crime. Under the Strategy, the multi-agency Cyber Threat Reduction Board1 (TRB), chaired by SOCA, adopted the following definition of cyber crime in November 2011:

“pure” online crimes, where a digital system is the target as well as the means of attack. These include attacks on computer systems to disrupt IT infrastructure, and stealing data over a network using malware (the purpose of the data theft is usually to enable further crime);

“existing” crimes that have been transformed in scale or form by their use of the internet. The growth of the internet has allowed these crimes to be carried out on an industrial scale; and

use of the internet to facilitate drug dealing, people smuggling and many other “traditional” types of crime.

The extent and nature of the threats on which e-crime policy is based and how well they are understood by policy makers

4. Organised crime is increasingly globalised and IT-enabled, a trend inevitably accelerating with society’s dependence on the internet. Organised criminals operate their own self-regulated market for cyber crime goods and services, including stolen data, malicious software, technical infrastructure and money laundering: and they operate on an industrial scale. As more data is acquired, stored and shared and ever increasing use is made of mobile devices, so the risk increases. SOCA contributed to the development of the Government’s Cyber Security Strategy which was published in November 2011. The Strategy references research suggesting that the costs to the UK of cyber crime could be in the order of £27 billion per year.2

5. SOCA, along with other departments and agencies, has also played a part in contributing to activity led by the Department of Business, Innovation and Skills (BIS), helping to raise awareness at a senior level within private sector organisations of the threat posed by on-line crime to business performance, shareholder value, reputation, intellectual property and the security of information systems.

The effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change

6. Key activity aligned to the Organised Crime Strategy in respect of cyber crime includes:

improving the understanding of, and intelligence about, cyber crime in order to identify changes to drive the response;

ensuring that the operational response to cyber crime is being coordinated effectively and is reducing the risk to the UK of cyber crime; and

providing assurance that identified organised crime groups are subject to an appropriate level of operational response and that the maximum impact against the threat area is being achieved, improving our understanding of the threat that impacts on the UK.

7. SOCA responded to the Government’s National Cyber Security Programme by expanding its current cyber capability, including the posting of dedicated Cyber Liaison Officers in key locations overseas.

8. Recent successes achieved against cyber crime include:

a SOCA led global day of action took place on the 25 April 2012 to tackle Automated Vending Cart (AVC)3 websites selling compromised financial data. Two UK arrests were made and SOCA intelligence assisted the US in seizing data for 26 AVCs and 36 domains. In addition, as a direct result of eight alerts issued, a further 44 AVCs have been taken down—resulting in significant disruption.

in 2011–12 SOCA and its partners seized over 1,200,000 items of compromised card data from cybercriminals and passed these details to industry via the Alerts system.

as a result of SOCA operational activity two men who provided a range of services to credit card fraudsters were sentenced to almost five years imprisonment after facilitating fraud valued at more than £26 million. Both pleaded guilty to a range of fraud, money laundering and computer misuse offences, and were sentenced at Bristol Crown Court to three years and 21 months respectively. Forensic analysis revealed payment card details of more than 340,000 individuals. The estimated losses are a conservative figure and the actual loss is likely to be considerably more. In addition, the information brokered would also have been sufficient to enable fake bank accounts to be set up, which could be used to commit further fraud, such as cheque or identity fraud.

9. SOCA has been involved in dealing with cyber crime on an international level as well. Cyber crime investigations almost inevitably have an international element, with criminals, data and infrastructure typically based across multiple jurisdictions. SOCA has therefore developed close working relationships with many foreign partners, which enables intelligence sharing, evidence gathering—support with the preservation of data in particular—and operational engagement. Recent examples include joint working on the selling of compromised financial data online. A coalition of overseas partners worked together to make arrests and take down websites, multiplying the effectiveness of UK law enforcement activity. Tackling cyber crime internationally will also require new ways of working. The UK is working closely with Interpol, Europol and United States partners to establish more innovative approaches to tackling cyber crime.

10. Mainstreaming of cyber capabilities is underway within SOCA, and will harness the potential of every investigator to use cyber crime tools, not solely those from dedicated cyber units. All officers will receive training on cyber crime, internet security, open source capabilities and online investigation techniques, following the completion of a comprehensive training needs analysis. SOCA operational teams have embedded officers specialising in digital forensics and open source research, making these techniques more readily available at every stage of an investigation. In addition, officers with a dedicated cyber remit have also been placed within other key business areas enabling cyber mainstreaming to grow from within departments.

11. Going forward, the National Crime Agency (NCA) presents the UK with the opportunity to improve its national law enforcement response to crime perpetrated in cyber space or enabled by the internet, through the establishment of a National Cyber Crime Unit (NCCU). The NCCU will act as a centre of expertise for tackling cyber crime. The NCA will have the specialist operational capabilities and the latest technology to ensure that its intelligence gathering and analytical capabilities match the threat posed by cyber criminals. It will bring together the digital investigation capabilities of SOCA and the MPS Police Central e-crime Unit (PCeU) to provide an enhanced response to the cyber crime threat.

Whether there are any gaps in the response to e-crime and, if so how they should be addressed

12. There are a number of factors that can hinder law enforcement in the response to cyber crime. For example, the majority of cyber criminals are not within UK jurisdiction, and international barriers inhibit their identification and prosecution. Differing domestic legislation is also an issue, for example in some countries cyber crime is not recognised in domestic legislation.

13. In response SOCA has worked closely with the Foreign and Commonwealth Office and other government departments to encourage the implementation of legislation and recognition of cyber crime in key countries. For example the Commonwealth Initiative has agreed to target priority countries for assistance.4 SOCA Cyber Liaison Officers overseas will work to ensure that cyber crime is also identified as a priority and enhance overall international relations.

14. The UK is also working with global partners to encourage wider adoption of the Budapest Convention on cyber crime, putting in place compatible frameworks of law that enable effective cross-border law enforcement and deny safe havens to cyber criminals.5

15. Beyond those law enforcement agencies with a specialist role there is also a general lack of awareness of cyber crime, which hinders the ability to investigate and target both “pure” cyber crime and “digitally enabled crime”. It is essential that the message is conveyed across the whole law enforcement community that cyber crime is a priority. The establishment of the NCCU in the NCA, bringing together SOCA and other cyber law enforcement units, will help to further improve the UK’s response.

Options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use. The effectiveness of current initiatives to promote awareness of using the internet safety and the implications of peoples’ online behaviours for related public policy

16. The Government’s Organised Crime Strategy identified “Safeguarding” as one of the key themes for tackling organised crime by reducing the vulnerability of communities, business and the state to become victims of crime. In line with this theme SOCA supports raising awareness of cyber crime to prevent consumers becoming victim to cyber criminals. For example, Get Safe Online (GSOL) is one a number of initiatives between the Government, SOCA, and the private sector. This highlighted the increased use of smart phone malware during “Get Safe Online Week” in November 2011. Criminals use online application stores to entice smart phone users to download rogue applications. The malware is often disguised as “free levels” to popular and legitimate games, or even as security tools. Users are often unaware that fraudsters have control of their phone (and access to personal and payment data) until they receive their monthly bills or otherwise find themselves victims of identity crime. GSOL has produced a free download, The Rough Guide to Online Safety, in order to reduce the threat.

11 July 2012

1 Threat Reduction Boards were established under the Government’s Organised Crime Strategy to provide focus for law enforcement partners including HMRC, SOCA and UKBA. Each board is chaired by a senior operational partner, responsible for assessing operational and intelligence activity against the three themes set out in the Organised Crime Strategy (stem, strengthen, safeguard). The activities of the boards are subject to scrutiny by the senior officials group and Ministerial structure

2 “The Cost of Cyber Crime”, Detica—14 February 2011

3 Automated Vending Cart (AVC) is a term coined by SOCA (and now adopted internationally) to describe click and buy e-commerce websites that automate the sale of compromised personal financial data

4 The Commonwealth Initiative is a new multi-stakeholder approach to developing a safe cyberspace internationally, drawing together the combined mandates of existing organisations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the United Nations Office on Drugs and Crime (UNODC), Council of Europe, International Telecommunications Union (ITU) and Commonwealth Secretariat to develop and implement coherent, holistic cyber capacity building programmes for developing Commonwealth states. It is co-funded by the UK Government (Department of Culture Media and Sport). SOCA chairs the Executive Board

5 The Budapest Convention on Cyber Crime is the first international treaty on crimes committed via the internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.

Prepared 29th July 2013