Home Affairs Committee
Written evidence submitted by the City of London Police [EC 07]
SUBMITTED BY THE OFFICE OF THE CITY REMEMBRANCER
1. Introduction
1.1 The internet has revolutionised society, and provided communities and business with great opportunities, and usage is set for a further prodigious increase over the next few years. The internet has encouraged and assisted new businesses by promoting innovation and the sharing of ideas, which has also boosted both the economy and job growth. It has allowed businesses to lower their costs, promote their brand and increase efficiency, and gives customers immeasurable choice and access to better, cheaper and more convenient services. The UK economy is very dependent on the internet as a basis for business and communications which is exemplified by the fact that in 2010, three quarters of UK consumers shopped online, spending nearly £60 billion, while 42% of all UK adults bank online.
1.2 These benefits, however, also provide opportunities for criminals. The internet allows them to exploit new ideas for fraud, identity theft, intellectual property theft and other forms of crime on an unprecedented scale through access to victims, data and commodities. They have done this by using a variety of cyber tools, techniques and online services. Criminals also utilise international boundaries to develop inventive and complex infrastructures that enable them to commit e-Crime. Criminals are also adopting new technology to enhance their operational security or improve the efficiency of their operations.
1.3 The City of London Police (CoLP) has led the implementation of the National Fraud Intelligence Bureau (NFIB) since 2010. Prior to this, due to its unique relationships with the financial community in the City and the specialist fraud investigations skills and experience of its detectives, the City Police had been designated the National “Lead (Police) Force (NLF)” for fraud since 2003. The force receives additional funding from the Home Office to investigate serious and complex fraud and also to run the National Fraud Intelligence Bureau. These fraud functions come together as the Force’s Economic Crime Directorate (ECD) and are match funded by the City of London Corporation. Within policing, the force leads the Association of Chief Police Officers (ACPO) Economic Crime Portfolio and has been working with Chief Constables across the country over the past 12 months to define a new model for recording and investigating fraud.
1.4 The NLF provides specialist advice on law enforcement dealing with often highly complicated and detailed criminality. Its objectives are to provide advice to all police forces, industry investigators and other law enforcement agencies to disseminate best practice, deliver training and act in an independent advisory capacity to other forces on request. The NLF provides a national investigative capacity to deal with all types of fraud (subject to agreed case acceptance criteria) and to assist other police forces in local investigations, and act as a single point of contact for anti-fraud advice.
1.5 As a result of the Fraud Review in 2006, the concept of the National Fraud Intelligence Bureau (NFIB) was created along with Action Fraud (the brand name of the National Fraud Reporting Centre launched and run by the National Fraud Authority) to help UK law enforcement agencies and their partners catch and disrupt criminals and to alert communities to fraud threats. The NFIB gathers a large volume of information on suspected fraud from both public and private sector sources, much of which is not reported to, or made routinely accessible to the police. This is analysed and turned into intelligence such as the identification of the scale of fraudsters’ criminal activities. The intelligence is used to support law enforcement operations and also provide prevention advice to industry.
1.6 The Government’s National Security Strategy, published in 2010, ranked UK cyber security (of which e-Crime is an element) as a Tier 1 national security priority. As a result of this threat, the Government has committed £650 million to the National Cyber Security Programme (NCSP). The City Police is one of a number of organisations that has received funding to help deliver this programme.
1.7 At the end of 2011, the Government published its Cyber Security Strategy, which illustrated how the UK will support the economy, protect national security and safeguard communities by building a secure and resilient digital environment.
2. What is e-Crime understood to be and how does this affect crime recording?
Types of e-Crime
2.1 The NFIB sees e-Crime (also variously described as internet crime, cyber crime and technology enabled crime) at two levels. At the simplest level, it is crime that exists only because of computer technology, for example hacking of email accounts, denial of service attacks and the production and deployment of malicious software (“malware”). These offences are largely covered by the Computer Misuse Act 1990. Additionally, there is “electronic” or cyber-enabled crime which can be described as the use of the internet to enable other crimes to be committed. The latter features particularly strongly within the NFIB’s remit as cyber-enabled fraud. The most damaging cyber-enabled frauds are those where the ease of communications through the internet has allowed an existing type of fraud to be attempted much more easily (for example, advanced fee or “419 letter” [1] frauds have developed and grown into fraud perpetrated by “phishing” [2] emails) or frauds exploiting the methods of genuine e-business such as ticketing fraud using bogus websites or online shopping fraud.
2.2 The bulk of e-Crime data that NFIB assesses is received from Action Fraud. Action Fraud records crime aligned to the Home Office Counting Rules for Fraud and Forgery, which includes crimes committed under the Computer Misuse Act 1990. However, the reports it receives at present are limited to individual calls or reports from the public. Police forces still represent the bulk reporting for fraud and the service recognises that through the complex method of cyber crime and also because of jurisdictional issues, victims can receive a very different service depending on how or where they report their crime. Chief Constables have therefore agreed to a new business model led by the City of London Police which will involve a national reporting and case allocation model to offer victims a more professional service.
Recording
2.3 The recording of crime by the police is governed by the National Crime Recording Standard (NCRS) and the Home Office Counting Rules (HOCR). These set out the principles under which reports received from victims are recorded. Crime statistics that are recorded by police are based on a notifiable list of offences. The HOCR set out the classification groups into which offences are managed for statistical purposes.
2.4 However, individual police forces record crimes, particularly those enabled by technology, in different ways. This is because there is no such crime type as an “e-Crime” formally defined in legislation. The use of a computer or other cyber technology is an enabler to the crime, and not a crime type in its own right. Therefore, it is not centrally recorded. This presents difficulties to the law enforcement community in assessing the scale and nature of the e-Crime threat.
2.5 The City of London Police is currently leading a programme of work to introduce Action Fraud reporting to all police forces in England and Wales. This will reduce some of the issues created by the lack of harmonisation that currently exists by creating a national call centre and online facility to report fraud and cyber crime.
2.6 Over the coming months, Action Fraud, in partnership with the National Fraud Intelligence Bureau, will press ahead with the “roll out” of an improved crime reporting capability with the support of all UK police forces. Within this programme is the development of an enhanced reporting method for businesses who are victims of cyber crime. This will ensure the police, through the NFIB, will have the capacity and capability to analyse all fraud and cyber crime data from one source, allowing for a much better understanding of the extent and nature of the e-Crime threat, and also provide for an enhanced service to victims.
2.7 New crime recording classifications have also been introduced by the Home Office to enable law enforcement agencies to capture specific cyber crime offences as laid out in the Computer Misuse Act (1990), but many crimes committed online are also prosecuted under existing legislation such as the Fraud Act (2006) or the Communications Act (2003).
3. What is the extent and the nature of the threats on which e-crime policy is based?
3.1 The significance of cyber criminals has grown in line with the development of online technology and the proliferation of electronically held data. Although it is difficult to estimate accurately the scale of losses to the UK economy as a result of e-Crime, one report puts the figure at £27 billion per year. [3] Whatever the true cost, its reach is known to be extensive, affecting individuals, businesses and government institutions.
3.2 The Government has expressed the need for partnership with the private sector and academia to combat crime. The City of London Police enjoys close working relationships with the private sector (who are represented at the ACPO Economic Crime Portfolio meetings), through private data sharing agreements with the NFIB and also through industry funded police investigation units such as the Insurance and Cheque Fraud investigation units. There is a very clear common message concerning the co-ordination of engagement with the private sector across government. Whilst government policy has provided a useful high-level perspective, it has only resulted in bespoke isolated programmes of engagement and there are still no clearly identified “nodes” for the formulation of policy, strategic forecasting and operational collaboration with the private sector on a national scale. Given this confused picture, there may be merit in an initial “mapping” exercise to identify the optimal mechanisms for engagement that already cut across different government departments.
3.3 The rapid pace of change in terms of technology and techniques used by cyber criminals makes mitigating e-Crime a unique challenge. The ever-increasing amount of public and private data held online and the significant increase of internet usage, both privately and commercially, also allows for an increase in opportunities for criminals to exploit weaknesses. Further evidence of the threat posed was illustrated in a BBC report in July 2012, [4] which shows fraudsters traded 12 million pieces of stolen personal information online between January and April 2012. The figure represents a threefold increase on 2010. Credit-checking company Experian, which produced the figures, said the increase was partly due to consumers having a growing number of online accounts. Consumers now have an average of 26 separate online logins but just five different passwords. Experian said many people were unaware their identity had been stolen until they were refused credit cards or phone contracts.
3.4 Attacks on businesses have risen markedly over the past year, with most UK based companies reporting malicious software infections. The 2010 Information Security Breaches Survey [5] found that 90% of “large” organisations and 74% of “small” organisations had experienced a malicious security incident within the last year, including hacking, viruses, data theft and fraud.
3.5 In August 2011, Action Fraud launched the capability to record the enablers of fraud within fraud reporting. From August to the end of the financial year, the NFIB received a total of 49,037 fraud and internet crime reports from Action Fraud, of which 45% were enabled [6] online. [7] The highest volume of frauds reported to Action Fraud are concerned with online shopping and auctions, many of which are linked to organised crime. As an indication of the scale of only one aspect of e-Crime, over 25,000 “phishing” emails were forwarded by members of the public to the NFIB in less than one week during the Office of Fair Trading’s SCAMNESTY campaign. The majority of traditional frauds have been eclipsed by an internet enabled variant and all forms of legitimate internet commerce are vulnerable.
3.6 In considering the impact of e-Crime, the experience and effect on fraud victims also have to be considered. It is the experience of the City of London Police that a large number of victims have found fraud to be as harmful to them as violent crime, with tens of thousands of victims requiring medical intervention for psychological and physical stress related injury each year as a direct result of being defrauded.
4. What is the effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and what are the potential impacts of proposed organisational change?
Are there any gaps in the response to e-crime and, if so, how should they be addressed?
Effectiveness of current law enforcement and legislative capabilities
4.1 The Serious and Organised Crime Agency (SOCA) and the Police Central e-Crime Unit (PCeU), hosted by the Metropolitan Police Service, undertake national e-Crime investigation and international joint investigation. The introduction of the new National Crime Agency (NCA) in 2013, which will replace SOCA, will continue with and expand on this role. Whilst the NCA is not yet operationally effective, the activity and linkage currently being initiated in the build up to the 2013 start date indicates that the operational response will be enhanced. Within the Shadow Command of the NCA, the City of London Police is a member of the Economic Crime Coordination Board (ECCB) and also supports the three sub groups: Prevention, Intelligence and Enforcement. Early pathfinder joint operations have targeted criminals who are using the internet to facilitate money laundering and fraud.
4.2 The development of the partnership and coordinating functions of the National Cyber Crime Unit (NCCU) being established within the NCA will also provide a better-coordinated and standardised approach to the e-Crime threat. Many of the concerns and issues will, in part, be addressed by the unit, which draws together and adds to the work currently carried out by SOCA’s Cyber Unit and the PCeU.
4.3 The NCCU will focus its resources and skills on the most sophisticated areas of cyber crime, whilst supporting the NCA and wider law enforcement to take responsibility for tackling cyber-enabled crime. This principle of supporting law enforcement to take responsibility for tackling cyber-enabled crime will underpin the work of the NCCU. Cyber crime that is facilitated by the internet will continue to be investigated by the police.
4.4 The creation of the NCCU is a critical part of the Government’s wider National Cyber Security Programme (NCSP). It will consolidate the national law enforcement response to cyber crime into one unit. The NCCU will work closely with other partners to strengthen the UK’s overall response to e-Crime and ensure individuals and industry can utilise the opportunities presented by the internet. The NCCU is responsible for building the cyber capability of the NCA, across all four operational commands to manage high impact incidents of cyber and cyber-enabled crime.
4.5 An improved response to e-Crime can also be seen with the development of the Cyber Crime Threat Reduction Board (TRB), and of the Fraud Threat Reduction Board. These were established under the Government’s organised crime strategy [8] which provides an operational context in which law enforcement and intelligence agencies can assess operational and intelligence activity against the “Stem, Strengthen and Safeguard” themes of the Organised Crime Strategy. Both of these boards bring together representatives from key organisations to tackle specific issues within their remit, with a partnership-based approach. Whilst only recently established, both TRBs have already made significant progress, assisted by the Threat Reduction Assurance Forum, which oversees and links the work of both these boards, alongside the other seven TRBs responsible for their respective crime types. The Threat Reduction Action Plans, identified and implemented on a bespoke basis by both boards, ensure clarity, effectiveness and coordination for the first time.
4.6 The ECCB has also produced several significant products in 2012 that have allowed a greater understanding of the fraud threat, identified gaps in knowledge, and highlighted key threats and risks. The intelligence gap analysis report and Strategic Threat Assessment are now being used to inform the formulating of a Control Strategy to manage economic crime nationally in a coordinated, effective and efficient way. These products incorporate e-Crime.
4.7 A significant amount of e-Crime is also the responsibility of the NFIB, and the police service as a whole. This has resource and capability implications as it lands alongside other priorities as part of the general demand on policing. As an intelligence bureau, the NFIB assesses the crimes it receives and then distributes them to the appropriate police force or law enforcement agency for investigation; this can include PCeU and SOCA. In reality, due to competing priorities, and the complexity and resources often required, many police forces have difficulty in investigating e-Crime. [9]
4.8 Police forces across England and Wales are faced with a 20% reduction in national funding in the period 2011–2014. This means that resources for targeting financial crime, including much e-Crime, are likely to be reduced in some regions. The City of London Police has proposed a joint funding initiative with the Government and the banking sector to fund additional police resources in the 10 ACPO police regions to investigate fraud, a great proportion of which is now conducted through the internet. These resources would complement the existing regional units that investigate organised crime and asset recovery, and would also be closely aligned to the NCA build, including the specialist PCeU resources. Initial first year funding has been approved by the Home Office, resulting in intelligence officers being deployed in the 10 ACPO regions, to liaise with the NFIB and assist further in identifying and understanding the associated regional fraud threats. If further funding for an additional two years is approved, the intelligence officers will work alongside new regional fraud enforcement teams to provide a comprehensive intelligence-led response on a regional to national level.
4.9 Whilst individual police forces do provide a local response to e-Crime, this can be uncoordinated and inconsistent, with many factors impacting on a variable policing response from region to region. A project has been developed by PCeU to provide additional regional resources that are effectively trained and equipped. The National e-Crime Programme has delivered three pilot PCeU “hubs” to address a lack of regional focus. The “hubs” enhance existing PCeU national operational capability to respond and investigate cyber crime. The regional “hubs” are based in the North West, East Midlands and Yorkshire & the Humber. The “hubs” were launched in February 2012 and are already providing a fast and effective response. The PCeU “hubs” have enhanced the local policing response but further dedicated resources are still required to investigate the underlying fraud offences.
4.10 The publication of the Strategic Policing Requirement (SPR) will support national co-ordination and collaboration between police forces to respond to serious and cross-border criminality. The SPR is also intended to ensure local policing plans account for cyber capability, and that local police forces can access the necessary specialist services required.
4.11 The introduction of Police and Crime Commissioners (PCCs) in late 2012 is intended to provide strong local representation, with the PCCs able to set the priorities for the police force within their force area, respond to the needs and demands of their communities more effectively, set the force budget and priorities, and hold the local Chief Officer to account for delivery and performance. With the extent of internet enabled crime affecting local communities, fraud and e-Crime should be seen as a serious and growing problem that needs to be addressed.
Gaps in response to e-Crime
4.12 The greatest challenge to an effective response by UK law enforcement agencies is the globalised nature of the threat. The most effective e-Crime groups are organisations that operate internationally, separating the component parts of their criminal enterprise across different countries for their utility and selecting jurisdictions for their permissiveness. There are challenges associated with delivering an effective solution in this environment due to the current varying international police response and enforcement. Differences in legislative, regulatory and practical arrangements for managing cyber security have potentially serious implications for all organisations. Whilst there is not necessarily the need for new international legislation, the promotion of standards and norms could help to strengthen the global threat mitigation architecture. Lessons can be learned from examining best practice in some sectors, and from the experiences of international partners. There is also a need to consider intelligence requirements through a global perspective.
4.13 In addressing the issue of e-Crime, the use of terminology needs to be clearer and more consistently used. There is a requirement for a common understanding of some of the general terms and an agreed list of the cyber crime techniques and tools, and the criminal infrastructure that poses the most risk to the UK. Both public and private sectors are the victims of cyber crime, but these are very wide categories and in the first instance prioritisation should be given to specific parts within these sectors that face the most risk and harm. A common understanding of terminology both in terms of threats and mitigation is a vital component of the UK response.
4.14 The current challenges in assessing the scale and nature of the UK e-Crime threat affect both the policy around e-Crime and the operational response to it. [10] The impact of this is magnified by the tendency of cyber criminals to be highly adaptive and innovative. As a result, they can often be a few steps ahead of the law enforcement community’s ability to respond and are often in the process of exploiting the next criminal opportunity whilst law enforcement is trying to target the previous one. An effective law enforcement response is challenged further by the need for many industries to harness new technology to enable a more efficient and effective service. For example, new payment technologies and alternative banking mechanisms are rapidly evolving both in the UK and overseas. In a highly competitive market, the desire (and need) to generate new products rapidly makes delivering comprehensive security controls for these products a formidable challenge. Many organisations’ decision-making in relation to innovation is heavily driven by market forces and ease of use, with security concerns sometimes taking second place.
4.15 Key risk areas that need to be prioritised for affirmative action include online tax and benefit/tax credit systems (Universal Credit) in the public sector, banking and payments and retail (the UK has the second largest in the world) for the private sector, and personal computers and devices used to access public and private sector systems. The means by which these systems are accessed are often the weak links which cyber criminals attack. Government has a key role to play in working with the private sector to mitigate the threat posed by these systems.
5. How effective are current initiatives to promote awareness of using the internet safely and what are the implications of people’s online behaviours for related public policy?
5.1 Whilst the UK has seen some recent initiatives to promote awareness of internet safety, it is clear that more needs to be done within this area.
5.2 Through its regional hubs, the PCeU have worked hard to mainstream cyber awareness, capacity and capability since its inception.
5.3 The National Fraud Authority (NFA), as part of the “Shadow” NCA—ECCB Prevention Sub Group, plays a key national preventative role, in terms of reducing repeat victimisation by advising callers to Action Fraud. This service also plays a vital role for crime victims by offering reassurance and other advice through a bespoke service in partnership with Victim Support. The NFA also initiated and developed the “Devil’s in Your Detail” campaign, a joint initiative between the NFA and private sector organisations from the banking and telecoms industries. The campaign was video-driven and raised awareness of the importance of protecting personal information. The campaign reached over four million people through initiatives involving social media. Subsequent analysis of 4,000 people who watched the videos resulted in over 60% stating that they would take more steps to protect themselves from fraud.
6. What are the options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use?
6.1 The key to addressing e-Crime effectively is through greater collaboration, effective intelligence sharing, improved engagement with business, and a comprehensive awareness programme. Prevention is a vital theme that threads through all of these areas.
Greater Collaboration
6.2 The Government’s National Cyber Security Strategy makes clear, and this is applicable to information security in general, that it is only through engagement between government, law enforcement and the private sector that the UK will become more resilient from attack, shaping an open and stable environment and developing our skills base. As criminals will target a range of industries it will be vital for all sectors to come together to share experiences and develop common strategies for addressing threats. A particular focus must lie in the security of the millions of personal information records held by both the public and private sector. There is a wealth of intelligence from various sources that this data is being targeted, stolen and traded as a commodity by criminal gangs. A comprehensive approach to the threat is required and collaboration is the key to success. Ad hoc groups promoting collaboration across the sectors do exist; however, there is a need for a stronger coordinated and formalised process across both the public and private sectors.
6.3 Collaboration can come in many forms, and the proposed City of London Police joint funding initiative to provide a national policing capability for fraud would provide a very effective specialist resource, aligned to the national law enforcement picture on a local, regional and national basis, and tackling an area of crime that has had limited resources. Whilst already supported by ACPO and all police chiefs, such a venture needs the financial support of the Government and the banking sector. Whilst the three-year pilot requires investment, the benefits to potential supporters, and the UK as a whole, are expected to be commensurately higher.
6.4 Criminals may target third parties, partner companies and other industries to access data. Advances in technology, such as the development of Cloud Computing, are also a source of new risk as well as opportunity. There is a wealth of expertise and information across all sectors in the UK that could greatly enhance protection against such wide-ranging threats, and collaboration must be co-ordinated across the wider private sector and government. To facilitate such comprehensive co-ordination and collaboration, there is a need for a point of focus around which stakeholders can rally.
Improved intelligence sharing
6.5 An improved and more effective intelligence sharing protocol between law enforcement agencies would also have a great impact on preventing e-Crime. There is still much to be done in this area, and many agencies could collaborate and share their intelligence more effectively. The fact they are not is due to many reasons, including cost, culture, and their respective regulations, but none are insurmountable, and a greater effort is required from all agencies to share the intelligence they possess.
6.6 The National Fraud Intelligence Bureau (NFIB) is an example where intelligence sharing can lead to an effective preventative response. It disseminates products, including alerts, as a result of analysing intelligence provided by a range of organisations and industry sectors. This collaborative approach has been extended further with some also providing staff to work within the bureau. The NFIB works with private sector partners to close down criminally managed websites. Between January and April 2012, 261 websites were sent for suspension request. Between April and August 2012, 52 websites have been confirmed as suspended. In September 2012, 152 have been sent for suspension, with 143 being confirmed as suspended. Between January and August 2012, 248 telephone numbers were identified for suspension. The submission of bank account alerts was instigated from April 2012 and since this date 221 account details have been disseminated to the banking industry in 177 alerts. These are sent to the banking industry for intelligence purposes, and an example of the impact that these alerts provide was when a single customer had £70,000 prevented from being defrauded in September 2012. These timely actions are calculated to have saved the finance sector millions of pounds.
6.7 In May 2012 alone, the NFIB developed and disseminated 449 crime investigation packages, 28 tactical intelligence products and 112 alerts via a new partnership with the British Bankers Association. Whilst the work of the NFIB encompasses all areas of fraud, this approach should be expanded upon, and further supported, to encourage greater intelligence sharing of e-Crime related threats.
Engagement with business
6.8 The majority of victims of banking and plastic card fraud are protected by compensation from the finance and banking industry. Whilst much is done within this sector, the industry needs to continue to be supported and encouraged to provide enhanced and effective security to mitigate the ever changing and often innovative exploitation by criminals and criminal finance. A robust coordinated approach by Government, law enforcement and business will ensure a better understanding of the true level of crime and raise public awareness of the threat and how to reduce it.
Education
6.9 The safe use of the internet requires a continuous, pervasive and constantly updated approach to education. This needs to be mainstreamed throughout an individual’s lifetime education. This would need to be on the scale of other public safety education, such as road safety and “stranger danger”, with initiatives seeking message adoption and understanding through all sectors of society. Although public awareness of “cyber enabled fraud” has greatly improved (for example the significant amount of education built into the school curriculum to manage children’s online behaviour by the Child Exploitation and Online Protection Centre), increasingly sophisticated attacks continue to target home computer users, and much more coordinated work is required.
October 2012
[1] This type of fraud is a commonly attempted fraud whereby victims are asked to help transfer money out of another country (such as Iraq, South Africa or West Africa) by paying a fee in advance. In return, the victim is promised a percentage of the money that the fraudster says will be transferred.
[2] Phishing is attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an email.
[3] The Cost of Cyber Crime, Detica (for The Cabinet Office), February 2011.
[4] “Warning about online fraud as information theft rises”, BBC News Website, 17 July 2012, http://www.bbc.co.uk/news/technology-18866347
[5] The Information Security Breaches Survey 2010, PwC, April 2010.
[6] Reporting consists of both crime and information reporting; either by the nature of the offence, i.e. online shopping and auction fraud, hacking, etc., or as had been selected by the victim during the reporting process.
[7] It is believed the true proportion of internet enabled fraud is higher than this as an accurate assessment depends on the victims correctly knowing, identifying and recording an enabler when reporting the crime.
[8] Local to Global: Reducing the Risk from Organised Crime, Home Office, July 2011.
[9] Due to investigative capacity, the difficulty in identifying the criminals behind e-Crime and the jurisdictional challenges of dealing with criminals who are frequently located outside of the UK.
[10] Response tends to be reactive rather than proactive and strategically targeted.