Criminal Justice Bill

Written evidence submitted by Gary Lilburn, Cyber Defence Alliance, to the Criminal Justice Bill Public Bill Committee (CJB35)

1 Executive Summary


The Cyber Defence Alliance (CDA) is a non-profit organisation working within the UK’s financial sector. It collaborates with many domestic and international policing forces and agencies.

The CDA collects and analyses intelligence relating to cyber criminals and their activities. This includes, but is not limited to, threat actors who conduct offences relating to DDoS, the Computer Misuse Act 1990 (CMA), malware and botnets, and particularly attacks against the banking sector and its customers.

The CDA broadly welcomes legislation to allow UK law enforcement agencies (including the National Crime Agency (NCA), UK police forces, HM Revenue & Customs (HMRC), the Serious Fraud Office, and other departments and agencies responsible for tackling crime) to take control of malicious domains and IPs, including domains yet to be registered (DGA domains).

The CDA supports the creation of a power allowing the same law enforcement agencies to issue an order to preserve data.

The CDA also supports the creation of a criminal offence of possessing data obtained as a consequence of a CMA offence, but believes there should be two offences: simple possession (without lawful authority or reasonable excuse) and aggravated possession. A lawful excuse should be specified, and should include possession for the purpose of preventing or detecting crime or investigating offences.

More detailed answers to each consultation proposal and its associated questions can be found below.

2 Who are the Cyber Defence Alliance


2.1 The Cyber Defence Alliance (CDA) is a non-profit company in the UK working with 13 financial organisations. Our area of work relates to Cyber Threat Intelligence (CTI) particularly in relation to network defence and disrupting online cybercrime.

2.2 The CDA is staffed by a number of threat intelligence analysts and a fraud and cyber investigation team (FACIT). The FACIT staff are all former law enforcement officers, plus an analyst with considerable fraud/cyber investigation experience. The CDA’s CEO and Deputy have a combined 65 years of law enforcement experience and have led teams in the UK and internationally dealing with complex cyber and fraud cases as well as wide-scale abuse of the financial system. This offending included the use of malware and botnets to conduct infections and CMA offences.

2.3 As part of its work, the CDA seeks to collect and develop intelligence relating to threat actors conducting cyber and fraud offending against targets in the UK. This ranges from bank account takeovers and mobile malware to large-scale botnets and malware infections created to commit DDoS attacks, banking fraud and other CMA offences. This intelligence gives the CDA insight into criminal methodologies targeting the UK financial sector.

2.4 The CDA works closely with UK and international law enforcement partners, having numerous sharing and collaboration agreements and arrangements with those forces and agencies, including the national policing leads: the NCA and City of London Police.

3 Domain name and IP address takedown and seizure


3.1 Consultation Proposal:

1. Mandatory takedown (Domain de-registration and/or website):

Any domain/IP that is being used to conduct or facilitate any criminal offence (one that carries a maximum penalty of 12 months or more in prison on summary conviction, or two years on indictment).

The application would have to show that the action is a proportional response to the criminal activity that is being investigated.

Unless good reasons apply, a voluntary takedown should be sought first, and only if that is unsuccessful (within 72 hours) should a mandatory takedown be sought. ‘Good reasons’ could include that the relevant registrar is known to be non-co-operative.

An Inspector’s (or equivalent rank) authority would be required to request such action/order.

Guidance should be provided to law enforcement: Policy should dictate that such action should only be undertaken by a dedicated unit.

Such orders should be available from magistrates and not limited to crown court orders.

2. Takeovers, prevention of domain creation and sinkholing:

Any domain/IP that is being used to conduct or facilitate any serious criminal offence (one that carries a penalty of 5 years or more on indictment).

Court authority / warrant should be required.

The application would have to show that the action is a proportional response to the criminal activity that is being investigated.

A Superintendent’s authority would be required to make such an application.

Guidance should be provided to law enforcement: Policy should dictate that such action should only be undertaken by a dedicated unit.

NB, such a request can also include taking control of domains not yet registered, e.g. where a Domain Generation Algorithm (DGA) is known to be used to create domains for controlling botnets/malware, all potential domains that could be created by the DGA should be subject to such an order. Because a DGA derives its domains deterministically from a seed (typically the date) and a per-family constant, the full list for a future period can be computed in advance once the algorithm has been recovered from the malware.

UK law enforcement agencies, including the National Crime Agency (NCA), UK police forces, HM Revenue & Customs (HMRC), and the Serious Fraud Office, and other departments and agencies with investigatory powers responsible for tackling crime should have such powers.

This will create a power for use where requesting a voluntary arrangement may alert criminals to proposed law enforcement action, or where domains/IPs are hosted by bulletproof hosters, or where the trustworthiness of the hoster is in doubt or unknown.

The statutory power can create an offence for breach of a court order, increasing the likelihood of compliance. It would also support Mutual Legal Assistance Treaty (MLAT) requests and other international requests for action in other jurisdictions: if an offence does not exist in UK law, UK law enforcement cannot request a foreign law enforcement agency in another jurisdiction to take action on it.

Such a mandatory request could be accompanied by a request for additional information about the site, e.g. registrant details, that may not be held on the infrastructure itself.

Additionally, it can be a power that ensures the registrar does not notify the impacted user of the law enforcement approach until after seizure/control has taken effect.

Any proposed legislation should articulate that voluntary processes are preferred and should be sought, with orders only sought where unavoidable: Law enforcement guidance should state that, unless good reason exists, voluntary agreements should be sought first.

Seizure should mean legal control and ownership. Temporary control would not allow law enforcement to react to criminals’ later attempts to evade or mitigate the sought outcome.

The governance of this legal control should be passed to a designated organisation or authority, with appropriate experience within the UK, to act on behalf of law enforcement. This will provide a framework for timely reviews, extensions and other associated governance.

Law Enforcement should pay for the lease only where takedown had been wrongly sought.

Law Enforcement should be empowered to allow other designated groups (e.g. Microsoft) to take control and manage the re-routing of IP data or other such action.

Control should be allowed to be extended beyond the lease period where an operational necessity is made out.

One application should lead to multiple orders when required: Malicious infrastructure can be spread across many domains and IPs.

There should be a provision for renewals/amendments to an application if new related infrastructure is identified at a later date.

Applicants should have the ability to submit an application where domains are not yet created, and also to request control of, or bar the creation of, any domain that follows a set algorithm, such as a DGA.

Where immediate action is operationally necessary to prevent loss of data/control, an interim order should be possible for the more serious cases whilst a full order is sought.

This should be time limited, awaiting a full order e.g. 72 hours.

All applications should be extendable, including interim orders, if extenuating circumstance exist.
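To show why the DGA proposals above (taking control of domains not yet registered, and barring creation of any domain that follows a set algorithm) are workable in practice, the following is an added worked example; it is not code from the CDA submission and does not reproduce any real malware family. It uses a constructed date-seeded algorithm (the per-family constant `FAMILY_KEY`, the label-length rule and the TLD list are all assumptions) to enumerate every domain the algorithm will produce over a future window, which is the list an order would need to cover, and then filters constructed sinkhole DNS hits against that list.

```python
"""Illustrative DGA enumeration. Constructed example; not any real family's algorithm."""
import datetime as dt
import hashlib
import string

ALPHABET = string.ascii_lowercase
TLDS = ("com", "net", "org")          # assumed TLD rotation, constructed for this example
FAMILY_KEY = b"example-family-key"    # assumed per-family constant recovered from the malware


def _daily_seed(day: dt.date, family_key: bytes) -> bytes:
    # The seed depends only on the calendar day and the family constant, so a bot
    # and an investigator who knows the constant derive exactly the same domains.
    return hashlib.sha256(family_key + day.isoformat().encode()).digest()


def generate_domains(day: dt.date, count: int = 8, family_key: bytes = FAMILY_KEY) -> list[str]:
    """Return the `count` domains the algorithm activates on `day`, in order."""
    seed = _daily_seed(day, family_key)
    domains = []
    for index in range(count):
        # A fresh digest per index keeps each name independent of the others.
        digest = hashlib.sha256(seed + index.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 8                       # label length 8..15
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def enumerate_window(start: dt.date, days: int, **kwargs) -> dict[str, dt.date]:
    """Map every domain the algorithm will produce in the window to its activation day.

    This is the set an order covering 'domains not yet registered' would list.
    """
    covered = {}
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        for domain in generate_domains(day, **kwargs):
            covered[domain] = day
    return covered


def match_sinkhole_hits(queried_names, covered: dict[str, dt.date]) -> list[str]:
    """Keep only the queried names that fall inside the enumerated (ordered) set."""
    return sorted(name for name in set(queried_names) if name in covered)


if __name__ == "__main__":
    start = dt.date(2024, 1, 11)
    window = enumerate_window(start, days=30)
    print(f"{len(window)} domains to cover for 30 days from {start}")
    # Constructed sinkhole log: one algorithm-generated name plus two unrelated lookups.
    hits = [generate_domains(start)[0], "www.example.com", "updates.example.net"]
    print("hits inside the ordered set:", match_sinkhole_hits(hits, window))
```

The point for the proposal is the determinism: the same function run by the investigator and by the infected machine yields the same names for the same day, so the list attached to an application can be computed before any of those domains exist at a registrar.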

4 Power to preserve data


UK law enforcement agencies, including the National Crime Agency (NCA), UK police forces, HM Revenue & Customs (HMRC), the Serious Fraud Office, and other departments and agencies responsible for tackling crime, should have the power to request the preservation of data. This should include any agency that has investigatory powers.

Data can be set to ‘disappear’ after a set time. A preservation order request should include a power to disable any ‘disappearing’ data settings.

The preservation order should also allow a request to remove a (criminal) user’s capability to access and/or delete the data.

This power could lead to hosters encrypting data, as a business model, such that they are themselves unable to extract an unencrypted version of the data, rendering this power ineffective in those cases.

90 days is reasonable; however, an extension beyond 90 days should be available in extenuating circumstances.

Law enforcement should not be held financially responsible if the data holder is suspected of hosting criminal data.

Police and Criminal Evidence Act 1984 Schedule 1 was principally intended for occasions where officers are at a scene and there is considerable material to sift and assess for seizure. This new power should cover those occasions where law enforcement becomes aware of new facts of the case at a later time, by which point the opportunity to preserve the data has passed.

This will also allow data to be preserved without taking the more intrusive step of examining it until more facts are established, thereby reducing privacy intrusion.

5 Data Copying


There is a need for ‘Possessing, without reasonable excuse, data obtained as a consequence of an offence under the CMA’.

Reasonable excuse should include and be specified as including: possession for the purposes of prevention or detection of crimes or the investigation, apprehension or prosecution of offenders.

Although possession of CMA data may, in some circumstances, be covered by other legislation such as the Fraud Act, there can be occasions where possession for other unethical purposes is not covered by existing legislation.

Possession of such data is often an offence under the Fraud Act only when the mens rea of a suspect can be proved. This can be increasingly difficult to prove to the criminal standard, and many criminals are aware of this and exploit that difficulty.

If no offence exists for simple possession of such data (without a reasonable excuse), then seeking other action such as MLATs can be problematic.

A new offence should be created to include simple ‘possession (without lawful authority or reasonable excuse)’ and a more serious aggravated offence of ‘possession with intent to commit an indictable offence’.

A lawful excuse should also be articulated by the legislation, e.g. data obtained for the purpose of detecting or preventing crime or investigating offences. This would allow organisations such as banks, or their contractors, to recover data dumped on the dark web or elsewhere for the purpose of identifying impacted victims/customer accounts, mitigating and preventing crime, and investigating the cause and those responsible.

Simple possession should have a maximum sentence of 5 years. Aggravated possession: 10 years.

December 2023.


Prepared 11th January 2024