Progress of MPS e-crime strategy

Report: 10
Date: 25 January 2007
By: Deputy Commissioner on behalf of the Commissioner

Summary

The Metropolitan Police Service (MPS) is currently subject to a Metropolitan Police Authority (MPA) scrutiny on e-crime (now nationally referred to as ‘e-crime’). This report provides an update on the developments and implementation of the MPS e-crime strategy. The purpose of the e-crime strategy is to assimilate and co-ordinate best practice, training, industry liaison and intelligence for the benefit of existing MPS units, industry and public.

A. Recommendation

That members

1. note the assessment of the external and internal e-crime issues confronting the MPS detailed in this report;
2. note the current progress of the developing MPS e- crime strategy; and
3. members note the national issues and the MPS position in relation to them.

B. Supporting information

Definition

1. ACPO have redefined e-crime as:

‘The use of networked computers, telephony or Internet technology to commit or facilitate the commission of crime.’

The definition encompasses technical crimes against computer systems, such as hacking or denial of service attacks as well as conventional criminal investigations, which feature technical elements e.g. the use of technology to commit crime, the retrieval of digital evidence or tracing suspects through electronic means.

Overview

2. ‘Measuring’ the extent of e-crime within London and/or affecting Londoners and the UK is a huge challenge due to its’ global, borderless character but the overall impact can be broadly assessed. A US survey identified the global cost of e-crime as £1 trillion annually. Lloyds of London estimated that the recent “I Love You” virus cost the global economy $10 Billion [1]. A recent report by the DTI/Price Waterhouse Coopers (PWC) indicated that 84% of large UK businesses had a malicious security incident last year and that 21% of respondents to a Government survey felt ‘at risk’ to e-crime whereas only 16% worried more about a burglary [2]. Over 60% of the 7.4 million population of London utilise networked computers either in business, school or home environments.

3. UK consumers spent £7.5 billion on the Internet over the 2006 Christmas period, a 50% increase over the preceding year, which has been partly attributed to the increasing use of broadband. The number of British households with broadband Internet access is predicted to rise to 21 million by 2010, as dial up access becomes redundant. This increase will permit greater criminal exploitation and network disruption through the use of viruses’, Trojans and BotNet programs, which will utilise the increased speed and bandwidth to propagate criminal enterprise.

4. There is an issue of under reporting across the UK. There is an unspoken public perception that e-crime is so pervasive that the police service does not have the capacity to investigate each individual allegation. The public have reported difficulties in reporting e-crime to the police. Also,, many organisations and individuals may be unaware of their computer being compromised, making it difficult to establish definitive annual financial harm.

5. In response to the changing and emerging threat, the policing of e-crime within the UK (and indeed the world) is developing. It is widely recognized that e-crime is the most rapidly expanding form of criminality, encompassing both new criminal offences in relation to computers (viruses and hacking etc.) and ‘old’ crimes (fraud, harassment etc.), committed using digital or computer technology. The MPS assessment is that specialist e-crime units can no longer cope with all e-crime. The ability of law enforcement to investigate all types of e-crime locally and globally must be ‘mainstreamed’ as an integral part of every investigation, whether it be specialist, or murder, robbery, extortion demands, identity theft or fraud.

6. The policing of e-crime faces the challenge of keeping pace with technological advances. Hackers and virus writers have evolved from largely enthusiastic amateur ‘criminals’ to financially motivated, organised global criminal enterprises. Computer businesses and businesses that rely on computers (Internet Service providers – ISPs. Anti-Virus companies, industry and commerce) are constantly devising ways of coping with attacks on their systems and products. Prosecutions of virus writers and hackers in the UK have been infrequent up to now. However, the motivation of such offenders has now migrated from the curious adolescent to the profile of the financially motivated professional, often with organized crime links. Examples of investigations of globally financially motivated organised crime groups can be found at Appendix 1.

7. Whilst it is clear that industry demonstrates the most obvious losses as a result of e-crime attack (average total cost of worst incident suffered of between £65,000 - £130,000 for a large business – this increases to up to £1 million for very large businesses), private individuals in all communities are increasingly likely to become victims of organized e-crime. Incidents range from massive ‘spamming’ attacks, to destruction of their home computer or network and to unlawful access/modification of their systems for use in crime as part of a ‘Botnet’ [4]. At the same time, the use of technology is becoming an increasingly regular feature across all types of crime and criminality.

8. With the impending Olympic Games in London in 2012, security is paramount to ensure that Government, industry and the public have the necessary confidence to trade and fully participate in the event. The MPS Computer Crime Unit (CCU) is liaising with the London Olympic Committee (LOCOG) in an advisory capacity to monitor emerging IT security threats to enable an appropriate threat assessment and evaluation to be produced. A capacity assessment is currently being conducted to identify resources, staff, equipment availability, and training opportunities and intelligence sharing from all UK Forces and the Serious Organised Crime Agency (SOCA).

National situation

9. Across ACPO forces, the co-ordination of e-Crime resources and issues is currently conducted through the ACPO Working Group, chaired by Commander Wilkinson of the MPS. A national e-crime strategy is being developed. National policing issues include duplication of effort, research and a need to improve the sharing of best practice, intelligence and training, together with the opportunity to make efficiency savings. The police service has up to now addressed the global e-crime problem within local structures using traditional methodologies.

10. There is a need to recognise that emerging technology plays an integral part in the delivery of core policing services, which should be reflected in national and local policing strategies and infrastructure.

11. The creation of a national unit to address the issues and threats described above, and to provide a better interface for policing with government, industry, partners and the public is currently being considered within ACPO.

MPS position

12. Members will be aware that Lord Harris and the Deputy Commissioner are currently overseeing an MPA scrutiny into the MPS approach to e-crime. A review of all MPS high-tech assets and external relationships has been conducted to identify areas for improvement or where gaps exist that require addressing. A definitive picture of the resources available has been established with an asset register produced to assist in the delivery of the specific actions listed within the five strands of the e-strategy implementation plan. It is not anticipated that there will be any further direct MPA scrutiny in this area (in the format described above), but the MPS will be presenting further papers to the MPA in due course.

13. Within the MPS there are several specialist operational units dealing with e-crime. These units primarily consist of staff utilising high-tech skills to retrieve forensic material and assist with the core operations and investigations of the various units.

14. These specialist units are: the Computer Crime Unit (CCU), Paedophile Unit; Counter Terrorist Command Intelligence Bureau, Clubs and Vice, and Computer Services Laboratory (CSL), Professional Standards and Covert Policing Command. All of these units have developed into centres of excellence, and in response to the particular demands of countering specialist and complex types of crime and criminality. All the units have been assessed. Due to the quality and standard of service each provide it is not proposed at this time that any of them should be closed or amalgamated into a single operational MPS e-crime unit at Appendix 2.

15. The specialist units enable the MPS to provide a response to the key types of e-crime that are assessed to pose the greatest threat. However, the national issues discussed above apply equally to the MPS. Alongside the service provided by the specialist units, the whole MPS needs to evolve into a position where awareness is raised and investigations and operations take e-crime issues into account as a matter of course – ‘mainstreaming’.

16. The evolving MPS e-crime strategy seeks to harness existing expertise but also to capitalise on opportunities for intelligence sharing, the sharing of best practice and economies of scale that should be delivered in the corporate interest.

17. The implementation of the e-crime strategy implementation has been broken down into five distinct areas, Intelligence, Prevention, Enforcement, Together, and Communication with a project lead for each. An overview of the functions being delivered by each strand as below:

• Intelligence
  Strategic and Tactical analysis, joint intelligence sharing protocols, Distinct Crime recording codes to quantify e-crime, coordinate and publish revised CII (Covert Internet Investigations) and Covert Human Intelligence Source (CHIS) protocols.
• Prevention
  Fraud Alert web site, media campaign, Crime prevention officers training, MSC projects, Awareness seminars, first responders training, Olympic threat assessment, mapping advice sites, collation of best practice.
• Enforcement
  Review; refresh ACPO manual, training for test purchase officers re Covert Intelligence Investigation, central database for skills, establish international evidential protocols.
• Together
  Practitioners forum to capture best practise, conduct a digital forensic best value review. Identify partnership and sponsorship opportunities.
• Communication
  To raise awareness of e-crime through publicity both internally and externally, establish change management plan, conduct capability assessment for all MPS high tech assets, e-crime conference and presentations in both internal and external environments.

18. Appendix 3 refers to the MPS e-crime Strategy Corporate Governance Model and Appendix 4 to the MPS e-crime Strategy Strands.

19. Current activities under the MPS e-crime strategy

• ACPO lead on e-crime issues and Internet Crime Forum lead
• INTERPOL representation with SOCA for UK e-crime
• Provision of IT expertise in kidnap and undercover operations
• Creation and management of UK wide Fraud Alert system
• Partnerships established with IT and financial sectors for intelligence sharing
• Olympics 2012 liaison with LOCOG re security
• Training MPS staff on e-crime awareness, and delivery of e-crime prevention packages to 162 borough crime prevention officers
• Utilisation of 38 Special Constables with IT skills in project development
• Training program of 200 test purchase officers to be deployed for Internet operations
• Capability assessment of all e-crime assets within the MPS and across all 43 forces being conducted to identify further opportunities

20. The following issues are worthy of special mention:

• Reporting and Investigation are key challenges. By raising awareness across the MPS, and by providing more specialist training for investigators, the MPS will become more accessible and able to provide a good service to those wishing to report e-crime. However, the fact remains that due to the volume of offences and the national and international nature of e- crime, sometimes involving hundreds or thousands of victims, the police service cannot undertake to investigate all allegations as a matter of course. The MPS strategy will continue with the current approach whereby through improved intelligence gathering the e-crime picture is better understood, so that proactive prevention can be pursued with our partners in government, industry and other law enforcement agencies. The objective is to reduce the opportunities for criminals to exploit technology and to take action to ‘target-harden’ identified vulnerabilities. Police resources can then be deployed to tackle the organised criminal networks or high threat individuals that are capable of causing such disproportionate harm.
• Digital Forensics The most significant resource requirement in relation to investigations where IT is utilised to facilitate the-crime, or is retrieved as part of the investigative process, is the examination and storage of digital media. The substantial quantity of forensic product retrieved by operational officers within the MPS has resulted in large-scale outsourcing. The service level agreement for the Department of Information (DoI) to process hard drive and forensic analysis is currently being achieved, but this is due to the use of managed contracts and individual units providing their own forensic capability. With increasing utilisation of digital technology, the demand for associated forensic services is likely to increase by 30-40% over 2006/7. Therefore there is a need to plan for future demand, in order to prioritise expenditure on the increasing costs of outsourcing. (£4.3 million expenditure, 05/06).
• Recruitment and retention of staff is one of the identified issues to be addressed as part of the e-crime strategy implementation plan, under the enforcement strand. The recently conducted MPS capability assessment included the issue of recruitment and retention. Recruitment is not a major difficulty and retention problems only arise in retaining staff within e-crime units, where limited opportunities exist for staff development. In the majority of cases the only loss of staff tends to be from one MPS unit to another, rather than to outside industry.
• An opportunity to save on equipment and training costs by co-ordinating the requirements of the MPS e-crime units is evident from the research conducted so far. In relation to training, the bulk purchasing of courses or the provision of UK delivery rather than costly attendance at individual foreign training events is easily attainable. Likewise, compilation of an equipment and skills database to identify available resources could negate the need for duplication of purchasing requirements. Where equipment is required then bulk-purchasing opportunities on behalf of all the departments needs to be enforced. MPS development opportunities are outlined at Appendix 5.

21. The development of a central e-crime co-ordination unit for the MPS, supported by a Computer Incident Response Team (CIRT) is the logical next step, and will be the subject of a paper and presentation to MPS Management Board in the near future.

22. Briefly, an MPS e-crime unit could perform the following functions:

1. Prevention
2. Industry partnership
3. Tasking and co-ordination
4. Intelligence development
5. Research and development
6. Computer Incident Response Team (CIRT)
7. Provide a public face for e-crime policing in the MPS
8. Disseminate training and best practice
9. Address forensic issues
10. Ensure the application of technology within investigations, effectively mainstreaming this knowledge and skills base
11. Assist in securing the capital against cyber attack, by ensuring a closer working relationship with specialist and partner agencies, government and industry

23. The MPS has staff within the SCD6 CCU who already have the experience and ability together with established partnerships and intelligence protocols within industry to perform a CIRT function. The current resources of the CCU are able to respond to a limited number of incidents and are not in a position to provide the extensive national response to the demands, which the National High Tech Crime Unit (NHTCU) previously provided. CCU staff have successfully led a number of investigations concerning threats to CNI and BotNet attacks, and are members of the BotNet Task Force and INTERPOL. Current MPS e-crime resources are deployed and dealing with high priority issues such as counter terrorism, kidnap, intelligence gathering, and child abuse. However, the scale of e-crime as outlined at the start of this paper requires significant extra investment in the strategic response to ‘mainstream’ and enhance the service the MPS provides.

The future national position

24. Prior to the formation of the National High Tech Crime Unit (NHTCU) in 2001, the MPS Computer Crime Unit CCU at SCD 6 undertook national responsibility for the investigation and co-ordination of all network related computer crime. This position was subsequently adjusted to focus upon London linked offences, and related forensic examinations. Since the realignment of the NHTCU into SOCA e-Crime in April 2006, now is a good time to reassess the role of the MPS CCU in relation to national and international offences that impact on London and the UK.

25. Discussions are underway through the ACPO Working Group about the viability of a new national unit to co-ordinate the national policing response to e-crime. A national unit would closely reflect the structure and function of the proposed co-ordination unit in the MPS and there may be opportunities for a joint or closely aligned approach, which will be examined by the end of this financial year. A further paper will be submitted to the MPA when the position of all the internal and external stakeholders to such a proposal has been ascertained.

C. Legal implications

None relevant identified within the scope of this application.

D. Race and equality impact

Improved e-crime intelligence and notification opportunities will enable those communities who are traditionally reluctant or unable through physical or language reasons to communicate with police. The provision of the existing Fraud Alert notification site in several languages for victims of crime and to promote prevention and awareness opportunities in various languages is an ongoing activity. There is therefore an opportunity to enfranchise and engage community groups who have previously been inhibited in communicating with police. The existence of such virtual and on-line communities are numerous and easily accessible, and can be utilised to encourage and promote-crime prevention, intelligence sharing and communication.

E. Financial implications

Effective delivery of the MPS e-crime strategy will deliver savings but detailed breakdowns are not yet available as some elements of the strategy have yet to be agreed and are subject to partnership protocols being established.

F. Background papers

None

G. Contact details

Report author: DCI McMurdie, MPS.

For more information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Send an e-mail linking to this page

Feedback