Earlier this month the Police Commissioner for the City of London, Adrian Leppard, wrote an open letter to The Times in which he painted a distinctly positive view of cyber-crime protection in the UK. In response, Computerworld UK sourced the views of cyber-security experts and published a story - ‘London Police Commissioner’s cyber-crime open letter laughed at by industry - that grabbed the attention of Leppard himself.
Eager to answer to his critics, he requested an interview to explain why he remains optimistc about the growing threat of fraudulent activity being carried out by organised gangs on the Web.
Leppard was criticised for having a “bullish” position, and many in the industry seem to support a recent Home Affairs Select Committee report on cyber-crime, which detailed how the government is losing the war on online criminal activity and said that it is too complacent in targeting cyber-criminals. The committee concluded that there appears to be a ‘black-hole’ where e-crime is committed with impunity, and that online fraud is often not reported or investigated by law enforcement.
But the commissioner argues that although the government, its security agencies and the police forces are still on a “journey” to becoming fully competent in the field of protecting against cyber-crime, industry experts aren’t fully aware of how the situation has changed over the past two years.
“We are comparable to America”
"We are a lot further on than the general commentator thinks and we are a lot further on than a lot of other countries. We are comparable to America in terms of policy, investment and technical capability. We are with the pack worldwide – but it doesn’t mean we are ahead of the threat, the threat is massive and it is growing exponentially," he says.
“The picture that was created in your previous article is what was happening two years ago. Two years ago, if you went to report an incident of cyber-crime, the police didn’t know what to do.”
Leppard explains that since the coalition government came into power and decided to make cyber-crime a core policy in targeting fraudulent activity, a number of changes have come into play. For example, the Serious Organised Crime Agency (SOCA), which the commissioner claims never regarded cyber activity as a major priority, will cease to exist as of October and is set to be replaced by the National Crime Agency (NCA).
The NCA will also take control of the Metropolitan Police’s e-crime unit, which has built up a decent reputation in tackling criminal activity online. This will merge with the cyber function that previously sat under SOCA to become the NCA’s cyber-command unit and will support all of the NCA’s operations: child exploitation, organised crime, border agency, and economic crime.
Alongside this, the City of London Police has worked to create a central reporting unit for all fraudulent activity for police forces, dubbed Action Fraud. Previously, if a business or citizen wanted to report an incident of cyber-crime they would go to their local police station and the crime would be logged at a local level. However, now organisations and citizens are being encouraged by forces to report it to Action Fraud’s call centre or via its online reporting tools.
“About two years ago we really started to try and change the landscape – we recognised that reporting to police was very fragmented. If you tried to report fraud to West Midlands, Yorkshire, the Met, you just got a different answer every time. Policing hadn’t moved with the times,” says Leppard.
“Now, fraud and cyber-crime is the only crime that gets reported nationally. It’s a big change, but now a record of crime doesn’t go down to a county anymore, it’s at the country level. This is because the threat isn’t local, it hasn’t taken place in Warwickshire, it’s coming in through the internet.”
He adds: “Action Fraud then take this information and disseminate what is and isn’t crime, and push it out to other agencies.”
Leppard and the City of London also host the National Fraud Intelligence Bureau (NFIB), which is the country’s intelligence database for cyber-crime. The NFIB is used to collect reports of serious fraud from industry bodies – for example, the banking sector feeds in data via the Fraud Intelligence Sharing System (FFIS) - however there are similar arrangements for other industry stakeholders.
Seeking Home Office investment
All of this is work is being propped up by the government’s pledge of £650 million to target cyber-criminals, 15 percent of which went to forces and the majority to GCHQ to protect critical infrastructure. However, it is the industry reporting to the NFIB that critics have the biggest problem with, where MPs and experts state that the banks, for example, only report incidents of fraud that they decide are relevant. Often the forces and intelligence agencies will remain unaware of a lot of the fraud taking place, as the banks simply refund customers that lose out due to online criminals.
This is something that is partly being helped with the introduction of Action Fraud – which received some 40,000 crime reports in the last quarter – but Leppard concedes the forces currently only get “one view in a limited prism” and he is currently trying to secure money from the Home Office to build a new industry reporting system, so as to gather more information across all industries.
“One thing we are really trying to get right is industry reporting. Industry will never be in a position to ring up a call centre, or fill in a form for each crime. What we have to do is define the technical interface between us and the whole sector, so we can just automate feeds. There is a myriad of industries, using a myriad of systems – so what we have to build is a common, thin architecture that can give us the basic minimum to help build the intelligence picture for this country,” says Leppard.
“If we said: we need X number of pieces of information, no industry is going to start rewriting all their systems, but if we can get one common architecture that could work. There will be two common threads to the feeds of information – one will be the offending criminal and one is going to be the victim.
“In a normal crime you would want the time, the day, exactly what happened, but we will never be able to do that. We need to be more basic. We need to get this reporting right so we know the scale of reported crime – at the moment our reported crime figures aren’t right,” he adds.
Leppard hopes that if he can secure money from the Home Office to build the new system, for which he has put a bid in to the government department already, then the data received from industry will help influence policy, funding, and the UK can begin to realise the scale of the cyber-problem.
Leppard says: “At the moment we rely too much on extrapolated figures and industry telling us that the scale of the problem is X percentage, when we need to know actually what it is. Crime reporting is really about getting policy right.”
The commissioner expects that between £3 million and £4 million from the Home Office will get the City of London Police on its way to building a system for businesses across a number of industries, but Leppard isn’t ruling out seeking financial assistance from industry too.
Protection vs enforcement
According to Leppard, compared to a year ago the level of fraud related activity that is being facilitated by the internet is increasing significantly. He said that 12 months ago, cyber-crime accounted for approximately 50 percent of all fraudulent activity, but this has now increased to up to 80 percent in recent weeks.
Realising the scale of the problem has also made Leppard realise that police forces and intelligence agencies will not be able to effectively combat cyber-criminals through enforcement. Instead, the commissioner is looking to introduce a culture of protecting against the threat, where he also believes that businesses and the public need to be educated on the threats.
“We are never going to enforce our way out of the problem of cyber-crime, these areas are so huge that the way we are going to combat this is prevention. We have to get the public and the industry into a better place to start protecting themselves –that’s our responsibility, to understand and present back what they can do,” says Leppard.
“I’m not going to worry about enforcement, we are taking information, identifying gangs, targeting them, but they are only ever going to be a drop in the ocean. Unless we get the whole of industry and society to shut down the threat, that is the only way we can protect ourselves.”
He adds: “We need to start seeing public campaigns – millions of pounds worth of campaigns – like we have had for drink driving, fire safety, etc., about how to protect ourselves from social media, from online threats. We have to get the public to a much higher and sophisticated level of understanding of what prevention means.”
Despite the progress made so far, Leppard is keen to reiterate that that changes taking place are still in their early stages and due to the nature of the threat, the police forces, security agencies and government departments will continuously be chasing and trying to keep up with cyber-gangs that are finding new ways to access and steal information. However, he says the cyber-protection picture isn’t the one of doom and gloom portrayed by industry experts.
“I’m not naïve to assume that we are going to solve the problem, it’s such a big problem. But we are doing far more than people realise,” says Leppard.