Centre for Public Safety conducts independent assessment of UK policing's cyber-security
The Centre for Public Safety has conducted a study into the standard of cyber-security found in police forces around the UK, highlighting areas for improvement.
Are the general public at risk?
The Centre for Public Safety (TCPS) scanned 71 police and policing-affiliated websites (including their own) and found that while one in four demonstrate high standards of secure encryption - the remainder have significant room for improvement.
With cyber-crime a growing threat and data breaches a brutal reality for anyone holding valuable or sensitive data, Rory Geoghegan, founding director of The Centre for Public Safety said: “The government and police regularly tell the public to ‘look for the padlock' when using websites - it's time they followed their own advice and delivered secure-by-default websites for the public to use.”
Only 27 percent demonstrated the highest world-class standard of secure website connections. The remainder either lacked a secure connection for visitors or their implementation was deemed deficient or insecure.
Twenty four percent lacked any automatic secure connections, meaning information is communicated in plain unencrypted text across the internet. More worryingly, TCPS highlighted that more than 70 percent of these sites invited users to submit personal data.
TCPS said that in some cases information specifically relating to criminal activity was sought in plain text without any form of secure connection, and said that, “we consider such sites to be placing the public at risk and that such practices should be terminated.”
These practices also go against the crime prevention and online safety advice (“look for the padlock”) that is regularly issued by the police service, government and industry partners.
Some of the newest implementations fell short of the highest standards. When first tested in July 2016, Cheshire Constabulary scored a ‘C' grade. By September 2016, following the launch of a new “upgraded” website, the connection was less secure achieving only an ‘F' grade which meant it was vulnerable to the POODLE attack, increased vulnerability to man-in-the-middle (MITM) attacks and no support for TLS 1.2.
TCPS is advising that with the move towards a digital transformation, the police service and related agencies must ensure their services are secure. Based on their analysis, one quarter have secure foundations - one half have room for improvement - and the remaining quarter are in need of serious and urgent improvement.
Rory Geoghegan, founding director of The Centre for Public Safety told SCMagazineUK.com: “While the rest of the world moves to secure-by-default, some forces and their IT providers seem intent on delivering not-enough-by-default. Take the Met Police - spending hundreds of millions per year and only achieving a grade C [security]. Police and Crime Commissioners and Chief Officers are banking on savings from digital transformation. They must ensure the online services provided are secure, or they risk public trust and public safety. Those police forces accepting personal data and information on criminal activity over plain text should, as a matter of priority, implement secure connections.”
Geoghegan added: “It is perhaps doubly embarrassing for those forces and PCCs who have set cyber-security and cyber-crime as key priorities, while failing to get the fundamentals right in their own organisation. On the basis of our study, just one in four of us have a police force providing the highest standards of online security. It's essential that policing swiftly moves to ensure the entire country can feel safe and secure interacting with police online. Over a quarter of police forces have got it right, allowing the public to communicate with them securely - but the rest need to redouble their efforts.”
Concluding, Geoghegan said: “The National Cyber Security Centre has a vital role to play and we urge them to ensure they provide a channel for the public and others to report vulnerabilities in police and public safety digital infrastructure. It's 2016 - the internet is not new, the cyber-security threat is not new - and yet some police forces and their IT providers seem to think it is acceptable to pay large sums of taxpayer money for insecure technology.”
Mostafa Siraj, senior security advisor at WhiteHat Security said: "Having a secure connection between end users and websites is a very basic and fundamental security requirement. With the widespread use of public WiFi in the UK, it can literally take a hacker seconds to sniff the entire communication exchange between a user and a website.Siraj added: "Even when a user is not using public WiFi, if a hacker is able to access any switch or router across the connection between the user and the site, they can still sniff all the data flowing between the two. Given that most of these routers or switches still have the default username and password used to administer them, this is not too big a challenge. If personal information or user credentials are being exchanged, the damage of such sniffing could be even bigger, as most people still use the same username and password combination across all their online accounts.