City beat goes global
Adrian Leppard, commissioner of the City of London Police, explains to SC's Tony Morbin that crime prevention's mission in cyber-fraud is to help industry protect its information assets - but that international crime and encryption remain major challenges for law enforcement
In addition to covering crime in London's financial district, the City of London Police (CLP) takes all the fraud reporting anywhere in the UK, analyses it, triages it, and gives intelligence packages to other bodies – mostly police forces – for further investigation.
Leppard estimates 70 percent of all fraud in the UK is cyber-enabled, with around 50 percent coming from overseas. He described the scale of the problem to SC: “The British crime survey that comes out next year is expected to indicate that there are about three million (fraud) crimes a year in the country, of which only 250,000 get reported, and the capacity of the police service means they deal with about a quarter of that - so one of the biggest challenges we have is to make it easier for industry to report.”
Leppard contends that making reporting practical and easy is a more important factor than unwillingness or concerns over reputational damage on the part of victims. He says: “We don't make an issue about a particular bank being the victim. We want to know the nature of the crime, the methodology, so that we can take action to prevent it.”
Reporting of cyber-fraud through Action Fraud feeds into the national fraud intelligence bureau, a huge database and analytics centre with a hundred analysts. Leppard confirmed to SC that a new £27 million system is coming on stream next spring. “What's exciting is not just its analytics but
accessibility: we want to be able to take data feeds from multiple sources in any kind of format and put it straight into an analytic system. At the moment it's pretty unrealistic to expect banks and others to report crime though the Action Fraud system – there's no way, given the volumes that they are dealing with, that they are going to fill out very clunky crime reports online. We must at least provide the minimum benchmark of scale and volume so that politicians and others can realise the scale of what's going on and fund it appropriately.”
He says that the current capacity of policing cannot deal with the current scale of cyber-related fraud, noting how, “In triaging you have to make decisions about things that police will not be investigating. Prioritisation is done by a sophisticated decision-making tool that looks at scale, vulnerability of the victim, and a number of other factors as well.”
Locating the crime
The UK has moved to a national reporting system whereby the CLP allocates investigations to the forces that have the locus for the investigation, not necessarily where the victim lives, as cyber-offenders can be based anywhere. “We look at the crime, the package we have, and if we have indications in any way about where the crime is taking place we allocate the investigation to that force. The Metropolitan Police gets at least 30 percent of all investigations for the country.”
Insurance Driving Standards
City of London Police commissioner Leppard advocates Cyber Essentials as a minimum for everyone, adding that BS27001 is a stronger standard, but common approaches are necessary to keep information secure.
Cyber-insurance is also seen as a potential driver, and CLP has been working with Lloyds over the past two years. Leppard explained the rationale: “Crime prevention is information security, and insurance is a stepping stone to achieving that. It will drive the necessary security information standards, because in order to get a reduced premium at a realistic rate you need to demonstrate that you have taken all the necessary steps to protect your information assets and that's why we are working with insurance. We see it as a key stepping stone to crime prevention.”
Via the internet, the UK is now being targeted from countries not previously a source of UK crime, ignoring borders and laws, often emanating from countries where the UK does not have extradition agreements. Hence, the policing priority now is prevention and protection, and that very much involves industry.
Law enforcement has sought to build policing relationships in countries as diverse as Russia, China and Romania. “It's wrong to say we just can't get into these countries, but it is difficult. Traditional enforcement and extradition may or may not be effective, but where possible we will try and prosecute and take action. But we are also trying to disrupt offending. That is a very effective method of preventing more offending,” says Leppard.
An example cited was investment fraud, a major problem in the city. Leppard told SC: “We have all this intelligence coming in about cyber-fraud and we can see if there is a pattern of reporting. We take down the website immediately. The old approach would have been to leave everything running until we gather all the evidence against the offender, then try and pursue with a covert operation against the people involved. But every week you leave that website running could be another hundred victims. We shut down around 4,000 (criminal) entities every month – websites, enabling things like VOIP phone numbers, which appear to be UK numbers but are not, and mule bank accounts created to shift money. We are preventing about £500 million of fraud every year – eg, shutting an investment fraud website in four weeks prevents about a further eight weeks of victimisation. That's what I would suggest is the new performance indicator for policing... focussing on how many people we can protect, and how many more crimes we can prevent.”
Regarding police investigatory powers and their adequacy to do the job, Leppard commented: “The RIPA act deals with all our surveillance powers for policing (separate from GCHQ powers) but it is legislation that is constrained within the domestic country and here we are talking about needing to do intrusive surveillance of offenders on the internet that are in other countries. So we are working with the government at the moment, and I've spoken to the Home Secretary (Theresa May) and she's very keen to look at this to say, ‘How can we change the existing legislation to make it more appropriate to today's policing needs?'
“In policing terms, we must have the powers necessary to protect our citizens. This isn't about gathering huge volumes of data, just niche, focussed, targeted and proportionate powers to actually take action to investigate and protect our people.
“Then the other big issue is the increasing amount of encryption we're seeing in a range of services – whether it's devices, social media or other types of applications.”
Does this mean you want access to encrypted data? SC asked. Leppard responded: “We have to... this is the point.”
And on the issue of backdoors potentially being exploited by others? Leppard said: “It's not backdoors necessarily. Industry has been working with policing for hundreds of years to help police protect society. We have to be able – with appropriate and proportionate use – to access anything that we need to. It cannot be right that we start to create big swathes in our society, through social media or other digital environments, where the police don't go any more – and can't go.”
“As police, we would say providers do need to create services that can be accessed. But that accessibility should be heavily restricted to appropriate powers. Warrant powers through an independent judge, not through police, not to do with spying, though a legitimate process. We must encourage industry to develop encryption which can be, where necessary, addressed in order to protect our society.”
When it was suggested that the only people this would apply to would be the law abiding, Leppard responded: “The more you make mainstream services less accessible to criminals, the more you protect our society. It doesn't mean you eradicate the problem. I accept you'll move it but you will make a difference, and it's a positive difference.”
And what about legitimate use of encryption, say by authoritarian regime dissidents, lawyers?
“It's not just types of people. I think encryption is a really good thing because good encryption defeats 99 percent of all criminals. But what we must do is create the means by which we can access it if necessary.
“It's not for me to say how we might start unpacking that – and industry could keep hold of that. We can build lots of safeguards so that people would be more reassured about the proportionality and the necessity, but we must find a means of addressing this. It is increasingly creating a real challenge that is starting to compromise the acceptance that ... policing will protect our society from terrorism and serious crime.”
“What industry will say is that ‘we just provide a service. That's not our responsibility.' My kickback would be, I am telling you, this will happen: child sexual exploitation, slavery, trafficking, murder. Therefore I am putting some of that onus on you – I am telling you it will happen, therefore you do have responsibility.”
“In policing, you're never going to remove crime from society, so we work on how we are going to make the next big step to protect more people, prevent more crime. We have made huge progress in the last 10 years in reducing crime, and protecting this country from terrorist attacks. Encryption, if it is not addressed, has a real risk of taking us back 10 years in terms of the protection our society now expects from government agencies. It's a very real issue that does need to be addressed.”
Encryption backdoors - a hot issue
Adrian Leppard's comments to SC on the need for authorised and regulated access to encrypted data suddenly appeared part of a concerted effort underway by state authorities when it was followed days later by an almost identical appeal from MI5 director general Andrew Parker.
He too argued for the ability of police and the intelligence services to be able to access private electronic communications and called on social media companies to cooperate to turn over the communications of some suspects.
But it's a proposal that has many critics, from those who say it won't work to those who say it shouldn't be allowed to work.
Bruce Schneier, CTO, Co3, told SC: “If this was a good idea - from an infosec point of view - then the NSA and GCHQ would be saying it's a good idea - but they have been noticeably silent,” and described supporting encryption backdoors as being “willfully ignorant about the technology.”
Aral Balkan, founder and developer of social start-up ind.ie – which considered moving out of the UK over surveillance fears had said “Cameron has asked for backdoors on messaging apps and as someone working on building a social network that respects your privacy and human rights, I see no way to stay in the UK and guarantee that we will not be forced to compromise the integrity of our platform.”
However, despite the many critics, a recent Vormetric survey showed 63 percent of US respondents in favour of backdoor access to encrypted data in response to a national security threat, and 39 percent were in favour as part of a federal investigation. It is not known what the UK public view might be.
The police service suffers the same capacity and skills shortages as industry, with Leppard commenting: “We see more people getting skilled, but that skill base is still low, that's a fact.”
Leppard also notes a big distinction between the investigation of crime and the other crime prevention roles of policing which doesn't need as many specialist skills.
“We can train up staff and are building a prevention strategy, training local beat officers in what people can do as a minimum to protect themselves from cyber-attack: anti-malware; up-to-date patching; a standard of information assurance, so there are basics you can learn in a few hours then talk to other people and help them protect themselves.
“And that's a core message of policing – probably the most important mission of policing in this role. We are only ever going to investigate a small proportion [of cyber-crimes] so the challenge is to help people protect themselves in the first place.”
Leppard tells SC: “Policing doesn't lack capability, what it lacks is capacity, it has skills but hasn't got [enough] resource. It's got limited funding, the scale is huge. What would be more effective is if we could create economies of scale. If you can imagine 43 police forces all trying to build huge numbers of servers to gather this data, move it from one device to another and go through what they want from it, it must be the case that to do that on a national scales would be far more effective and far cheaper.” An implication is the potential for industry to provide secure cloud storage at the appropriate ILS4 level so that seised material could be uploaded into a central location for analysis.