Met Police and NCA: UK businesses are not helping fight cyber-crime

Two of the UK's top cyber crime-fighters have accused financial institutions and other companies of failing to share information about cyber-attacks because of 'mutual suspicion' between police and the private sector.

Met Police Commissioner Sir Bernard Hogan-Howe and Donald Toon, director of the economic crime command at the National Crime Agency (NCA), both told the World Cities Conference in London on Thursday that getting businesses to share evidence of attacks is a vital issue for law enforcement, as it emerged that cyber-crime reports rose 54 percent in the last year.

Industry representatives have backed their view but also suggest the police could do more in return for greater co-operation.

Hogan-Howe told the conference that cyber crime poses significant challenges for the police - including an urgent need to convince businesses that they need to share information with the police about cyber attacks on their systems, according to the Wall Street Journal (WSJ).

Separately, NCA's Donald Toon told the conference: “There's a real issue around co-operation between some parts of the private sector and law enforcement. For too long there has been a degree of mutual suspicion.”

Toon said UK banks with operations abroad are loath to share information regarding money laundering and cyber crime, because of national anti-money laundering and national data protection laws, the WSJ reports.

Hogan-Howe, who revealed there had been a 54 percent leap in cyber-crime reports in the last year, said: “Organisations have control rooms running 24 hours a day to fend off attacks, often against state actors, but rarely will they share that information with the police.

“They say the police will be overwhelmed. I tell them that if they don't tell us, I can guarantee we won't do anything about it. It's vital they share that information with us.”

According to the report, he added: “Of course, businesses are concerned about shareholder value, and we're all concerned that the reputation of our organisations are intact. But the only person who benefits from that confidentiality and that discretion is the criminal who attacks us, or the state actor who may be involved.”

The two men's views have received strong backing from John Walker, visiting professor at Nottingham-Trent University and director of cyber security consultancy ISX.

He told SCMagazineUK.com: “They are absolutely spot on. First of all, commercial organisations are not gathering information as they should. It's one of those black arts which has got to be corrected - because until the commercials all get into a position where they're feeding into a central repository about the amount of attacks they're seeing and where they're coming from, we'll never get anywhere.

“I'm absolutely sure law enforcement will treat that information with confidentiality. We need to get commercial organisations telling the police and National Crime Agency what's going on because that is the only way we're going to get a big picture - and until we get that big picture we will never ever be in a position to curtail this threat.”

Richard Horne, cyber security partner at PricewaterhouseCoopers (PwC), also backed the police's call, but said commercial organisations need guidance on the kind of data they require.

He told SC: “There's definitely something in it. Combatting cyber-crime does require gathering of evidence, and sharing of evidence that's distributed across a wide variety of companies in the private sector.

“But I think there's also a requirement for the police or law enforcement to be clear about what data they need to combat cyber-crime. They need to be clear what data is going to be useful and how that data needs to be prepared, collated and presented to them, and in a way that protects privacy and confidentiality.

“Everyone's learning, everyone's building their capability, so there's also an element of needing to build capability to detect and report attacks as well.”

However, industry expert Fran Howarth, a senior security analyst at Bloor Research, is not optimistic the situation will improve because of difficulties gathering attack data and companies' fears over how it will be used.

She told SC by email: “Information sharing has long been a problem in security and I don't see that changing any time soon. Add that to the problem that organisations struggle to detect incidents, often taking months or being informed by third parties, and the need to inform law enforcement months down the line is probably not top of mind.

“I also expect that many organisations will be suspicious of the competence of the police in the area of digital crime. Plus there are legal issues regarding sharing information over borders. If information is shared with a third party, such as the police, the organisation itself will be held liable if those regulations are not upheld.”

SC Magazine UK contacted the Met Police and NCA to independently confirm the details of the statements, but they were unable to respond by time of writing.