London Police-BBA cyber crime partnership gets mixed response

News by Doug Drinkwater

The City of London police has partnered with the British Bankers' Association (BBA) to tackle cyber crime, but the alliance has already come under criticism from one cyber security expert.

The new partnership has been established to prevent cyber criminals stealing from customers and reportedly prevented the theft of £173.9 million over the past nine months. In addition, it has apparently identified 20,000 suspect bank accounts since April last year.

Under the terms of the agreement, reported in the FT on Monday, the organisation will attempt to create a virtual “ring of steel” around the City of London – a reference to physical security employed around the UK's financial centre – and also aims to educate global banks on the cyber risks via its new global centre of excellence. This centre is to run training workshops on subjects such as the latest threats and techniques used by cyber criminals to commit fraud, bribery and corruption.

Commissioner Adrian Leppard of the City of London Police said in a prepared statement: “In 2014, serving the country as the national policing lead for economic crime, the City of London Police is focusing on the rapidly evolving and expanding threat of fraud and cyber crime.

“The next logical step for us to take is to create a ‘virtual ring of steel’ around what is the financial engine room of the UK. The way we are going to do it is by teaming up with City workers and sharing our experience and expertise with the banks that are now the target or being used as a facilitator for organised crime.”

But despite this new initiative, which follows shortly after mixed results at the latest Waking Shark exercise, some cyber security experts have questioned the project.

Adrian Culley, technical consultant at Damballa and formerly of Scotland Yard's Computer Crime Unit, said that collaboration is a “very good thing” but urged that there is more work to be done.

“More communications are great but they're never going to solve the problem alone,” he said, adding that this partnership needs to focus on educating on skills and technology. “We need to address the fundamentals first.”

Those fundamentals, according to Culley, should include improved bank collaboration and education (he says that “most people didn't know the 1990 Computer Misuse Act” at Waking Shark).

Culley added that the “ring of steel” terminology has been lifted from the days of IRA attacks, but he believes that it is hard to achieve this kind of defence in a digital world where perimeter solutions such as firewalls are designed to allow and block access in equal measure.

“A physical ring of fire doesn't translate into cyber space. Plus, it's missing the point of where the industry is now,” he said, adding that IT departments have become too reliant on perimeter technologies.

“We've got to start educating on the basics of what is an attack, but at the same time educate on protecting compromised network systems, and what [companies] do and don't care about [in terms of data]. We need to raise the bar.”

Nick Pollard, senior director of Professional Services at Guidance Software, agreed, saying that banking institutions must up their game independently and that laws should be clarified on data breach notifications – something which could yet result from the EU's impending Data Protection Reform.

“Overall, the partnership is a very positive move,” he said via email. “The creation of a virtual 'ring of steel' around the City of London sends a clear warning message to the cyber criminals.

“However, collective action must be balanced with individual responsibility; each bank has to take charge of its own house. Institutions not only need to ensure that they have the right policies in place to participate in the CISP platform, report to regulators, law enforcement and so on, but also ensure that these policies are fully updated and acted on. 

“One of the ways through which we can move to a culture of effective collaboration is to strengthen and clarify the law around notification. This, I believe, would help organisations to identify a critical path to notification, which will vary between and within institutions, and to instil a new culture of co-operation - where ideas, techniques and skills can be shared. A cultural change is essential if we are to make serious gains in the arms race with the cyber criminals.”
