Saunders was speaking at an event hosted by UK think-tank Reform in central London on Thursday, where he was on a panel “detecting, intelligence and control: responding to the cyber-threat”.
Saunders proudly promoted the investment made in the NCCU but admitted that “there is actually still a lot of challenges in terms of skilling, recruitment and retention – making sure we've got the right technical capabilities and staying ahead of the game…as well as up-skilling at a local level.”
He added: “I do think having a basic model of having a strong, well-funded, central crime unit is really important but there's a massive hill to climb at local level.”
He cited the HMIC (Her Majesty's Inspectorate of Constabulary) report, released in April and which indicated only three of 43 forces were prepared for dealing with such cases, but said others are progressing well, albeit mainly in London.
“There has been some progress made there; the Met [Police] is a good example of a force that has invested a lot in FALCON. Outside London, some forces are doing better than others and perhaps I'll leave that there.”
“The key is getting the right balance there between what we're doing nationally, with the NCA, what we're doing locally for forces, and that regional tier of policing….(with specialised ROCU groups - Ed), which are really of the part answer for some small forces – some forces can't do the whole job on their own.”
Saunders, who was interviewed by SC for our cyber-crime special edition last November, also admitted that the systems for reporting cyber-crimes are still largely inadequate.
“There are things we need to do to improve the reporting system, there's no doubt about that, but I think that the basic concept of having a central national reporting system is sound because in practice what they're getting is tens of hundreds of reports of the same crime, from different parts of country, and that does need to be brought together and triaged.”
A deeper issue, said the NCCU head, is teething problems between certain groups, especially when one group has no capacity to deal with cyber-crime. He cited an example of Action Fraud referring a case to a local force, which may have no capacity to deal with the case and thus discard it.
“There is an issue with capacity overall,” he said.
“A lot of this is about up-skilling just to operate in the digital world,” Saunders later added, citing the increase in internet-enabled crimes – such as cyber-stalking and child exploitation – and how this needs to be tackled on a national level.
“The key challenges, I think, are around implementation and follow through.”
Other panellists looked at cyber-crime from a business perspective, with some suggesting that the fear, uncertainty and doubt (FUD) spread in the media and by security firms is not helpful to people coming forward.
Mandy Haeburn-Little, who heads up the new London Digital Security Centre and who is also chief executive of the Scottish Business Resilience Centre, said that this contributes to a lack of control, and that the messaging needed to be spot-on if companies are to take security seriously.
“Fear doesn't work – fear shuts down business, they don't get it,” she said.
“If we start looking at talking on day-to-day basis on realities of cyber-crime, the cyber-crime statistics will go up and if people report more, they will shoot up. And actually is that good thing? Yes I think it is, it may be controversial, but I would welcome much more realistic to cyber-crime statistics.”
Dr Ian Levy, technical director at GCHQ's Communications Electronics Security Group (CESG), added to the debate by saying that the right language is vital for risk management, and downplayed the reports of APTs and cyber-warfare.
“Language changes how you perceive risk…[and] this is all about risk management. When we talk about cyber-security, as an industry, it denies people to have rational feelings.”
Levy expanded on that last point by saying that citizens are too often scared unreasonably by the online threats, jokingly saying that many are led to believe they will be hounded by “winged ninja cyber-monkeys” who could compromise their machine just by “thinking about it”.
“If you look at attacks on enterprises, and the APT tag – most attacks we see are throwing patched vulnerabilities that have been patched.”