
PA-Consulting-Group_Cybercrime-Tipping-point-survey-report

Date post: 16-Aug-2015
Upload: james-fisher
Conducted in association with the Police National Analysis Working Group December 2014

CONTENTS

FOREWORDS 2

EXECUTIVE SUMMARY: THE CYBERCRIME TIPPING POINT 4

TECHNOLOGY: CHANGING THE POLICING LANDSCAPE 5

CYBERCRIME: A RAPIDLY GROWING THREAT 7

TIME: A LIMITED CAPACITY TO FOCUS ON CYBERCRIME 9

SKILLS AND TOOLS: AN INABILITY TO RESPOND EFFECTIVELY 11

INFORMATION SHARING: HELPING TO JOIN THE DOTS 13

LEGISLATION: THE IMPORTANCE OF CHANGE 15

SUMMARY OF RECOMMENDATIONS 17

ABOUT THE SURVEY 18

THE POLICING LANDSCAPE IS CHANGING

“Her Majesty’s Inspectorate of Constabulary’s latest reports on the Strategic Policing Requirement focus on the preparedness of forces to respond to a large-scale cyber incident. But it is equally important that we consider the police response to the growing numbers of cybercrimes that affect individuals.

The public expects to receive the same levels of support from the police, whether the offence is committed in their community or online. This presents many challenges for the police at all levels. It is clear that we will need to develop new skills, tools and policies to provide an effective and affordable approach to digital intelligence and investigations. Achieving this requires a detailed understanding of the nature of the cyber challenge and the best police responses to deal with it.

It is for this reason that we were delighted to be able to work with PA Consulting Group on their survey of the views of the analysts and researchers in the National Analysis Working Group. The analysts have an unparalleled range of experience and knowledge about the challenges law enforcement agencies face in fighting cybercrime and their survey responses have given us some important and very timely analysis.

I am sure all colleagues will find the insights in this report very useful as they develop their response to the growing challenge of cybercrime.”

Chief Constable Giles York
National Policing Lead for National Intelligence Analysis Working Group

FOR POLICING, THIS IS A TIPPING POINT

“To date, much of the focus on cyber has been biased towards security measures, information assurance and education – all designed to prevent attacks which compromise or damage the critical national infrastructure. Far less attention has been paid to helping the police deal with individual victims of cybercrimes, from bank fraud to online child sexual exploitation, or to catching those who commit those crimes.

Through our work across law enforcement, we are seeing a growing recognition of the importance of countering these threats, by developing the UK’s digital intelligence and investigation capabilities.

Our survey of 185 analysts from 48 law enforcement organisations provides an immensely valuable insight into the experience of those on the frontline. We are very grateful to the National Analysis Working Group (NAWG) members who took part and are quoted throughout our survey. All the recommendations and conclusions that follow are our own.”

Nick Newman
Security and policing expert at PA Consulting Group

EXECUTIVE SUMMARY: THE CYBERCRIME TIPPING POINT

The policing landscape is changing fast. Traditional crimes, such as burglary and car theft, are on the decline, but there is growing awareness of ‘invisible’ crimes – including domestic violence, child abuse and modern slavery. In addition, criminal activity is being transformed by the internet, social media and mobile communications. A high proportion of offenders use this technology to plan traditional crimes. In addition, a range of new crimes are being committed purely in cyberspace.

Yet there is a real gap in knowledge and awareness of these changes. Official statistics do not distinguish between traditional offences and those committed in cyberspace. Home Office research shows cybercrime is significantly under-reported[1], and there is limited data available to quantify the scale of new threats or the rate of change. So there is a critical need to develop understanding of this new world so police and law enforcement agencies can respond effectively to cybercrime.

To help in that work, we surveyed 185 analysts from 48 of the UK’s law enforcement organisations, who represented local, regional and national interests.

Their responses present a stark warning about the scale of the task. They forecast the time they spend on cybercrime will treble over the next three years; but only 30% believe they have the skills and tools to do the job effectively. In addition, the analysts’ experience highlights the immediate challenge of transforming training, tools, and ways of working in the new digital landscape.

They also provide some specific responses about what is needed to meet these challenges. These include a collaborative policing approach – across national and local boundaries; a new set of digital investigation tools and training for officers; and a focus on maximising operational outcomes from intelligence. In all this, modern policing will need to find an acceptable balance between intrusive online surveillance and individual privacy.

With growing pressures on frontline police budgets, we believe a portion of the National Cyber Security Programme’s future funding should be allocated to the 'digital transformation' of police intelligence and analytical functions, and for training the next generation of digital investigators.

We have made recommendations on page 17 on how the police can tackle cybercrime.

[1] Cyber Crime: A Review of the Evidence, Home Office, October 2013.

TECHNOLOGY: CHANGING THE POLICING LANDSCAPE

The majority of analysts believe their work leads to operational outcome, but are aware that their task force will need to adapt to match the changing landscape.

PA believes that the UK has reached a ‘tipping point’[2] on cybercrime and that tackling the challenges is now urgent. However, this is made more difficult because there is confusion over the types of cyber threats and the responses required to deal with them.

Sustained cross-government investment in the UK’s National Cyber Security Programme demonstrates growing awareness of the need for a local response to a major cyber security incident. However, these measures do not adequately address the full range of cybercrime threats.

The UK Home Office has also provided a helpful explanation of the different types of cybercrime and terrorism as part of a coordinated response to digital intelligence and investigations. Yet there is still very little data available to quantify the scale and range of new threats, or the pace of change.

Some progress is being made, and following a Home Office sponsored workshop of national policing representatives, facilitated by PA and the College of Policing at Ryton in June 2014[3], a common language was agreed to reflect the scope of digital intelligence and investigation. The following four definitions describe the operational challenge and investigative response:

• Understanding the digital footprint, i.e. the trail of data that is left behind by all users of digital services. In an investigative context, this typically relates to mobile and online communications, travel and financial transactions by offenders and victims.
• Countering internet-facilitated crime where the internet and smartphones are used in planning or committing traditional criminal or terrorist activity. This ranges from online abuse as part of a neighbourhood dispute to communications between terrorists planning attacks.
• Countering cyber-enabled crimes (such as fraud, the purchasing of illegal drugs and firearms and child sexual exploitation) which can be conducted on or offline, but online may take place at unprecedented scale and speed. This might include terrorism, e.g. where cyber-enabled fraud is used to fund terrorist activities.
• Countering cyber-dependent crimes which can only be committed using computers, computer networks or other forms of information communication technology. They include the creation and spread of malware for financial gain, hacking to steal important personal or industry data and denial of service attacks to cause reputational damage for criminal purposes or terrorism.

The types of threat and the required response are likely to vary across local, regional and national levels, although (with the exception of some large corporate targets) victim support is always a local responsibility.

Figure 1: Indicative division of responsibilities and operational focus

[2] ‘The ‘new normal’?’ Police Professional, 17 April 2014
[3] ‘Digital Intelligence and Investigations Event’, College of Policing, Ryton, June 2014.

CYBERCRIME: A RAPIDLY GROWING THREAT

Cybercrime is increasing but is not being properly measured and reported. In our survey, only 15% of respondents said cybercrime was specifically measured within their organisation. Despite law enforcement not yet being able to fully quantify the threat, 57% of respondents think cybercrime (figure 2) will increase significantly over the next three years (none felt it would reduce).

Measuring cybercrime is difficult because there is confusion over what people mean when they talk about it and different perceptions about its impact. This is made more complex because most cyber offences are actually traditional crimes committed using new technology. There is, however, ongoing research to estimate the scale of the threat by focusing on costs. The Home Office has estimated the costs of cybercrime could reasonably be assessed to equate to at least several billion pounds per year.[4]

The British Crime Survey is also starting to ask cyber-themed questions. Some forces are improving the tagging of crime reports with cyber labels, while specialised units are able to estimate the threat for specific aspects of cybercrime, e.g. cyber-enabled fraud.

Given the lack of accurate figures, it is not surprising that only half of the respondents thought their police and crime commissioner believes cybercrime has a significant impact in their local community.

“Cyber fraud cost the UK £670 million between August 2013-14, according to recent figures from the National Fraud Intelligence Bureau. Meanwhile, separate research from credit reference agency, Experian, found the illicit trade in stolen data, used by criminals to facilitate cyber fraud, has risen 300% over the last two years.”[5]

Recommendation 1

There needs to be a concerted and nationally coordinated effort to improve the measurement and analysis of cybercrime data. This will improve understanding of threats and the ability to spot opportunities for efficiencies where there is duplication in investigations.

Recommendation 2

For cyber-enabled and dependent crime there should be centrally coordinated recording standards for all police forces. This includes national units taking the lead on providing an overall threat assessment.

“Increased awareness of offences using mobile equipment, and the expansion of the use of social media, means more people are aware that they could become a victim of crime.”

“[The] police are becoming more aware of the cyber threat, but remain behind in terms of their own technology, knowledge and intelligence.”

“You only find something when you look for it – and we have only just started looking.”

Note: All the quotations in this report are from comments made by survey respondents.

[Figure 2: Proportion of analysts forecasting growth of cybercrime threat. Categories: Increasing significantly, Increasing slightly, Remaining constant, Reducing. Axis: % of respondents.]

[4] Cyber Crime: A Review of the Evidence, Home Office, October 2013.
[5] The Guardian, Cybercrime Now Becoming A Serious Problem for Many Britons, 21 October 2014.

TIME: A LIMITED CAPACITY TO FOCUS ON CYBERCRIME

More analysts are investigating cybercrime but the time they spend on it is not keeping pace with demand.

The survey shows that nearly three quarters of analysts work on cybercrime as part of their role, up 38% from three years ago. Almost all of them think cybercrime will be part of their role three years from now.

Despite this, they only spend 10% of their time working on cybercrimes, or exploiting cyber leads within investigations (figure 3).

Respondents think this will change and forecast the proportion of time they spend working on cybercrimes will treble over the next three years. However, given the scope to improve the tools and training for digital intelligence and investigation, this would not necessarily lead to a corresponding increase in resources as they could be deployed more efficiently.

[Figure 3: Proportion of respondents who investigate cybercrime as part of their role and actual time spent working on this. Groups: Proportion of analysts working on cybercrime as part of their role; Proportion of analysts' time spent working on cybercrime. Series: Three years ago, Now, Three years from now.]

Our survey indicates around 50% of the time analysts spend investigating cybercrime relates to traditional ‘internet-facilitated’ offences; while cyber-dependent crime accounts for only 10% (figure 4).

This is not unexpected given that relatively few analysts work in specialist cybercrime units. What is surprising is that this does not seem to vary significantly between local, regional and national units.

The relatively high proportion of time spent on internet-facilitated crimes shows how analysts are starting to focus on securing information about traditional crimes that are now planned or conducted using internet-based and mobile communications. They are clearly recognising the opportunity to obtain indicators, such as travel and finance, from online sources, rather than using traditional human surveillance techniques.

However, the number of police analysts has reduced by around 25% in the last few years, so finding the resource to realise these digital opportunities is a challenge.

These constraints should force a rethink about the roles, training and skills involved in investigating cybercrime. At the moment there are: analysts; the designated ‘single points of contact’ (SPOCs) for telecommunications enquiries; high-tech crime investigators and the new ‘Digital Media Investigator’ (DMI) role; as well as mainstream investigators. These roles have overlapping responsibilities and present scope for efficiencies. That is underlined by the finding in the survey that 70% of respondents think non-analysts are doing their own analysis, and this could provide a potential additional resource.

Recommendation 3

Law enforcement organisations need to develop a future operating model for cybercrime analysis. They need to redefine and clarify roles and responsibilities across cyber-enabled, dependent and internet-facilitated crimes against key roles (analysts, SPOCs and DMIs) as well as between local, regional and national units.

[Figure 4: Proportion of time spent investigating different types of cybercrime. Rows: Force, Regional unit (ROCU), National unit. Series: Internet-facilitated crime, Cyber-enabled crime, Cyber-dependent crime. Axis: % of total time spent on cyber.]

SKILLS AND TOOLS: AN INABILITY TO RESPOND EFFECTIVELY

Analysts need better skills and training and to collaborate more effectively with partners to secure the expertise they need.

Only 30% of our respondents who work on cybercrime felt sufficiently equipped to conduct digital investigations – frequently citing a lack of adequate training. There also seems to be a lack of deep expertise with only 5% claiming to have ‘considerable knowledge’.

Yet these digital skills are critical to exploiting internet data sources effectively. Half of our respondents’ investigations were dependent on the collection and analysis of communications data (figure 5).

Open-source research and social media analysis are also widely used – in 46% and 32% of investigations respectively. This underlines that there are tools available to access social media data but the critical issue is having the right skills in place to exploit those tools.

This need is being recognised, with the College of Policing bringing out new training courses to increase the cyber awareness of mainstream officers. However, the analysts felt that these courses need to be focused on the roles that are most likely to be involved in investigating cybercrime.

“Three years ago it [cybercrime] wasn't recognised as an issue. Now we are beginning to recognise it, but still can't respond effectively to it.”

“[We need] further training on how cybercrime works and how best to turn that evidence into intelligence.”

There is also a need for a number of specific activities that tackle the skills gap in cybercrime work. This should start with nationwide policy and user guidance on how to use open source material for intelligence and evidential purposes. Improved training should be provided to develop open source investigative skills for all analysts and there should be wider access to specialist open source technology and tools.

In addition to the focus on training, we are seeing investment in new roles such as the DMI. However, our experience in delivering digital transformation suggests there should be a more fundamental rethink of the recruitment and skills profile for those working on cyber analysis and investigation.

Recommendation 4

Cybercrime analysis requires experienced data scientists with the skills and experience to exploit big data. Law enforcement will need to find new ways of working with industry and academic partners to define and source these roles.

“The increased percentage of time the public spend on convergent technological media has increased the scope for criminal behaviour across the platforms and made investigation difficult for the non-technical officer.”

[Figure 5: Proportion of investigations using different types of digital surveillance. Categories: Communications data, Open source research, Social media analysis, Digital forensics, Other. Axis: % of investigations.]

INFORMATION SHARING: HELPING TO JOIN THE DOTS

Cybercrime does not respect force or organisational boundaries. This means it is vital that there is closer collaboration between law enforcement organisations to share information.

Law enforcement organisations have invested in improved information sharing and collaboration since the 2004 Bichard Inquiry. However, cybercrime is placing increasing demands on those systems. They need to be able to share large volumes of data because offender groups, victims and the ‘digital crime scenes’ typically span force boundaries or even different international jurisdictions.

In addition police forces may need to work with a large range of private sector organisations (e.g. financial services) that collect data on cybercrime, and find ways of sharing data with them.

This is not currently happening consistently. One-third of survey respondents reported they had been unable to share operationally beneficial information with other appropriate organisations. This was due to policy constraints or a lack of suitable IT.

The survey shows the core areas which need to be addressed are those relating to how analysts get access to data in other organisations and the policy on information sharing (figure 6).

This makes it critical that forces work together and exchange information at local and global levels.

Some progress is being made. 70% of respondents said their organisation is implementing plans to improve information sharing across boundaries. However, police forces are often doing this in isolation. This means there is a need for a concerted effort to agree and use common data standards across policing. The growth of collaboration initiatives, such as MINERVA, should help.

It was also encouraging that half of respondents felt well engaged with the National Crime Agency, although it is clear that more work is needed to join the dots in a sometimes fractured landscape.

The areas where further work is needed include:

• Improving the speed of data exploitation
• Increasing capacity for self-service queries and basic analysis by non-specialist staff
• Ensuring closer integration with operational teams to improve intelligence outcomes.

Recommendation 5

Law enforcement needs effective and sustainable systems for sharing large volumes of data on cyber-dependent and enabled crime. Analysts working in these areas will then be able to match up information between investigative leads which span geographical boundaries.

“[We need] a single information sharing agreement across all law enforcement agencies.”

“[We need] joined up IT systems that enable a single entry point to practitioners.”

[Figure 6: Areas which need to be addressed to improve collaboration. Categories: Access to data, Data exploitation, Policy, People and skills. Axis: % respondents.]

LEGISLATION: THE IMPORTANCE OF CHANGE

It is clear that effective responses to cybercrime require the ability to analyse digital data sources, yet legislative constraints mean these can be increasingly difficult to acquire and exploit. The survey shows that analysts feel there is a growing need to modernise legislation so it reflects the impact of technology.

70% of respondents felt it reasonably or very important for the Government to introduce new communications data legislation so that investigatory powers, designed for the telephone, can keep pace with the widespread use of internet-based communications. 23% believe that a lack of new legislation is already having a reasonable or substantial effect on operations today.

Figure 7 shows the increasing reliance on a range of digital sources (especially communications data, social media and digital forensics) by those analysts who state they have the greatest understanding of cybercrime. This group has the greatest awareness of the limitations of current legislation.

In order to gain acceptance of the need for updated legislation, those tackling cybercrime will need to explain how new surveillance powers would be used proportionately. This should include an emphasis on how the procedures to acquire data guard against any intrusion into the privacy of innocent citizens.

This needs to be underpinned by evidence that shows changes are a necessary and proportionate response to digital threats and need to reflect the changing technological environment. This will maintain the UK’s existing security and police capabilities in response to increasingly sophisticated activity of those involved in terrorism and serious crime.

The Home Office has consistently made the case for legislative change under two successive governments, and the emergence of new cybercrime threats bolsters its campaigns for change. There is also now a timely opportunity for police and agencies to make their case for updated legislation.

Recommendation 6

To secure legislative change, police and agencies will need to explain the capability gap better; provide assurance that the acquisition and use of communications data is proportionate; and demonstrate they will be held properly to account through independent and transparent scrutiny. The ‘sunset clause’ in the Data Retention and Investigatory Powers Act and upcoming review of Regulation of Investigatory Powers Act provides a timely opportunity for police and agencies to make their case.

“[We need to] explain what justification police need to have to obtain data. People assume police can access anything at anytime, but there are strict controls.”

[Figure 7: Types of digital data used by analysts in relation to cybercrime knowledge. Axis: Level of analysts’ cybercrime knowledge (None, A little, Moderate, Considerable). Series (types of digital data used): Other, Digital forensics, Communications data, Social media analysis, Open source research (non-social media). Scale: 0% to 100%.]

SUMMARY OF RECOMMENDATIONS

1. There needs to be a concerted and nationally coordinated effort to improve the measurement and analysis of cybercrime data. This will improve the understanding of threats and the ability to spot efficiency opportunities where duplication in investigations exists.

2. For cyber-enabled and dependent crime there should be centrally coordinated recording standards for all police forces. This includes national units taking the lead on providing an overall threat assessment.

3. The law enforcement community needs to develop a future operating model for cybercrime analysis. It needs to redefine and clarify roles and responsibilities across cyber-enabled, dependent and internet-facilitated crimes against key roles (analysts, SPOCs and DMIs) as well as between local, regional and national units.

4. Cybercrime analysis requires experienced data scientists with the skills and experience to exploit big data. Law enforcement will need to find new ways of working with industry and academic partners to define and source these roles.

5. Law enforcement needs effective and sustainable systems for sharing large volumes of data on cyber-dependent and enabled crime. Analysts working in these areas will then be able to match up information between investigative leads which span geographical boundaries.

6. To secure legislative change, police and agencies will need to explain the capability gap better; provide assurance that the acquisition and use of communications data is proportionate; and demonstrate they will be held properly to account through independent and transparent scrutiny. The ‘sunset clause’ in the Data Retention and Investigatory Powers Act and upcoming review of Regulation of Investigatory Powers Act provides a timely opportunity for police and agencies to make their case.

ABOUT THE SURVEY

This report records key findings from our cybercrime survey, conducted in association with the NAWG[6]. The NAWG represents over 1,500 intelligence analysts and researchers working within UK law enforcement. The recommendations in this report are made by PA Consulting Group and do not necessarily reflect the views of the NAWG or individual respondents.

In the survey we explored the analysts’ perception of the threats posed by cybercrime; how that threat is evolving and how the UK law enforcement community should respond.

Around 15% of the NAWG membership responded, which provides a valuable body of evidence to inform a debate that currently has limited sources of quantitative evidence to draw upon.

Many respondents took the time to add personal observations to their responses, and we have quoted some of these anonymously throughout.

We are extremely grateful to the NAWG and all who took part in the survey.

[6] Throughout this report the term ‘analyst’ is used as shorthand for a member of the NAWG who has responded to the survey.

Contact: Nick Newman, [email protected]

Corporate headquarters
123 Buckingham Palace Road
London SW1W 9SR
United Kingdom
Tel: +44 20 7730 9000
paconsulting.com

This document has been prepared by PA. The contents of this document do not constitute any form of commitment or recommendation on the part of PA and speak as at the date of their preparation.

© PA Knowledge Limited 2014. All rights reserved.

No part of this documentation may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying or otherwise without the written permission of PA Consulting Group.

We are an employee-owned firm of over 2,500 people, operating globally from offices across North America, Europe, the Nordics, the Gulf and Asia Pacific.

We are experts in energy, financial services, life sciences and healthcare, manufacturing, government and public services, defence and security, telecommunications, transport and logistics.

Our deep industry knowledge together with skills in management consulting, technology and innovation allows us to challenge conventional thinking and deliver exceptional results with lasting impact.

2036-105

