Date post: 16-Aug-2015
Category: Documents
Upload: james-fisher
CONTENTS
FOREWORDS
EXECUTIVE SUMMARY: THE CYBERCRIME TIPPING POINT
TECHNOLOGY: CHANGING THE POLICING LANDSCAPE
CYBERCRIME: A RAPIDLY GROWING THREAT
TIME: A LIMITED CAPACITY TO FOCUS ON CYBERCRIME
SKILLS AND TOOLS: AN INABILITY TO RESPOND EFFECTIVELY
INFORMATION SHARING: HELPING TO JOIN THE DOTS
LEGISLATION: THE IMPORTANCE OF CHANGE
SUMMARY OF RECOMMENDATIONS
ABOUT THE SURVEY

THE POLICING LANDSCAPE IS CHANGING

“Her Majesty’s Inspectorate of Constabulary’s latest reports on the Strategic Policing Requirement focus on the preparedness of forces to respond to a large-scale cyber incident. But it is equally important that we consider the police response to the growing numbers of cybercrimes that affect individuals.

The public expects to receive the same levels of support from the police, whether the offence is committed in their community or online. This presents many challenges for the police at all levels. It is clear that we will need to develop new skills, tools and policies to provide an effective and affordable approach to digital intelligence and investigations.

Achieving this requires a detailed understanding of the nature of the cyber challenge and the best police responses to deal with it. It is for this reason that we were delighted to be able to work with PA Consulting Group on their survey of the views of the analysts and researchers in the National Analysis Working Group. The analysts have an unparalleled range of experience and knowledge about the challenges law enforcement agencies face in fighting cybercrime and their survey responses have given us some important and very timely analysis.

I am sure all colleagues will find the insights in this report very useful as they develop their response to the growing challenge of cybercrime.”

Chief Constable Giles York
National Policing Lead for National Intelligence Analysis Working Group

FOR POLICING, THIS IS A TIPPING POINT

“To date, much of the focus on cyber has been biased towards security measures, information assurance and education – all designed to prevent attacks which compromise or damage the critical national infrastructure. Far less attention has been paid to helping the police deal with individual victims of cybercrimes, from bank fraud to online child sexual exploitation, or to catching those who commit those crimes.

Through our work across law enforcement, we are seeing a growing recognition of the importance of countering these threats, by developing the UK’s digital intelligence and investigation capabilities.

Our survey of 185 analysts from 48 law enforcement organisations provides an immensely valuable insight into the experience of those on the frontline. We are very grateful to the National Analysis Working Group (NAWG) members who took part and are quoted throughout our survey. All the recommendations and conclusions that follow are our own.”

Nick Newman
Security and policing expert at PA Consulting Group

EXECUTIVE SUMMARY: THE CYBERCRIME TIPPING POINT

The policing landscape is changing fast. Traditional crimes, such as burglary and car theft are on the decline, but there is growing awareness of ‘invisible’ crimes – including domestic violence, child abuse and modern slavery. In addition, criminal activity is being transformed by the internet, social media and mobile communications. A high proportion of offenders use this technology to plan traditional crimes. In addition, a range of new crimes are being committed purely in cyberspace.

Yet there is a real gap in knowledge and awareness of these changes. Official statistics do not distinguish between traditional offences and those committed in cyberspace. Home Office research shows cybercrime is significantly under-reported[1], and there is limited data available to quantify the scale of new threats or the rate of change. So there is a critical need to develop understanding of this new world so police and law enforcement agencies can respond effectively to cybercrime.

To help in that work, we surveyed 185 analysts from 48 of the UK’s law enforcement organisations, who represented local, regional and national interests.

Their responses present a stark warning about the scale of the task. They forecast the time they spend on cybercrime will treble over the next three years; but only 30% believe they have the skills and tools to do the job effectively. In addition, the analysts’ experience highlights the immediate challenge of transforming training, tools, and ways of working in the new digital landscape.

They also provide some specific responses about what is needed to meet these challenges. These include a collaborative policing approach – across national and local boundaries; a new set of digital investigation tools and training for officers; and a focus on maximising operational outcomes from intelligence. In all this, modern policing will need to find an acceptable balance between intrusive online surveillance and individual privacy.

With growing pressures on frontline police budgets, we believe a portion of the National Cyber Security Programme’s future funding should be allocated to the 'digital transformation' of police intelligence and analytical functions, and for training the next generation of digital investigators.

We have made recommendations on page 17 on how the police can tackle cybercrime.

1. Cyber Crime: A Review of the Evidence, Home Office, October 2013.

TECHNOLOGY: CHANGING THE POLICING LANDSCAPE

The majority of analysts believe their work leads to operational outcome, but are aware that their task force will need to adapt to match the changing landscape.

PA believes that the UK has reached a ‘tipping point’[2] on cybercrime and that tackling the challenges is now urgent. However, this is made more difficult because there is confusion over the types of cyber threats and the responses required to deal with them.

Sustained cross-government investment in the UK’s National Cyber Security Programme demonstrates growing awareness of the need for a local response to a major cyber security incident. However, these measures do not adequately address the full range of cybercrime threats.

The UK Home Office has also provided a helpful explanation of the different types of cybercrime and terrorism as part of a coordinated response to digital intelligence and investigations. Yet there is still very little data available to quantify the scale and range of new threats, or the pace of change.

Some progress is being made, and following a Home Office sponsored workshop of national policing representatives, facilitated by PA and the College of Policing at Ryton in June 2014[3], a common language was agreed to reflect the scope of digital intelligence and investigation. The following four definitions describe the operational challenge and investigative response:

• Understanding the digital footprint, i.e. the trail of data that is left behind by all users of digital services. In an investigative context, this typically relates to mobile and online communications, travel and financial transactions by offenders and victims.
• Countering internet-facilitated crime where the internet and smartphones are used in planning or committing traditional criminal or terrorist activity. This ranges from online abuse as part of a neighbourhood dispute to communications between terrorists planning attacks.
• Countering cyber-enabled crimes (such as fraud, the purchasing of illegal drugs and firearms and child sexual exploitation) which can be conducted on or offline, but online may take place at unprecedented scale and speed. This might include terrorism, e.g. where cyber-enabled fraud is used to fund terrorist activities.
• Countering cyber-dependent crimes which can only be committed using computers, computer networks or other forms of information communication technology. They include the creation and spread of malware for financial gain, hacking to steal important personal or industry data and denial of service attacks to cause reputational damage for criminal purposes or terrorism.

The types of threat and the required response are likely to vary across local, regional and national levels, although (with the exception of some large corporate targets) victim support is always a local responsibility.

Figure 1: Indicative division of responsibilities and operational focus

2. ‘The ‘new normal’?’ Police Professional, 17 April 2014
3. ‘Digital Intelligence and Investigations Event’, College of Policing, Ryton, June 2014.

CYBERCRIME: A RAPIDLY GROWING THREAT

Cybercrime is increasing but is not being properly measured and reported. In our survey, only 15% of respondents said cybercrime was specifically measured within their organisation. Despite law enforcement not yet being able to fully quantify the threat, 57% of respondents think cybercrime (figure 2) will increase significantly over the next three years (none felt it would reduce).

Measuring cybercrime is difficult because there is confusion over what people mean when they talk about it and different perceptions about its impact. This is made more complex because most cyber offences are actually traditional crimes committed using new technology. There is, however, ongoing research to estimate the scale of the threat by focusing on costs. The Home Office has estimated the costs of cybercrime could reasonably be assessed to equate to at least several billion pounds per year.[4]

The British Crime Survey is also starting to ask cyber-themed questions. Some forces are improving the tagging of crime reports with cyber labels, while specialised units are able to estimate the threat for specific aspects of cybercrime, e.g. cyber-enabled fraud.

Given the lack of accurate figures, it is not surprising that only half of the respondents thought their police and crime commissioner believes cybercrime has a significant impact in their local community.

“Cyber fraud cost the UK £670 million between August 2013-14, according to recent figures from the National Fraud Intelligence Bureau. Meanwhile, separate research from credit reference agency, Experian, found the illicit trade in stolen data, used by criminals to facilitate cyber fraud, has risen 300% over the last two years.”[5]

Recommendation 1
There needs to be a concerted and nationally coordinated effort to improve the measurement and analysis of cybercrime data. This will improve understanding of threats and the ability to spot opportunities for efficiencies where there is duplication in investigations.

Recommendation 2
For cyber-enabled and dependent crime there should be centrally coordinated recording standards for all police forces. This includes national units taking the lead on providing an overall threat assessment.

Figure 2: Proportion of analysts forecasting growth of cybercrime threat (axis: % of respondents; categories: Increasing significantly, Increasing slightly, Remaining constant, Reducing)

“Increased awareness of offences using mobile equipment, and the expansion of the use of social media, means more people are aware that they could become a victim of crime.”

“[The] police are becoming more aware of the cyber threat, but remain behind in terms of their own technology, knowledge and intelligence. You only find something when you look for it – and we have only just started looking.”

Note: All the quotations in this report are from comments made by survey respondents.

4. Cyber Crime: A Review of the Evidence, Home Office, October 2013.
5. The Guardian, Cybercrime Now Becoming A Serious Problem for Many Britons, 21 October 2014.

TIME: A LIMITED CAPACITY TO FOCUS ON CYBERCRIME

More analysts are investigating cybercrime but the time they spend on it is not keeping pace with demand.

The survey shows that nearly three quarters of analysts work on cybercrime as part of their role, up 38% from three years ago. Almost all of them think cybercrime will be part of their role three years from now.

Despite this, they only spend 10% of their time working on cybercrimes, or exploiting cyber leads within investigations (figure 3).

Respondents think this will change and forecast the proportion of time they spend working on cybercrimes will treble over the next three years. However, given the scope to improve the tools and training for digital intelligence and investigation, this would not necessarily lead to a corresponding increase in resources as they could be deployed more efficiently.

Figure 3: Proportion of respondents who investigate cybercrime as part of their role and actual time spent working on this. (series: Proportion of analysts working on cybercrime as part of their role; Proportion of analysts' time spent working on cybercrime; periods: Three years ago, Now, Three years from now)

Our survey indicates around 50% of the time analysts spend investigating cybercrime relates to traditional ‘internet-facilitated’ offences; while cyber-dependent crime accounts for only 10% (figure 4).

This is not unexpected given that relatively few analysts work in specialist cybercrime units. What is surprising is that this does not seem to vary significantly between local, regional and national units.

The relatively high proportion of time spent on internet-facilitated crimes shows how analysts are starting to focus on securing information about traditional crimes that are now planned or conducted using internet-based and mobile communications. They are clearly recognising the opportunity to obtain indicators, such as travel and finance, from online sources, rather than using traditional human surveillance techniques. However, the number of police analysts has reduced by around 25% in the last few years, so finding the resource to realise these digital opportunities is a challenge.

These constraints should force a rethink about the roles, training and skills involved in investigating cybercrime. At the moment there are: analysts; the designated ‘single points of contact’ (SPOCs) for telecommunications enquiries; high-tech crime investigators and the new ‘Digital Media Investigator’ (DMI) role; as well as mainstream investigators. These roles have overlapping responsibilities and present scope for efficiencies. That is underlined by the finding in the survey that 70% of respondents think non-analysts are doing their own analysis, and this could provide a potential additional resource.

Recommendation 3
Law enforcement organisations need to develop a future operating model for cybercrime analysis. They need to redefine and clarify roles and responsibilities across cyber-enabled, dependent and internet-facilitated crimes against key roles (analysts, SPOCs and DMIs) as well as between local, regional and national units.

Figure 4: Proportion of time spent investigating different types of cybercrime (axis: % of total time spent on cyber; rows: Force, Regional unit (ROCU), National unit; series: Internet-facilitated crime, Cyber-enabled crime, Cyber-dependent crime)

SKILLS AND TOOLS: AN INABILITY TO RESPOND EFFECTIVELY

Analysts need better skills and training and to collaborate more effectively with partners to secure the expertise they need.

Only 30% of our respondents who work on cybercrime felt sufficiently equipped to conduct digital investigations – frequently citing a lack of adequate training. There also seems to be a lack of deep expertise with only 5% claiming to have ‘considerable knowledge’.

Yet these digital skills are critical to exploiting internet data sources effectively. Half of our respondents’ investigations were dependent on the collection and analysis of communications data (figure 5).

Open-source research and social media analysis are also widely used – in 46% and 32% of investigations respectively. This underlines that there are tools available to access social media data but the critical issue is having the right skills in place to exploit those tools.

This need is being recognised, with the College of Policing bringing out new training courses to increase the cyber awareness of mainstream officers. However, the analysts felt that these courses need to be focused on the roles that are most likely to be involved in investigating cybercrime.

“Three years ago it [cybercrime] wasn't recognised as an issue. Now we are beginning to recognise it, but still can't respond effectively to it.”

“[We need] further training on how cybercrime works and how best to turn that evidence into intelligence.”

There is also a need for a number of specific activities that tackle the skills gap in cybercrime work. This should start with nationwide policy and user guidance on how to use open source material for intelligence and evidential purposes. Improved training should be provided to develop open source investigative skills for all analysts and there should be wider access to specialist open source technology and tools.

In addition to the focus on training, we are seeing investment in new roles such as the DMI. However, our experience in delivering digital transformation suggests there should be a more fundamental rethink of the recruitment and skills profile for those working on cyber analysis and investigation.

Recommendation 4
Cybercrime analysis requires experienced data scientists with the skills and experience to exploit big data. Law enforcement will need to find new ways of working with industry and academic partners to define and source these roles.

“The increased percentage of time the public spend on convergent technological media has increased the scope for criminal behaviour across the platforms and made investigation difficult for the non-technical officer.”

Figure 5: Proportion of investigations using different types of digital surveillance (axis: % of investigations; categories: Other, Digital forensics, Social media analysis, Open source research, Communications data)

INFORMATION SHARING: HELPING TO JOIN THE DOTS

Cybercrime does not respect force or organisational boundaries. This means it is vital that there is closer collaboration between law enforcement organisations to share information.

Law enforcement organisations have invested in improved information sharing and collaboration since the 2004 Bichard Inquiry. However, cybercrime is placing increasing demands on those systems. They need to be able to share large volumes of data because offender groups, victims and the ‘digital crime scenes’ typically span force boundaries or even different international jurisdictions.

In addition police forces may need to work with a large range of private sector organisations (e.g. financial services) that collect data on cybercrime, and find ways of sharing data with them.

This is not currently happening consistently. One-third of survey respondents reported they had been unable to share operationally beneficial information with other appropriate organisations. This was due to policy constraints or a lack of suitable IT.

The survey shows the core areas which need to be addressed are those relating to how analysts get access to data in other organisations and the policy on information sharing (figure 6).

This makes it critical that forces work together and exchange information at local and global levels.

Some progress is being made. 70% of respondents said their organisation is implementing plans to improve information sharing across boundaries. However, police forces are often doing this in isolation. This means there is a need for a concerted effort to agree and use common data standards across policing. The growth of collaboration initiatives, such as MINERVA, should help.

It was also encouraging that half of respondents felt well engaged with the National Crime Agency, although it is clear that more work is needed to join the dots in a sometimes fractured landscape.

The areas where further work is needed include:
• Improving the speed of data exploitation
• Increasing capacity for self-service queries and basic analysis by non-specialist staff
• Ensuring closer integration with operational teams to improve intelligence outcomes.

Figure 6: Areas which need to be addressed to improve collaboration (axis: % respondents; categories: Access to data, Data exploitation, Policy, People and skills)

Recommendation 5
Law enforcement needs effective and sustainable systems for sharing large volumes of data on cyber-dependent and enabled crime. Analysts working in these areas will then be able to match up information between investigative leads which span geographical boundaries.

“[We need] a single information sharing agreement across all law enforcement agencies.”

“[We need] joined up IT systems that enable a single entry point to practitioners.”

LEGISLATION: THE IMPORTANCE OF CHANGE

It is clear that effective responses to cybercrime require the ability to analyse digital data sources, yet legislative constraints mean these can be increasingly difficult to acquire and exploit. The survey shows that analysts feel there is a growing need to modernise legislation so it reflects the impact of technology.

70% of respondents felt it reasonably or very important for the Government to introduce new communications data legislation so that investigatory powers, designed for the telephone, can keep pace with the widespread use of internet-based communications. 23% believe that a lack of new legislation is already having a reasonable or substantial effect on operations today.

Figure 7 shows the increasing reliance on a range of digital sources (especially communications data, social media and digital forensics) by those analysts who state they have the greatest understanding of cybercrime. This group has the greatest awareness of the limitations of current legislation.

In order to gain acceptance of the need for updated legislation, those tackling cybercrime will need to explain how new surveillance powers would be used proportionately. This should include an emphasis on how the procedures to acquire data guard against any intrusion into the privacy of innocent citizens.

This needs to be underpinned by evidence that shows changes are a necessary and proportionate response to digital threats and need to reflect the changing technological environment. This will maintain the UK’s existing security and police capabilities in response to increasingly sophisticated activity of those involved in terrorism and serious crime.

The Home Office has consistently made the case for legislative change under two successive governments, and the emergence of new cybercrime threats bolsters its campaigns for change. There is also now a timely opportunity for police and agencies to make their case for updated legislation.

Recommendation 6
To secure legislative change, police and agencies will need to explain the capability gap better; provide assurance that the acquisition and use of communications data is proportionate; and demonstrate they will be held properly to account through independent and transparent scrutiny. The ‘sunset clause’ in the Data Retention and Investigatory Powers Act and upcoming review of Regulation of Investigatory Powers Act provides a timely opportunity for police and agencies to make their case.

Figure 7: Types of digital data used by analysts in relation to cybercrime knowledge (horizontal axis: Level of analysts’ cybercrime knowledge: None, A little, Moderate, Considerable; vertical axis: Types of digital data used, 0% to 100%; series: Other, Digital forensics, Communications data, Social media analysis, Open source research (non-social media))

“[We need to] explain what justification police need to have to obtain data. People assume police can access anything at anytime, but there are strict controls.”

SUMMARY OF RECOMMENDATIONS

1. There needs to be a concerted and nationally coordinated effort to
improve the measurement and analysis of cybercrime data. This will
improve the understanding of threats and the ability to spot efficiency
opportunities where duplication in investigations exists.
2. For cyber-enabled and dependent crime there should be centrally
coordinated recording standards for all police forces. This includes
national units taking the lead on providing an overall threat assessment.
3. The law enforcement community needs to develop a future operating
model for cybercrime analysis. It needs to redefine and clarify roles and
responsibilities across cyber-enabled, dependent and internet-facilitated
crimes against key roles (analysts, SPOCs and DMIs) as well as
between local, regional and national units.
4. Cybercrime analysis requires experienced data scientists with the skills
and experience to exploit big data. Law enforcement will need to find
new ways of working with industry and academic partners to define and
source these roles.
5. Law enforcement needs effective and sustainable systems for sharing
large volumes of data on cyber-dependent and enabled crime. Analysts
working in these areas will then be able to match up information between
investigative leads which span geographical boundaries.
6. To secure legislative change, police and agencies will need to explain
the capability gap better; provide assurance that the acquisition and use
of communications data is proportionate; and demonstrate they will be
held properly to account through independent and transparent scrutiny.
The ‘sunset clause’ in the Data Retention and Investigatory Powers Act
and upcoming review of Regulation of Investigatory Powers Act provides
a timely opportunity for police and agencies to make their case.

ABOUT THE SURVEY

This report records key findings from our cybercrime survey, conducted in association with the NAWG[6]. The NAWG represents over 1,500 intelligence analysts and researchers working within UK law enforcement. The recommendations in this report are made by PA Consulting Group and do not necessarily reflect the views of the NAWG or individual respondents.

In the survey we explored the analysts’ perception of the threats posed by cybercrime; how that threat is evolving and how the UK law enforcement community should respond.

Around 15% of the NAWG membership responded, which provides a valuable body of evidence to inform a debate that currently has limited sources of quantitative evidence to draw upon.

Many respondents took the time to add personal observations to their responses, and we have quoted some of these anonymously throughout.

We are extremely grateful to the NAWG and all who took part in the survey.

6. Throughout this report the term ‘analyst’ is used as shorthand for a member of the NAWG who has responded to the survey.

Contact: Nick Newman

Corporate headquarters
123 Buckingham Palace Road
London SW1W 9SR
United Kingdom
Tel: +44 20 7730 9000
paconsulting.com
This document has been prepared by PA.
The contents of this document do not
constitute any form of commitment or
recommendation on the part of PA and
speak as at the date of their preparation.
© PA Knowledge Limited 2014.
All rights reserved.
No part of this documentation may be
reproduced, stored in a retrieval system,
or transmitted in any form or by any means,
electronic, mechanical, photocopying or
otherwise without the written permission
of PA Consulting Group.
We are an employee-owned firm of over 2,500 people, operating globally from offices across North America, Europe, the Nordics, the Gulf and Asia Pacific.
We are experts in energy, financial services, life sciences and healthcare, manufacturing, government and public services, defence and security, telecommunications, transport and logistics.
Our deep industry knowledge together with skills in management consulting, technology and innovation allows us to challenge conventional thinking and deliver exceptional results with lasting impact.
2036-105