Publications on the internet
UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 618-ii
HOUSE OF COMMONS
TAKEN BEFORE THE
Home Affairs Committee
Tuesday 20 November 2012
Deputy Assistant Commissioner Martin Hewitt and Deputy Chief Constable Peter Goodman
Evidence heard in Public Questions 368 - 388
USE OF THE TRANSCRIPT
This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Home Affairs Committee
on Tuesday 20 November 2012
Mr David Winnick (Chair)
Mr James Clappison
Dr Julian Huppert
In the absence of the Chair, Mr Winnick was called to the Chair.
Examination of Witnesses
Witnesses: Deputy Assistant Commissioner Martin Hewitt, ACPO e-crime lead, and Deputy Chief Constable Peter Goodman, regional e-crime lead for East Midlands, gave evidence.
Q368 Chair: Mr Goodman and Mr Hewitt, good afternoon-I do not think it is quite good evening as yet. The Chair has had to leave for various reasons, but we are grateful to you for coming along.
The globalised nature of e-crime is often cited as a major barrier to identifying those responsible and bringing them to justice. How are the United Kingdom police building a relationship with their counterparts in dealing with what is undoubtedly an international menace? Would you agree it is an international menace?
DAC Hewitt: Most definitely. It is fair to say that trying to ascribe a region around cyber crime is challenging in itself. You will hear talk about force level or national level or regional level, and actually the vast majority is international in its nature in terms of where the victims are, where the perpetrators are and where the systems they are using are. Inevitably we have to find a way of dealing with this in investigative terms and preventative terms that works across boundaries.
The Government has ratified the Budapest Convention, and we are supporting the EU Cybercrime Centre that is being set up in Europol, but primarily from our perspective the Police Central e-Crime Unit, which is the main operational unit that is hosted currently within the Metropolitan Police, has developed very strong relationships with most of the key countries and law enforcement in the key countries with which we work, and the Crown Prosecution Service does likewise with the prosecuting authorities. There are undoubtedly significant issues because you get into cross-jurisdictional issues that can be quite challenging for us. There are, with certain countries, logical levels of trust issues in terms of how much we are able to share and how much they will share with us, and it is just the number of players that can be involved in operations.
We are working well with others, but there is no doubt that this is an area where I think globally we need to move forward in terms of how we allow ourselves to work across jurisdictions and to gather evidence quickly, which is one of the biggest issues for us because generally we would work through the normal mutual legal assistance process. That can be very slow in what are often quite fast-moving investigations. It is about those police-to-police relationships, but I think globally we need to move forward in terms of how we deal with this challenge.
Q369 Chair: There was an error on my part. I should have asked you to identify your name, rank and responsibility.
DAC Hewitt: Sorry.
Chair: No, that is my mistake.
DAC Hewitt: I am Martin Hewitt, Deputy Assistant Commissioner within the Metropolitan Police Service. I work within Specialist Crime and Operations and have the chief officer oversight for the Police Central e-Crime Unit. I am leading for ACPO on the migration of the e-Crime Unit into the National Crime Agency.
DCC Goodman: I am Peter Goodman. I am Deputy Chief Constable for the East Midlands. I serve the five forces of the East Midlands around counter-terrorism, serious and organised crime and major crime. In relation to cyber-criminality, I have led on the project to deliver the regional hubs in three locations across the country, and I am just about to take over the national cybercrime portfolio that was vacated by Janet Williams on her retirement.
Q370 Chair: Thank you. Before I ask any further questions, is there anything you want to add, Mr Goodman, to what Mr Hewitt has said?
DCC Goodman: No, there is not. We have discussed beforehand.
Q371 Chair: I see. I will not describe that as a conspiracy in any way, shape or form. One assumes that the counterparts to the police in our country are in the main-I would be surprised otherwise-quite willing to co-operate in enforcing the law and bringing the culprits to justice, but are there difficulties now and again so far with police overseas?
DAC Hewitt: Generally speaking, law enforcement will be keen to assist but, as I say, you get into those kinds of jurisdictional challenges. One of the challenges-and we were just discussing it outside-is that certainly in most European countries, the method of investigation is run by an examining magistrate and somebody judicial, and they find it quite strange operating with us on a police-to-police basis. But it is trying to find a way we can operate within the bounds of our legislation and our procedures, and equally, so in a sense the challenges are no different than they are in any other international investigation. I think in the cybercrime arena it is pretty much there in every example, whereas in others it will be in a few. There is a challenge around how we equalise processes and allow us particularly to move evidence quickly from one jurisdiction to another to move an investigation on.
Q372 Chair: E-crime has come up for obvious reasons with all the technology involved in bringing this to the forefront. Would you say that it is going to increase substantially compared with other forms of criminal activity?
DAC Hewitt: I would say that it is, largely because what it is generally doing is either presenting opportunities for new forms of criminality that can be very profitable-and for all sorts of other motivations-or facilitating technology more generally, and the cyber-environment is facilitating existing criminality. I think one of the factors that Government agencies and everyone involved needs to take in is the speed with which it changes. We have worked in organised crime and serious crime for many years, and most other forms of serious crime will mutate and develop their methodology in relatively slow time to changes in the environment-to changes in what we do. In the cyber-world, you are talking about that happening almost constantly, and so the people who are out there are trying to find new ways and trying to overcome the defences that are being put in place within business and privately. You can only see that cyber, in its broadest definition, is going to increase because so much more of our lives are run in that space.
Q373 Chair: Which inevitably leads to the question that presumably there will be far more officers trained to deal with this.
DAC Hewitt: Yes.
Q374 Chair: Mr Goodman, is that your view?
DCC Goodman: Yes, very much so, and some of the work we have done around the regional hubs demonstrates the extra value that we can gain as a consequence of greater understanding, greater technical skills and also greater investigative techniques. This is the one area of policing at the moment where you are likely to have an offence committed in one part of the world through technology that is held in another, with a victim in a third part of the world, and that is an extremely complex environment, especially, as Martin says, because it mutates so very quickly from one form to another.
We are seeing some of the serious and organised crime partnerships of the past-criminal partnerships-that are now understanding the profit that can be got from this, so it is a very complex environment. We in the police service, together with our partners, need to make sure that we are understanding how that changes, understanding the problem and making sure we understand how we will respond effectively.
Q375 Mr Clappison: Without naming them, are there any particular countries that you find commonly tend to be involved in this sort of crime-as the headquarters for the people who are the brains behind the crime? Are you completely satisfied, if there are, with the response you get from Governments there?
DAC Hewitt: There are areas you would tend to see more criminality emanating from, and there are other areas where the technology and operating systems would tend to be. Some of those are challenging. The other important aspect to remember about cyber, which again makes it quite different to some other forms of criminality, is the range of activity that cybercrime can include. We have tended to be talking here around the kind of cybercrime for a financial profit in the fraud sense but, at the other end, you have cybercrime as hacktivism, as it will be called, and running up to state-sponsored and terrorism as delivered by cyber. All that is going on simultaneously. Another one of the challenges is some of the key actors in that activity, because of their technical skill and their knowledge, could be present in any of those different arenas, which again is quite different in its makeup to what we would normally be dealing with in either the terrorist or the crime world. But there are countries, and they will be fairly obvious, where there are real challenges with working with them. As I say, some of our challenge, of course, is in some environments it is going to be difficult for us to share information, but we have overcome that in some instances and we work very closely with a number of countries. It really is about trying to generate globally intolerance to this type of criminality and the willingness for people to share information and to take part.
Q376 Mark Reckless: Mr Goodman, I understand you are the ACPO lead on e-crime, and as I understand it, Mr Hewitt, you are the ACPO lead for the Police Central e-Crime Unit. Could you explain your division of responsibilities, the role of the Police Central e-Crime Unit, and particularly the role of ACPO in overseeing this area?
Chair: In some respects you have done that, but if you would give a fuller picture arising from the question.
DAC Hewitt: When this first emerged as an issue there was a single ACPO lead, Janet Williams, who I think has probably given evidence before you in the past. Janet was part of the original process that led to the creation of the Police Central e-Crime Unit. PCeU, as we call it, is the funded team that has grown now to being over 100 members of staff, that has the primary investigative capability for tackling high-level cyber-criminality.
Q377 Mark Reckless: Who does that report to?
DAC Hewitt: That reports ultimately to me within the Metropolitan Police, because it is hosted in the Metropolitan Police. We are in a process of transition at the moment and, ultimately, PCeU will become part of the National Cyber Crime Unit that will sit within the NCA when that is created in about a year’s time. We are in a transition process at the moment and what will then happen is a cyber-capability will remain, obviously, in the Metropolitan Police for dealing with specific issues there, but the responsibility for being the top-level investigative capability will transition across to being within the National Cyber Crime Unit within the NCA.
I have the operational oversight and also, having been involved in it for the past two or three years, the lead for that transition work to make sure that in capability terms we don’t lose anything at the point when PCeU transitions into being part of the National Crime Agency from a national perspective.
DCC Goodman: I have picked up the strategic role from Janet Williams around the development of cyber-capability and cyber-responses around the country within the last three or four days, so I hope you will be reasonably gentle with me on the basis of that. That includes the development of the hubs around the country, their performance and the outcomes that they achieve. It is about developing a comprehensive training programme on behalf of the police service-from executive level right down to first responders-so that we increase knowledge among the police establishment. It is about developing the ways and means to enable communities, businesses and large enterprise to prevent the commission of offences against them, which have not been developed in a comprehensive way before. It is around making sure that we get our victim engagement right, because there will be many thousands of victims here who are looking for a response from us when we have yet to understand fully what that looks like.
Q378 Mark Reckless: You speak of victim engagement. We have had some engagement from the British Retail Consortium, which says that a number of its members have put an awful lot of work into preparing cases where they, and potentially other companies, have been the victims of e-crimes, but they have then been disappointed that these have not then been taken forward by the police. Can you offer them any hope for the future in that area?
DAC Hewitt: I can, I think, but I absolutely recognise their frustrations at the moment. The challenge that we are facing is, having got ourselves beginning in cybercrime and creating the Police Central e-Crime Unit, we have moved on enormously in terms of our capability and capacity to deal with things at a higher level. What we are trying to catch up with now is to get all the police forces aware of the phenomenon and capable of dealing with the phenomenon, because clearly once the Police Central e-Crime Unit transitions into the National Cyber Unit, there will have to be a threshold around the level of investigation that they undertake. The work that Peter referred to in terms of mainstream understanding, knowledge and capability around the country and in terms of training people up to have a capability and having the hubs is all designed to allow us to be able to investigate crimes at a lower level more generally.
The goal in cyber has to be around prevention activity and developing prevention activity. I know it is often rolled out, but it is the simplest image to use: we have to get to a point where we, as citizens, organisations and businesses, are not, effectively, leaving the windows and the doors open when we leave the office or when we leave the house. We have to start working much more collaboratively with business, industry and other Government agencies to make sure that everybody out there has the best information about protecting themselves in the first instance. Then we need to increase our capability to be able to investigate when a crime does occur. I know it is in some of the written evidence that you have already received, but the latest GCHQ assessment was that 80% of the criminality that was reported could be prevented with relatively straightforward security measures being taken, either by the individual or by the organisation. I think collaboratively we have to work much more closely together. We undoubtedly have to develop our ability to investigate lower level crimes.
Of course, there is another important difference, which is if someone’s house is burgled, there may well be other burglaries that have taken place, but that is essentially an individual crime that the police will go along and investigate. If someone has a relatively low-level cyber attack that steals some money out of their bank account, steals their identity or whatever, the chances are that they are going to be one of many, many victims, because that is the nature of the criminality. We need to be working at understanding that picture and then getting up that chain to start being able to do the disruption and the prevention higher up.
Chair: We have a bit of a problem-for my colleagues, and also for Mr Goodman and Mr Hewitt-that I think we are going to be deserted in this Committee if we go on beyond 5 pm. So I am keeping an eye on the clock and keeping an eye on the questions and the answers. They are very informative, but we have to make some progress.
Q379 Mark Reckless: Just very quickly, the Home Office tells us that it is planning to have changes in how e-crime is recorded. Do you know when that is going to come in? Is that going to help you in your work? It may be an extra bureaucracy for officers locally to have to do that.
DAC Hewitt: The view is around changing some of the recording. As it says in the evidence there from the Home Office, there is no such thing as a cybercrime on the current recording system. We need to be very careful that we are answering the right question, because for me this is not about how many are we recording. A harassment, a theft or a fraud is still a harassment, a theft or a fraud, whether that is delivered through a cyber platform or not. The more important point for me is for us to be able to have information that allows us to understand the nature of those attacks and where they are coming from, and then allows us to work out what we can do to deal with them at that high level to prevent them happening.
Q380 Dr Huppert: Presumably in order to allocate your resources effectively, you have to know how these crimes are being committed. Do you have enough information? Would you want to see the modus operandi of a crime always recorded with the offence so that you know exactly what is e-crime that you can tackle and what is not, and how you should allocate those resources?
DAC Hewitt: The more information we have the better. Recording the method relies on a level of knowledge within the victim and a level of knowledge within the person who is receiving the report to do that effectively, but I think we are trying to get towards that. The key issue for me is using as many reporting mechanisms as possible, so some of this will come through crime reporting and some of it needs to come through our relationship with business and industry who are informing us of attacks that they have fallen prey to or that they have successfully prevented, and then it is building as much information as we possibly can about the methodology, who the victims are and the nature of the information, because it is normally data that people are trying to get to in the first instance. All that allows us then to work again with partners, both public and private sector, to identify the way that you can either block that methodology or tackle or investigate. The more information the better, but I don’t think necessarily the answer is going to be just having more expansive MO submissions on the crime reports.
DCC Goodman: Just to add on the back of that, it is interesting that we talk about crime recording and, of course, we ought to move to a process where, wherever possible, we understand the part that cyber has played in a particular type of criminality. One of the big stumbling blocks to that is that often the victims of that cyber-criminality won’t know-and they certainly won’t know-the detail of what has been committed against them. A victim of a dwelling-house burglary will tell you they came in through the front transom window and they stole the video recorder from the lounge and they went out via the front door. It is very difficult for a victim, even if they discover it, to understand how £200 has gone missing from their personal account, so it is not without complexity.
Q381 Dr Huppert: Let me come back to the issue of resources but just pick up on this issue about the victims. As I understand it, you currently have the Police Central e-Crime Unit, SOCA and CEOP, and you have the City of London Police, which has a role on internet-enabled fraud. If I am victim, who do I go to? Do you seamlessly pass people from one group to another, or are there silos, as happens in most other areas?
DAC Hewitt: In the first instance you would go to your local police force. The process, as you will be aware I am sure, with Action Fraud, which sits within the National Fraud Intelligence Bureau, is developing a process to take some of the cyber reports as well to try to build the picture.
Q382 Dr Huppert: Do you think that is working, by the way?
DAC Hewitt: I think it is a start, and we need to get to a point where we can get a bigger picture of what is going on. I think the system at Action Fraud is not designed to give the real granularity of detail about individual offences, but what it can be, hopefully, in the future is part of the broader picture of the offending type. Do we pass a victim seamlessly? Sadly, probably the answer to that would be no, but that is the work that Peter is doing around information for officers. Now cyber-awareness will form part of pretty much every basic and advanced investigative course that police officers do. There is a whole range of electronically delivered awareness training. It is all about building that picture up and then being able to, I think most importantly, give a victim a very honest picture of what that experience is going to be and what they are going to get as a result of reporting that crime, but it is not seamless at the moment.
Q383 Dr Huppert: I think we will be making some suggestions about that. Can I come back to the money issue? In the whole National Cyber Security Programme, I think 10% of the money-£63 million-is given to the Home Office to tackle e-crime. Do you think that is the right balance in terms of the whole National Cyber Security Programme, and what are your priorities for spending that £63 million?
Chair: I think that Mr Goodman is suggesting that is a lead question for you, Mr Hewitt.
DAC Hewitt: Coming from pretty much a standing start, that was probably the right sort of allocation of money to allow us to develop and understand the capability we needed to develop, and then the capacity. A large part of that money has gone to creating the Police Central e-Crime Unit and developing that capability and capacity. We have the three regional hubs now up and running. It is about all the development of the training to mainstream cyber-understanding as part of law enforcement training for anybody who works within law enforcement. We have high-level accredited training. We have started to try to understand how we manage digital forensic processes as well. One of the challenges you have at the moment-unlike when I was originally going in and searching people’s houses when I arrested them-is when you walk into someone’s house, there will be probably five or six electronic devices that are essentially computers. It is how we understand and how we better triage what we submit for forensic examination, because otherwise the system gets clogged with what questions we are asking the providers to give us. It is work around forensic, work around crime reporting and work to try to develop the virtual taskforce working with business and industry, but the significant point for me is we cannot solve this issue as law enforcement. This will only be solved by Government, law enforcement and other agencies all bringing to bear their abilities and then working with business and industry.
Chair: I think that is a very valid point indeed, and I am glad you have mentioned and emphasised that.
Q384 Dr Huppert: One last very quick question. We have talked a lot about resources and setting up the infrastructure. Are there any legal powers that you need, or any legislative changes that would make a difference, or is it largely about resources and training?
DAC Hewitt: There is work under way to review the Computer Misuse Act, which I would say is not fit for purpose now. It is a fairly old piece of legislation, and, as we said, this is changing very quickly, so that work is under way as a review.
Q385 Dr Huppert: That is the main one.
DAC Hewitt: Yes, from my perspective.
Q386 Steve McCabe: Mr Hewitt, I understand that the Cyber Security Strategy requires you to mainstream cyber-awareness and skills through the police service. How do you measure your success in doing that?
DAC Hewitt: In the first instance, the reality is you measure it by the output and the delivery, and, as I said, we have a programme now that takes you right from being newly appointed and from being a trained police officer through all the investigative stages that a person would go through in their career, with cyber being part of that, right up to the training for very senior officers. In the first instance, it is going to be about measuring the fact that we have created those programmes and that they are being delivered and everyone is undertaking them. As we move forward, the measure will be whether we are more effectively dealing with the issue and, as was previously asked, whether, when someone walks in and report a cybercrime, we are dealing better with that than we currently do.
Q387 Steve McCabe: Mr Goodman, you have mentioned the regional e-crime hubs. Just succinctly, what are the goals of e-crime hubs?
DCC Goodman: They set out to achieve three main goals. One was to increase the strategic capability we have across the country because there was no real accredited capability developed outside London before they were delivered. We now have that in three locations-in the East Midlands, in the North West and in the Yorkshire and Humber region-but they don’t just service those regions. They service the entirety of the country in a very strong partnership with the Police e-Crime Unit. Secondly, it was to start to develop some of that tactical awareness among officers around victim care and around the methodology that they can adopt. Thirdly, it is very much around raising awareness, not just within the law enforcement community but among broader communities of the prospect of cyber-criminality and the means of preventing some of that taking place.
Steve McCabe: That is lovely. Thank you very much.
Q388 Mr Clappison: On the definition of e-crime, do you think that crimes that use the internet only for organisation or communication-other types of crime that is-be categorised as a type of e-crime, or do you think that just conflates the issue?
DAC Hewitt: My take on this is we are in danger of asking the wrong question. The reality is, as I think I said in one of the earlier answers, that there is going to come a point where almost every crime that takes place has some involvement of some form, and I wonder what we achieve by doing it. I would rather get us to a point where we understand the impact of technology on crime, whether it is what I would call a pure cyber right down to, "I used my device to facilitate it", and then we understand what it is we need to do to deal with that-either to prevent it or to detect it. The danger is that we go down a route of wanting to define things when, quite frankly, the criminals out there are not thinking about that. They are just using whatever method is the most convenient to do the crime.
Mr Clappison: That is very helpful. Thank you.
Chair: Gentlemen, undoubtedly there will be further sessions, and we will be calling other witnesses. It may well be the Committee, or the Chair in particular-who, as I have said, is not able to be here-will want to write to you and ask further questions, but we are most grateful to you for coming today. It is a new field for us-perhaps more of a new field for us than it is for you-but it is one which certainly this Home Affairs Committee is going to explore, hence the reason we were very pleased you were able to give evidence today. Thank you very much indeed.