UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 618-iii
House of Commons
Taken before the
Home Affairs Committee
Tuesday 11 December 2012
Commissioner Adrian Leppard
Detective Chief Superintendent Charlie McMurdie and Andy Archibald
Professor Peter Sommer and Professor Ross Anderson
Evidence heard in Public Questions 57-132
USE OF THE TRANSCRIPT
This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Home Affairs Committee
on Tuesday 11 December 2012
Keith Vaz (Chair)
Dr Julian Huppert
Mr David Winnick
Examination of Witness
Witness: Commissioner Adrian Leppard, City of London Police, gave evidence.
Q57 Chair: Mr Leppard, thank you very much for coming in. Apologies for keeping you waiting.
Commissioner Leppard: Thank you, Chairman.
Chair: As you know, the Committee is conducting an inquiry into e-crime, and we are hearing from a number of stakeholders. You obviously have the lead in respect of this area. How big is the team that you have working with you, and where are you based at the moment?
Commissioner Leppard: City of London Police has about 13,000 people altogether. About 250 people specialise in fraud and economic crime, and the roles we have are dedicated fraud investigation teams, but for this meeting in particular, we also host the National Fraud Intelligence Database, the one single repository of all reported crime intelligence from the police, members of the public and the private sector.
Q58 Chair: Will you be keeping that under the New Landscape of Policing?
Commissioner Leppard: Yes.
Commissioner Leppard: Because we have effectively built very good relationships with the private sector, and personal data-sharing relationships. We have highly skilled officers. We have a good track record of taking cases to court, and in the discussions we have had with the National Crime Agency, there is nobody who can see any benefit that we would gain by moving any of that to another agency. It would not increase efficiency or effectiveness, and it would cost more.
Q59 Chair: It is interesting because, of course, the Committee is concerned about New Landscape of Policing, which has not been completed; it is an unfinished masterpiece of the Home Secretary’s. We were concerned about the very same arguments you have just mentioned. As far as CEOP was concerned, the previous director of CEOP made the same arguments that you have made-that, "It is better outside because we have relationships with the private sector and we want to continue with it", but CEOP was included in the National Crime Agency. Everything else to do with e-crime is going to be in the NCA. That is right, is it not? Would it not have been sensible to put them all together? Either give that function to you and the City of London Police or take your functions and put them in as part of the NCA?
Commissioner Leppard: It is absolutely sensible to have the debate, and I think what we focused on is, where is the added value? Where is the added benefit?
Q60 Chair: Sure. But the debate is over because the decision has been made already.
Commissioner Leppard: It has. If I may, Chair, as you know, under the National Crime Agency there are four commands. Three of them-CEOP, Organised Crime and Border Police Force-all have their own assets and agencies. There is a body there. Economic crime does not, and we will represent policing. Of course there are many other agencies, like the Serious Fraud Office, the Office of Fair Trading and many other agencies that all have to work together, and the challenge of that particular command will be to get the best benefit.
Q61 Chair: Is there an argument to give it all to you, since you are doing such a good job? We will examine your job in a second, but since you appear to be doing such a good job, is it not better to have one function, the e-crime function, in the City of London, where you have your specialists, rather than have them put into the NCA, which is at the moment, as I have said, incomplete?
Commissioner Leppard: Chair, I do not agree with that, no. I think the way it functions at the moment, with us representing policing, one part of the agency under the economic crime command, and hosting the intelligence function, and then working very closely to the strategic priorities of the National Crime Agency, is probably the most effective way to work.
Q62 Chair: Let us turn to some of the results. The British retailers have said that online internet crime reached £205 million last year, and the global economy loses about £114 billion due to online crime. Are we winning? You have heard the argument, "Are we winning the war on drugs?" There are different arguments on that. But, as far as e-crime is concerned, are we winning this battle? Almost every week we have another example of somebody breaking in. The Home Office website was the last time somebody broke into something official. Who are these people who keep, in effect, running rings around some of the best police officers in the country?
Commissioner Leppard: The direct answer to your question is we are not winning. I do not think we are winning globally, and I think this nature of crime is rising exponentially, which is clearly why you are here and asking these questions today. As a country, we are as far advanced as any other European country, and indeed anywhere else in the world, but we are new in our development. I am sure you have heard evidence already from the cyber crime strategy, the new money and development. This Government has put a focus on economic crime. We have a focus on cyber. Many other countries have not, but we do have to bring all that together, and that will take a couple of years.
I have many facts and figures, which I can give you, about the nature of the scale of the threat, in terms of cyber and organised crime.
Q63 Chair: Yes, we are coming on to some of that. In terms of identifying countries, is there a particular country or group of countries where, when you arrive in the morning at City of London Police, you say, "My goodness, there is something else coming from this country. They obviously have the expertise to try to challenge what we are doing"?
Commissioner Leppard: There are countries in terms of the nature of the threat we are facing.
Q64 Chair: Could you give us an example?
Commissioner Leppard: To give you the nature of the threat that we know in the National Fraud Intelligence Bureau, we map organised crime groups and we know that about 1,300 of those groups are doing nothing but fraud as their main means of gaining money, as a criminal enterprise. A good 25% of them are using cyber as their main means-in other words, internet-enabled criminality. The work we have done to identify countries shows that about 25 countries predominantly target the UK.
Q65 Chair: Give me the top five.
Commissioner Leppard: The top five are mainly eastern European, and Russia is another country that we know hosts some of the criminality. That is not the Russian Government, but the criminality is hosted in that country.
Q66 Chair: In terms of the eastern European countries?
Commissioner Leppard: We have countries, such as Romania and others, which we are working with. With all these countries we are working with the law enforcement agencies, but I am trying to give Members of the Committee a picture of the nature of the criminality.
Q67 Chair: Sure, absolutely. You are obviously creating partnerships with the law enforcement agencies in those countries, to try to challenge the criminal elements from Russia and eastern Europe who seek to attack us through cyberspace.
Commissioner Leppard: Yes. Two challenges are really important for us. One is about how we deal with prevention. The other is in terms of cyber crime. By "cyber crime" I mean not just the technical attack but the fact that internet enabling is allowing a lot of fraud to be perpetrated across borders. A big challenge for us as a country is understanding the international threat and what the UK Government can do, with law enforcement, to try to gauge more effectively in other countries to combat that threat.
Q68 Chair: I was in Washington in the summer, and in the meetings that I had one was specifically about cyber crime and e-crime. The Americans certainly seemed to be very worried, and President Obama seems to be extremely worried, about this type of crime. Are the Americans working with us on things? Are they more advanced than we are? Do they have more resources? Are they more likely to be under attack than we are?
Commissioner Leppard: I think all of those things, Chairman. They have more resources. They are likely to get more attacked because of the nature of the scale of the business they have. In terms of the specialisms, we share a lot of knowledge.
You will hear from Charlie McMurdie from the Police e-Crime Unit that we have as much knowledge through SOCA and the Police e-Crime Unit as any other country has. But they are right to be worried about the scale of the threat, and you have heard from the British Retail Consortium. I think they have shown something like a 30% increase in online fraud attacks in the last year alone. This is a very worrying criminal trend.
Q69 Steve McCabe: Mr Leppard, one of the Government’s cyber security goals is to mainstream the capacity of police forces and law enforcement agencies to deal with e-crime or cyber security issues. How well are we doing in pursuit of that goal?
Commissioner Leppard: As you will hear from Charlie McMurdie, the Police e-Crime Unit, which has been leading on that, has been doing a good job to take training into police forces, right down to the beat officer level, to increase a better level of awareness, and there is certainly a marked difference.
We have our own training capacity. We have an academy, and we train investigators in how to use the internet. If you said where we were two years ago to where we are, there is a marked difference in skills-not just of specialist fraud investigators, but all different types of roles within policing. Of course, there is still a journey to go, but we are certainly on that journey.
Q70 Steve McCabe: Are there any areas that cause you particular concern or that you would want to draw the Committee’s attention to?
Commissioner Leppard: My area of special expertise is around economic crime and fraud but, as I have said, 50% of that is now being enabled through the internet. My concern, when I look across the country, in terms of fraud expertise, is that we know that the number of dedicated fraud investigators in policing is reducing. We anticipate it will reduce by 25% over the CSR period. There are only about 600 dedicated fraud investigators in British policing outside of the City of London Police, and we have 200 on top of that, so the real worry is that, at a time when fraud and e-crime is going up, the capability of the country is going down.
I have had discussions with the Home Office about creating a new national capability for economic crime that would support specialist agencies, like the PCeU, that will be dedicated fraud investigators. The Home Office have been very supportive of that, and I am looking at that funding proposal now.
Steve McCabe: Thank you very much.
Q71 Karl Turner: Clearly, victims of online fraud suffer real harm-psychological harm, among other things. What is your view of sentences? Are they currently too lenient or about right? What is your opinion?
Commissioner Leppard: It would probably be inappropriate for me to comment on sentencing. Each case is utterly different, and the judicial guidelines are that each case will be considered on its own merits and the level of harm, and I know judges do give consideration to that harm.
If I may endorse your point, one of the biggest frauds that we experience on the internet is called mass marketing-that is, the selling of online shares. Some 50% of the victims of that-and it is a £3.5 billion loss-are over 65. The average loss of those people is £25,000. That is a significant loss to the most vulnerable people in our society. The only comment I would make is that I would hope, like you, that due consideration is given in sentencing to the harm that victims are experiencing.
Q72 Karl Turner: What is your opinion, though, Commissioner? You have experience in seeing cases dealt with in criminal courts. Do you believe that the judgment of the court, the sentence passed down by the judge, reflects the psychological harm done to its victims or not? Please say yes or no. Do you think it does or it doesn’t?
Commissioner Leppard: In some cases it does, but in some cases it doesn’t.
Q73 Dr Huppert: Commissioner, can I follow on from some of the direction of that question, and ask about how you deal with the victims of online fraud? Certainly, when I have had constituents concerned about this, the sense is that the bank requires them to prove that they were the victims of fraud, rather than regulations protecting them. What is your assessment of that balance? Is the protection the right way round?
Commissioner Leppard: There are two questions there. If I come back to the regulations, which I think are good and sound in this country, if we can get a victim through into Action Fraud, which will be the central reporting for all fraud and cyber crime in this country-as I am sure Members know, Action Fraud is the core central web centre, basically, that comes into the NFIB, the City of London Police-we then have a very extensive engagement with them, supported by the Victim Support Scheme.
We monitor their satisfaction about how they have been treated as a victim, and the percentage levels of satisfaction range between 90% and 95% of victims. That is them saying, "We were satisfied with how we were dealt with". The issue is whether we can get enough knowledge that people need to report in the first instance, and that is a constant battle to get public awareness into that. I am very comfortable that, once they are in the system, we do the best possible job to represent their interests, look after them and keep them informed.
In terms of the bank’s role-you asked me specifically about regulation-I do think we have a very good regulation system in this country. There is always a challenge about whether the banks themselves and different banks are complying with all the regulations, and that is always the issue in terms of enforcement-that is probably a question better given to the Financial Services Authority, in terms of how they comply-but I think we have a good and effective regulatory system.
Q74 Dr Huppert: What steps do you take to make people aware that they ought to be reporting? Particularly for people who are not that digitally literate, who will still, nonetheless, use online banking and things like that.
Commissioner Leppard: I did say at the beginning, as well, that there are two issues. One is about prevention and the international dimension, but there is a big challenge for us. Knowing the nature of the threat at the moment, knowing it is reaching into every aspect of society, we must put a lot of energy into our public campaigning, and that is not just prevention.
There is some great work going on under the Cyber Security Strategy, very effective work in prevention. The National Fraud Authority has put on a great campaign on Facebook-you may have seen it-"The Devil’s in your Details". If you have not seen it, I suggest you do. It is a great way of helping people realise what we need to do. But, as you say, if I speak to an average member of the public and say, "Have you heard of Action Fraud?" they will say no, often, until they then want to know, "How do I report my fraud?" If they have not gone on the internet, how do they find that? It is a challenge we have, and I accept that challenge. We do have to push that out in better campaigning and much more public messaging about it.
Q75 Mark Reckless: Commissioner, what role do you see for public awareness campaigns in tackling fraud?
Commissioner Leppard: We have to put a huge amount of energy into this for the future. We need to stop thinking about fraud and cyber crime as something that perhaps only affects a smaller part of our population. It is affecting everybody. The second highest reporting coming into Action Fraud is online shopping, and it is in every community now.
Yes, we have to do prevention with the private sector. The biggest payback for us as a country is working with the private sector. I would like to see more campaigns similar to those on television that you might have seen, with drink-driving or road safety, and more investment from the Home Office and other agencies with cyber security-perhaps through the Cabinet Office money-to focus into segments of society.
It is a fairly long answer but, if I may, the National Fraud Authority does some excellent work at segmenting victims of frauds and cyber, and the campaigns are targeting different groups in our society. We need to put more energy into that, I think.
Q76 Mark Reckless: When you say "working with the private sector", do you see that as distinct from a general public awareness campaign?
Commissioner Leppard: The private sector has as much interest as us in trying to reduce cyber crime and fraud commercially. You will be aware that we have done a lot of work with different sectors-the insurance sector and the banking sector-to start finding ways in which they can fund some policing activities. There must be ways we can be innovative with the public sector so that they can help, perhaps, in some of the public messaging that we are going to do, particularly in relation to funding some of that.
Q77 Mark Reckless: If you had to choose between more money for your team of officers enforcing on these issues versus money for public awareness campaigns, which would it be?
Commissioner Leppard: You would have to take a balance on that. The primary mission that I stand for is to protect the citizens of this country and, if I believed public messaging would protect more defrauded victims, then that is where the money should go.
Mark Reckless: Thank you.
Q78 Chair: There was an attack on the Home Secretary’s constituency website and the Home Office website earlier this year by an anonymous cyber criminal. What sanctions will he or she face, once he or she goes through the system? Will it be jail? Will there be a fine?
Commissioner Leppard: Firstly, you need to know what offence they have committed.
Q79 Chair: But he has obviously committed some offence, if he has been arrested and charged, has he not?
Commissioner Leppard: There will be either the Computer Misuse Act or the Fraud Act; they are the two main Acts. When that person goes to court, they will be charged, clearly, and there will be a hearing, either summary or it will be at the Crown Court, and the sentencing would be dependent on the sentencing guidelines of the country.
Q80 Chair: What are they, roughly?
Commissioner Leppard: Each case, as you are probably aware-
Q81 Chair: What is the maximum for something of this kind, depending on what they are charged with?
Commissioner Leppard: It depends on whether it is an indictable offence or not, but you can get up to eight to 10 years for a fraudulent offence. You can get the same for computer misuse. It is unlikely to be anything more than that.
Q82 Chair: Al-Qaeda has advocated a cyber jihad. Have you heard about this?
Commissioner Leppard: The threat from cyber and terrorism is something we have been working on with Government, GCHQ and other agencies, for many, many years, certainly.
Q83 Chair: Do they engage in e-fraud activities, as far as you are aware, or do they just try to disrupt existing websites?
Commissioner Leppard: No, there is plenty of evidence to show that some of the financing for terrorist activities worldwide will use fraud as a means of gathering money.
Q84 Chair: Does that apply to al-Qaeda as well?
Commissioner Leppard: It does, yes.
Q85 Chair: How would you seek to disrupt that?
Commissioner Leppard: We do seek to disrupt that now. In terms of other agency responses-MI6, MI5, GCHQ-all have some of the new cyber money, and all are taking actions to disrupt and protect UK citizens in that sense. Where a crime is committed, either the PCeU department behind me, Charlie or ourselves will work with those agencies.
Q86 Chair: As far as al-Qaeda is concerned, is there a country that it emerges from in terms of these cyber attacks? Is there an area of the world that you look to and think, "That is the country"?
Commissioner Leppard: I am not able to answer that question; I do not have enough knowledge to. There may be others who can answer that, and I am happy to write to the Committee later if you wish.
Q87 Chair: Please, that would be very helpful. One final question, Commissioner, on the issue of changing the law. If there is one thing you would like this Committee to do in its recommendations-we have just started this inquiry, obviously-what would it be? One thing to make your life easier, to make it easier for you to be able to do your job.
Commissioner Leppard: In terms of legislation, I know there is already a review of the Computer Misuse Act going on, and I think we need to look carefully at that to make sure it is fit for purpose. If I give you an example of that, the biggest threat we face in fraud is information data leaving either individuals or businesses. That is the way we are going to prevent fraud. If information is taken on a USB stick out of a business, is that an offence under the Computer Misuse Act? Only if you can then prove what it is going to be used for? We need to look carefully at that against the nature of the threat we are facing, to say, "Is it still fit for purpose, or should we review it?"
Chair: We will certainly look at that. Can I take this opportunity to thank you and your team for the work that you do? In some ways it has taken us a long time to get to this inquiry, but I know you all have been working very hard on this area, and we are very grateful. Please pass on my thanks, and those of the Committee, to all the officers in your team.
In the absence of the Chair, Steve McCabe was called to the Chair.
Examination of Witnesses
Witnesses: Detective Chief Superintendent Charlie McMurdie, Head of the Police Central e-Crime Unit, and Andy Archibald, Deputy Director, Cyber and Forensics, Serious Organised Crime Agency, gave evidence.
Q88 Chair: Ms McMurdie, Mr Archibald, you are very welcome. The Chair has to go to the Liaison Committee and that is why he has had to leave. Could I begin by asking both of you how you are measuring whether or not skill levels are improving in terms of tackling this problem?
DCS McMurdie: Do you want me to start, Chair? I am Charlie McMurdie, Head of the Police Central e-Crime Unit, and also responsible for the National e-Crime Programme Delivery Team, which is the piece of business that looks at skilling up law enforcement capability. One of those programmes is to improve mainstream law enforcement cyber capability. In relation to the current skill set, we conducted a training needs analysis, looking at the requirement within law enforcement. Part of that ties in with the strategic policing requirement, which has been ongoing. That now includes a cyber aspect to that requirement among forces.
To be fair, I think we found there was a particular dearth in cyber capability currently within law enforcement, and that cyber or the use of technology is an integral part to virtually every aspect of our policing response. With that in mind, a number of programmes were initiated. If I look at those in two different camps: one was a large piece of work with Skills for Justice to map out the competencies and the national occupational standards that law enforcement should have around cyber capability.
The other piece of work that we are doing is to build and embed cyber training programmes within all the current mainstream police training forces. From day one, when you join as a police officer, you will have a cyber component. Those courses are ongoing. They are being built, and we are looking at the first two main courses being rolled out in March next year that will focus on primarily open-source intelligence, but also the training course and awareness package for senior officers. The other courses are being built as we speak to go into the investigation process.
Q89 Chair: Thank you. Mr Archibald?
Andy Archibald: At the Serious Organised Crime Agency, we have a similar process in place at the minute. The challenge is very much that we have an existing workforce and investigators whose skills are very much in investigating in a traditional sense. There have been changes in the use of the internet in recent years, and as that has accelerated the skill sets to carry out investigations are very different, so we recognise that and we are addressing that in a range of ways. Initially, there is a basic foundation level of training required for all staff. We are accommodating that through some e-learning, which is accompanied by doing some testing of the learning to ensure that some of the messages have got through.
However, we recognise that different levels of skills will be required, to investigate from a foundation level to a cadre of staff who have more advanced skills and more capability, so we are focusing on a smaller number who have some greater skills in this area. Lastly, to develop or to identify some people with a particular aptitude for developing skills in this area to quite an advanced stage, so we have three levels there.
We are also working with partner agencies. We have gone through some of this transition, particularly around GCHQ. We are listening to their experiences, learning from what they have gone through, and we are about to get some support from them in relation to some of the more technical aspects about how we also incorporate that into our training.
Q90 Chair: Thank you. What of the future? Can we anticipate something like the equivalent of a digital scenes of crime officer?
DCS McMurdie: I think that is a real opportunity, and that is another area that we are doing some work around to skill up front-line officers around search, seizure and retrieval of digital material. That is one of the competencies and one of the training packages that we are building. That obviously ties in with enabling those staff, not with just the right knowledge, but with the right tools to ensure that we are doing a proportionate seizure when they go out to these investigations, reducing the amount of material that we are bringing in. We are looking at the opportunity for bespoke-as we use at the moment-scenes of crimes officers, so a higher level of search and seizure capability from that front-line member of staff.
Chair: Thank you.
Andy Archibald: If I could add, likewise we have identified within our organisation a number of individuals with particular skills and trained them as digital forensics officers, so in terms of the seizure and the initial forensic examination, they are skilled and have developed skills in that area. Equally, there is a saving in terms of how we secure those services. We have previously outsourced some of that work. We are now able to bring that in-house, and we have seen some successes as a result of doing that internally, rather than outsourcing.
Q91 Dr Huppert: International co-operation is a key part of all this, and presumably you both have key operational relationships with European counterparts, for example. To what extent are those underpinned by the existing EU justice and home affairs measures, and which ones are you most reliant on? Whichever of you wishes to answer.
Andy Archibald: In relation to the threat that we face from cyber crime, clearly it is a global threat and international partnerships are pivotal. We have relationships in a number of areas internationally-with Interpol, with Europol, with the Commonwealth Cyber Initiative-and we have liaison officers in some key locations overseas.
In relation to the EU, we have a member of staff with a cyber skill background embedded in the development of the European Cybercrime Centre, which will go live in January. We want to influence the direction and the vision for that unit to ensure it complements the UK approach. We have someone there and we want to ensure that those countries that would benefit from some capacity building-I do not know if I am heading in the right direction with this.
Q92 Dr Huppert: As you will know, the Government is considering whether to opt out of all of the Justice and Home Affairs measures. I think there are 134 of them. It would be interesting to know which ones you make use of and would want to see us stay within.
Andy Archibald: We make use of Europol and we make use of Eurojust. I think the issue of-
Q93 Dr Huppert: Are those the only ones?
Andy Archibald: In terms of cyber, those are the main ones that certainly we make use of at the minute. We have quite an extensive international network. In terms of Europol, the Euro Cybercrime Unit and Eurojust are particular initiatives that we are involved in and are engaged with on a frequent basis, and we have staff there to influence that.
Q94 Dr Huppert: Detective Superintendent?
DCS McMurdie: From our perspective, we do a load of fast-time international working operationally, but then we have the strategic sharing and engagement that takes place. From our perspective, a lot of our joint operations that we have currently running with numerous countries or working together are funded under the JIP programme, and a lot of the work around research and data sharing and co-ordination of international investigations is managed and funded within Europol, so there is a potential impact that we would see there.
Q95 Dr Huppert: I would be grateful if you could write with a full list of any others that you do use, even occasionally. You do not have to list them all now, but I would be grateful if you could do that.
Can I also just ask about cloud computing services? That is posing a number of new challenges. How do you interact with the various cloud computing services, particularly the ones based overseas? Do you work through the providers? Do you work through UK courts or overseas courts? What are your routes?
DCS McMurdie: All the above. Every investigation that we touch has either suspects, infrastructure or victims, somewhere in the world or everywhere in the world. The opportunity to capture fast-time network traffic, attacks, victim data off cloud services, wherever those servers may be, anywhere in the world.
Normally the way that we will work that would be with parallel investigations, fast-time setting up, wherever the actual data or the server manages to exist. We will run a parallel investigation with that country, get the data preservation in place, share fast-time intelligence and then follow up through the MLAT process. One of the issues around that is the timeliness of the response and the volumes of data that we are looking for, and then the legislation for that country to be able to approach the service provider to get the data on our behalf or for them to progress that.
Q96 Dr Huppert: Do you find the MLAT process satisfactory, or does it need to be improved?
Andy Archibald: It is very slow, and often, as Charlie described, the police response and engagement bilaterally is much more efficient and faster.
A couple of points around that, if I may, that I think would help. In terms of securing that information when it is cloud computing, we use the existing legislation that serves the Serious Organised Crime and Police Act, and we can go through the process to secure that information there. Where MLAT exists in terms of an evidential chain, it is right that we can use that. Of course there are hard-to-reach countries and we do not have those arrangements there. That makes it more challenging with a country with whom we do not have those arrangements, and often we will find that it is those countries where we have to try to penetrate to get the information.
Q97 Dr Huppert: We have MLATs with most countries, I believe.
Andy Archibald: Most, yes.
Q98 Dr Huppert: So there is just a small list of them that are particularly problematic.
DCS McMurdie: The issue with the MLAT is it is extremely slow; we are talking about months to obtain that data. We cannot wait months if somebody is under attack or that data has been compromised and is being used for mass fraud, for example. Also, the MLAT process for mainstream police investigations, looking away from pure cyber, whether it is online bullying, whether it is the use of technology to commit any type of offence, low-level type of offence, that data may sit anywhere in the world. Local forces do not have the resources to go through the MLAT process, and certainly the Crown Prosecution Service does not have the resources to deal with that volume of requests.
Q99 Dr Huppert: It sounds like the MLAT process could be tweaked. Are there any other key challenges you have with operating with overseas counterparts? Are there any other suggestions on how to overcome those? If not, that is-
Andy Archibald: We are developing our approach internationally. It is a real challenge because of the nature of this particular threat. Those relationships have to be worked at and worked at hard. We need to identify those countries that have the greatest impact on the UK, and how we can leverage some assistance or some co-operation from them. That is about identifying where we can put our resources to achieve that.
For example, in the earlier session, you had mention of the US experience, and certainly some of the work around academia, around partnership working with industry, around law enforcement all coming together, there are some very good and well developed examples there, which we are also part of. It is about internationally identifying where our key relationships are, have we got those relationships right and are they in the right place and, equally, is there the opportunity, perhaps, to share some capability with other countries in this particular area?
DCS McMurdie: I certainly echo those comments, but we have two main issues. The UK we can make as safe and secure as we possibly can. We can have great legislation here. The cyber criminals know they will go to the weakest country, the hardest to reach country, and they will use its infrastructure or commit their attacks from there, so we keep chasing our tail to a certain degree around that. We have seen that with a lot of the internet governance work, with sites being hosted in hard-to-reach countries that we cannot have an impact on.
The other aspect that we have to respond to is where we are being attacked in the UK from systems, infrastructure coming through proxies, potentially. Quite often we do not know where that attack is emanating from within the time-critical period, and the ability to reach out to wherever that attack may come from and take action is not covered by UK legislation and UK powers. There are some issues around that.
Q100 Karl Turner: We hear that criminals are increasingly using social networking sites to target potential victims of online scams. I wonder whether your observations support that assertion.
DCS McMurdie: Twofold, without going into too much of our opportunity and tactics that we use in investigations, but criminals more often than not also have a social network footprint that is quite useful sometimes when we are conducting an investigation. Yes, we have seen social networks being used as per phishing-type scams. So dissemination of the scam-type email, as well as bespoke, looking at individuals’ open-source footprint to target them specifically, particularly where you are trying to get an inroad into an organisation or use that intelligence to corrupt individuals or harness vulnerabilities that may exist. It is used in a number of ways, to be honest.
Andy Archibald: The other point to make around that is that there are well known social networking sites that we will all be familiar with, but internationally there are a considerable number of social networking sites. We have evidence and have seen those for sale on criminal forums, so you would buy a social networking site that you could then restrict access to and use that. Equally, in terms of social network sites, we have seen some online chat rooms; again, access to those chat rooms is restricted. Malware and other tools and techniques, which they can sell and market to have cyber attacks, are being dealt with and traded.
Q101 Karl Turner: Do you think there should be stronger requirements on social networking sites about storing information and sharing personal data?
DCS McMurdie: There is a real opportunity, as you have just heard, about public awareness with that. There is freedom of speech, and people put all sorts of information on the internet without realising how vulnerable that makes them. Our information is out there on 500 to 600 different databases at any one time, and the criminal groups run automated programmes harnessing all that data around us, day in, day out, and then they will utilise it to their advantage.
There is a real prevention opportunity. There are data sharing issues around obtaining the data when it has been compromised from some of those network providers and social networking sites. More often than not, a lot of them exist over in America, and how we obtain that data back. I think we need a balance between awareness and some sort of guidance about what personal data should or should not be retained about individuals.
Q102 Karl Turner: Talking of public awareness, where should the spend go? Should it be on public awareness campaigns or on law enforcement?
DCS McMurdie: We talk about prevention, and most people tend to think Action Fraud, Get Safe Online. The public awareness piece, which does need doing, is very important. A lot of people will not tend to look at that sort of advice until they have fallen foul, and that is human nature. There is an opportunity to increase that public prevention with perhaps tactical engagement, so more physical.
Part of the training programme that we are doing is skilling up prevention officers to give individuals that face-to-face prevention messaging, but the prevention work that we tend to do, because of our role remit, is to go after the guys that are harvesting hundreds of thousands of identities. We then would call that prevention in getting to those identities, disseminating them among industries to prevent them being utilised. That is a prevention, and that is something that we capture our performance around.
There is also, with that, a responsibility for who will take those hundreds of thousands of identities and do the preventative piece of work, to tell that individual, "Your computer is potentially compromised. Your financial identity is in the hands of that criminal group" to stop it being used. We currently share all that data with the UK Payments Association, so the UK banks, and we share it with the ISPs, but where we are dealing with thousands and thousands of identities we cannot go after each of those victims, so there is a victim care issue there as well.
Andy Archibald: I do not think it is an either/or. In terms of the response to cyber crime, there are a range of things and a range of opportunities for us to have an impact. Prevention and public awareness is a key aspect of that. The Commissioner in his previous evidence referred to that as well. Get Safe Online is one example of that. The work that they are pioneering in terms of increasing public awareness, ensuring that members of the public and society are aware of anti-virus and how to protect themselves is a really, really important message, in terms of both reducing the threat and managing the threat.
A number of figures are quoted, but about 80% of attacks could be prevented if individuals or small businesses had protected themselves and taken advantage of anti-virus software. There is an education we have to go through, and I think we need to ensure that we invest the appropriate effort there. The challenge for us is: how do you measure what you have prevented, if we have done some preventative activity? I chair the steering group for Get Safe Online, and that is the challenge that I have put out to that group. If we are going to invest resources and money here, we need to be clear about the benefit and the success of that campaign.
Q103 Mr Winnick: The Police Central e-Crime Unit, which you head, reported that it has prevented-and I give the figure; I have it in front of me-£538 million of harm since last November. If that is not spin, and I would not for one moment dream that it could possibly be, how is it calculated?
DCS McMurdie: There is a bit of a formula behind it, sir, and the issue is how we capture the harm around the work that we are undertaking and the harm that we are preventing.
Q104 Mr Winnick: The precise sum?
DCS McMurdie: That precise sum, which has now increased, and we look at the ratio of investment, so how much it costs me to fund that operation versus how much harm we prevent-so, how many of those identities that have been stolen, and how much fraud they would have facilitated over a period of time. The harm formula was put together with our performance team within the Metropolitan Police, with the assistance of Professor Levy and PricewaterhouseCoopers, some time ago, and then subjected to a number of challenge panels, including the Home Office and the Audit Office. It is a fairly complex process to look at the costs that different companies suffer.
We tend to very much underestimate the figures when we look at data that has been stolen that could be used for fraudulent purposes, because you cannot assume that all that data would successfully perpetrate that fraud. Likewise, we do not tend to use the victim figure because, with a lot of the victims, there is a notional figure for how much harm and how much it costs that victim to sort out their accounts or sort out their bank accounts or that payment that has not gone through. We tend not to use that as well, because a lot of the victims that have had their financial data compromised are not necessarily aware of that fact, and that is resolved by the banks.
All our figures-and I have the latest harm reports here for the next six months-are calculated using the same formula. What is really useful is the ratio, whether people may dispute the figures, of how much fraud would be perpetrated with an identity. The ratio of return on investment is steadily increasing, so the performance of my unit, whichever formula, or sticking to that same formula, is substantially increasing. I would put that down to our building better relationships within industry and academia, who are working with us every time we take these investigations on.
An example of that is the work that we are doing with the Virtual Task Force, so all the banks now work hand-in-hand with my team and it costs me substantially less to take on that investigation and run that at a very fast pace. Whereas historically it might have taken me six, seven or eight months to conduct that investigation, I can now do that in partnership with the banks within a number of weeks, so it is cheaper.
Q105 Mr Winnick: So it is a complex calculation, at the best of times?
DCS McMurdie: It is slightly complex, but I have an explanation that I can certainly send in to you.
Q106 Mr Winnick: I am sure the Chair would agree that would be very useful. I mentioned the figure of £538 million, which you have reported, and you said it has increased. What is the latest?
DCS McMurdie: £797 million within 18 months.
Q107 Mr Winnick: Total, in all?
DCS McMurdie: That is how much harm my unit has prevented.
Q108 Mr Winnick: It has more or less doubled from November last?
DCS McMurdie: No, we were at £538 million, I believe. It has gone up, perhaps not the same increment, but we have had to back-burner some cases because of the Olympics response that we have put in place.
Q109 Mr Winnick: By a third, perhaps; a quarter to a third. I have not done the arithmetic. How far does SOCA differ from the analysis?
Andy Archibald: We have a range of measures in terms of how we measure how successful we are being, and Charlie has emphasised the importance of arrests in that in particular; it is vitally important in terms of public confidence and deterrent in the UK that we make arrests.
The reality is that being successful in cyber crime involves much more than arrests. We have heard about prevention and about having public awareness, but equally the threat that we face is international. While the victims may be in the UK, those who are perpetrating the offence may be in one part of the world, those who have produced the malware will be in another part, and the financial transactions could be in another country entirely.
In terms of arrests and disruptions, we do rely-in terms of having a real impact on cyber crime-on the co-operation of a range of different partners and countries. If we continually arrest in the UK, for the reasons I have identified, that is part of the solution. What we really want to see, to have an impact, is those that are producing the malware, hosting the criminal forums internationally and laundering the money-those are the people that we need to target to have the greatest impact.
We measure some of those things in terms of how we share intelligence and intelligence packages with colleagues internationally, and how we then track what they are going to do with that intelligence and the difference it makes. We have some way to go in terms of the UK and the National Crime Agency, National Cybercrime Unit, coming up with a measurement, a metric and a narrative that describes how successful we are. I think it is a range of things, all the way from prevention, awareness, arrests in the UK, and arrests and targeting internationally with partners.
Q110 Mr Winnick: Thank you. Just one question. How many are in your unit, the personnel?
DCS McMurdie: Within my unit, sir?
Mr Winnick: Yes.
DCS McMurdie: We have recently grown from around 32 to 33 staff. We now have an establishment of 107 police officers, police staff. That includes three regional hubs, where we fund three staff in each of those hubs in the north-west. In addition to that, we have a number of special constables and members of industry that come in and assist us. We have gone through substantial growth as a result of the spending review last year. We have increased by 70-odd staff.
Q111 Mr Winnick: The permanent staff, apart from what you have said, people coming in?
DCS McMurdie: About 107 to 108. That includes the team that delivers on those national programmes of work as well.
Mr Winnick: Thank you very much.
Q112 Karl Turner: I think you said, Superintendent, that in your view judges are passing down lenient sentences to cyber criminals-sentences that do not really reflect the harm that that criminality causes. What do you think that is down to? Do you think it is anything to do with the difficulty of the victims giving evidence as to the degree of harm that has been caused to them? What else might it be?
DCS McMurdie: A number of issues. It is very difficult to put a figure on potentially thousands of victims that have been compromised and evidence how much harm that has caused. This is an age-old problem.
We had a case at court last week. Potentially, several hundred victims had been attacked, and not all of those victims are prepared to stand up and evidence that fact. It is also difficult for judges, perhaps, when they are faced with individuals who tend to be fairly young, quite often, with no previous convictions. They have committed an offence over the internet against a big banking company or whatever the business may be that has suffered some sort of loss.
With fraud, you can see the financial amount that has taken place. I think there is work to be done by law enforcement to capture the loss and the harm, the loss of those facilities in being able to trade. How much harm does that cause? To put that in front of the judge, to enable the judge to get a better picture and sentence appropriately.
Chair: Ms McMurdie, Mr Archibald, thank you very much.
Examination of Witnesses
Witnesses: Professor Peter Sommer and Professor Ross Anderson gave evidence.
Q113 Chair: Professor Anderson, you said that one of the problems for policymakers is to understand the scale of e-crime and its costs. What are the main difficulties in establishing accurate measures?
Professor Sommer: Defining what you are trying to measure. Most of the-
Chair: No, I am asking Professor Anderson first, sorry. I will come to you in a second.
Professor Sommer: Sorry.
Professor Anderson: I would agree that measurement is an issue, and the British Government, the European Government and the American Government tend to use different measures. We produced a report on the costs of cyber crime, to which I drew the Committee’s attention, where we dealt with this issue by simply setting out separate categories. We have a category for those things that are indubitably cyber crime because they did not exist before the internet-things like fake AV software.
There is a category for crimes that existed before but whose modus operandi has changed completely, such as payment card fraud and much of banking fraud. Then there is a third category for frauds that have been defined to be cyber crimes because they are done online, such as tax fraud and welfare fraud. All VAT returns are now filed electronically, so if you have a carousel fraud, that is by definition now cyber crime, although the mechanisms used by people to do that are essentially no different than they were five years ago when they were all on paper. The robust way to deal with this, I think, is to just look at the categories separately.
Q114 Chair: Thank you. Professor Sommer, you were about to comment.
Professor Sommer: My apologies for interrupting prematurely. Most of these things can be defined in a number of different ways. Nearly all the frauds are going to be regarded as offences under the Fraud Act 2006, which was specifically designed to cover the e-dimension. Prior to the Fraud Act 2006, there was an issue as to whether you could have the deception of a machine-in other words, a computer-and that overcame that problem, and there are lots of useful categories within that.
Some of the other types of activity are clearly going to be offences against children. In all the estimates that people have been making about levels of harm, nobody has been talking about children, although in fact your first session this afternoon was all about children. I do not have the faintest idea how you are going to measure the harm to a child, even one whose photograph has been put up on to the internet and is there for all time. A lot of the figures end up being rather fanciful.
I have been listening very carefully to Charlie McMurdie’s explanations of what she meant by harm and although I am a great fan of the work, I have always had great difficulty in understanding what this harm factor was, other than as the means of persuading people to fund her work. It does seem to me that there is an overall problem in Whitehall that, unless you can put figures on to something, the problem does not exist, and if the figures do not exist then you invent them.
I suppose an overwhelming argument of that is a report produced by Detica on the cost of cyber crime, which managed to exclude any reference to children, any reference to the effects of malware, but included industrial espionage, which happens not to be a crime in this country, even though we know it causes potentially a great deal of harm. How they managed to get precise figures on an industry-by-industry basis of the amount of losses incurred as a result of industrial espionage really beats me.
One of the things I would suggest to the Committee is that perhaps the most important statistic of all is to look at the level of computer ownership and, consequently, the level of computer use in the country. The figures from the Office for National Statistics and Ofcom are almost identical. We are now well past the three-quarters mark in terms of individual PC ownership within the home. They are all typically going to be connected permanently to the internet via broadband. My guess is that after next Christmas when lots of people will have bought tablets, those figures will have gone up enormously. To take the matter even further, although I entirely recognise why the Committee is looking at e-crime, perhaps we can no longer make the separation between crime and e-crime, and the fact that we are trying to do so, other than looking at issues of how do we resource and how do we split up the various entities that are addressing it, trying to produce overall statistics may not be terribly helpful in the end.
Chair: That is very helpful, coming from you, because it takes us on a different track.
Q115 Dr Huppert: It is a pleasure to see both of you again. I think I have detected scepticism about Detica and Home Office figures before, in a range of contexts. Can I firstly ask about digital forensic capability within the police force as a whole? What level do you think that is at, and how could it be improved?
Professor Sommer: It is very patchy. As I think you know, I am a part-time academic. Most of my income comes from acting as an expert witness, and I specialise in digital forensics. When I say "patchy", I do not mean to say it is bad. It means that there are patches of astonishing excellence. They are often at relatively low rank levels in the police. They are constables, they are sergeants, but you will find a number of them have Master’s degrees. Having had to examine some of those dissertations, they are at a very high level and they are internationally regarded as such.
Once you get away from those enthusiastic specialists, once you get away from what you will find in the elite teams of the sort that you have heard from SOCA and PCeU, then it gets really pretty bad. One of the problems at the moment is that the police are trying to economise to meet the 20% reduction target. Then permanent staff-perhaps civilians-are being let go, and recourse is being made to the private sector.
There is a particular trap I want to draw the attention of the Committee to. Competitive tendering for outside forensic work sounds a very good idea, but in digital forensics what happens or what needs to happen is that you are not just sending something away and saying, "Do you have a match for this DNA? Do you have a match for this fingerprint?" Most digital forensics is about reconstructing events. So the digital forensics specialists, whether they are private sector, whether they are police, need to work together with the investigating officer. That happens in the elite groups. In my experience, it happens really increasingly rarely in the lower levels of ordinary crime, where digital evidence is important.
Q116 Dr Huppert: Just to be clear, in the areas where you say it is bad, is it that digital forensics are not done, or that they are done incorrectly?
Professor Sommer: The problem is that if you have competitive tendering, it rather assumes that the tender is perfectly framed so that people know what to respond to. If the mainstreaming process which Charlie McMurdie talked about, which I think is very important, is imperfect, then what they are asking the tenderer to do is probably malformed. If you are squeezing them on price, there is no incentive for them to go back and say, "Excuse me, you are asking the wrong question", so they just deliver on what they are being asked to do. As a result, lots of things get missed, and may only occur, may only arise, if there is then a strong defence where questions are being asked.
Q117 Dr Huppert: I will bring Professor Anderson in in a second. But can I just be clear-do you think there are any cases where it is not that things are missed, but things are inaccurately found?
Professor Sommer: I do not think I have a universal knowledge. My worry is much more things that are missed, rather than incorrect conclusions being found.
Q118 Dr Huppert: Professor Anderson?
Professor Anderson: I would agree that forensics tend to be patchy. There have been many cases of things missed, one or two notorious cases of wrong conclusions being drawn, although that tends to have been some years ago, as things are getting better. Generally, the problem is that, as computers and communications become embedded everywhere, digital forensics then become a part of every investigation. The state of affairs is better than it was 15 years ago, when I started getting involved in policy, or 30 years ago, when I started doing this, but it still has some way to go.
Q119 Dr Huppert: What steps do you think need to be taken to improve it? What should we be recommending?
Professor Anderson: The ability to deal with digital evidence has to be integrated into the police force everywhere and at all levels. You might care to draw an analogy with the arrival of the motorcar two generations ago. It would now be unthinkable for a police officer to be unable to drive, unless they had been disabled but kept on in a back-room job, but it is perfectly thinkable to find even chief constables who would get their secretaries to deal with their e-mail.
Dr Huppert: Unlike Members of Parliament, of course.
Professor Sommer: We have heard a lot about mainstreaming, and I do not regard it as the fault of the officers you have had in front of you. This policy of mainstreaming has been around for five years, at least, to my certain knowledge, if you go and look back at some of the policy documents that have come out, and it always comes along very, very slowly. For a lot of these things, you will find, in the police, one of the other areas you need to look at probably is the capability within the Crown Prosecution Service to handle all these things. You can see the policies are there. It is just that they are not rolling out at the speed with which people are using computers. As a result, digital evidence is important.
Q120 Mr Winnick: Professor Anderson, you have of course appeared before us on previous matters in the last Parliament. I do not think events have proved you wrong by any means. You are both rather sceptical about the action being taken on e-crime, but you were present a few moments ago when the Head of the Police Central e-Crime Unit referred to the sum of money, now over £700 million-increased, as she told us, from November last year. Surely that demonstrates that it seems to be working.
Professor Anderson: What we have done in the analysis that we did for the Costs of Cyber Crime Report, which was requested by Sir Mark Welland, the Chief Scientific Officer at the MoD, after there was widespread scorn for the Detica report, was to try to unbundle things into direct and indirect costs. When you look at that, you discover that many of the costs of cyber crime are indirect costs, and I do not think that official accounting takes this into account properly.
Let me give you an example. In the year 2010, about a third of all the spam in the world was sent by one botnet, the Rustock botnet, and the owners of that botnet earned about $3.5 million from what they did. There was a colleague of mine in California who went to the trouble of tracing this with test purchases of Viagra and so on so that he could get some forensics.
In broad terms, spam cost the world $1 billion, most of this falling on ISPs and on service companies like Google. If a third of those are back to the Rustock botnet, then for every $1 the bad guys made, $100 of costs fell on everybody else. This is very, very different from traditional fraud, such as tax fraud, where the amount that the fraudster gets away with is typically most of it, and the indirect costs, the enforcement costs and so on and so forth, are but a small proportion. So, you are dealing with an intrinsically different animal than you are with conventional fraud, and using conventional Home Office methodologies is not necessarily the best way forward.
Q121 Mr Winnick: Either Professor Sommer or Professor Anderson, as briefly as you can, what would you say the Government should be doing that it is not doing?
Professor Anderson: We should be locking up more villains. We should be putting more of the cyber budget into policing and less of it into the intelligence sphere, into cyber war, broadly defined. This Government made a very welcome increase of £640 million in the cyber security budget two years ago, but 59% of it went to GCHQ and only a few million to the police. Had I been in the room when that decision was taken, I would have argued for the police to get more at the expense of GCHQ.
Q122 Mr Winnick: Professor Sommer, more or less the same?
Professor Sommer: More or less the same. I want to add something, and I think it emerged out of your questioning. I think you were absolutely right to press everybody on public education and on prevention, because no matter how good the police are, they are only going to be able to scratch the surface, and there is a lot to be said for helping people help themselves. In addition to doing that, one of the big routes for cyber crime is the so-called botnet, when you have poorly-secured computers, so there is a public health argument as well in terms of persuading people to look after their computers.
Again, if you go back to the budget, I have been looking at this budget, and I was looking at it again last week when we had the annual report from the Minister, and I was saying, "Where is this preventative thing?" and it has all rolled into other places. It almost becomes discretionary for the police, as part of their role, how much they are going to assign to it. If one looks at the single element that is assigned to public awareness, which is Get Safe Online, their budget over four years is £395,000. That is 0.06% of the total. That seems to me to be tragically low, and I agree with Ross that taking a few million away from GCHQ, for all the good work we believe they are doing, and putting that over to public prevention would be astonishingly good value for money.
Q123 Mr Winnick: Would you, have you, or are you intending to put this in writing to the appropriate Minister?
Professor Sommer: I put it in writing, partly, to you, and I was rather hoping that, as an influential Select Committee, the Minister would see it. I have raised this with the Cabinet Office. In fact, I raised it before their first report was published. They did call a number of us in to discuss a number of the issues, and I did keep on saying, "How much are you assigning towards all of this and towards public education?" They said, "You make a very interesting point", but when I came to look at the assignments and the final documents, I obviously was not as successful as I would have liked to have been.
Mr Winnick: The Ministers will see our report in due course, and hopefully the Home Secretary or whatever, the officials, will go through the questions and answers of sessions like this. Thank you very much indeed.
Q124 Mark Reckless: I am a little concerned about dismissing perhaps what GCHQ is doing with this money, not least because I do not have a good understanding of what that money-
Professor Sommer: I am not dismissing. They easily have the largest budget, on the basis that £650 million over four years is not going to be extended. The obvious place to look, if you are going to take money away, is the largest budget-holder.
Q125 Mark Reckless: Is it not possible that that may lead to some things that are very important not being done?
Professor Sommer: I do know a few people at GCHQ, but my overview of their general policy, I am afraid, is as opaque as almost everybody else’s who is outside that particular environment. It has always been, I think, the big problem in evaluating police cyber security policy. There were a number of discussions both before and afterwards, and I remember asking the Cabinet Office, who were disposing of the money, and alas, as with so much to do with intelligence work, you have to take it on trust and hope that the trust is justified.
Q126 Mark Reckless: But you do not take it on trust, and are confident that if that money were redeployed there would be better returns to it?
Professor Sommer: All I am saying is that, if you take an organisation that has only £100,000 a year, does not have an office, and you were to give them another £1 million, I suspect that the benefits would be rather greater than another wonderful machine to carry out surveillance by GCHQ. That would be my guess.
Q127 Mark Reckless: Thank you. Do you recommend making any changes to crime recording practice to get a more realistic or broader understanding of online crime? Would that be sensible?
Professor Anderson: This is something that we have spoken about a number of times over the years, since 2005 when the previous Government-unfortunately, in my view-decided that fraud reporting should be done to the banks, rather than to the police. This caused the fraud statistics to go down, but it opened up an even larger gap than is usually the case between the crimes reported through the police, on the one hand, and the crime levels reported through victim surveys on the other. Now, for most practical purposes, official recorded crime is useless in determining the level of fraud.
The most recent UK official figures that we have are annex 3 to the British crime survey for 2010, which suggested that, although our risk of becoming victim to a traditional acquisitive crime, such as burglary or car theft, was about 2% per annum, your risk of becoming a victim of fraud was about 5%. The only figures we have had since then were from a Eurostat survey in 2011, which was conducted across the Member States of the EU, which suggested that in the UK we were in the second-worst position after Latvia.
Both the experience of crime and the fear of crime appear to be significant in this country, yet official crime statistics do not give us any pointer, at least in England. In Scotland, things are different, because there was a survey there last year that indicated that the main fear of crime north of the border is of online crime, card and online banking crime-not of violence or mayhem, despite my countrymen’s reputation for that. Very, very patchy official statistics have arisen. If you could nudge the Government towards fixing that, that would be useful.
Professor Sommer: There is another recommendation you might like to think about. If you perhaps follow my earlier remark that lots of things can be defined both as a cyber crime and as an ordinary crime, the police have systems for when a crime is reported to enter things on to a form so that they can build up statistics and they can then follow the crime up. There was some discussion a few years ago about introducing a field in that form as to whether there was digital evidence.
I do not know how matters have progressed at the moment, but that seemed to me to be an excellent idea because at very, very low cost you would be able to go back across a whole range of crimes, see where digital evidence seemed to be important and you would then be able to do resourcing. That would be without getting into statistics about whether it is a fraud or whether it is an extortion or any other sort of thing that you might call cyber crime. It seemed to me to be a low-cost solution. I know there was a proposal. I do not know where it has gone to at the moment, but I think it might be something the Committee may want to probe.
Q128 Dr Huppert: Firstly, Professor Anderson, just very quickly, you were somewhat critical of the limited amount of funding that was given to the police from the cyber security programme. How much should they be getting? Can you put a number on the size you would like to see?
Professor Anderson: I have not thought that through in concrete budgeting terms, but what is needed in operational terms is basically to train the entire UK police force to deal with digital issues competently, and to have sufficient specialist resources that we are able to go after the perpetrators of large-scale globalised petty crime. This is one of the things that is almost ignored at the moment.
Typical large-scale cyber crime might consist of somebody in Russia sending out 100 million phish and getting a few hundred respondents and defrauding each of a few thousand pounds. Each of these crimes individually falls below the radar. What we need to do, in order to have a proper determinative effect, is to consider them in total and work together with agencies in other countries where there are victims, to go after the bad guys and lock them up. That is not being done enough at the moment.
Q129 Dr Huppert: Professor Anderson, you cited, in your evidence to us, the banking regulations being the UK’s biggest legislative failure in relation to tackling e-crime. How would you change that?
Professor Anderson: What I have been doing to try to change it is trying to educate people about the consequences of the regulatory failure. The problem is that in Britain, banks often find it easy to blame their customers for fraud. We have been doing this firstly through the press. There was a Channel 4 Dispatches programme last night, which showed that, for example, the Ombudsman was dealing with about 70 cases per day where customers did not get their money back from banks after fraud.
We have been lobbying BIS and the Bank of England about this. The problem was that the Financial Ombudsman Service considered itself to be independent, and therefore nobody wanted to touch it. The Financial Services Bill that is currently going through Parliament-or perhaps it has just gone through; I do not know-should give the FCA the power to regulate the Ombudsman Service from next year, so we will be seeing the FCA and presenting files to them of cases in which the Ombudsman has failed.
The failure is that the Ombudsman, in effect, has completely ignored the Payment Services Regulations 2009, and people going to the Ombudsman with complaints found that the responders were unaware of the existence of the regulations. The banks have therefore been treating the Payment Services Regulations as if they did not exist. There is consumer protection, which the European Parliament and this Parliament wisely enacted, but it has not had any force or effect.
Q130 Dr Huppert: One suggestion that we have had from some people is that victims who suffer personal loss should have some liability if they were negligent about their own computer security. Do you think there is any merit in approaches like this, either of you?
Professor Anderson: The banks certainly claim that they will blame people if there was gross negligence. In practice, they often blame people as a routine matter, even when it is not clear there was negligence at all. One of the things you have to be very careful about here is safe default. I am not quite as enthusiastic about public education as some other people, because of the simple fact that computers and mobile phones and social networking sites tend to ship with unsafe defaults because it is better for selling advertising.
So you have to think very, very carefully in this context: what do the equipment vendors, the service providers and so on want people to do, and what are the risks to which that exposes people? In such circumstances, you then have to ask to what extent it is reasonable, in given circumstances, for banks to impose liability on people. The problem is it is a shallow gain here. Everybody is trying to push liability on everybody else. It is even fashionable in the industry. We call it leverage. The buck has to stop somewhere, and ultimately it is down to the legislator to decide where the buck should stop.
Professor Sommer: The problem is also evidence. How do you show that something has actually happened? Most people have no idea how to even address the problem, so they are always at some considerable disadvantage, as Ross has pointed out.
Q131 Chair: Finally, gentlemen, could I ask whether you think it is possible to secure large Government databases against cyber attack?
Professor Anderson: There is a problem in that you can have security or functionality or scale. If you are a good engineer you can have any two of those, but people putting out tenders for systems in Whitehall tend to assume that getting all three is trivial.
Q132 Chair: Professor Sommer?
Professor Sommer: I think Ross has captured it. The more people that have access to a system, the more likely it is that there will be some sort of failure, even if the technical side of it is absolutely immaculate. You are right to ask the question. I am afraid it is an impossibility.
Chair: Gentlemen, can I thank you very much on behalf of the Committee for your evidence? That concludes our business for today.