Scotland Yard's Computer Crime Unit is cash-strapped but is
still catching the crooks, writes Bill Goodwin
Scotland Yard's computer crime unit does not hit the headlines very
often, but behind the scenes its small, highly qualified team of
detectives can lay claim to having cracked some of the UK's most
important computer crime cases.
The unit, formed in 1984, is the country's first computer crime
unit. Its victories include the prosecution of the Black Baron,
responsible for the devastating Pathogen and Queeg viruses, and the
arrest of the Datastream Cowboy, a teenager who hacked his way
through US military systems in the late 1990s.
More recently the unit won a commendation for the prosecution of
Simon Vallor, the 22-year-old Welsh disc jockey, sentenced to two
years for writing the Gokar, Redesi and Admirer viruses - the
longest sentence ever given to a virus writer.
Operating from a brown office block in Buckingham Gate, London, the
computer crime unit is part of Scotland Yard's specialist crime
directorate (SCD6), which focuses on activities as diverse as
wildlife crime, money laundering, stolen vehicles and public order
intelligence, providing them with advice and forensic
services.
It is one of five specialist computer units in New Scotland Yard -
the others provide dedicated forensic services to the paedophile
unit, clubs and vice, the anti-terrorist unit and special branch.
They work alongside a civilian-run computer systems laboratory
which provides forensic services to other parts of the Met.
The computer crime unit's main role is to investigate, gather
intelligence and to disrupt the activities of criminals responsible
for software piracy, hacking, virus writing and denial-of-service
attacks.
Its acting head is detective inspector Clive Blake, a seasoned
detective with a background in fraud and money laundering
investigations. He oversees an eight-strong unit, made up of two
detective sergeants and six detective constables.
All are highly qualified in computer security. Between them they
hold three certified information systems security professional
(CISSP) qualifications and a Cisco certified network associate.
Two of the detectives are qualified CISSP instructors, and three
are currently completing an MSc in computer security.
This level of specialisation is essential if the unit is to be
taken seriously by the IT profession, said Blake.
"We have recognised over the past couple of years that in order to
get the confidence of industry, we do need specialists with
external professional qualifications that industry recognises and
is comfortable with. So that when officers attend crimes, and meet
companies and IT staff, they can talk the talk."
The unit still manages to find the time to offer businesses,
particularly small- and medium-sized companies, advice on improving
their security - an important crime prevention measure. Because it
has no commercial axe to grind, it can offer more objective advice
than IT suppliers.
"We regularly get phone calls covering the spectrum of internal
employment problems through to patching systems, the whole spectrum
of IT. Sometimes people expect too much from us, but if we don't
know the answer we can point them in the right direction."
However, persuading companies to report computer crimes is still a
problem. Many firms are concerned that reporting a crime will
inevitably lead to a public court case and bad publicity, but this
really reflects a misunderstanding of the way the unit works, said
Blake.
"If the company does not wish the matter to proceed to court, we
still have the ability to investigate, maybe arrest people, and in
conjunction with the victim company, consider civil action that may
address their problems."
This could range from disruptive operations, such as seizing
computer equipment from a hacker, obtaining court orders to recover
stolen data or taking out "gagging orders" to silence them, rather
than criminal prosecutions.
"As long as we are consulted at the earliest possible stage, it
gives us the opportunity to discuss with companies what their needs
are. We can discuss the best strategy and confidentiality issues,
and work together."
The cross-border nature of these crimes means that the unit has to
work closely with overseas police forces. It has an "excellent"
working relationship with the Federal Bureau of Investigation and
with computer crime units across the world - essential for tracking
down virus writers and hackers.
"There is a good network around the world of qualified police
officers who are IT literate and who know how to seize evidence and
to maintain evidential standards. We know that someone will phone
you back when you seek information through the conventional
channels and package it in the right way with no problems over
jurisdiction."
The work of the unit has changed noticeably over recent years, with
a greater proportion of investigations focusing on external hacking
rather than security breaches by current and former
employees.
Computer criminals are also changing, becoming more professional,
and often teaming up with organised criminal groups, said detective
sergeant Steve Santorelli, one of the unit's senior
detectives.
"Gone are the days of hackers sitting alone in their bedrooms. They
are networking, meeting together and going out for beers with each
other. They are becoming more technically competent and richer. We
are starting to see an increasing number that have developed drug
habits because they are earning so much money from their day
jobs."
Since the terror attacks of 11 September, anti-terrorism operations
are occupying an increasing amount of the unit's time. Its
detectives are working closely with the Security Service to monitor
and gather intelligence on terrorist threats.
But any IT director visiting the unit would be shocked to learn
that it has no equipment budget. It competes for resources with
other teams in the specialist crime directorate and, in effect,
relies heavily on sponsorship from suppliers, which donate or loan
the latest equipment and software free of charge.
There is no training budget either, which means that the unit's
detectives have to fund specialist training out of their own
pockets, up to £5,000 for an MSc course in computer security. Most
of the detectives study in their spare time at evenings and
weekends. It is not unusual for them to pay for items of specialist
software themselves, rather than go through the Met's labyrinthine
procurement process.
Although the Met has recently increased the tenure of service for
detectives in the unit from five to 10 years, Blake admits that
staff retention is still a major problem. Good detectives are
frequently snapped up by the private sector, which is struggling to
find qualified security professionals even in the downturn.
"In the five years I have been here, a considerable number of
officers have left for well-paid jobs in the private sector because
the industry recognises their skills. Staff retention is an issue
when people have taken the time and trouble to pursue academic
qualifications.
"It is a personal comment but if the organisation was to recognise
this, and assist with funding for training, that might address the
issue," said Blake.
Most of the unit's work rarely reaches the public's gaze partly
because some of it touches on areas of national security but also
because the unit is anxious to preserve the anonymity of the
businesses that report crimes.
This can be a source of frustration for a unit which feels it has a
lot to boast about. But Santorelli said it goes with the territory.
"I have spent the last few months tracking down hackers who are
more skilled and have caused more damage than Kevin Mitnick. But we
can't talk about it because it goes against the ethos we have of
keeping information confidential."
Hacker hits critical sea port infrastructure
Detectives from the Metropolitan Police Computer Crime Unit
arrested an unemployed man in Dorset after a joint investigation with
the Federal Bureau of Investigation into a serious denial of
service attack against critical computer systems in the Port of
Houston, Texas.
Aaron Caffrey has been charged with breaches under the Computer
Misuse Act 1990, after computer systems in the port were brought
to a halt in what police believe is the first electronic attack to
disable a critical part of the country's national
infrastructure.
The scheduling computer systems at the Port of Houston, a
25-mile-long public and private sector complex, came under attack
in September 2001, when an intruder bombarded a web server with
thousands of electronic messages. The attack left the port's web
service, which contained crucial data for shipping pilots, mooring
companies and support firms responsible for helping ships navigate
in and out of the harbour, inaccessible, placing shipping at
risk.
The FBI traced the attack to Dorset and passed data to Scotland
Yard's Computer Crime Unit, which analysed web logs to pinpoint the
perpetrator.
Programmer attacks payroll system
Scotland Yard detectives were responsible for identifying and
tracking down Stephen Widdowson, a computer programmer, who
reprogrammed his employer's payroll system to siphon money into his
personal bank account.
Widdowson, who paid himself thousands of pounds every month, fled
to South Africa, but was successfully extradited during a joint
investigation between Scotland Yard and an elite South African
enforcement unit.
He was sentenced to three years in Southwark Crown Court last
year. Police are still involved in operations to seize Widdowson's
assets.
For more information on the computer crime unit go to www.met.police.uk/computercrime/index.htm#SO6