Scotland Yard's Computer Crime Unit is cash-strapped but is still catching the crooks, writes Bill Goodwin
Scotland Yard's computer crime unit does not hit the headlines very often, but behind the scenes its small, highly qualified team of detectives can lay claim to having cracked some of the UK's most important computer crime cases.
The unit, formed in 1984, is the country's first computer crime unit. Its victories include the prosecution of the Black Baron, responsible for the devastating Pathogen and Queeg viruses, and the arrest of the Datastream Cowboy, a teenager who hacked his way through US military systems in the late 1990s. More recently the unit won a commendation for the prosecution of Simon Vallor, the 22-year-old Welsh disc jockey, sentenced to two years for writing the Gokar, Redesi and Admirer viruses - the longest sentence ever given to a virus writer.
Operating from a brown office block in Buckingham Gate, London, the computer crime unit is part of Scotland Yard's specialist crime directorate (SCD6), which focuses on activities as diverse as wildlife crime, money laundering, stolen vehicles and public order intelligence, providing them with advice and forensic services. It is one of five specialist computer units in New Scotland Yard - the others provide dedicated forensic services to the paedophile unit, clubs and vice, the anti-terrorist unit and special branch. They work alongside a civilian-run computer systems laboratory which provides forensic services to other parts of the Met.
The computer crime unit's main role is to investigate, gather intelligence and disrupt the activities of criminals responsible for software piracy, hacking, virus writing and denial-of-service attacks. Its acting head is detective inspector Clive Blake, a seasoned detective with a background in fraud and money laundering investigations. He oversees an eight-strong unit, made up of two detective sergeants and six detective constables. All are highly qualified in computer security.
Between them they have three certified information systems security professional (CISSP) qualifications and a Cisco certified network associate. Two of the detectives are qualified CISSP instructors, and three are currently completing an MSc in computer security. This level of specialisation is essential if the unit is to be taken seriously by the IT profession, said Blake.
"We have recognised over the past couple of years, that in order to get the confidence of industry, we do need specialists with external professional qualifications that industry recognises and is comfortable with. So that when officers attend crimes, and meet companies and IT staff, they can talk the talk."
The unit still manages to find the time to offer businesses, particularly small and medium-sized companies, advice on improving their security - an important crime prevention measure. Because it has no commercial axe to grind, it can offer more objective advice than IT suppliers.
"We regularly get phone calls covering the spectrum of internal employment problems through to patching systems, the whole spectrum of IT. Sometimes people expect too much from us, but if we don't know the answer we can point them in the right direction."
However, persuading companies to report computer crimes is still a problem. Many firms are concerned that reporting a crime will inevitably lead to a public court case and bad publicity, but this really reflects a misunderstanding of the way the unit works, said Blake.
"If the company does not wish the matter to proceed to court, we still have the ability to investigate, maybe arrest people, and in conjunction with the victim company, consider civil action that may address their problems."
This could include disruptive operations, such as seizing computer equipment from a hacker, obtaining court orders to recover stolen data or taking out "gagging orders" to silence them, rather than criminal prosecutions.
"As long as we are consulted at the earliest possible stage, it gives us the opportunity to discuss with companies what their needs are. We can discuss the best strategy and confidentiality issues, and work together."
The cross-border nature of these crimes means that the unit has to work closely with overseas police forces. It has an "excellent" working relationship with the Federal Bureau of Investigation and with computer crime units across the world - essential for tracking down virus writers and hackers.
"There is a good network around the world of qualified police officers who are IT literate and who know how to seize evidence and to maintain evidential standards. We know that someone will phone you back when you seek information through the conventional channels and package it in the right way with no problems over jurisdiction."
The work of the unit has changed noticeably over recent years, with a greater proportion of investigations focusing on external hacking rather than security breaches by current and former employees. Computer criminals are also changing, becoming more professional, and often teaming up with organised criminal groups, said detective sergeant Steve Santorelli, one of the unit's senior detectives.
"Gone are the days of hackers sitting alone in their bedrooms. They are networking, meeting together and going out for beers with each other. They are becoming more technically competent and richer. We are starting to see an increasing number that have developed drug habits because they are earning so much money from their day jobs."
Since the terror attacks of 11 September, anti-terrorism operations are occupying an increasing amount of the unit's time. Its detectives are working closely with the Security Service to monitor and gather intelligence on terrorist threats.
But any IT director visiting the unit would be shocked to learn that it has no equipment budget.
It competes for resources with other teams in the specialist crime directorate and, in effect, relies heavily on sponsorship from suppliers, which donate or loan the latest equipment and software free of charge.
There is no training budget either, which means that the unit's detectives have to fund specialist training out of their own pockets, up to £5,000 for an MSc course in computer security. Most of the detectives study in their spare time at evenings and weekends. It is not unusual for them to pay for items of specialist software themselves, rather than go through the Met's labyrinthine procurement process.
Although the Met has recently increased the tenure of service for detectives in the unit from five to 10 years, Blake admits that staff retention is still a major problem. Good detectives are frequently snapped up by the private sector, which is struggling to find qualified security professionals even in the downturn.
"In the five years I have been here, a considerable number of officers have left for well-paid jobs in the private sector because the industry recognises their skills. Staff retention is an issue when people have taken the time and trouble to pursue academic qualifications.
"It is a personal comment but if the organisation was to recognise this, and assist with funding for training, that might address the issue," said Blake.
Most of the unit's work rarely reaches the public's gaze, partly because some of it touches on areas of national security but also because the unit is anxious to preserve the anonymity of the businesses that report crimes. This can be a source of frustration for a unit which feels it has a lot to boast about. But Santorelli said it goes with the territory.
"I have spent the last few months tracking down hackers who are more skilled and have caused more damage than Kevin Mitnick. But we can't talk about it because it goes against the ethos we have of keeping information confidential."
Hacker hits critical sea port infrastructure
Detectives from the Metropolitan Police Computer Crime Unit arrested an unemployed man in Dorset after a joint investigation with the Federal Bureau of Investigation into a serious denial-of-service attack against critical computer systems in the Port of Houston, Texas.
Aaron Caffrey has been charged with breaches under the Computer Misuse Act 1990, after computer systems in the port were brought to a halt in what police believe is the first electronic attack to disable a critical part of the country's national infrastructure.
The scheduling computer systems at the Port of Houston, a 25-mile long public and private sector complex, came under attack in September 2001, when an intruder bombarded a web server with thousands of electronic messages. The attack left the port's web service, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbour, inaccessible, placing shipping at risk.
The FBI traced the attack to Dorset and passed data to Scotland Yard's Computer Crime Unit, which analysed web logs to pinpoint the perpetrator.
Programmer attacks payroll system
Scotland Yard detectives were responsible for identifying and tracking down Stephen Widdowson, a computer programmer, who reprogrammed his employer's payroll system to siphon money into his personal bank account.
Widdowson, who paid himself thousands of pounds every month, fled to South Africa, but was successfully extradited during a joint investigation between Scotland Yard and an elite South African enforcement unit.
He was sentenced to three years in Southwark Crown Court last year. Police are still involved in operations to seize Widdowson's assets.
For more information on the computer crime unit go to www.met.police.uk/computercrime/index.htm#SO6