A Cybercommunity Safety Partnership to address On-line Harms and Abuse

We need a coalition of the willing to preserve confidence in the safety of the on-line world.

I am attempting to convene a local Community Safety Partnership, using voluntary co-operation between community groups and charities to join up front-line delivery across the silos of central and local government, including health, welfare and policing. On-line abuse, bullying and crime have cut Internet usage among those we are most anxious to help: the frail, lonely and vulnerable. They do not use the on-line services of the local authority or NHS. The closure of our last local bank branch hit them and local businesses hard. Meanwhile there is growing resistance from both victims and volunteers towards providing personal information or contact details, lest these be leaked, sold and/or abused. The effects are compounded by the deletion of existing contact files because of interpretations of the General Data Protection Regulation. Cumbersome processes to get “consent” for the blanket collection of data for vague purposes and/or provision to third parties do not help.

I therefore looked into support for piloting a Cybercommunity Safety Partnership which will support local people processes for those who cannot understand/use on-line processes and no longer trust remote call centres.  The idea has struck a chord. A number of industry bodies have agreed to trawl their memberships for volunteers and sponsors to support action, both nationally and locally.

Usage by vulnerable adults and the elderly has plateaued and may even be falling

We are used to data about the increasing ubiquity of Internet usage. This is being used to justify the withdrawal of physical access to banking and/or public services. But the 2019 ONS Analyses unpack some of the data. They reveal a less rosy picture. Half UK adults have never completed a government form on-line. Most pensioners go on-line only to read e-mails. Most over 75s have not been on-line at all in the past three months. The proportion of adults who are “lapsed” Internet users was under 4% in 2011 and is now over 6% (although the 7% peak in 2017, after the publicity for the Talk Talk breach may be over).  Their fears are justified. Over half have been contacted by some-one offering to fix their computer problems for them, Details are said to be available on the dark web to impersonate most of them and/or obtain credentials in their name if they do not go on-line. Over 10% of adults have already been victims of on-line fraud. We all have difficulty reporting problems, let alone obtaining support and/or redress.

There is safety advice but not for reporting or victim support

There is much good on-line safety advice (e.g. Get Safe Online)  but the processes for reporting problems (e.g. via Action Fraud ) to some-one who will take action are seriously overloaded. The Victim Support  website makes no reference to this area although the Regional Organised Crime Units  are supposed to provide an aftercare service. Citizens Advice  does not appear to cover cyber problems. Nor does Elder Abuse, although it does have advice on how to conceal that you are consulting them . Meanwhile Facebook  Google  and Twitter (the links are to their respective reporting pages) are criticised both for being difficult to contact and/or for failing to respond to reports of fraud/abuse while not checking before removing those subject to malicious complaints. They can’t win!

Many victims want some-one to talk to. Hence the overload that crippled Action Fraud, one of the few services to offer this. The need is to train local health and welfare staff and volunteers to respond. But they, in turn, need to be able to call on assistance from those (including security and legal professionals) who know what can be done, how to secure action and, perhaps, submit an actionable crime report. Help desks in Dublin, Gourock, Barcelona, India or the Philippines may be able to process calls according to a script but cannot be expected to do more.

Meanwhile children are fearful and girls are being driven off-line

Between 25% and 30% of children have been bullied on-line. One in eight admit to bullying. 20% admit to meeting strangers. 10% of those who videochat have been asked to change or undress. Nearly one in six have seen something that encourages self-harm. They bottle it up. 40% have never talked to anyone about the worst that has happened to them on-line. Until recently systemic on-line misogyny as endemic in Silicon Valley, was a taboo subject which it came to discussing why there were so few women in IT. Today we can see that it is actively driving half the world off-line, from girls to journalists and politicians.

The best advice is not well publicised or used

There are many good sources of advice and on-line materials including the on-line safety websites of NSPCC , Childrens Society ,
London Grid for Learning and Childnet There is also guidance (e.g. from Womens Aid) for older women, linking on-line abuse to domestic and physical abuse.

These need to be much better publicised and also packaged for use locally by

  • teachers and school support staff,
  • health, welfare and youth workers and
  • faith and community groups

to educate and engage both children and parents.

Every turned-round hacker is a win -win

Safety programmes should also harness the talents of those at risk, both to help protect their peers and learn about cyber related jobs and careers. It is a double bonus when a troubled child and potential hacker, often with previously undiagnosed issues on the dyslexia and/or autism spectrum, is drawn onto to a programme that will lead them into well-paid employment with an organisation that will provide clinical support as necessary.

The alphabet of concerns to be addressed include:

• Abuse – child, adult and elder (ad hoc, targeted, random, local, remote…)
• Bullying – including that linking physical and on-line, within schools or communities
• Control – e.g. gangs using social media targeted at local audiences
• Deception – impersonation, loss of identity, loss of access etc.
• Extortion – may be sexual, social and/or linked to control/grooming not “just” financial
• Fraud – all levels, including SMEs and courier fraud
• Grooming – 1/3 of the child abuse images reported to the Internet Watch Foundation last year were “selfies”

Possible Projects (and objectives/deliverables)

There are many areas where “coalitions of the willing” could improve safety, support victims, help them obtain redress and deter abuse and malpractice while Governments, Regulators and Law Enforcement agencies procrastinate in the face of lobbying and legal action.

They include:

Guidance on GDPR for voluntary groups who have no wish to provide personal information about their themselves and their supporters, members or clients to third parties unless with explicit and well-informed consent. The need is to digest current complex and incoherent guidance into succinct, authoritative and usable material for agreement with ICO – and then to publicise it.

Seminars to train teachers, youth and community workers, health and welfare staff in the detection of symptoms of abuse, bullying and/or grooming and in the use of existing on-line safety materials to educate target audiences. This will include working with organisations like the Grids for Learning to identify/produce/publish materials and with relevant professional bodies and trade associations to identify/train volunteers with security expertise to help with delivery.

Finding professionals, volunteers and materials to help Victim Support and Citizens Advice with relevant technical/legal expertise to handle cyber victims, including to obtain redress where this is practical and realistic. This will include exercises to trawl security professional bodies, trade associations, training providers, law firms and employers for those with relevant expertise and experience.

Organising/testing/delivering on-line safety material that addresses the evolving concerns of target audiences: Examples include: “How do you to protect your phone against abuse, control, key-logging, tracking etc”. “What to do if …“  This will include the identification of well informed and connected supporters and sponsors with business as well as social responsibility cases for helping.

Identifying and promoting the services of those offering virtual CISO/SOC and/or legal services to SMEs. This will entail  co-operation with professional bodies, trade associations, product and services suppliers and Internet service providers who are unable to otherwise address 95% (by number) and 50% (by value) of the cybersecurity market and/or who wish more customers to move on-line.

Identifying those willing to act as police service volunteers (warranted or not), including to provide non-emergency back up to local community police teams as well as the national panel being created by the NCA, NCSC and NPCC to support major investigations.

This may require restarting political activity on the governance of voluntary co-operation between industry and law enforcement and use of professional trained and qualified volunteers akin to that which led to the recommendations (over a decade ago) in the EURIM-IPPR Partnership Policing study . That group also responded to David Blunkett’s Community Policing consultation.  Changes were made in 2011, during the run up to Olympics, to enable medical and security professionals and military reservist to become police service volunteers and  special constables.

Many forces have not yet, however, implemented those changes. The number of volunteers and specials in London  fell sharply after the Olympics , when the number of special constables in the Met Police peaked at nearly 6,000, (the target for the Games had been 10,000). The number fell by 8% the following year. The fall accelerated to 20% in 2014. There are now fewer than 2,000 (a fall of 17% on 2018).

Skills and careers out-reach programmes with a priority for turning to turn those at risk into assets. The aim would be to organise local access to the relevant national programmes, including cybersecurity apprenticeships. The successful Plymouth pilot  needs a new write up now that it has been packaged for replication with help from DCMS and others. It indicates what can be achieved but also the pre-condition for success and the problems that have to be overcome.

The neurodiverse may have great talent but may also need ongoing clinical support which conventional employers cannot provide. Hence the value of linking local skills incubators to shared SOC/Virtual CISO services underpinned by joined up (across Central Government funding and procurement silos) contracts to support public sector  organisations both large (e.g. Local Government, MoD and NHS) and small (e.g. Schools and GP Practices).

Addressing the way girls are driven off-line Here the need is to work with organisations like Cybergirls First  to produce video and materials package covering risks, self protection and careers advice, plus contacts and support services. The Cybergirls First model is focussed on the age group and communities where girls are at most risk of being driven off-line and appears to be very successful.

Success does, however, depend on assembling a critical mass of employers who wish to publicly position themselves as employers of choice for girls (at all levels of seniority). It has been shown to work with well known employers wishing to support and recruit from inner city schools within easy travel of their City Centre locations. Packaging it for local employers and travel to work areas across the country probably requires support from the public sector organisations who are often the largest local employer.

To bring together best practice in the above in local geographic partnerships to show how all parts could/should fit together to hacve a transformative effect on both safety and confidence.

Variations on  the project ideas above are already being implemented across the World, not just the UK but it is still more common for square wheels to be reinvented with public funding. The latter is too often focussed on “innovation” as perceived by those who do not know what has already been tried and failed.

We need support for copying what has worked elsewhere, after checking any pre-conditions for success.  

Are you interested in helping creating a coalitions of the willing to make things happen?

The first organisation to like the concept was the Security Panel of WCIT, the IT Livery Company. This blog entry is based on the request for volunteers they will be sending to their members. I plan to make similar requests to most of the other members of the Alliance, led by IET, which is creating the new Cybersecurity Council.

I also intend to approach those who fund the Internet, the major advertisers whose spend is wasted if paying customers turn their backs on the Internet. Another target group is the banks and on-line retailers who will have to reverse their business models if confidence is not restored. Finally I will be seeking to engage with those security providers who are losing out because their distribution chains do not include the shared SOC/CISO services needed by the 99% of UK businesses with no in-house ICT skills. These need people, not just technology, support.

Data Center
Data Management