Sadiq Khan’s manifesto for “A Safer and More Secure London” contains many worthy promises, including to “Develop a cyber security strategy, led by the Chief Digital Officer I will appoint, working with the police and security services to ensure Londoners and businesses have the information and resources they need to stay safe online”. The Chief Digital Officer will, however, have more roles than Rory Bremner. Superman could not deliver on most of them. Moreover, most current agendas and priorities will do little to help protect Londoners against the rising tide of on-line abuse, fear, fraud and impersonation that is sapping confidence in the Internet as a safe place to do business.
The new Chief Digital Officer will need more than “inputs” from the business experts that Sadiq Khan has pledged to recruit to his advisory board. He or she (women tend to focus on delivering results, rather than winning pointless political battles) will need to assemble task forces from those who control the necessary resources and budgets and are motivated to deliver: whether that is to deliver world-class broadband or world-class on-line safety.
When it comes to making London the Safest Place to Go On-line we need an equivalent to the NCFTA (the US National Cyber-Forensics and Training Alliance): an umbrella organisation, with no official standing or reporting line, whose task forces are, in consequence, able to organise effective action whenever any one of their members has the necessary powers and the others will provide any necessary support, including forensics and funding.
This blog is a call for UK readers who control similar budgets and resources to volunteer to support Sadiq Khan in providing the umbrella for such an approach. That “umbrella” should not “come under MOPAC”, because MOPAC will inevitably be constrained by political battles and turf wars akin to those which the NCFTA bypasses. It needs to be able to co-operate with, but not “report to”, the National Crime Agency, the City of London Police, GCHQ and the other UK agencies whose tribal rivalries complicate co-operation against those looting the on-line world and creating fear and mistrust. But it also needs to be free to co-operate with those around the world with whom the private sector equivalents of the failed Asset Recovery Agency have long had informal co-operative arrangements, whether or not our security services were on speaking terms with their local peers.
If you are intrigued, please read on. Then use all appropriate channels to tell the new mayor and his officials how you can help, bearing in mind the enmity you may incur from the many Whitehall mandarins and law enforcement veterans for whom such an approach, bypassing conventional lines of command and control, is taboo.
Why is the subject so important?
More Londoners have been and will be the victims of knife crime than of terrorism. But many, many more have been and will be the victims of on-line crime. Hence the rapid expansion of Operation Falcon, the Metropolitan Police’s attempt to address “Fraud and Linked Crime On-line”, which has already made over a thousand arrests, most leading to prosecution. However, the police will never have more than a fraction of the resources they need unless the Mayor’s cyber security strategy adopts the partnership policing ideas explored in the ground-breaking EURIM-IPPR study into “Partnership Policing for the Information Society” a decade ago.
The aim should be to enlist at least ten warranted industry experts for every full-time police officer, and ten unwarranted volunteers for every one that is warranted. But the world has moved on since the EURIM-IPPR reports.
The criminal supply chains and partnerships have flourished in the face of little or no effective action to “Report, Investigate and Punish” their activities. Public policy has focused on “awareness campaigns” and “protection advice”: that is, on frightening past, current and prospective victims into adopting processes that do little to protect them against the threats of today. Such advice may not only encourage complacency (as though anti-virus protects against most phishing scams) but render them more vulnerable to sophisticated scareware.
The UK’s current cyber-security expertise (in both skills and numbers) is split between:
- those who work for GCHQ/MoD and the defence/aerospace supply chain (probably around half),
- those who work for the Financial Services/Fintech industries (most of the rest), and
- not a lot else: the National Crime Agency, Operation Falcon, the City of London Police and our over-stretched, under-staffed and under-equipped child protection teams collectively employ fewer “practitioners” than any one of the top five suppliers to the financial services industry.
[The world’s IPR policing and enforcement teams tend not to be based in the UK, but often work alongside the UK-based Fintech protection teams.]
The time has come to recognise that split, and for the Mayor of London to provide a framework for the Metropolitan and City Police to work alongside the global financial services information security suppliers, many of them based in London, to use a mix of civil and criminal law to identify, track, trace and “remove” those causing such harm to Londoners as a whole, not just to those who can afford to pay for protection.
Why has this not yet happened?
It is a major threat to powerful vested interests, old and new. They are too powerful to be battered down. They must be divided, subverted and won over piecemeal, combining the classic IT tactics of “fear, uncertainty and doubt” with the classic marketing tactics of “fear, sex and greed”. Hence the need to also follow “internet rules”: think big, but start small and scale on success. There are a number of embryonic exercises, but most are rapidly hijacked by those with budgets and priorities that align with national priorities: to protect the state, not its citizens.
Hence £2 billion of Central Government funding vanished down a black hole in the West Country, air-gapped from the rest of the on-line world. There is very good reason for such spend from the defence budget, but it should not be confused with protecting the rest of us from on-line crime.
We need a three pronged London Cyber Security Strategy:
- to meet the needs of London as a global financial services centre
- to meet the needs of millions of Londoners, from children, through consumers to silver surfers
- to work with governments, including but not just our own, to make the on-line world a safer place
It also needs to complement, but not be subsumed into, the current central government focus on cyberwarfare capabilities. There is a good case for it to complement the Chancellor’s focus on reducing tax avoidance and recovering the proceeds of crime (including, for example, large-scale organised benefits fraud), provided the Chancellor agrees to share the benefits of success (asset recovery) with those who do the work.
The rest of the UK will also benefit, but only if London leads the way, particularly with the imaginative use of existing civil and criminal law to ensure that “the perpetrator pays” and, if they cannot do so, that those who enabled the attack are held liable. Last night I was at an excellent Chatham House event to launch the first edition of the “Journal of Cyber Policy”. A fresh look at product and service liability was one of many taboo ideas whose time may have come. We need to better motivate Internet Service Providers to serve society, as opposed to manipulating society (from politicians and regulators to parents and children) to serve their current business models.
The tensions can be seen in the way ISPs are coming together to combat, for example, “the ad blocking pandemic”, or in the extension of blocking from copyright enforcement to age checking. Change is therefore unlikely unless robust regulatory action is complemented by the emergence of new business models, which may, in turn, lead to a collapse in the perceived value of big (and vulnerable) data. Hence the importance of Google v Vidal-Hall, where the UK Supreme Court refused Google leave to appeal against the Court of Appeal’s finding that misuse of private information (here, tracking users’ browsing without their consent) is a tort. Leave to appeal was granted only on the question of whether Google is bound by UK/EU law to pay compensation without evidence of financial loss.
A meaningful Cyber Strategy requires that the Mayor has support from those in industry who want him to succeed in changing the balance of power: away from criminals (and those who want policy to remain in the crime prevention groove) and towards those who want criminals to decide that London and Londoners are too risky to attack, because they might retaliate (potentially bankrupting anyone in the criminal supply chain who is worth suing, as well as those who fail to help identify them). Can such a strategy succeed? Who knows; hence this call to support a mayor who has the professional and political background to understand what is at stake for those who elected him.
Addendum: why current Government Cyber Policy has not helped.
We need a focus on reporting, investigation and prosecution, with victim support linked to civil action against perpetrators and those who aided and abetted them. The scale and nature of the problems revealed by the latest UK Cyber Security Breaches Survey, released in parallel with the FTSE 350 Cyber Governance Health Check, indicate that current policies have not, and will not, curb the rising tide of on-line crime.
More seriously, they are unlikely to halt the erosion of confidence in the Internet as a safe place to learn, play or do business.
“Awareness” is no longer a problem and has not been for many years. The problem is disbelief that mainstream security products and services will provide adequate protection. We have known for over five years that mandating security by design would help improve matters, but have yet to take action. We have known for over a decade that the situation will deteriorate until we organise effective partnership policing to identify and deter predators and all who aid and abet them.
Those protecting the City of London have known for over a century that civil action is easier to organise and has a greater deterrent effect when it comes to addressing cross-border crime (from piracy on the high seas, through fraud and theft related to goods or cash in transit, to that organised on-line by international criminal syndicates). It is, however, most effective when organised in global co-operation with local law enforcement, bypassing sclerotic international treaty-based processes.
Meanwhile HMG has done almost nothing to support automation of UK processes for notifying suspicious activity, so that it can be digested and collated into meaningful reports on which action is practical, ideally in real time, to track and trace attacks as they happen or transactions as the proceeds are laundered. The objective should be to enable effective (perhaps even instant) action under civil or criminal law to halt attacks as they happen and to sue all who fail to help identify the perpetrators. In consequence, our investigation resources are poorly targeted and the flow of successful prosecutions is too low and too slow to act as a deterrent.
There are many reasons for this failure.
I am currently reading Gordon Corera’s excellent book “Intercept: The Secret History of Computers and Spies”, which shows, en passant, how those reasons, good and less good, have evolved over time. Today, however, voters are beginning to link those reasons to the desire of much of the Internet community to avoid paying their fair share of taxation, not just to the need to protect whistle-blowers from corrupt, oppressive and/or vindictive government bureaucracies, from the US Federal Government to UK Hospital and Healthcare Trusts.
Government spokesmen still talk up schemes like Cyber Essentials, which set the bar low to encourage SMEs to improve their processes at affordable cost. These look increasingly dated, raising the question of whether they now do more harm, by creating illusions of adequacy among those who comply, than good. Businesses under pressure from on-line or off-shore competitors are, meanwhile, questioning the effectiveness of spend on security which gets in the way of legitimate trade while failing to protect them or their customers against fraud and extortion. And the blanket opposition of the ISP community to blocking sites and services which break the law looks increasingly odd as routine use of the same techniques extends from blocking child abuse images, through the enforcement of US gaming laws, to segmented marketing.
The time has come to look through the other end of the telescope. London has more at stake than the rest of the UK. But it also has the resources to take effective action. We do, however, have to recognise that the Mayor has no control over those resources, any more than did Sir Thomas Bloodworth (Lord Mayor at the time of the Great Fire of London, perhaps the last time London faced a bigger peacetime threat); hence the “modest proposal” above.