On Wednesday James Brokenshire, Minister of State for Crime and Security, spoke at the launch of Fighting Fraud Together. he was hosted by the Lord Mayor of London in the Mansion House, whose comments I quoted in my previous blog.
Yesterday James addressed Westminster, at the annual Parliament and the Internet Conference. This was organised by the All Party Communications Group with the support of the UK Internet Governance Forum, the Internet Service Providers Association, The Broadband Stakeholders Group, the Parliament ICT Forum, the Information Society Alliance (EURIM) and the Internet Telephony Service Providers Association.
The audience was different but once again the need for genuine co-operation was at the heart of James’ comments, which I reproduce below:
Thank you for inviting me to address the Parliament and the Internet conference today. It is very impressive to see such a wide range of interests and expertise brought together.
We’ve just heard the readouts from the earlier sessions on the vision and opportunities of the internet. The internet has brought tremendous benefits for individuals and business, for pleasure and profit.
But we also know that criminals are spotting opportunities too, committing crimes without hindrance from national boundaries, with all the internet’s convenience and speed. Technology use has been mainstreamed by criminals and the UK’s response needs to match that.
As Minister for Crime and Security, my portfolio includes organised and financial crime, cyber crime and counter-terrorism. I also co-chair the UK Council for Child Internet Safety, which brings together experts from many fields with an interest in these issues. I know several of you here are involved with this work, which is hugely worthwhile.
Today though I will be focusing primarily on the organised and financial aspects of cyber crime.
To set the context, last year we published the Strategic Defence and Security Review and the National Security Strategy, assessing cyber security to be one of the top four national security threats to the UK.
We have set up a £650 million National Cyber Security Programme to help transform the UK’s response. That includes £63 million specifically to tackle cyber crime and I’ve been asked to talk today about how we plan to achieve that.
What is cyber crime?
Cyber crime falls loosely into three categories. Firstly, there are ‘pure’ online crimes, where a digital system is the target as well as the means of attack.
These include attacks on computer systems to disrupt IT infrastructure, and stealing data over a network using malware. The purpose of the data theft is usually to enable further crime.
Secondly, existing crimes have been transformed in scale or form by their use of the internet.
Fraud and theft have always existed, but what is new is the industrial scale on which they can now be carried out. It is as though one person were able to run down a street picking a thousand pockets every second.
In a third type of crime, the internet is just a powerful tool for communication, as with any business. It can be used to help organise drug dealing, people smuggling and many other ‘traditional’ types of crime. During the riots this summer we saw how mobile technology can be used to co-ordinate disorder.
This may not actually be ‘cyber crime’, but it makes many of the same demands on law enforcement as far as evidence gathering and investigation is concerned.
Who is committing it?
While there are major technical aspects to cyber crime, it is crime, and the people committing it are criminals. The major threat comes from increasingly technically-skilled individuals, working with organised crime groups.
They are very often based outside our jurisdiction, as is the infrastructure they use to commit their attacks. And most organised criminal activity is directly or indirectly aimed at making money.
As we know, the internet is a wonderful forum for sharing knowledge. Some use it to share knowledge on how to commit crime and to provide services to fellow criminals.
Some organised crime groups not only sell malware, but supply regular updates and patches and provide a 24/7 helpline.
As a result, relatively unskilled criminals can now set up a website selling counterfeit goods, or for that matter sell stolen goods on a legitimate trading site. Shutting out these lower level individuals has to be one of our priorities.
Although most criminal activity is financially motivated, there have been a number of attacks on company websites.
There have been claims by activists that this is part of a protest against those associated with ideals they disapprove of.
However, they are crimes and these incidents show the disruption that can be caused through the use of malware and techniques which were initially developed for other criminal purposes.
Finally, the internet offers a rich variety of new ways to communicate, such as social networking sites, online role-playing games and instant messaging.
These are so widely used that, inevitably, they are also a factor in personal harm crimes such as harassment, stalking and the exploitation of children. And the ease and apparently reduced risk of committing these crimes over the internet may attract individuals to whom they might not even have occurred before.
Strategy and actions to tackle e-crime
Fundamentally, we believe that just as the internet and the services on it benefit us all – Government, business, private citizens – so we all have a responsibility to ensure that the internet is as safe as possible.
We will be publishing the Government’s cybersecurity strategy later in the autumn but our approach to combating computer crime has three key strands:
Firstly, we want to reduce vulnerability to all forms of online crime, through a programme to improve online security and public awareness.
Secondly, we want to restrict online criminal activity by having the right laws and the right law enforcement response.
And third, but not last, we want to promote active national and international partnerships to enable a collaborative response between Government, business and the public.
The Government is committed to placing more services online. This is cost-efficient and convenient for users, but means we must make sure that services have security at their heart.
We will ensure that Government leads by example, and that when we procure and provide online services, security is one of the key criteria.
And we will make sure that good information assurance is a fundamental part of how we do our business, not just a secure wrapper around a fundamentally insecure process.
Like Government, businesses gain significantly from operating online. With that comes the responsibility to ensure their services are secure and that customer data is appropriately stored.
This means three chief things. First, companies should share information and resources, including with government, to transform the response to a common challenge and to help identify and deter threats.
The Prime Minister met with a number of leaders of industry in February this year to discuss the growing threats and the need for greater cooperation between the public and private sectors.
Secondly, organisations need to act to protect their intellectual property, customer data, services and systems.
And thirdly, we need to develop a vibrant and innovative market in cyber security services. The public and businesses need to be able to recognise what is a secure and effective product and we will look at how to achieve that.
As well as Government and business taking action, we all need as individuals to take responsibility for protecting ourselves online.
Making sure we use an appropriate security package and keeping it and our operating systems up to date. Being appropriately cautious about opening email attachments from unrecognised senders and downloading files from unknown websites.
We need to play our part in keeping online services safe by setting strong passwords and keeping them safe. And everyone should be careful about putting personal or sensitive information on the internet.
Much has been done to raise awareness of online threats, such as through the joint public and private sector initiative, Get Safe Online.
We will build on that to develop a single Government portal for the provision of advice on internet safety to the public and businesses.
If individuals and businesses get better at protecting themselves, it will free up law enforcement resources to focus on the more sophisticated threats from cyber crime.
Much successful work has already been done to help reduce online crime. The latest figures from UK Payments show reported fraud losses on UK credit and debit cards were 9% lower in the first half of 2011 than in the same period of 2010, and online banking fraud losses fell by 32%.
This was due to several factors, including increased customer awareness of security and banks’ use of fraud detection software.
We must build on these successes to develop a better response to online fraud.
As part of this, we want to make sure that it is in individuals’ and businesses’ interest to make good security decisions.
In other crime areas, such as burglary or car theft, insurance policies impose a clear incentive to have adequate security. This isn’t the case for users of the internet.
We will look at whether this contributes to the spread of online crime, and whether change is needed.
Strengthening law enforcement response
Alongside raising awareness and promoting good security, it is vital to make sure we have the right capacity in law enforcement.
The Police Central e-Crime Unit and SOCA’s e-crime unit are doing excellent work – PCeU recently published a very encouraging set of harm reduction figures for the first six months since it received increased funding in April – and we want to build on that success.
And we want to make certain we have the right laws to ensure that those seeking to commit cyber crime can be prosecuted.
We published the Plan for the National Crime Agency on 8th June this year.
A key part of this will be a dedicated cyber crime unit acting as a centre of expertise. It will collect, analyse and share intelligence on criminals operating online and intervene against them nationally and internationally, supporting both UK and overseas law enforcement .
And the learning developed by the unit will be fed into police training programmes to provide understanding of these issues across the police service.
We want to make sure officers across the service are able to take proper reports, provide the right information to victims, and have the knowledge and support to carry out successful investigations.
We know that traditional police force boundaries and roles present specific challenges to investigating cyber crime, especially where an attack from outside the UK targets a large number of victims.
We will expand the Action Fraud service to take reports of all financially-motivated cyber crime.
This will play a vital part in putting together a better picture of computer-enabled crime to inform law enforcement and preventative action.
As our understanding of the online criminal world improves, we get a better understanding of where and how we can intervene to disrupt attacks and make the UK a less attractive target.
This will be done not just through direct reporting, but through better and more effective information sharing between all sectors.
The criminal economy is dependent on stolen information, so stopping it being converted into cash will reduce the profits of cyber crime groups.
Where we know of a data breach, the details need to be notified to financial institutions affected to render it useless to criminals.
As all this implies, promoting effective partnerships is therefore central to tackling cyber crime.
An important part of this work is international. We need agreements so that countries can support each other to carry out investigations and trace and disrupt criminal activity. Every country needs effective laws so that there are no safe havens.
With that aim we have ratified the Council of Europe Convention on cyber crime and have opted in to the European cyber crime Directive.
But Governments cannot deliver a safer online world on their own. We need to work closely with industry, to ensure that safe infrastructure and services can be provided to the public and share intelligence and skills.
One way we will do this is through the Forum for Innovation in Crime Prevention, chaired by a Home Office minister with members from science, technology, industry, business, design, law enforcement and government.
It will identify major opportunities for preventing and disrupting crime, including online, and will propose solutions to tackle these problems.
This need for government, law enforcement and industry to work closely together on cyber issues doesn’t stop with fraud or high level technical crime.
The riots in August wouldn’t be described as cyber crime, but social media and messenger services were used to co-ordinate and direct criminal activity. They also, at the time and subsequently, represent a valuable source of evidence for law enforcement investigation.
After the disorders the Home Secretary and I had a constructive meeting with three social media companies and senior police, looking at how cooperation between law enforcement and companies can be built on and enhanced.
Anything that is a crime off-line is also a crime if it is committed on-line. Companies have made clear that they are committed to removing illegal content and, when appropriate, closing accounts.
We also need to boost police capability to analyse and make use of information which is openly available on sites such as Twitter. And to use technology such as social media networks to communicate and build relationships with communities too.
In conclusion, then, just as the internet benefits us all, so the fight against online crime needs everyone to play a part.
We are committed to strengthening our law enforcement response, creating a centre of expertise in the NCA and helping to making sure police across the country have the right skills.
But it is just as essential for the public and businesses to act to make sure they are operating safely online.
For the private sector, which owns so much of the infrastructure and has so much of the expertise, to ensure its online services and systems are appropriately secure.
Government, business and the public need to work in partnership to share intelligence about the threat and take action to protect ourselves and others.
It is this which will ensure that the UK continues to benefit from all that online technology has to offer.”