Last week I was told by one of those involved with the formation of the Cyber Security Council that Cyber has no Think Tank of its own and only three mainstream Think Tanks have taken a look at the relevant policy issues. Over the last few months DCMS has been consulting on “cyber” issues (e.g. the need to update the Computer Misuse Act) at arms-length from latest review of RIPA (which will now need to consider the “lessons” from the Post Office case) and the plans “announced” in April by the Home Secretary and the Chancellor of the Exchequer in the Statement of Progress against the Economic Crime Plan.
That statement can be seen as the Government response to the RUSI report “The Silent Threat: the impact of fraud on national security”. That called for fraud to be treated as a threat to national security with a new “whole of system”, public-private strategy, for tackling fraud”.
“Economic Crime” had been defined in the plan to include:
- fraud against the individual, private sector and public sector;
- terrorist financing;
- sanctions contravention;
- market abuse;
- corruption and bribery; and
- the laundering of proceeds of all crimes
A distinction was drawn between Economic Crime and Cyber Crime (covered in the UK Cybersecurity Strategy and November 2020 Progress Report but it was recognised that the distinction between the difference governance structures needed to be reviewed. The Government response to the cyber-enabled Covid Fraud pandemic saw NCSC operating increasingly in support of law enforcement via the City of London Police and National Police Chiefs Council with the support of those required by the Financial Conduct Authority “to have systems and controls in place to mitigate the risk that they be used to commit financial crime”, including via UK Finance which co-finances some of the relevant law enforcement units. The progress report refers to some of the NCSC actions.
The minutes of the meeting of the Economic Crime Strategic Board which approved the Statement of Progress and forward priorities, noted that “Multiple attendees highlighted that other sectors – specifically the tech sector – were a key part of the solution and should be brought into the public-private partnerships response to economic crime”. Paragraphs 47 -52 in the Impact Assessment for the On-line Harms Bill indicate a clear intention to extend the “duty of care” required of those regulated by the FCA to Telcos, ISPs and others whose systems may be used to commit crime.
This has implications
The only group trying to join up discussion is the Digital Policy Alliance, with the evolving and overlapping agendas of its groups on Digital Safety Tech and on Cybersecurity and E-crime. The public summaries of the members-only reports and the briefings sent to MPs (also in the same areas of the website) indicate how discussion has evolved over the past year as the Economic Crime Plan and the Cybersecurity Strategy began to come together as the cost of fraud to UK public purse, let alone the economy as whole, became unsustainable.
Unfortunately the cybersecurity community (largely outsource customers) and their customers (concerned about compliance, continuity, fraud, impersonation, loss of customer confidence etc.) have not yet to come together to remove risk (criminal and/or political) from their business models, as opposed to buying yet more layers of technical protection for unnecessary attack surfaces.
Hence my strong support for the Police Cyber Resilience Centres, with which DPA has had a couple of meetings and is working on several pilot partnerships. The CRCs are not mentioned by name but their objectives are clearly recognisable in the Economic Crime Plan under Actions 26 “Improve the policing response to fraud”, 27 “Improve support for victims of fraud” and 28 “Close the vulnerabilities that criminals exploit to conduct fraud”. Action 28 mentions working with the telecommunications sector to address vulnerabilities.
The respective roles of the CRCs and Police and Crime Commissioners (PCCs)relate to the updates in the Statement of Progress with regard to improving intelligence, increasing enforcement, safeguarding victims and changing public perceptions. The low priority given by most PCCs to cyber and/or fraud appears to reflect a feeling of public helplessness rather than lack of concern. It is likely to change rapidly if and when effective action is in prospect.
I do not yet know the agenda for the meeting of the DPA safety tech (on the 10th) and cybersecurity (on the 11th) but expect to learn how debate has evolved over the past month as players begin to realise that HMG is now serious about action – including in the context of global enforcement plans being agreed via the G7.
I also look forward to chairing a SASIG Academy ZOOM on the 12th on how to handle the biggest single threat – failure to attend to the motivation and health of those who run the systems. When I used to speak to City audiences on security and risk, one of my scripts began with a quick count of the audience before saying “Statistically xx (4%) of you are already working for organised crime. I will not ask you to put your hands up, but will remind those sitting next to you that, just because some-one is technically competent and professionally qualified, does not mean they are worthy of trust.” It always got a sharp intake of breath, followed by a good (if slightly nervous) laugh.
It is a well to remember the basics. A former Director of CESG used to say that the reason for investing in technology is to cause the enemy to focus on corrupting your people, Cybersecurity is not and end in itself. It is a means to an end.
We have to join up the debate and put cybersecurity into business, economic and social context. Hence the importance of the Digital Policy Alliance and its groups.