Investigating cyberspace

Internet and computer-related crime is stretching the UK's law enforcement agencies to breaking point. Cybercrime expert Peter Sommer reports on the issues facing the Government's attempts to create a new high-tech crime squad

Last week Jack Straw announced he was giving the National Criminal Intelligence Service (NCIS) £337,000 to draw up a detailed plan for a high-tech crime squad. He had suggested such a squad a year ago in a speech to the Group of Eight industrialised nations (G8). It was also one of the recommendations of the UK's most extensive official research in the area - the two-year Project Trawler.

While it has been talked of since the mid-1980s, over the last few months lobbying among law enforcement and other agencies for the kudos and the new money that might come to a new unit has been intense.

Law enforcement politics

Some of the politicking has had all the vigour and meaning of school teams battling for a house challenge cup. But there are substantive issues as well, not all of them immediately concerned with cybercrime.

One has been the continuing arguments over the virtues of locally-based and accountable police forces against a national force. Another has been the police's relationship with industry. In particular, why should public money be spent to protect sloppy businesses, or software publishers who already have extensive remedies against pirates from the civil courts?

Other issues include: what relationship should the police have with the private security industry? And how far should the police concentrate on crime prevention, as opposed to detection?

Britain has had a Computer Crime Unit, located within the Metropolitan Police Fraud Squad, since 1985, but its remit has always been more limited than many people realise. At one point it had 10 members but last autumn, after a review of its workload, some officers were re-assigned back to general fraud work.

More recently other factors have entered the equation - with so much government emphasis on the knowledge economy, surely we need to be able to fight abuses like e-commerce fraud and hacking?

In the US, concern about "information warfare" and a "digital Pearl Harbour" led to the setting-up of the National Infrastructure Protection Center in February 1998, as well as President Clinton's demand for a budget of $91m (£56m) for a cyberspace security initiative in January 2000.

So what should be the UK's response? How should we cope with the increasing internationalisation of serious crimes such as money laundering, narcotics trafficking and terrorism - all of which rely on computers and networks?

There is legislation in the pipeline. The Regulation of Investigatory Powers Bill, due at the end of January - which deals with two important areas which need resourcing - updates the 1985 Interception of Communications Act (IoCA) to include warrants for private as well as public telecommunications networks, and is rewritten to deal explicitly with data traffic as well as voice.

The Bill will also contain the controversial law-enforcement powers to compel decryption of encrypted messages - a measure dropped from the Secure Electronic Commerce legislation last November. Both of these new powers will require law enforcement agencies to develop new and difficult working relationships with telecoms companies and ISPs.

What is the problem?

Much of the argument surrounding the powers of any new squad depends on what problems you hope it might solve.

With "computer crime" are we dealing with wholly new crimes (and new sorts of criminals) or with well-established crimes carried out in new ways? If you believe the first, we need a new squad. If you follow the second, then what we need is better training for all detectives.

For many front-line investigators the argument is this: to investigate a fraud you need skills in following transactions through numerous accounts and in spotting "anomalous" lifestyles - computer forensics is important, but secondary.

For example, at the sharp end of the most serious paedophilia Internet cases are abused children whose welfare is paramount and from whom statements may be needed. Skills in interpreting browser cache and history files have a lesser role.

Detectives from this school are concerned that specialist provincial skills might get lost - they also complain that the current police policy of "tenure" means that no-one stays in a post for more than five years.

Front-line officers worry about delays in obtaining computer forensic support services, such as disc imaging, which sometimes results in failing to charge suspects before statutory time limits are exhausted.

All of this means that many of today's front-line investigators want new funding for existing squads.

But there are strong counter-arguments. Computer crimes are not always committed within the boundaries of UK local police forces. Some computer crimes are incredibly complex and well beyond the capabilities of any local force.

What would be the ideal squad?

It is quite easy to draw up a specification for an ideal squad. It would be a central resource, it would provide training, research and technical back-up, and its officers would tackle the most challenging crimes.

That is not too far from what was proposed by NCIS' Project Trawler last June. But the Metropolitan Police's Computer Crime Unit (CCU) can claim that this has been its function for years - its officers provide the core of the Bramshill Police College training (as well as internationally for Interpol) and they have made several successful complex hacker and virus prosecutions.

The problem is not specification, but police politics. The Metropolitan Police has different squads who have different briefs. The CCU's main remit is computer and telecommunications misuse, while computer porn is handled by the Clubs and Vice Squad, who nailed Internet porn baron Graham Waddon last June. Large-scale fraud is dealt with by the separate Serious Fraud Office (who have an experienced computer forensics unit), and other Metropolitan Police officers literate in computer investigations can be found in CIB3 - the anti-corruption squad.

The NCIS took the lead in the UK part of Operation Cathedral which investigated Wonderland, the international Internet-based paedophile club. But its main job is fighting top-league villainy - it would not want to tackle low-level Web-hacks. NCIS can claim to be good at research, co-ordinating with other police forces, industry and overseas law enforcement agencies, but it is not an operational organisation. Among front-line police, NCIS is not universally admired - it is funded by grants from all UK police forces.

The Association of Chief Police Officers (ACPO) has gained considerable influence because it has become a forum for national police issues while respecting local forces. It has a Computer Crime Committee, most visible in the forum set up with ISPs, but which has also produced a Good Practice Guide for Computer Evidence. But, unlike the police forces, NCS and NCIS, ACPO has no statutory basis.

Hovering in the background, always eager to market its ability to tackle serious crime as well as spies and subversives, is the security service, which is mistrusted by some in the police. The security service (MI5) has an obvious role as the chief consultant (with Cheltenham's Communications Electronic Security Group) on the security of government computers.

The same group of MI5 officers provides important input on potential threats to the Critical National Infrastructure - the muted UK response to the US information warfare agenda co-ordinated from the Cabinet Office. Thus the security service can offer technical and investigatory expertise and would, in any event, need to be involved in any attacks on government and other critical systems.

But, say critics, MI5 has always been stronger on intelligence collection than assembling evidence which has to be produced and tested in open court. And their officers' preference for pseudonyms reduces their courtroom credibility.

What are the solutions?

At the moment NCIS looks as though it will be the winner. NCIS already mediates police requests for telephone interception under the current IoCA regime by filtering and forwarding requests for ministerial warrant. It also passes on the "product" of intercepts to the requesting police. Under the proposed Regulation of Investigatory Powers legislation this role will have to expand to include non-traditional telecoms companies, ISPs and owners of corporations owning large Lans and PABXs.

NCIS is also a prime candidate to "own" the new encryption-related Government Technical Assistance Centre (GTAC) with set-up funds of £25m. The Cabinet Office Performance Innovation Unit's May 1999 report, Encryption and Law Enforcement, said that such a centre was needed both to liaise with industry and to carry out decodes where expected "co-operation" is not forthcoming.

Such a centre would have to be within law enforcement rather than the Home Office, hence NCIS' role. But Whitehall rumours suggest that the centre may take advantage of the offer of secure accommodation, not at NCIS but at Thames House, headquarters of MI5. In any event, expertise and resources would inevitably have to come from Cheltenham.

NCIS is currently favourite to become the home of the high-tech crime squad too, although there are strong suggestions that the CCU might evolve into a national operational unit.

What is clear though, is that whoever runs such a squad will need to develop more than just knowledge about high-tech crime. One of its greatest challenges will be to form good relationships with sections of the IT industry, without whose confidence crimes will go unreported and technical assistance will be unforthcoming.

Who's who in UK cybercrime squads

  • CCU: Metropolitan Police Computer Crime Unit, located within SO6, the Fraud Squad. Handles computer and telecommunications misuse cases. Established 1985
  • CESG: Communications and Electronic Security Group, part of GCHQ, Cheltenham. Provides technical support and some specialist industrial liaison
  • Clubs & Vice: Met Police unit concerned, among other things, with computer porn
  • Customs & Excise: Remit includes smuggling and VAT. Has separate resources for interception and computer forensics
  • Forensic Science Service, Met CSL: Technicians who make secure "images" of seized hard discs. Assists in analysis of Internet caches
  • GTAC: Government Technical Assistance Centre. New unit to provide decrypts for law enforcement and liaise with cryptography service providers
  • Home Office: The responsible ministry. Develops policy for the police and other agencies including interception and encryption issues
  • NCIS: National Criminal Intelligence Service. Responsible for the gathering of strategic and technical intelligence on serious crime. Provides liaison with security service and international bodies. Responsible for "tapping" warrants under the Interception of Communications Act. Chartered under the 1997 Police Act
  • NCS: National Crime Squad. Made up from the older regional crime squads. Tackles serious organised crime. Set up in 1998
  • Provincial police fraud squads: there are 43 of these. They usually have at least one computer forensics officer who is also lent out to other specialist squads
  • Security service: MI5 is responsible for UK internal security. Provides consultancy to government ministries, departments, and agencies as well as tracking cyber threats to national security
  • SFO: Serious Fraud Office. Not part of the police service, contains lawyers and accountants as well as policemen on secondment. Has its own computer forensics facilities