The U.K.’s criminal justice system is struggling to keep up with the international scope and sophistication of Internet-enabled crime, and will need a new skills framework as well as help from the private sector in order to cope, according to a study published this week.
The report, a collaboration between Europe-wide lobbying group Eurim and U.K. think tank the Institute for Public Policy Research (IPPR), is the latest call for a new approach to cybercrime. The All-Party Internet Group will shortly publish a study recommending that the Home Office count e-crime statistics with other types of crime.
The government has expressed concern about the rise in ‘phishing’ e-commerce crimes, and the DTI’s latest e-crime survey found that IT security problems are now an issue faced by the majority of UK businesses, with nearly all large companies affected.
Investigation of these crimes requires technical skills, sifting through huge amounts of evidence and new forensic standards — needs for which the U.K.’s criminal justice system is ill-equipped, according to Eurim’s discussion paper, “Addressing the needs of law enforcement and industry for investigatory and enforcement skills”.
Of the U.K.’s 140,000 police officers, about 1,000 have been trained to handle digital evidence and fewer than 250 have higher-level forensic skills or are with Computer Crime Units, Eurim said. Together with the Forensic Science Service and its contractors the U.K. has fewer than 400 full-time expert staff to draw on, leading to forensics backlogs of six to 12 months, the paper said. While resources are taken up with large-scale investigations such as the Internet pedophile sting Operation Ore and anti-terrorist operations, criminals are left free to attack businesses and consumers.
“Computer assisted extortion, fraud and impersonation, however great the damage, are on the back burner,” the report said. “Any attempt to change the situation requires change to both the skill levels available and the priorities for deployment.”
The lack of police e-crime training means that most companies damaged by Internet attacks do not even bother to report the crimes, according to Nick Ray, chief executive of software security firm Prevx Ltd., which sponsored the upcoming APIG report. “It’s like if your car radio were stolen, you wouldn’t report it because you’d know the police wouldn’t do anything about it,” Ray said. “The police are doing a good job, but there are far too few of them for the size of the problem.”
The answer is to draw on the private sector’s 8,000 security experts, who include former military, police and security services personnel as well as ex-hackers, Eurim and IPPR argue — before the private sector takes matters into its own hands. “We face a very real risk of seeing the democratically accountable policing of computer-assisted crime replaced by a combination of vigilante action and the covert privatization of legitimate investigation,” the report said.
At the moment there is no overarching framework allowing private and public-sector experts to work together on e-crime, and such a framework must be the Home Office’s goal in building up the level of available expertise, the paper recommends. Training needs to be measured against a national benchmark, skills need to be assessed against a national framework and a single government department needs to take responsibility for e-crime training, Eurim said.
It recommended that the Criminal Justice Sector Skills Council (Skills for Justice) take on the task of sorting out the overlapping sets of e-skills agencies, identifying at least five bodies with overlapping responsibilities in the area.
QinetiQ Group PLC, a technology research company spun out of the U.K. Ministry of Defence, agreed that the private sector must play a role in fighting cybercrime, but warned that a framework was needed to ensure the integrity of the private companies involved.
“A court of law needs to be confident in the validity and integrity of evidence, whether electronic or otherwise, and this requires the private sector operator to be a highly trusted link in the criminal justice chain, working to a robust set of standards and in a transparent manner,” said Neil Fisher, QinetiQ’s director of security solutions and vice-chair of the U.K.’s Information Assurance Advisory Council, in a statement.
The company itself is already heavily involved in police work, providing training to 25 police constabularies, maintaining a relationship with the National High-Tech Crime Unit and supporting NHTCU and Metropolitan Police Computer Crime Unit investigations. QinetiQ experts have acted as witnesses in various prosecutions.
The government also needs to raise awareness about e-crime in the general public and with businesses. For example, the government could declassify and publish parts of the Interpol Manual as guidance for businesses on participating in tackling e-crime. “‘General awareness’ appears to be below the threshold for public sector support,” the paper noted.