James Brokenshire speech on Cyber Crime
James Brokenshire speech on Cyber Crime on Thursday 14 March 2013
Introduction
In the latest Bond movie ‘Skyfall’, technology and the ability to threaten the UK’s interests through the internet are at the very heart of the drama. I’m sure you’ve all seen it, but Bond’s latest nemesis hacks into top secret Government systems, exposes the identities of covert agents online and in one of the most memorable scenes causes an explosion at the heart of MI6 by manipulating sensitive computer systems.
It’s a great film and deserves the huge success it’s received around the world. Of course it’s fiction; Bond thwarts the villain and order is restored. But the real world threats we face as a country from the terrorists, the fraudsters, the hackers and those intent on using the internet and our ever more connected world to cause us harm are real, are significant, are enduring and are growing. There is little doubt that technology has fundamentally changed the way that we live our lives.
The internet has connected us all in a way that was barely imaginable when I was growing up as a kid or indeed even when I was starting work. In under 25 years we’ve re-written and indeed re-catalogued our industrial and social history. Four in five homes in the UK now have access to the internet; two fifths of adults are smartphone users and on average each household in the UK has three different types of internet enabled device.
So many of us now not just work online but live part of our lives online. Exchanging messages, pictures, memories through social media. Skyping or FaceTiming friends and family from thousands of miles away. Watching television or listening to radio from virtually any part of the globe. Our economy is increasingly going digital. Nearly two thirds of us manage our finances online. We do more of our shopping online than ever. Annual online retail sales topped £2.6 billion last year with year on year growth of 30%. One study suggests that the UK’s internet economy is now worth £82 billion a year and rising. And Government itself is increasingly adopting new technology for the delivery of services. Under the Digital by Default strategy, Government is moving more and more of its service provision online. It’s a global change and a global challenge.
Over a third of the world’s population has internet access and by the end of this decade the number of networked devices could outnumber people by six to one. This digital revolution continues to offer huge opportunities for growth in our economy, our culture, our well-being. It is imperative for the future of the UK that we harness these opportunities. But if we are to benefit from the huge potential upside of the online economy we have to confront the growing digital dangers that could put this at risk. And this is one of the biggest challenges we face as a country.
‘Cyber’ threats affect us all and demand a wide partnership When we try to describe ‘cyber’ threats, it can be all too easy to fall in to a trap of believing that they are some sort of science-fiction, and the preserve of technical experts. It’s a comfortable way of thinking that would allow many people to shut it out from their minds, safe in the knowledge that somewhere out there is a technician who can bring a stop to it. That is a dangerous way to think. Just as we all reap the benefits of the rapid technological changes that we have experienced, so too must we all take responsibility for ensuring that our security and prosperity does not fall prey to those who would seek to use these changes for their advantage. We need to understand that our every interaction online has the potential to either make it easier or make it harder for those who wish to use the internet to attack us. These so-called ‘cyber threats’ are not, in themselves new. Criminals have long sought to achieve personal profit by exploiting society’s vulnerabilities. States have long sought to harm each others’ economic competitiveness and political systems, and have deployed military capabilities against each other.
Terrorists have long sought to inflict harm on others in order to impose their way of life. Just as digital technologies have transformed the way we operate, it would be inconceivable to think that it wouldn’t also transform the military, security, crime and public order threats. But our response should not be to create a silo’d army of cyber security experts that is divorced from our wider efforts to keep the UK and its interests safe, secure and prosperous. Our ambition should be to reach a point of maturity where our understanding of how the internet and other digital technologies can be used to cause harm to the UK are so advanced, and our response to is so effective, that conventional and mainstream structures for dealing with such risks would be up to the task. The Government’s National Cyber Security Strategy recognises the need to make significant changes and investments now if we are to reach this point in future. That is why Government has underpinned the Strategy with programme of £650m new investment over four years. We absolutely must invest in our technical capabilities and our national expertise to ensure that our understanding of how technology could be used to cause us harm not only keeps up with our enemies, but out paces them.
Our Strategy also starts from the clear understanding that Government cannot do this alone. It requires a partnership across Government Departments and Agencies. It requires a partnership between Government, industry, academia, the public. And it requires a partnership that is not bounded by our national borders. That is why we are establishing the National Cyber Crime Unit within the new National Crime Agency to be a cross-cutting unit that works with all four of the Agency’s commands, rather than as a standalone command itself. It is why, when we expressed our firm support for the establishment of the European Cyber Crime Centre (EC3), we insisted that it be an integrated part of Europol, rather than a distinct entity standing alone from it.
Organised cyber crime
So how is the digital age transforming the way crime is committed and what are we doing to counter it? Well, as I have just said, we don’t see cyber crime as something unique and distinct. For the most part, it is old world crime such as fraud, being carried out with modern day technologies. What’s more, it is highly organised sharing many of the characteristics with other forms of organised crime. Just like the international drugs trade, online crimes such as fraud require a network of criminals, each of whom has developed a specific niche from which they can trade with other criminals — all driven by funds extracted from legitimate businesses, members of the public and even governments. Criminals develop services and trade them with each other. For example, professional technical experts design malicious software such as viruses or sell the tools onto others for their own use. Other criminals specialise in finding ways to trick users in order to get these viruses onto their computers — compromising legitimate websites, using phishing emails or hosting malicious websites. And they do it by buying and selling to each other the tools and services that are used to identify vulnerable computers — maybe your own personal computer — and infect it with malicious code. These networks of infected computers (botnets) can be controlled remotely by criminals, for example to harvest credit card and banking details. And these can then be traded with other criminals through the internet to enable them to use the stolen data to commit frauds. The internet was awash with these so called Automated Vending Carts — highly professional automated websites through which criminals could buy and sell vast quantities of these stolen credit card details as if it was any other form of online shopping. A SOCA-led global day of action has significantly impacted on this. Investigation assisted US agencies in seizing data for 26 of these sites and seizing 36 domains. Industry played their part too — following direct alerts from law enforcement, a further 44 AVCs were taken down. Information gathered as part of this operation has led to several UK and International arrests by SOCA and Partners in relation to operators and customers of these sites. This is the reality of modern online crime rather than some lone bedroom hacker stealing funds from your bank account.
The impact of cyber crime
When the full harm that cyber crime does to the economy is added up, the numbers are staggering — running into the billions of pounds each year. And it affects real people — real internet users. According to the 2012 Crime Survey for England Wales, one in three adults experienced online crime in the previous twelve months. This was higher than the proportion that experienced being a victim of ‘offline’ crime (one in five adults). And many more attempted attacks are blocked. Symantec alone reported blocking 5.5 billion ‘attacks’ in 2011. So we are facing a continual and large scale assault from criminals using technology. It is one that involves a network of highly skilled and highly professional criminals that stretches right across the globe. They make use of the changing technologies to launch ever more sophisticated attacks. And they exploit the complexities and vulnerabilities of our online presence.
How we are tackling cyber crime
From applying this understanding of the threat, we know what we need to do as a Government, with our partners, to tackle cyber crime. We need a joined-up approach that can link a local victim of crime to a global network of criminality— just as we would for any other form of organised crime. We need to stem the opportunities for cyber crime to take hold, strengthen law enforcement capabilities to disrupt, investigate and bring to justice those responsible for it, and safeguard ourselves, our economy and public against the threat. And we need to do so internationally as well as locally.
Strengthening law enforcement
We have strengthened national capabilities to tackle cyber crime by expanding both the cyber unit of the Serious Organised Crime Agency, and the Police Central eCrime Unit. These are specialist law enforcement teams, capable of combining traditional investigative skills with state-of-the-art technologies. They include dedicated cyber overseas liaison officers. These units work closely with their partners here and abroad, including the intelligence agencies such as GCHQ who have developed new and unique capabilities to identify and analyse hostile cyber attacks. This has broadened their understanding of the threat, and is helping law enforcement to prioritise and direct its efforts accordingly. But, consistent with our view that cyber cannot be boxed off as an issue on its own, we have combined the development of these specialist capabilities with a focus on mainstreaming the skills necessary to tackle online crimes, and criminals’ use of technologies, within all levels of the police.
We have established three regional cyber policing hubs to deliver policing capabilities with the technical skills to tackle technologically advanced criminals outside London and set about enhancing the training of police officers to make them more aware of how to utilise new technologies when investigating crime. And the results have been impressive. The Police Central e-Crime Unit reported that itexceeded its four yearoperations performance target within the first year of the National Cyber Security Programme alone — by preventing an estimated £538m of harm. SOCA repatriated over 2.3 million items of compromised card payment details, with an estimated prevention of potential economic loss of over £500 million, to the financial sector in the UK and internationally between November 2011 and November 2012. But it’s not just about tackling financially-motivated crime. In Operation HOUTHA, the Police Central eCrime Unit responded to a complaint from the British Pregnancy Advisory Service that their database had been hacked into and their website defaced. The hacker, ‘PabloEscobarSec’ had indicated that their motive was due to BPAS being, and I quote, ‘involved in murdering unborn children’. The hacker threatened to publish the entire list of BPAS’s clients on the internet — a move which would have caused serious and immediate harm to individuals who had received advice in relation to pregnancy termination, some of whom may have done so without the knowledge of their partners, their families and their wider communities. A dynamic response from the Police Central eCrime Unit in London and the regional hub in East Midlands led to the hacker being arrested within hours, and before the data could be published as threatened. Whilst the hacker is believed to have acted alone, a clear affiliation with the ‘hactivist’ group Anonymous was identified. The suspect was convicted and jailed for two years and eight months after pleading guilty to Computer Misuse Act offences. It is important that a member of the public or a business of any size reports online crimes. We have sought to make this easier than ever. We have enhanced Action Fraud to be the UK’s national reporting centre for fraud and financial internet crime, on a 24/7 basis.
Reported incidents of crime are developed into intelligence and information packages for police forces and national agencies, to inform targeted law enforcement activities. But we know that underreporting of cyber crime continues to be a problem — whether it is as a result of cynicism about the likely law enforcement response, or whether it is driven by a fear of suffering reputational damage. We need to be absolutely clear - businesses and the public need to report to Action Fraud when they have been victims of cyber crime so that, wherever possible, law enforcement agencies can identify and bring to justice those responsible. It is irresponsible not to.
Implications for businesses
When considering their role in preventing and indeed tackling these threats, businesses must think of cyber as they would any other issue on their corporate risk registers. It is just one more aspect of how to protect their intellectual property, their competitive advantages, their customers’ data and their own reputations. The companies that do this best know that IT security is not a bolt-on to their business — they know that it is core to their business. They see it not as something that will cost their business and hold them back — rather they see the digital revolution as an enormous opportunity for growth and improvement, with security as a fundamental enabler to this. Government has been working with industry, academia and across the public sector to promote awareness of the need to address cyber threats. Last year, I took part in the launch of the ‘10 Steps to Cyber Security’. It informs board members and senior executives about how they can manage their cyber security risks in order to safeguard their most valuable assets. We also understand that the digital world requires us to think differently about how we protect the critical national infrastructure.
The Centre for Protection for the National Infrastructure, CPNI, already works with the network of companies that comprise our critical national infrastructure to ensure that they take the necessary steps to improve their cyber security measures and protect key systems and data. This is informed by the work of the Security Service, which has developed and enhanced its cyber structures, focusing on threats from hostile foreign intelligence agencies and terrorists and working with UK victims. And we are constantly working to ensure that our understanding of what compromises our critical national infrastructure reflects the changes in the way that infrastructure is delivered. Implications for Government Government has also been working to take advantages of the benefits of the digital revolution. More and more government services are now being delivered online, and there are more to come as we continue to deliver the Digital by Default strategy. For example, 7.93 million customers filed their self-assessment tax returns online in 2011/12. HMRC’s new Cyber Crime Team has been set up to tackle tax fraud by organised criminals. Furthermore, a team of technical experts, working alongside external partners, has shut down well over 1,000 bogus websites since its launch in 2011.
Implications for the public
The public’s role in tackling cyber crime cannot be underestimated. Our home computers can often provide opportunities for criminals to target, much more easily than trying to bypass complex cyber defences of banks or other major institutions. Through taking a simple set of steps, the public, you and I, can reduce some of these vulnerabilities just as we would try to protect any other aspect of our life from crime. We can set stronger passwords to keep hackers out — as if we were installing mortise locks on our front doors. We can learn how to identify phishing emails and make sure we don’t click on the links that will download viruses — so that we are not inviting a cyber criminal into our home computers. And we can keep our systems up to date with the latest patches and anti-virus protections — just as we would closing the windows and set the burglar alarm before leaving the house. The Government has been working in partnership with industry to help achieve this. For example, The Get Safe Online website and associated Get Safe Online week helps raise the awareness of how we can all protect ourselves.
The recent targeted campaigns by the National Fraud Authority helped boost awareness of the threat of cyber crime and the steps the public can take to protect themselves against it. Action Fraud’s The Devil’s in Your Details campaign reached over 4million individuals with an estimated benefit of protecting against £3.27m loss to fraud through the internet. HMRC has launched a service that provides automatic advice to customers on their out of date browsers and the threat this might pose to their online security.
Working internationally
All of these activities — to prevent, disrupt and investigate online crimes need to reach way beyond our national boundaries. We need to work with a wide range of multilateral institutions and arrangements — EU, Commonwealth, UN, G8 to name but a few. We are a driving presence at all of these and must continue to shape their agendas and be a leading voice in the response to a truly global threat. The UK has taken a lead and driving role on the global agenda. We hosted a successful London Conference and have made cyber security a priority issue for our Presidency of the G8. But we need to recognise that there are conflicting views about how international cooperation on cybercrime should proceed. Indeed, there are fundamentally different geopolitical views about the nature of the internet. Some think that the State should take the role of arbiter of what is done, controlling information and deciding what should be shared and with whom. We do not share this view.
Freedom of expression cuts to the very heart of the debate about the future of the internet. With the proliferation of people connected, digital technology has rapidly become a key medium to exercise freedom of expression and to realise other human rights. It is increasingly fundamental to a healthy civil society and to democratic participation. So we must ensure that improved security and tackling terrorist threats does not come at the expense of human rights. Our threshold is therefore high, ensuring that freedom of expression and speech are not compromised. States should only limit these rights in exceptional situations. Such measures should not be adopted lightly, but only if it is appropriate, effective, proportionate and in accordance with international legal obligations. There have been calls to develop a new multilateral treaty to address this challenge, to provide a legal base against which all countries can develop their own legislation. However, I believe that this call is misplaced. There are already existing treaties, such as the Budapest Convention, that set out clearly what countries need to do in terms of legislation, law enforcement procedures, and how to work together to tackle cybercrime. Although it originated in the Council of Europe, it was always designed to be a global instrument and it has a global range of signatories. This is an excellent instrument, and we have consistently supported it since its creation. It took many years to develop the Budapest Convention, and it is difficult to see how any new Convention could be developed more quickly.
We do not believe that any new treaty would be any more effective, and the work to create it would divert resources away from what we do need to do, and would particularly divert resources in the countries with the least capacity, as they would be torn between working on a treaty and working to tackle crime. We have been very clear that the UK is ready to support the development of capacity in other countries, both directly and through partners such as the Council of Europe and the Commonwealth. The Government has a dedicated Capacity Building fund (£2m p.a.) to be used to deliver direct and practical capacity building projects. To support this further still, we will shortly be launching a new Global Centre for Cyber Security Capacity Building.
Terrorism online
International cooperation continues to be central to our approach for tackling other potential online threats. To date, terrorists have not seen cyber-attack as an important means of conducting their actions, although of course they use the internet to radicalise, spread propaganda, disseminate violent extremist material and communicate with each other. But we and other governments are very mindful of the fact that this could change. It is therefore important that good cyber-security by Government, critical national infrastructure providers and others takes account of what may well be a growing threat over time, and close down any opportunities for disruption which terrorists might otherwise exploit. And we will continue to take action against those that use the internet to circulate materials that break the law by explicitly glorifying or encouraging violence. We fund a specialist internet counter-terrorism police unit. And, to date, over 2000 sites which break UK terror legislation have been taken down by the unit.
Plans to go further still
At the heart of our vision for how we can tackle cyber crime more effectively is the National Cyber Crime Unit. This will be a powerful new unit within the new National Crime Agency that will be established this October. It will build on the successes of both the Police Central eCrime Unit and SOCA Cyber, together the experience and expertise of these two precursors to deliver a new single UK lead on tackling cyber crime. The National Cyber Crime Unit will collaborate with partners to fight cyber crime, protect the public and reduce harm to the UK from online crime. It will provide a highly specialised and fast-time investigative response, nationally and internationally to the most serious incidents of cyber crime. It will work proactively to eliminate and prevent opportunities for online criminality, including through close engagement with partners such as the Intelligence Agencies. It will be central to the wider work of the National Crime Agency in tackling serious crimes such as fraud that have been transformed in scale and scope by the use of the internet, and will deliver dedicated operational support to its law enforcement partners. And it will build stronger partnerships and information sharing relationships with industry, intelligence agencies and others and supporting a transformational change in law enforcement’s mainstream cyber capabilities. Through these changes, we expect to see a more targeted response to the most serious online crimes; ensuring that expertise is focussed on the most sophisticated cases where it can deliver the most impact further downstream. We expect to see a step change in wider law enforcement’s ability to tackle cyber and cyber-enabled crime.
We expect to see further enhancements to the already strong partnership working between law enforcement, industry, intelligence agencies and others to work collaboratively against the cyber crime threat through sharing best practice and intelligence rapidly and securely. This will benefit from far greater clarity on who leads the response and how the national law enforcement lead will work with its key external partners. The NCCU will also provide a clear single point for our international partners to engage with, supported by the wider NCA arrangements for its international networks and gateway functions. Finally, we expect that the NCA’s single intelligence picture to identify the growing use of the internet to change the way other serious crimes are committed and, through the NCA’s tasking and coordinating capabilities, deliver the most effective response. I am pleased to announce that the National Cyber Crime Unit launched in shadow form at the beginning of this month. A joint team of officers previously from SOCA and the Police Central eCrime Unit are now working together to test and implement the new operational structure of the National Cyber Crime Unit. This has been brought about by the commitment and dedication of the precursor units and I am grateful for their continued support in building a world-class new National Cyber Crime Unit. Joint operations between the units are already underway in preparation for the National Cyber Crime Unit being established. This joint working has already led to arrests against those involved in a phishing scam against the UK banking system and its customers, and a criminal network, linked to established UK organised crime groups, concentrated on high value fraud on both UK and international corporate victims.
These two operations undertaken by the Joint Operations Team are still ongoing but so far 14 arrests have been made relating to offences including conspiracy to defraud, money laundering and identity theft, with prosecutions pending. The resulting operational activity targeting the money laundering network resulted in further arrests. In total the four operations have resulted in 19 arrests, the seizure of digital material, and the restraint of £500,000 of assets pending confiscation. More effective law enforcement operations also require the CPS to keep pace. The CPS have responded by devoting more resources to cases involving online criminality, training prosecutors and developing the skills and knowledge right across the CPS that will be needed to ensure that, eventually, all prosecutors are equipped to prosecute cases that are affected by digital technologies. We will ensure the legislation is effective.
The investigation of cyber crimes and other crimes enabled by the internet are increasingly dependent on the availability of communications data. Communications Data is information about who was communicating, when, from where, how and with whom; it is the context but not the content of a communication. It is a vital tool used in the investigation and prosecution of a broad range of crimes, including cyber crime. It enables the police to build a picture of the activities, contacts and whereabouts of a person who is under investigation. It also assists law enforcement to unmask the identity of those perpetrating internet-based crime. Rapidly changing technology and business practices means that communication service providers do not always retain the Communications Data required by law enforcement and intelligence agencies to protect the public and ensure national security. While data is already available for traditional forms of communication, such as telephony, it is not always held for internet communications. Without action, crimes enabled by email and the internet will increasingly go undetected and unpunished.
The Government is committed to legislating to ensure that law enforcement and intelligence agencies continue to have the access to the communications data they need. That was why the Government published the Draft Communications Data Bill. Last year the draft Bill was subject to Pre-Legislative Scrutiny by a Joint Committee of both Houses, and the Intelligence and Security Committee (ISC). In their findings the Committees accepted the need for legislation. The Committees made a number of valuable recommendations to assist with revising the Bill. We have accepted the substance of every one of the Joint Committee’s recommendations and are redrafting and consulting on the Bill accordingly. Substantial change to the Bill was clearly required. However, as the Committees say, we do need to legislate. We remain committed to introducing the Bill at the earliest possible opportunity. We will work even closer with industry and academia to tackle cyber crime.
Next week, I will be co-chairing, a new Cyber Crime Reduction Partnership with the Minister for Universities and Science, David Willetts. This will provide a new forum in which Government, law enforcement, industry and academia can regularly come together to tackle cyber crime more effectively. And we will continue to improve the sharing of information within and between industry sectors, and with government and law enforcement. The new Cyber Security Information Sharing Partnership, CISP, will be formally launched later this month, providing a practical information sharing platform for industry and Government to share information on cyber security threats and mitigations. We will do more to help the public and small businesses protect themselves online. Despite the successes of the National Fraud Authority and Get Safe Online campaigns, we know that we still have more to do, in cooperation with industry, to improve awareness of the cyber crime threats and understanding about the simple steps that can be taken to defend against it. Work is well under way on a programme of public awareness drives. These will build on the successful campaigns by the National Fraud Authority and Get Safe Online in order to deliver measurable and sustainable changes to online behaviours of individuals and SMEs.
We will need our private sector partners to work closely with us in order to make this a success and have a wide-reaching and lasting impact. And the Government will provide cyber security guidance for SMEs, making the messages in the Ten Steps to Cyber Security document accessible for all businesses. We will further improve our ability to respond when faced with a major cyber incident — our intention is to move towards the establishment of a UK National Computer Emergency Response Team (CERT), to improve national coordination of cyber incidents including with law enforcement. We will ensure that the lessons that were learned from the successful delivery of a safe and secure Olympic and Paralympic Games are reflected in our cyber security national incident management plans. We recognise the importance of ICT skills in making the UK more resilient to cyber crime. We are investing heavily in skills, research and education improve to improve cyber capabilities in the UK.
It is important employers offer HE students the sort of cyber security internships that will help equip them with insights, understandings and experience that will improve the quality and range of the field of candidates available to help meet growing demand for skills. The demand is there - we need to ensure that quality placement opportunities match these and bring tangible benefits for both the interns and their host employers; Internships and work placementsin general area well-proven way for students and graduates tobetter apply and extend their learning; We are also establishing new university cyber security centres of excellence and will shortly be announcing which of these will host the new global cyber capacity building centre. This initiative will aim to increase the scale and effectiveness of global capacity building efforts across the full range of cyber-security threats. Cybercrime will be a major element. It is an example of how we will continue to lead and shape the international agenda on tackling cyber crime.
Conclusion:
We are facing a growing and ever more complex threat. But our response to it has grown too. And our ambition is to go further. The internet should be a source of tremendous economic and cultural growth for the UK. Cyber security should be an important part of that growth. Businesses that take cyber security seriously can gain a commercial advantage from doing so; the UK can export its expertise through the growth of a vibrant UK security industry. Through the introduction of the National Cyber Crime Unit later this year, through greater awareness and action from the public and industry, and through continuing to work closely with our international partners, we can deliver a lasting and transformative impact on those criminals that seek to use the economy to harm the UK and its interests.