policing cybercrime

The future for the policing of cybercrime
Peter Sommer, London School of Economics

What can we reasonably expect from law enforcement in terms of policing high tech crime? What can the police reasonably expect from us in terms of adequacy of prevention and co-operation when a suspected crime occurs? Cybercrime policing can only be understood within the broader issues facing the criminal justice system. It seems to me that both sides may be expecting too much of each other and a more realistic approach might be more productive. In this presentation I will concentrate on the situation here in the UK; however, similar patterns occur in many other countries. Let’s start off with the good news.

History of UK Response to “Computer Crime”

The UK was one of the first countries to have its own specialist squad of computer crime cops. In 1985 John Austen set up the Metropolitan Police’s Computer Crime Unit (CCU) within the Met’s Fraud Squad. In 1996 the National Criminal Intelligence Service (NCIS) started Project Trawler to scope out the range of “computer crime”; the result was published in 1999. Following on from that, and after protracted law enforcement lobbying, since April 2001 we have had a national structure, the National Hi-Tech Crime Unit (NHTCU). It was set up to be multi-agency and is run by a Detective Chief Superintendent, with a former head of the Met’s CCU as its policy advisor. The Unit exists both centrally and in every English and Welsh police force. There are some 40 officers at the centre and at least an equal number out in the regions. All police forces have some sort of computer forensics and network investigation capability. The Met also has its Computer Systems Laboratory of civilian staff, there is a small unit within the Forensic Science Service, and QinetiQ, the now privatised arm of the former Defence Evaluation and Research Agency (DERA), provides computer forensics for, among others, the National Crime Squad.

UK Response to “Computer Crime”
• 1985 – Metropolitan Police’s Computer Crime Unit (CCU) established.
• 1996 – National Criminal Intelligence Service (NCIS) starts Project Trawler.
• Mid-1990s – Customs & Excise, the Serious Fraud Office and the Inland Revenue acquire computer investigation resources.
• 2001 – National Hi-Tech Crime Unit established.

Customs and Excise, the Serious Fraud Office and the Inland Revenue have also had computer investigation resources since the mid-1990s, though in each case these have been tailored to the remits of the individual organizations: C&E towards VAT fraud and narcotics smuggling, the SFO towards complex fraud and the Inland Revenue towards tax evasion. However, leading figures in these agencies continue to play an important role in the UK’s overall response to cybercrime. Specialist groups also exist in the armed forces and the Ministry of Defence Police. From their shadowy appearances at specialist events, it is also clear that the Security Service and the Communications-Electronics Security Group (CESG) maintain significant interest and capabilities in this area, though of course their focus is on intelligence, risk assessment and prevention rather than the prosecution of crime. Over 400 individuals, from law enforcement and private practice, belong to F3, the by-invitation-only UK “club” for those interested in computer forensics. Over 900 people belong to the restricted-admittance Digital Detective bulletin board, which is UK-based though increasingly attracting overseas participants.

Perhaps this is a good point to refer to my experience as an expert in court proceedings – usually instructed on behalf of the defence. Over the last 15 years I have seen some extremely good police work; at a technical level UK police officers and technicians are second to none in their abilities to examine hard disks and are pretty good at network forensics in the TCP/IP environment as well. What has also been striking in those cases where there have been allegations of complex conspiracies is how far “ordinary” criminal investigators have been able to adapt their skills to dealing with evidence that is primarily digital. However, it is also fair to say that once a case lacks the benefit of highly motivated and skilled officers, standards rapidly fall away. It is also true to say that if digital evidence is located on a corporate machine or network, as opposed to a single PC or on the public Internet, then the police response is nowhere near as good.

The UK was also early in the training arena; courses were run at the police training college at Bramshill throughout most of the 1990s. There is now a National Hi-Tech Training facility at Centrex, at a location in Bedfordshire, which provides a variety of courses, not only for techies but also for their senior line managers and for other specialist investigators, for example those involved in child protection. High-end technical courses are also available at the Royal Military College of Science, Shrivenham, and indeed you can even take a Master’s degree there. The UK was also one of the leads in the setting up of courses and facilities at Interpol level. Even the United States, a country not much inclined to write up its history to give credit to activities in other nations, recognizes the pioneering role of UK law enforcement in setting out protocols for the safe handling of evidence from computers, in the form of a Good Practice Guide published by the Association of Chief Police Officers (ACPO).

The Home Office has for some time had a High Tech Crime Team to advise ministers and drive policy and international co-operation. UK officials, law enforcement officers and industry representatives usually appear in strength at international cybercrime gatherings at G8 level and elsewhere. On the international front, the UK has been prominent in the negotiations over the Cyber-Crime Treaty, which bears the name of the Council of Europe but is also supported by other major players including the United States and Japan. It was finalised in 2001 and its main achievement is to require signatories to make their individual national laws compliant with harmonised definitions of various types of “computer crime” and to produce harmonised procedures for the acquisition and collection of computer evidence. All this is designed to make the prosecution of computer crime across jurisdictional boundaries a great deal easier.

We want “more”

And yet almost everyone believes that this response is somehow not “enough”. There are a number of large UK-based companies who say that their own individual information security staff outnumber the total of full-time police officers engaged in this sector. The comparison is a little unfair, as corporate information security staff are mostly not investigators but work in technical and administrative roles – but the accusation remains. Almost everyone in IT security can be induced to say that they want “more” police and a “better” level of response.

The activities of the specialist police officers are interesting too. For at least the last 15 years, successive officers from the Met’s CCU and the City of London Police Fraud Squad have gone around information security conferences large and small inviting attendees to report incidents to them and to have confidence in police abilities. Often this has included a claim that the police understand corporate priorities and that they will, in appropriate circumstances, act with sensitivity so that a legitimate innocent business does not suffer prolonged disruption because it has been a victim or may be a scene of crime. The most recent manifestation of this has been the Confidentiality Charter launched by the NHTCU at the end of 2002. These pleas for victims to report have been accompanied by warnings that specialist officers and units are constantly under threat unless they are shown to be busy and getting results.

Police priorities

At the moment there are some 130,000 police officers in the 43 police forces of England and Wales, provided at an overall annual cost of approximately £9,000 million. For so long as UK citizens wish to keep tax payments down and also expect the Government to deliver services for education, health, social welfare, transport infrastructure, the arts, agriculture, industry and so on, we are unlikely to see more than minor adjustments in that figure. Within the broad crime reduction/law enforcement agenda there are many competing claims from the public and also from police officers. The public wish to see more “bobbies on the beat”, the swift handling of noisy drunks and faster flowing traffic at one level, but also that narcotics importing, heavy-duty organized crime, people trafficking, burglary and frauds are tackled. Individual groups of enthusiastic police officers lobby for more funds for their particular interests as well: how are we to cope with Turkish, Eastern European and Caribbean mafias, gun crime, art theft, and so on, they demand. Law enforcement resources for mid-range frauds appear actually to have declined. Politicians, Home Office officials and local Chief Constables have to balance these conflicting demands, not all of which are equally well grounded in researched actuality, against the limited budget. In fact, if we look at the National Policing Plan for 2003–2006, announced in November 2002 by the Home Secretary, it is difficult to see where “cyber crime” easily fits. The four announced priorities are:
• tackling anti-social behaviour and disorder;
• reducing volume, street, drugs-related, violent and gun crime;
• combating serious and organized crime; and
• increasing the number of offences brought to justice.

Approximately £25 million over three years is ring-fenced for the NHTCU, but this has to include training and the building of relationships with industry as well as investigations, and part of those funds goes out as “real new money” to the individual police forces for their network investigators. A further £25 million has been assigned to set up NTAC, the National Technical Assistance Centre, which is a central resource for dealing with encryption and interception. What should be the priorities for these specialist funds? Ask most of the public, and track what politicians actually say, and the demand is that the focus be mostly on child pornography, perhaps followed by email spam. Hackers are, by and large, an amusing diversion and an opportunity for the media to dust down 20-year-old clichés about teenage geniuses – unless of course you are a direct victim. Frauds, whether internal to a company or generalised via Internet activity such as misleading websites and failures to complete auctions, seldom get much press coverage at all. Look more carefully and several different issues arise: definitions of “computer crime”, measures of effectiveness of police activity, and internal police politics.

Definitions of cybercrime

For almost as long as people have been aware of a category called “computer crime” – the first books with relevant titles came out 30 years ago – there have been arguments about what to include. Most analysts draw a distinction between those situations where computer technology suffuses everything about the crime (the scene of crime, the nature of the offence, the type of evidence, the perpetrator) and “ordinary” non-virtual crimes where some of the critical evidence is in digital form. The NHTCU website refers to this as “new crime / new tools” and “old crimes / new tools”. But it presents a real problem to senior police officers: do they place every type of crime with a computer element in the hands of “cyber cops”, or do they say that other types of specialist investigators should have primacy and that the “cyber cops” have an important but secondary role?

The dilemma can be seen at its starkest in relation to Internet-based creation, acquisition and distribution of child pornography. Without access to good knowledge of disk and network forensics, investigation is impossible. But towards the end officers may have to interview child abusers – and abused children. Skill in disk geometry or the RFCs on chat rooms won’t help much there. Similar considerations apply in narcotics and terrorism investigations, or those involving people smuggling or murder. We can see the results of this natural confusion in the plethora of small units within larger agencies. The Met has its CCU but also has anti-terrorism and child pornography units with access to their own computer forensics specialists. The National Crime Squad is supposed to be the main agency for handling national and international crime, but the Metropolitan Police, essentially these days the local police force for Greater London, still likes to take on big international cases. The main UK unit for handling forged credit cards is extensively funded by the clearing banks but is based in the City of London Police.

There are some advantages: in this broader definition of “computer-related crime” we are not limited to the £25 million specifically dedicated to the NHTCU. But there are also some downsides. First, each specialist unit within each law enforcement agency naturally wishes to lead on important crimes, both for its own job satisfaction and because the “result” will make it easier to get further funding in the future; this can be at the expense of some duplication of effort in the development of intelligence and the maintenance of technical resources. Secondly, it makes it much more difficult for victims to know to whom to make their initial report. The multiplicity of agencies, each with its own publicity machine, can confuse the public – and indeed non-specialist police officers.

Measures of effectiveness

The cost of police investigations must, on the whole, be proportionate to the likely outcome in terms of eventual punishment. Here we can run into difficulties. The maximum penalty under sections 2 and 3 of the Computer Misuse Act 1990 is five years. For simple unauthorised access under section 1 the current maximum is six months. It is highly unusual to have any actual custodial punishment in excess of three years. But costs for contested cases, particularly if these have an international dimension, can be very high. Even in a purely domestic case reliable digital evidence must be collected both from the perpetrator and from the victim. An international case will require a significant administrative overhead to negotiate access to evidence, visits by UK officers during the investigative stage and funding for overseas witnesses to attend trial. I have no idea of the total costs of the 1994 investigation and trial of Datastream Cowboy and Kuji for hacking from the UK into USAF and other military resources. Datastream Cowboy eventually pleaded guilty and was fined a total of £1,200. Kuji, as a result of a mistake in charging by the Crown Prosecution Service, was able to walk free from the court.

Easy, say the critics, increase the punishment. There is a case for increasing the penalty for simple unauthorised access under section 1 of the Computer Misuse Act beyond its current six months, but the main argument for doing so is that a higher maximum penalty has a bearing on the investigative powers available to the police, not that longer sentences would follow. It is unlikely that we would see much in the way of higher prison sentences, for several reasons. In setting punishment judges have to balance various considerations: they must recognize that someone is a first offender, or that they are very young (as in the case of Datastream Cowboy), or that they may have psychological problems (as has unambiguously happened in a number of cases in which I have been involved). More broadly, we have to consider how far imprisonment gives value for money. It costs the state an average of between £28,000 and £29,000 per year to keep someone in prison. It isn’t at all clear that, for this class of criminal, the possibility of prison is a deterrent; on the contrary, many of them think they are invincible until the moment they are caught. What seventeen-year-old, interested in hacking for the previous 18 months, remembers that three years previously another 17-year-old might have had a two-year prison sentence? In any event, having spent the £28,000 to £29,000 a year on our hacker, at the end of his sentence he will emerge from prison. Will the process have reformed him, will he be able to get a legitimate job commensurate with his skills, or will his only opportunity to make serious money come from all those long-term criminals the system has arranged for him to meet in prison? In any event, we currently lack prison space.

But the problem for senior police officers is this: how often can they embark on an expensive, complex investigation where they can predict that, when the offender is found guilty, the punishment may be less than two years in prison? Would not the money involved be better spent on investigating domestic burglary, closing down local crack houses and all the other demands on police time?

If there aren’t enough police, what about the law?
• The Computer Misuse Act 1990 predates the Internet and is partly based on the concept of unauthorised access, which isn’t very clear any more with today’s technology: for example, a computer owner may welcome visitors to one part of their system while prohibiting them from another.
• The Regulation of Investigatory Powers Act 2000 (RIPA) has faced difficulties because of the lack of research before the Bill was passed. For example, it doesn’t appreciate the costs of asking an ISP to intercept or collate network traffic.
• The Anti-terrorism, Crime and Security Act 2001 (ATCSA) has tried to make ISPs and companies retain data, but doesn’t correlate with current data protection legislation.

Law reform

Perhaps for those who want “more” but recognize the limits on police resources, we can turn to law reform. There are a few areas which merit attention. In the area of substantive law there are some important issues. The Computer Misuse Act 1990 pre-dates the Internet and is based, at least in sections 1 and 2, on the concept of “unauthorised access”. In 1990 people knew when they were making an unauthorised access to a computer because they usually had to input a username and password to which they were not entitled. But in today’s connected world, where a computer owner may positively welcome visitors to one part of their computer system but wish to exclude them for other purposes, things are not quite so clear. Again, there is some doubt how far someone “busying out” a system, for example in a denial-of-service attack, actually commits an offence. A yet further desirable reform is a law covering theft of trade secrets; a Law Commission report, including a draft Bill, has been around since 1997 without any action being taken.

We have had a number of significant changes in the law governing how investigations may be carried out. The most important of these are the Regulation of Investigatory Powers Act 2000 (RIPA) and the Anti-terrorism, Crime and Security Act 2001 (ATCSA). Both of these have run into difficulties because of inadequate research and consultation before they were put to Parliament. RIPA suffers from, among other things, a failure to appreciate the costs to an Internet Service Provider of carrying out interception or of collecting and producing communications traffic records. In addition, an over-ambitious approach to handling encrypted material means that we are still waiting for this part of the legislation to come into force: the Home Office has struggled to cover encrypted data in transmission rather than concentrating on what would have been easy, stored encrypted data. ATCSA has attempted to provide a regime requiring ISPs and companies to retain data, but does so on an incomplete understanding of how that might interact with Data Protection legislation and EU Telecommunications Directives.

More broadly, there is a general problem with increasing police investigatory powers: we are all in favour of extending these against criminals while simultaneously worrying that those same powers may be abused against us, either by the tiny minority of rogue law enforcement officers or by a future government with its political back to the wall, confusing the “national interest” and “national economic well-being” with its own continuance in power against widespread political dissent.

However, any of these law reforms, even once agreement on detail has been reached, may face a long wait before legislation is put before Parliament. Legislation of all kinds is waiting in the Parliamentary wings, and many new pieces of law have many clauses and/or require Parliamentary agreement on related delegated legislation such as Codes of Practice.

Conclusions

The UK has a solid cadre of highly motivated, skilled cyber-cops. It has in place a series of training schemes to increase their number but also to ensure that their line managers and all investigators get a measure of “awareness sessions” so that they understand digital evidence. At the moment the best standards apply to disk and network forensics; law enforcement understanding of corporate networks, how they work and where evidence might be located, is however relatively weak. Our laws tackle both the substantive issues of defining certain actions as criminal and of giving the police and others a framework within which to investigate. What is needed now is a series of important but essentially incremental changes. The police have some internal work to do: to reduce the amount of inter-agency competition and to set up better national unified systems to respond to victim reports, so that the victim can be rapidly put in touch with the most relevant set of investigators. But we won’t be seeing any great increase in the amount of resources devoted to tackling “cyber-crime”, either in the limited sense of hacking, virus writing, denial-of-service attacks and telecommunications fraud, or in the wider sense of “computer-related crime”. In effect, for most of the public, these rate low on the range of things they expect the police to do with the funds we are prepared to give them. In this regard, the position of the war against cybercrime is very similar to that faced by many other sectors of crime, particularly white collar crime. Police response will be partial and limited, not because of any lack of enthusiasm or commitment from officers but because we also want to keep our taxes low and place some limits on police powers to investigate.

There are important consequences for those who are responsible for securing IT-dependent companies. In many industries, those within them have long reached an understanding of their own role in crime prevention and detection and of the appropriate balance between the responsibilities of potential victims and the publicly funded agencies of law enforcement. If you run a bank you know that part of your costs are to have buildings of a certain construction and design, certain personnel and audit procedures, and particular sorts of trucks and further procedures to handle cash in transit. If you are a retailer, your security costs include building design, but also product tagging, the use of closed circuit television, and store detectives. In these and other industries this understanding of respective responsibilities has been able to evolve over time. Often the understandings have been strengthened by the mediation of insurers, whose detailed policies often spell out specific security requirements in clauses and warranties. The problem for many IT-based companies is that similar norms and understandings simply have not emerged. While regular retail security has had over 150 years to develop, Web-based E-commerce is, at most, eight years old and continues to evolve rapidly. IT-dependent companies need to understand this: you cannot routinely expect the police to investigate crimes and recover assets where you yourself have failed to take reasonable precautions. Successful prosecution depends on adequate evidence, and if you lack the procedures to collect it after an incident, it is unlikely that police officers will be able to make up for lost ground.

About the author

Peter Sommer is a Research Fellow at the London School of Economics, where his main interest is the reliability of digital evidence and he teaches a Master’s course on information security. He has been acting as an expert witness in court cases involving computers since 1985 and has been involved in a number of headline-grabbing trials. He is an external examiner at the Royal Military College of Science, an advisor to the National Specialist Law Enforcement Centre and has run training for the Crown Prosecution Service. In the last Parliament he was a Specialist Advisor to the Commons Trade & Industry Select Committee. Research assignments have included activities for the European Commission and the Financial Services Authority.

Contact: Email: [email protected] [email protected]