Cyber-crime data is lost because victims refuse to report breaches, Metropolitan Police told Commons
Policing cyber-crime in the UK is better than it was but still has some way to go before it offers a comprehensive public service, Janet Williams, the deputy assistant commissioner of the Metropolitan Police, told the House of Commons Science and Technology Committee.
Giving evidence to the inquiry into malware and cyber-crime, Williams said there is no “single point” for reporting cyber crimes.
Better structure needed
Williams added that listed companies often choose not to report attacks for fear it could prove “sensitive to the share price”. Unlike the US, there is no compulsion for firms to report breaches under UK law.
Despite all this, she did point out that, in the first half of this year, for every £1 invested the e-crimes division has recouped £35 – which amounts to a saving to the UK economy of £140m so far.
The security industry is highly critical of the resistance of companies to reporting e-crimes. Marta Janus, Kaspersky Lab security expert, commented, “Cyber attacks should be treated as any other crime, and people should understand that helping the police in such cases is just as important. Catching the cybercriminals requires a full investigation, and co-operation from the victim’s side really helps to build the full picture. It’s worth remembering that reporting cybercrime doesn’t mean any attack on your company will become public.”
The committee also heard that victims are often at a loss to know who to turn to if they are hit by cyber-crooks or even where they can find advice about staying safe online. As ACPO (Association of Chief Police Officers) lead on eCrime, Williams made a plea for changes to the policing structure to make this process easier.
“I don’t think we’re as good as we need to be in terms of every police officer in this country being as equipped to give every member of the public policing advice around cyber security as they are about their windows, doors and general security of their house issues,” she said.
Police review must add cyber-issues
There is currently a review of national strategic policing requirements which is looking more generally at the total structure of policing on a regional basis, and how it can be changed for the better. Williams fears that cyber-issues may be overlooked in all this.
“For me, it’s really important that cyber is identified within that requirement because, if it isn’t, then I think chief constables and crime commissioners may not feel that they’ll have to put their resources, or the infrastructure in place, to deal with this locally,” she said.
“Part of our strategy absolutely relies upon local police officers being able to deal with the low-level stuff, with the regions taking on some of the regional capability, then the PECU [Police Central E-Crime Unit] taking on the high-level stuff. If that isn’t in strategic policing requirement, I’m afraid that it might not happen,” Williams warned.
The “low-level stuff” referred to is the basic awareness and advice offered by the police to businesses. Just as officers visit smaller business to advise on physical security for their property, Williams would like to see them similarly educated to give solid advice on online security.
Janus advised: “If you suspect you have fallen victim to any kind of cyber-crime, you should immediately contact the police, giving them any details they will find helpful in their investigation. Unreported cyber crime allows cyber criminals to stay free and most probably continue their illegal activity, stealing more and more money and causing more and more damage to other victims. Moreover, the lack of punishment may encourage others to do the same.”