Many police forces in England and Wales are behaving as if cybercrime and cyberdefence are not part of their remit, lacking detailed strategies to prevent, detect or react to it, a stinging report from inspection body Her Majesty's Inspectorate of Constabulary (HMIC) has found.
The HMIC’s Strategic Policing Requirement discovered numerous failings in all bar three of 43 police forces - Derbyshire, Lincolnshire and West Midlands - which were praised for developing comprehensive plans as part of the 2012 Strategic Policing Requirement (SPR). Only fifteen forces in total had even assessed cybercrime as a threat.
Many others lacked understanding of their responsibility to cope with major cyber-incidents and the phenomenon of digital crimes against citizens, believing they would be dealt with by national and regional policing bodies.
Forces still lacked any clear picture of cybercrime with as few as one in five digital crimes even being reported to help build a larger intelligence picture, something not helped a lack of the skills needed to investigate such crimes.
Forces were employing cyber-specialists to investigate crimes but nothing like enough of them, with most forces limiting these roles to forensic investigation; in 37 forces the take-up of training to improve cybercrime investigation was only two percent, the HMIC said.
“The police must be able to operate very soon just as well in cyberspace as they do on the street,” noted the report.
Meanwhile, on the topic of cyber-defence, many senior officers seemed “unsure of what constituted a large-scale cyber incident,” and were silent about strategies to protect citizens from cybercrime or prevent future crimes.
“It is now essential that police officers have the capability to deal confidently with the cyber element of crimes as it is fast becoming a dominant method in the perpetration of crime. The police must be able to operate very soon just as well in cyberspace as they do on the street.”
Critics suggest that change should be encouraged by specialist bodies such as the National Crime Agency (NCA).
“As a nation we are only now waking up to the pervasive nature of the cyber threat, but we will have to recognise as a nation that there is a broad-based shortage of cyber skills, not just in the police service,” commented Thales UK director of cybersecurity, Peter Armstrong.
“The establishment of the NCA has overseen the establishment of the National Cyber Crime Unit (NCCU) with the remit to help martial the national response to the most serious cybercrime; it has already established an NCA Special Constables scheme targeting specialist skills like cyber, supported by a strong recruitment campaign.”
Change has to happen and fast, according to Charles Sweeney, CEO of security firm Bloxx.
"There has been a lot of political rhetoric about the threat of cybercrime and its rising dominance. However, establishing central resources such as CERT-UK is undermined significantly if police forces are unable to help and assist people at a regional and local level,” he said.
Arguably, the fundamental role of police forces across the UK is, first, to act as a channel for reporting cybercrime, something without which the specialist units will be fighting without adequate intelligence. Years after the issue was first raised as deserving of urgent attention, in the view of the HMIC, they are clearly still failing to perform this basic role.
A second issue is prevention, something that should happen through alerting. And yet the reality is that today no citizen would even think to ask a local police force for advice on this topic let alone tell them when they become victims.