UK law enforcement: an uphill struggle to fight hackers

UK law enforcement: an uphill struggle to fight hackers

About 16 years ago in the UK, I walked into a local police station to report a computer crime, because walking into local police stations is how they did things back then. There may well also have been penny farthing bicycles, real pea souper fogs, Mary Poppins, and Jack the Ripper, though I could well be wrong on those last two.

I was greeted at the incident report desk by a bemused officer on duty more used to dealing with stolen bikes or children stuck up trees than anything hacker related, and things went rapidly downhill from his very first question, which was, “What’s an Internet?”

The early days of UK law enforcement and the Internet

I can’t speak for everyone with my solitary anecdote, but even countries that had law enforcement bodies that were was a bit more on the ball with regards all things cyber had their problems, too. I vividly remember being asked to help [redacted entity] with something I’d researched sometime between 2005–08 (being deliberately vague here), resulting in a face-to-face meeting with someone I was half convinced was going to drag me off to a cell. I was helping! You asked me if I could help you! Sadly I can’t say feelings of reciprocal assistance were fostered in any great way, and that’s a shame.

Outside of my own experiences, many security researchers were working in almost total isolation; you couldn’t get ahold of security contacts for major social networks, nobody was on Twitter, huge organisations were missing “contact us” pages, and you were doing very well indeed if you managed to get a dialogue going with, well, pretty much anybody. All communication was done via yelling in blog comments and trying to figure out which people were at security conference dinner queues.

In short, you had hardly anyone talking, vaguely scary law enforcement with technical chops but a general lack of people skills, and officers ready and willing to ask you, “What’s an internet?”.

Frankly, I’m amazed the Internet didn’t burn down into a hole in the ground.

The present day

Things are significantly better now, and many of those problems have been addressed. We have every researcher you can think of available at short notice on sites like Twitter, we have bug bounties/halls of fame, ISPs are a lot more communicative, public facing clearing houses of malware/phishing pages, and most branches of law enforcement have a much better understanding of all things digital.

That’s not to say problems don’t exist, however. A recent report claims British law enforcement is having a tough time of it. If you’ve run into a cyberattack of some kind in the UK, you may find yourself out of luck because apparently only one in three of the 44 police forces in operation are able to deal with computer crime. While police claim some 90 percent of all crime has a digital element to it, their ability to flesh out so-called “cyber units” has been found to be lacking.

Into this already problematic area follows the frequently muddled response to forms of encryption and data privacy. The recent National Crime Agency report on Serious and Organised Crime walked a fine line between acknowledging privacy boons for regular web users, while pointing out the advantage to criminals.

That’s not really a popular line of attack, as it turns out, because the UK government has a thing for wanting to backdoor forms of encryption—and people aren’t really keen on backdoored encryption. Or how about the urge to move into the facial recognition realm, despite a false positive rate of 98 percent? On top of all that, we have this killer quote from a symposium on privacy and corporations:

Tesco probably knows more about me than GCHQ.

While admittedly tongue in cheek, it does raise questions about how much, exactly, we surrender when signing up to membership cards, loyalty accounts, and everything else along the way. Law enforcement would love to get their hands on that kind of profiling, and surveillance capitalism can have major ramifications for societies as a whole.

Essentially, things sound like they’re locked into a stalemate, and no sign of relief seems to be coming anytime soon. And if law enforcement actually is struggling to keep up with datasets and tracking information available to corporations, it’s natural that they’re going to insist on access to all the things, all of the time. At which point, people get rather angry and the cycle repeats itself. Meanwhile, in all of this, the criminals are getting away with all sorts of things.

Wanted: a huge pile of cash

Funding is the be all, end all of UK policing, but with cuts across the board and real-world police numbers down, it’s a hard sell to grab some cash for Internet shenanigans, especially when nobody seems to be entirely clear on what they want to do. Train more police in forensics? DDoS analysis? Malware reversing? Which type of digital attack is likely to be most relevant to the type of police work most commonly seen in the UK? Or, do they want to leapfrog all of that and just go all out on the “Encryption is good for bad people so we definitely want backdoors, thanks” approach?

Who knows, but considering the UK has only pumped £1.3 million into cybercrime training in the last three years, it leaves a lot to be desired. The cash is split between different regions, and that doesn’t go far—as the linked article mentions, North Wales spent £360 on 1,063 individuals to get them trained up from a total pot of £375,448. Meanwhile, there are some regions where a grand total of zero people were trained in aspects of computer crime over a period of three years (perhaps the “What’s an Internet?” officer resides there).

Backup en route

It’s not all bad news. If you could go back in time 16 years and tell me that UK law enforcement would be spending a million pounds on computer crime training, I’d probably be laughing in disbelief until 2018 rolled back around.

Nowadays, there’s plenty of ways to reach the police online, and across a variety of social media. Local and national police websites will often play host to infographics—actual infographics—with useful information on them and everything! There is, at least, money still being invested in the nation as a whole as far as cyberattacks are concerned, to the tune of £1.9 billion over five years to tackle high-level malicious activity.

Even accounting for this, I get the feeling that a bit more money sent to police officers would probably help home users and businesses feel a little more secure and, hopefully, a bit more optimistic that their low-level report to an officer manning the admin desk won’t end up in a large pile of “dunno, lol.”

Imagine a world in which a cyberattack on a home user would result in a phone call to police that actually gets answered and actually gets results. Perhaps it’s only another 16 years away.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.