From Action Fraud to Action Plans
1 Action Fraud had an impossible task
The Times undercover investigation at Action Fraud has led to a rash of publicity, both tabloid and professional. The only surprise is that it has taken so long to expose the mismatch between public expectations and delivery.
Action Fraud’s own website indicates what the service was not intended to cover and thus demonstrates the need to better cover the latter.
There is also the need to distinguish between “reports” that are expected to lead to action and the many thousands of “notifications” that might arise from a single criminal action. An example of the latter was the premature and untargeted release of a piece of ransomware which, inter alia, crippled parts of the NHS. We also need to better handle the many thousands of partial reports from those who have suffered loss or distress but cannot provide sufficient information to enable action, even were the resources available.
It is all very well to have a review but this needs to lead to much more than a simple change of contractors.
The Action Fraud team were set an impossible task. Loss of morale and cynicism were inevitable. But the problem goes deeper. The opportunity should be taken to look at how to create honest and effective processes which also filter and distil incident notification, with regard to all forms of cybercrime and abuse, into usable intelligence, actionable reports and effective victim support. That is a much bigger task than Action Fraud was created to address. But it is essential to restore public confidence in the Internet as a safe place for voters and their children as well as for the 99% of businesses with no in-house security expertise.
Hence the business case for Telcos, ISPs, Social Media Companies, On-Line Retailers and Transaction Service Providers (and all others who want the on-line world to flourish), to better co-operate with law enforcement. The need is to create more effective clearing houses for information on abusive/criminal activity and thus enable more effective action, under both criminal and civil law, to remove weaknesses, prosecute/deter perpetrators and change professional/corporate behaviour towards security by design, as opposed to afterthought.
2 The reasons were identified over a decade ago
The problems were foreseen in 2004. The fifth discussion paper of the EURIM-IPPR study into Partnership Policing for the Information Society was on “The Reporting of Cybercrime”. It warned that: “Easy-to-use incident reporting systems are likely to be swamped unless material is received in a form suitable for automatic collation, analysis and forwarding. That means web-forms and/or pre-validated submissions from “trusted” sources, e.g. Banks or ISPs, on behalf of customers … The UK routines for reporting suspected money laundering illustrate the paralysis likely to result if this is not available.”
There was already a need to “reduce fragmentation and duplication of effort with regard to reporting structures and improve the availability of intelligence to help focus existing resource” and “a Catch 22 situation with regard to justifying the resources necessary to create easy-to-use reporting systems that will not be swamped. Without such systems we risk confidence in the Internet being eroded by the inability of most users to report incidents to someone who will take notice of their concerns. Education and awareness campaigns could do more harm than good unless accompanied by such routines.”
3 Now we face the predicted loss of confidence
The failure to create effective processes to collect and collate information on attacks to support the business case for action, has led us to a situation where criminal behaviour is almost risk free and therefore rising sharply.
- Government cybersecurity policy is focussed on the needs of GCHQ and MoD for state security and cyberwarfare rather than to protect citizens and business.
- Telcos, ISPs and other technology suppliers are effectively discouraged (on competition grounds) from working together to collectively remove the vulnerabilities that enable their customers to be attacked and abused.
Neither group gives serious priority to working with law enforcement and victims to identify and prosecute or sue the culprits.
I recently blogged that in June 2019 there were around 370 exhibitors at Infosec, most of them promoting cloud and/or AI based threat intelligence and/or behavioural analytics services to digest the billions of “attacks” into actionable information. Much of what they collect and report overlaps with what the National Fraud Intelligence Bureau hopes to receive, at no charge, from analysing that notified via Action Fraud and its other sources.
4 We have to unpack the problem to rebuild trust
Back in 2004 the EURIM-IPPR report said: The reporting problem can be addressed in manageable chunks, but to do so will require co-operation amongst a number of players, recognising that there are three distinct, albeit overlapping, reasons for establishing reporting mechanisms:
- the need for information on the size and nature of e-crime, to plan the right levels of skills, resource and working practices and commit to appropriate levels of investment across government and industry to reduce the opportunities for e-crime;
- the need to report suspicious incidents, vulnerabilities, adversary capabilities and the like, to enable the collection of intelligence, linked to means whereby this can be fed to different constituencies to enable them to protect themselves from new threats and vulnerabilities as they emerge – and to product suppliers to address security weaknesses;
- the need to provide the means whereby individuals and business can report and support investigation of suspicious incidents.
All three might also benefit from routine bulk reporting by those running protection services for their clients, most of which include monitoring, analytical and trend analysis services.
Today the organisation of bulk incident notification to enable collation and distillation into actionable intelligence in support of collective investigation and action under both civil and criminal law (as recommended in Fighting Fraud Together) will be much harder.
- Partly because of the massively increased volume of attacks.
- Partly because the private sector cybersecurity industry, geared to the needs of Government and big business is a $multi-billion industry with little incentive to provide uncharged access to law enforcement.
5 We have to change the incentives
The situation would change rapidly were those who pay for commercial cybersecurity services to require the ability to pass their incident reports, in common format, to a central clearing house akin to that recommended in 2004.
In 2008 the UK clearing banks offered such a service as a by-product of a real-time shared fraud detection service linked to payment clearing. Parts of HMG, however, wanted statutory access. I will not go into the reasons (including the position of City of London operations in the critical financial services infrastructures of overseas Governments) why statutory as opposed to voluntary access is impractical.
At present the prime incentive for change is the desire of the major advertisers, who fund the Internet as we know it today, to protect their brands from piracy, stop them from being damaged by being associated with abuse and to check that the clicks they pay for are genuine. Google and Facebook have little choice but to respond. The means they use could also help transform the safety and security of the Internet as a whole.
6 There are many questions
The questions asked in 2004 remain pertinent:
- Who wants to report what to whom and what do they expect to happen afterwards?
- Who wants to receive what reports, on what and what are they going to do with them?
- Who should be responsible for analysing reports, producing intelligence for dissemination and information for action by which appropriate authorities and organisations?
- How should such intelligence be distributed to different constituencies, and by whom?
- What reporting already happens (private sector, law enforcement agencies, regulators etc.) and how might existing information be better processed and shared?
- What are the potential volumes? What resources would be needed to handle them?
- What governance and security processes are appropriate for which material?
7 We should be honest about Intelligence Gathering versus Reporting
Those contacting Action Fraud or abuse@ teams and others need to know whether their submissions will be treated as:
- Intelligence – to be distilled into action plans to remove vulnerabilities, disrupt criminal supply chains or enable partnership action (under a mix of civil and criminal law)
- A potential crime report – for criminal investigation, whether based on the collation of intelligence, a report by an individual victim or a report by an ISP or Bank covering an attack on a number of customers
- A potential case for civil action by victims (or a group of victims) and their lawyers/insurers because there is insufficient evidence or resource to support a criminal prosecution.
However the submission is treated, there is a need to provide the victim with realistic advice. In 2005 the Culture, Media and Sport Select Committee saw this as a role for Citizens Advice or the Law Society (Para 25). Citizens Advice appear happy with this recommendation, provided they are given the necessary support.
I have now handed over my project portfolio but remain on the advisory board of the Digital Policy Alliance and plan to attend the next meeting of the Cybersecurity Group. I intend to suggest convening a round table on reporting to see whether there is support for an exercise to update the exercise done in 2004 – but without the expectation that Government can and will lead a joined-up exercise. That is because the conflicting agendas across the tribes of Whitehall, let alone across those of law enforcement, make an industry-led approach more likely to succeed.
But is the loss of confidence in the on-line world such that the leading players are willing to work together?
And would Ofcom (as competition regulator for the on-line world) allow them to do so?
Those are questions I leave to the next generation.
That said – the new Ministers at DCMS ARE from the next generation.
So are those at the Home Office and BEIS.
And we can see a stiff breeze of change beginning to waft through the corridors of power – beginning with demands for weekly progress reports on Brexit arrangements.
Given that we are in the foothills of the most unpredictable general election in several decades we might even see democratic pressures over-ruling departmental agendas.
Make YOUR voice heard.
Such opportunities do not happen often.