Villains Of The Piece

Adrian Leppard

Retired Commissioner, City of London Police and Director, Templar Executives

In his final interview as the man in charge of policing fraud and cybercrime in the UK, retiring City of London Police Commissioner Adrian Leppard reveals why the authorities are now “swamped” by online crime and why – despite the crisis – the UK could still become a world leader in cyber security.

For the first time last year the British Crime Survey, which measures crime across the UK, included questions on fraud and cybercrime. It shows there are five million frauds and 2.5 million cybercrimes taking place a year, compared to a total of seven million other crimes.

Those are very significant figures. They double crime levels in an instant – and make fraud and cybercrime the most prevalent in our society.

The challenge we face as police is that only a fraction of those (250,000) crimes are actually being formally reported. So at the national level, we are unaware of the scale of the problem. There is also only enough capacity within British policing to deal with around 60,000 of those crimes a year and we only get a positive outcome rate of about 12,000. So, as you can see, the chances of being caught are very slim.

There has been a significant surge in bank card fraud across the UK; one in five of us have been a victim in the past 12 months.

We have also seen the recent Dridex malware attacks, which stole £20 million from online bank accounts. This indicates that the theft of bank account details from individuals and businesses is a popular target for criminal gangs.

The City of London police acts as a huge crime bureau for the country. We have the lead responsibility for policing economic crime and fraud – including cyber. Any fraud or cybercrimes reported come to us in the UK through a fairly clunky system called Action Fraud, which is a website and reporting centre before they are then passed to the City of London Police.

It’s a good process, but we are swamped by volume. The major issues are largely down to factors beyond our control. Firstly, the bulk of criminality is being conducted from overseas from countries where we can’t reach them. The British police can’t just walk into another country and arrest somebody. Second, these threats come through the internet. The traditional means by which governments protect you and I from other crime types are borders, for cybercrime this approach does not work.

So what can we do? Certainly, as I reach the end of my policing career, I know I leave a service well-versed in preventing the more visible crimes, but that needs to continue to evolve to meet the threat posed by cybercrime, especially online fraud. There is only so much that can be achieved within the limited resources available and the competing priorities police forces are seeking to deal with.

Ultimately, this new crime needs new resources from the Government, such as a big campaign to reach every household, similar to the ‘Clunk Click’ campaign for drink driving. Campaigns of that scale reach everybody and that is what is needed so people can protect themselves. I think there is a role for government in accrediting certain services, like email, making it a more secure environment for everybody.

You also start to recognise that all of this threat is being hosted through the industry. The internet facilitates the benefits and health of our society, so it’s a good thing, but it is actually criminals working through ISP’s, through telecom providers and through the businesses at the front end who are using the internet to facilitate a service for their customers. They, therefore, hold the key to how we protect society.

So the next challenge is – how do we find a way that businesses can adopt common standards of information security in a way that’s achievable and cost-effective for them and doesn’t place them in a competitive disadvantage against businesses in other countries?

Cyberhealth and safety should be the new health and safety. We should know that of all the attacks in recent years, about 60 or 70% involved an insider threat.

If you look at some of the PwC and KPMG research you will see 90% of small companies are being attacked each year, while the corporates will also say it costs them an awful lot when they have a breach.

You can’t just say ‘Woe is me.’ You have to have a conversation about a cyber breach and its effect on your business. You need to make sense of the cyber threat.

We have no one standard anywhere in the world and, in the UK, there is no standard that is a requirement. There’s no regulatory or lawful requirement to adopt a standard of security and when we look to the future we have to look at what are the minimum standards that business should be adhering to. They have to adhere to minimum standards in Fire Safety for example – but my view is we should be adhering to a common set of standards which are laid down by law for cybersecurity.

Although we have a Government that doesn’t like to regulate business, we can estimate it’s costing the UK about £30 billion a year in fraud, and other countries are all grappling with these same changes. So what I’d like to see Britain doing is becoming a leader in cybersecurity.

“If we can’t reach the offender we can still remove their ways to make money”

What you need to do is start looking at the positive advantages to the country and to business. You are already seeing a number of FTSE 500 companies that are bringing significant investments into cybersecurity. It would be a good start recognising what the individual business growth is and, from a trading perspective, what the overall growth could be if we became one of the leading countries in cybersecurity.

It is achievable because we have a well connected Government, led through a Cabinet Office with a security strategy. Our security agencies, GCHQ in particular, have been heavily involved with business for a long time, providing advice and guidance.

Across the world, some security agencies are still quite stand-offish from business, but we’ve been working in this area for a long time and we have gained a lot of knowledge and expertise in cybersecurity. So we have the potential to turn this into a business and power growth in the country.

The conversation we tend to have is always negative, about the challenge and the threat and how difficult it is.

But London is the world’s largest trading centre in banking. It competes with New York so there’s good reason for it to be the leading light for cybersecurity.

The UK Government has a good name in a range of areas. We have technical skills in cybersecurity. There’s the uniqueness of British policing in its success at preventing crime and working with communities.

So many countries use a fairly traditional enforcement approach to combat crime and for many decades we have led on a softer approach, which is how to eradicate crime. By working with offenders and businesses, to see how crime might occur, you can help to curb crime from the outset.

I wouldn’t say this is all about prevention either. If you look at enforcement, you have the National Cybercrime Unit (NCCU), who we work with, then there’s the European Cyber Centre. There is also the US Department of Homeland Security, the FBI and the US Secret Service. By working together we can collectively set targets. For example, the Eastern European countries are working very effectively in cyberspace because they have a presence on the dark web and infiltration into organised crime groups in the cyber world.

We can’t look at that as being our only means of addressing the problem. We have got to think in a different way. We need to be innovative. For example, we have an Intellectual Property Crime Unit within our Economic Crime Unit here and it focuses on hard goods and, more importantly, virtual goods. So where people are putting albums on websites and you can buy the latest track and get it for free, that’s a crime. Stealing intellectual property – that’s stealing people’s livelihoods.

Often these are hosted by websites in other countries, so what can we do to target it?

What we’ve been doing is effectively targeting their funding structures. We’ve been working with some of the big funding providers, such as Mastercard and Visa, to provide information on websites selling illegal material, which in turn they prevent operating by shutting down the funding structures they host. We have done the same with online advertising, in order to take down advertising from certain websites.

If we can’t reach the offender we can still remove their ways to make money. We now shut down 4,000 enabling structures a month. For example, intellectual property websites or investment websites, those trying to sell you diamonds or trying to sell you land. We’ve found Voice Over Internet Phone (VOIP) numbers used by fraudsters, which look like they’re a British phone number but they’re not.

If we close these things down and start to stifle criminal enterprise, we, therefore, protect more people and prevent more crime. We estimate that we are saving the UK roughly £500 million a year by doing this.

It’s just another stat, but if you said fraud in this country is £30 billion a year and we’re only preventing £500 million – that’s a big gap.

There’s also military scoping, and individual states’ capability in this area is growing quickly. Every government agency in every country is putting more and more investment into cyber. They are building their own scripts that are getting on to the internet that can do damage, and increasingly we see criminals using hijacked scripts that have been built by intelligence agencies.

So you have state capability growing exponentially and people’s access to the internet is growing. It is an arms race.

In Britain, we have good technical skills and we’re getting better every year. There’s a positive journey and we can see increasing successes. My only word of caution is that it is still only a drop in the ocean compared to the threat we are facing.

So whilst we are growing in capability, the threat is growing faster than us.