Scotland’s national police force has committed to providing a detailed implementation plan for its new cyber strategy following a significant rise in online crime during lockdown.
Senior officers have been asked to lay out key milestones and delivery timelines for an ambitious new strategy that seeks to deal with the spike in internet enabled or dependent crimes since the onset of the COVID-19 pandemic.
Police Scotland formally brought forward a business case for its ‘Cyber Strategy, Keeping People Safe in the Digital World’ at a virtual meeting with committee members of the Scottish Police Authority last week.
The strategy, which will complement the force’s existing Digital, Data & ICT (DDICT) strategy of 2018, and intersect with other operational priorities, has been developed in response to the rapidly-evolving threat landscape of online crime, which has been exacerbated by the current coronavirus crisis.
It sets out four key objectives as the force seeks to become more resilient and able to respond to shifting threats, is part of a public health approach with partner agencies, increases the force’s online presence and capability to investigate cybercrime and protects those at greatest risk of harm.
Chief Constable Iain Livingstone told the committee: “We’ve always known that people are not safe in their own homes, and over the last number of years and decades increasingly policing has taken us into the private space in terms of public protection, protection of children and protection of people in domestic settings.
“What all of is know is that there’s an enormous challenge for people living in the virtual world, and where people live and where people conduct social business and social transactions – and professional business and professional transactions – [that] policing needs to be there. We need to be there to provide support, we need to be there to lead, in terms of prevention and education and clearly we need to be there in terms of enforcement when required.”
The chief constable said that he doesn’t see the cyber strategy as so much as a shift in demand for policing, but as ‘additional demand’; he explained by giving an example of officers who may be required to attend in a physical sense – responding to a case where someone has been threatened by an ex-partner – who might also need to access devices if that is the means by which such threats have been delivered. Within the current operational context, he added that “at the moment there’s a significant limitation in our ability to address this increasing threat”.
He also explained the changing nature of crime, recounting how as a young officer in Edinburgh in the 1990s the role would entail checking the windows of accountancy and legal firms. Now, companies are less worried about the threat of real break-ins and much more concerned about “online threats” and of “malware attacks demanding Bitcoin from outwith the UK.”
During the session, committee members heard some alarming statistics which demonstrate how cybercrime has increased since lockdown commenced on March 23; Deputy Chief Constable Malcolm Graham revealed that some “really concerning data” has been recorded in relation to online child sexual abuse crimes recorded during the pandemic.
According to Graham, who chairs the group charged with oversight of the strategy, there has been a 20% increase in that category of crimes compared to this time last year, with fraud rising by 54% in the first quarter of the year compared to 2019.
DCC Graham added: “We know that the complexity and the overall demands of crime are increasing and just about every crime has got a digital element – but that’s just the number we know about. The underreporting of cybercrime is a really significant challenge for policing as well, and it’s a key part of the strategy. We know that the data available doesn’t represent the true scale of everything. A recent UK government study reported that 95% of online banking thefts were reported to banks and credit card companies but only eight per cent were ever reported.”
Committee members approved the broad scope of the cyber proposals but expressed concern that there were no delivery timescales described in then plan. Committee member, Elaine Wilkinson, said: “In order for the authority to be absolutely supporting this we need that strong evidence base – I know you’ve got the material in DDICT and we’ve got a cyber strategy but what we don’t have presently is the detailed implementation plan with the resources set alongside that, that enables both Police Scotland to prioritise the use of the capital budget that you are given by the government and how we can support and make the case for that.
“And I just think it’s bringing those bits together now because we need to be very clear on what we deliver by when and how much money that would cost.”
David Page, Deputy Chief Officer for the force, addressed the point of cost by explaining the context of capital budgeting; the original ‘ask’ of Police Scotland this year had been for £74m but the force received £55m. He said if the force doesn’t get the investment required then “we can only move at the pace which we’re given the ability to move at”. However he said: “One of the key things to know is that the digital, data and ICT strategy and business plan we have already put forward actually underpins a lot of the technical requirements that are needed to deliver the cyber strategy.
“We’re not looking for a substantial additional ask; most of what we want to do this is actually in the papers and the ask in the papers that we have already put to the board. Hopefully that will provide some reassurance that we are not going to come in with a great big bill that we’re going to be asking. All we need to do is to have the DDICT funding that we’ve already put on the table for some years, every year, to be made available.”
Tom McMahon, Director, Strategy and Analysis, Police Scotland, told the board that the “substance” of the implementation plan will be done internally and be ready by the end of the calendar year.