Police Scotland’s new cyber strategy is timely. During lockdown, there has been a disturbing uptick in the number of online child abuse crimes, with rates up 34 per cent on the five-year average and fraud up by 54 per cent in the first quarter of this year, compared to 2019. As people have moved their professional, personal and financial lives online, fraudsters, scammers and abusers have followed.
Where policing has always been about public visibility, more than ever the beat is becoming virtual. Malcolm Graham, Deputy Chief Constable, Crime and Operations, Police Scotland, is acutely aware of a long-term shift within his profession, accelerated by the pandemic. He presented the strategy at a Scottish Police Authority (SPA) meeting in September, and its contents were approved by board members, with a stipulation that he come back by the end of the year with a clearer focus on how the 58-page document was to be implemented.
Graham says the title – Keeping people safe in the digital world – was one the force “wrestled with”, as it sets out to demonstrate a commitment to serving the public differently to how it has done in the past. In that sense, he says, the plan has to be backed up with the digital capabilities really to deliver on the new frontline, where everyday criminality ranges from threats of harm on Facebook to international drugs smuggling and organised crime on the dark web.
“The main thrust of the strategy is about the development that we need as an organisation to tackle digital threats,” he says. “It’s focused on the operational changes that we need to make as well as organisationally – working in partnership in different ways – but it’s really about that service offering to the public because of where they are now living their lives.”
He adds: “And that’s the bit I wanted to get across [in the SPA meeting]: that the world is moving so quickly and has moved so much that it might not be immediately visible in the way that some other crimes are – and some people may not have kept up – but actually this is the reality of what we’re dealing with in terms of the increased threat, because of the way that vulnerable people are targeted, children are being abused online, and increases in fraud.” The strategy itself recognises the limitations of policing, given the underreporting of online criminality; however, it focuses on four domains as it pushes into what the force describes as ‘uncharted territory’. Those are: its own resilience and ability to respond to shifting threats, public health, prevention and partnership, investigation of criminality and protecting and safeguarding. It is an ambitious and far-reaching document, yet its success will be dependent on the resourcing implications of an already tightening fiscal landscape.
Graham was joined in the SPA meeting by his financial colleagues, who outlined the difficulties of realising the full extent of existing modernisation programmes. David Page, Deputy Chief Officer, highlighted how the force had asked for £74m this year but had received £55m, adding: “We can only move at the pace which we’re given the ability to move at.” His remarks were in the broader context of funding Police Scotland’s capital expenditure requirements, of which the Digital, Data & ICT (DDICT) strategy of 2018 is a part. And he reassured board members that much of the cyber vision will come from that pot, rather than a new one.
However, the implication was clear and the response to Covid-19, in which there has been a demand on officers to be more visible in public places enforcing a raft of new regulations, has also borne down on costs. Graham says: “We’ve had to cut back on some of the work that we’ve done over the last six months because of Covid. We’ve had to deal with other internal issues that everyone’s had to deal with around safety and distancing. And we’ve had to make sure that we’ve maintained, in fact we’ve actually increased, public confidence in policing in Scotland during the period of the pandemic. But this is one piece of work that I really wanted to push on with and accelerate because the evidence of the last six months is that these threats have increased.”
Not only have they increased, but “Criminals are exploiting new technologies at an ever-increasing pace, and a growing number of traditional crimes now also feature a digital element,” according to the strategy.
I suggest to Graham that policing may need to have greater visibility in the virtual world, much as it does on the streets; currently, people can report certain crimes online, but largely are pushed towards the traditional routes. Would having virtual police stations on Facebook, with named officers providing a local presence similar to a traditional ‘Beat Bobby’, be a good addition to community policing?
Graham acknowledges that it is something the force is “actively looking at” and that there is a plan in the making. He says: “A digital contact strategy is the means by which we’re going to open up different channels for people to communicate and report different types of crime online. This will come into public domain through an SPA board in the near future.”
He adds: “Our offering in the future will be need to be broader, and people would expect that. We’ve done a lot of work to gauge public appetite and to make sure that it’s inclusive. Because there are all sorts of difficulties and dangers if you move to exclusive reporting in the sense that you’re potentially disenfranchising certain sectors of the community with the level of digital exclusion that there still is across the country. We’re mindful of that when we’re developing all that work so I don’t think it will necessarily be a shift, it will be a broadening of the offer.”
The force is also looking into being part of a UK-wide reporting channel for cybercrime specifically; there are still way too many crimes that are not reported to police at all. Figures from the Scottish Crime and Justice Survey (SCJS) indicate that one in five adults have been the victim of one or more types of cyber fraud and computer misuse in the year 2018/19, with one in 20 having been victims of more than one type. However, the majority of victims confirmed that they did not report the incidents to the police. This was particularly true in the case of scam phone calls and viruses, with 84 and 79 per cent of victims respectively not reporting such incidents to anyone.
Graham says: “We want to be able to capture that through some sort of single route and we’re part of a piece of work at UK level to see if we can be part of a structure of single reporting that recognises that geographical boundaries are not always clear to people. And therefore, we want something that is as easily accessible and relevant to people who might be part of the UK as much as part of Scotland. That probably links across cybercrime and fraud, which is not the same thing, but they overlap in the middle.”
There have been several developments in the last 12 to 18 months that have seen the force make great strides forward, in terms of its overall digitisation. Although body-worn cameras have not been deployed as they have in other forces south of the Border, Police Scotland has prioritised the issuing of Samsung Galaxy 9 notebooks – with a Motorola-led interface – to every frontline officer. The devices have had a “phenomenal impact” on policing, says Graham, and recognition of hand-written notes has improved from 80 per cent on earlier devices to 99.8 per cent. The force is in the process of rolling the notebooks out to specialist officers for major crime inquiries.
Even though the cyber strategy is still to be implemented, the force recently unveiled plans to establish a national cyber centre of excellence – staffed by 150 specially-trained officers – as part of an operational and training commitment to tackle offences such as child sexual abuse, fraud, and the sharing of indecent images.
Graham also talks about the rollout of new digital triage equipment, so-called ‘kiosks’ which have been introduced. The Cellebrite software system, installed on laptops, allows officers to plug in smartphones and scan them for digital material relevant to an inquiry. They were heavily scrutinised last year in parliament, amidst what Graham says was “legitimate” concern from privacy groups, but he insists that the triage process is “standalone” and that the data is not networked into other police systems. He says: “A decision is made either to retain it so it can go for a full forensic examination or we don’t and we give it back. And people can get everything that they need back at the time, which again is a legitimate concern of people. If you take somebody’s phone off them that’s got a big impact on people’s lives these days and we appreciate that.”
Like most public sector organisations, Police Scotland is not immune to IT project failures. The force’s modernisation plans were seriously hampered in 2016 when the i6 computer system project with Accenture collapsed. Plans to replace 130 electronic and paper-based systems – covering 80 per cent of police processes – were shelved, leading auditors to conclude that: “Police officers and staff continue to struggle with out-of-date, inefficient and poorly integrated systems.”
Graham admits there have been tech “wrinkles” along the way since eight regional forces were merged into one in 2013 and i6 came at a time when the force wasn’t ready to “land the benefits” of the system. Instability at the oversight body – the SPA – has not helped in terms of governance and keeping transformation plans in line with public expectations of a modern police service. But the Digital, Data and ICT (DDICT) Strategy in 2018 – and now the cyber strategy – has at least set out a clear path towards how information technology is going to be used to support its agenda. “It feels to us that we’ve just reached a stage where we can really start to capitalise operationally on the benefits,” says Graham. “It’s probably taken us a bit longer than we thought it would, but it allows us a foundation to build on that we could never have dreamed of in the past.”