Policing, at times, is all about risk. As the police service embarks upon a journey of digital transformation, it must not be blind to the real-world risks of failing to take cybersecurity seriously.
It has become common for police forces and their Police and Crime Commissioners to declare tackling “cybercrime” and promoting “cybersecurity” as priorities for the public and businesses they serve. But what of the police service itself? How secure are the foundations on which digital transformation will be built?
Concerned that real-world risks were being overlooked, The Centre for Public Safety started assessing the current state of UK policing’s public-facing digital infrastructure in July. Keen to stay on the right side of the law, we limited our work to reviewing the security of the connection between the site and visitors.
For those not aware, the security of the connection between you and a website matters because, if the connection is insecure, others – on your network, or sitting between you and the server – might intercept your communications. They could simply read them if no encryption is used, or decrypt and read them if the encryption is weak or insecure.
This should matter to forces because in embracing digital transformation they can expect to receive more information from more people – and some of it will be sensitive. Some of it – if it got into the wrong hands – could have serious implications for the individual, their family, their community and ultimately public safety as a whole.
Our latest Public Safety Briefing sets out two examples: one involving a man who helps police with information about local gang crime; and the other in relation to a female victim of domestic abuse. We set out the very real risks that come with failing to provide a secure connection. If you doubt the risks, we urge you to review the examples.
We started our cybersecurity assessment with the largest forces and were concerned by what we found.
The Met Police – despite the hundreds of millions of pounds spent on IT, year in, year out – failed to achieve top marks, scoring a grade C, while smaller forces like Dorset, Durham and Gwent, with infinitely smaller budgets, scored close to top marks.
In total, we examined 71 police and police-related websites (including our own) – grading each one from A+ through to U – and found that while a quarter had a good quality, secure connection with their visitors, almost as many offered no secure connection.
So, it’s right to recognise Cleveland Police, Cumbria Constabulary, Devon and Cornwall Police, Dorset Police, Durham Constabulary, Gwent Police, Kent Police, Leicestershire Police, Merseyside Police, Norfolk Constabulary, North Yorkshire Police, the PSNI, Suffolk Constabulary, Warwickshire Police, West Mercia Police and West Yorkshire Police for coming out of the assessment with top marks. Their sites offer a good quality secure connection by default. They have secure foundations.
At the other extreme, some forces provide no secure connection at all and yet solicit personal data from members of the public. Worse still, some solicit information on criminal activity along with personal data.
It’s 2016 – the internet is not new, cybersecurity is not new – and the management and mitigation of risk are not new. That’s why we recommend and call on all forces to follow the lead set by the 16 forces that achieved top marks – and make their public-facing sites and online services secure-by-default.
The government, police and industry encourage us all to “look for the padlock” when submitting sensitive data online. It’s time the entire police service began practising what it preaches and provided the public with the assurance and confidence to transact online.
If a member of the public calls police on 999 or 101 they expect privacy and security. If they are interacting online with police, funnily enough, they have that same expectation.
With cybersecurity breaches often going unnoticed for long periods (if noticed at all), it may be that some forces and their technology partners have been “getting away with it”. But, with increasingly sophisticated threats and the commoditization of exploit kits and similar, complacently “getting away with it” becomes a recipe for serious disaster.
We assessed sites twice – once in July and again in September. We were struck by the example of one force that, perhaps in a rush toward digital transformation, “upgraded” their website – only to actually make it less secure.
The stakes will only get higher as more public interactions with police take place online and we hope that our first cybersecurity briefing will help focus minds as forces embark upon unprecedented changes to their public-facing online infrastructure.
We call on Chief Officers and those responsible for digital transformation or other technological change programmes to ensure that they do not neglect cybersecurity as they seek ways of providing a better service for less. Failure to take cybersecurity seriously can, and will, increase the risks to your organisation and – most importantly – to public safety.
The Centre for Public Safety published ‘Secure Foundations: Assessing the cybersecurity of UK policing’s online presence’ in response to growing concerns relating to the cybersecurity of UK police websites and their readiness for the coming digital transformation. This article by Rory Geoghegan was originally published on Policing Insight.