Secure Foundations: Assessing the cybersecurity of UK policing’s online presence

Read the Secure Foundations Briefing

Our Findings

More than 1 in 4 police and affiliated sites demonstrated the highest standards – the remainder are a cause for concern.

  • We scanned 71 police and affiliated websites (including our own) and found that just over one-quarter (27%) demonstrated the highest world-class standard of secure connection. The remainder (73%) either lacked a secure connection for visitors or had an implementation that was deemed deficient or insecure.
  • Almost 1 in 4 (24%) of the sites lacked any support for secure connections, meaning information is communicated in plain unencrypted text across the internet. Of these, almost 70% (11 agencies) invited users to submit personal data – and in some cases information specifically relating to criminal activity – via these unsecured connections. They are exposing the public to unnecessary risk.
  • This is despite the fact that the use of secure connections when transmitting personal data is regularly highlighted in crime prevention and online safety advice (“look for the padlock”) issued by the police service, Government and industry partners.
  • Around 1 in 10 were found to have a significant vulnerability in their implementation of a secure connection – including the National Crime Agency’s Child Exploitation and Online Protection Centre (CEOP), which has a specific online focus, along with six territorial police forces.

The public expect communications with the police to be conducted securely and with a right to privacy. Secure-by-default signals a commitment to that expectation.

  • The A-graded delivery of ‘secure-by-default’ by 17 police forces demonstrates that some forces and their IT partners recognise the need to both signal and deliver a secure communications channel. Those sites with room for improvement can and should aspire to reach the same standard.

Cybersecurity threats are on the rise and, with digital transformation, the police service can expect to be a more appealing target.

  • The growth in cybersecurity threats is well-evidenced, both by large-scale data breaches (e.g. TalkTalk, Yahoo and LinkedIn) and by reports such as Akamai’s latest State of the Internet security report. It showed that Q2 2016 saw a 129% increase in total Distributed Denial of Service (DDoS) attacks versus the same period a year earlier, with web application attacks up 14% quarter-on-quarter.
  • While there is much more to ensuring cybersecurity than simply having a robust and secure SSL/TLS implementation, we have chosen to use the SSL/TLS implementation as a proxy for overall security-mindedness.
  • Others have also turned their attention to the issue of SSL/TLS implementation, with Symantec in their most recent Internet Security Threat Report declaring that “organisations need to be more proactive around SSL/TLS implementation” and emphasising that it is “vital that website managers maintain the integrity of their SSL/TLS implementations”.

Trends in UK policing’s public-facing digital infrastructure broadly demonstrate a commitment and ability to deliver security improvements.

  • Between July 2016 and September 2016 we noted that 11% of sites (8) demonstrated security improvements. These came in the form of adopting secure-by-default and improving specific implementations.
  • However, two sites deteriorated during the period. These were Avon and Somerset Constabulary and Cheshire Constabulary. The full briefing paper provides further analysis.

The UK Police Cybersecurity Results

Organisations with the Highest Gradings (A+, A)
Grading: A+
Civil Nuclear Constabulary (CNC)
Independent Police Complaints Commission (IPCC)
Grading: A
Cleveland Police
Cumbria Constabulary
Devon and Cornwall Police
Dorset Police
Durham Constabulary
Gwent Police
Kent Police
Leicestershire Police
Merseyside Police
Norfolk Constabulary
North Yorkshire Police
Police Service of Northern Ireland (PSNI)
Suffolk Constabulary
Warwickshire Police
West Mercia Police
West Yorkshire Police
Organisations with Room for Improvement (A-)
Grading: A-
ActionFraud (1 of 2) - Version for reporting financial loss
Bedfordshire Police
Cambridgeshire Constabulary
Gloucestershire Constabulary
Hertfordshire Constabulary
NCA SAR Online - Suspicious Activity Reports
South Yorkshire Police
Organisations with Significant Room for Improvement (B, C)
Grading: B
ACRO - Criminal Records Office
City of London Police
Crimestoppers UK
Derbyshire Constabulary
Her Majesty's Inspectorate of Constabulary (HMIC)
Home Office Terrorist and Harmful Extremist Material Reporting Tool
Home Office Crime Reporting Tool
Northamptonshire Police
Police Ombudsman for Northern Ireland
Police Scotland
Track My Crime Tool (by Ministry of Justice)
West Midlands Police
Wiltshire Police
Grading: C
Action Fraud (2 of 2) - Version for reporting phishing and malware
Avon and Somerset Constabulary
Lincolnshire Police
Metropolitan Police
National Driver Offender Retraining Scheme (NDORS)
NCALT Police E-Learning Platform (by College of Policing)
Nottinghamshire Police
True Vision Hate Crime Tool
Organisations with Significant Vulnerabilities (F)
Grading: F
CEOP - Child Exploitation and Online Protection Centre
Cheshire Constabulary
Essex Police
Lancashire Constabulary
South Wales Police
Staffordshire Police
Thames Valley Police
Organisations with No Secure Connection (U)
Grading: U
Organisations accepting personal data over plain text are marked with an asterisk.
British Transport Police (BTP)*
College of Policing
Dyfed-Powys Police*
Greater Manchester Police*
Hampshire Constabulary*
Her Majesty's Inspectorate of Constabulary in Scotland (HMICS)*
Humberside Police*
Ministry of Defence Police
National Crime Agency
National Police Air Service
National Police Chiefs' Council
North Wales Police*
Northumbria Police*
Police Investigations and Review Commissioner (PIRC)*
Surrey Police*
Sussex Police*
UK Missing Persons Bureau*

Case Studies: Why Cybersecurity Matters

Gain an appreciation of some of the real-world risks relating to cybersecurity and public safety by considering these two examples. One relates to local gang crime, the other to a domestic violence scenario.

Media Coverage and Impact