Public services are undergoing a digital transformation and much has been made of the need and potential for such transformation within UK policing. The Centre for Public Safety has conducted a scan of the UK’s public-facing digital policing infrastructure to identify whether the foundations are secure.
While 27% of police forces and affiliated organisations achieved the best gradings in our tests, the others should be considered a cause for concern.
We call on those forces that fell short to demonstrate the best practice observed in other forces and we offer a number of recommendations to tackle the current and future threats facing the police service's public-facing digital infrastructure.
12 organisations offered users the ability to submit personal data over plain text. These organisations are placing members of the public at unnecessary risk.
public-facing policing websites scanned
of insecure sites solicited personal data
of sites assessed as world-class
More than 1 in 4 police and affiliated sites demonstrated the highest standards – the remainder are a cause for concern.
- We scanned 71 police and affiliated websites (including our own) and found that just over one-quarter (27%) demonstrated the highest world-class standard of secure connection. The remainder (73%) either lacked a secure connection for visitors or had an implementation that was deemed deficient or insecure.
- Almost 1 in 4 (24%) of the sites lacked support for secure connections at all, meaning information is communicated in plain unencrypted text across the internet. Of these, almost 70% (11 agencies) invited users to submit personal data – and in some cases information specifically relating to criminal activity – via these unsecured connections. They are exposing the public to unnecessary risk.
- This is despite the fact that the use of secure connections when transmitting personal data is regularly highlighted in crime prevention and online safety advice (“look for the padlock”) issued by the police service, Government and industry partners.
- Around 1 in 10 were found to have significant vulnerability in their implementation of a secure connection – including the National Crime Agency’s Child Exploitation and Online Protection Centre (CEOP), which has a specific online focus, along with six territorial police forces.
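The plain-text submission finding above can be checked mechanically. The following is an added example, not code from the Centre for Public Safety's scan: it flags forms that ask for personal data and submit to an `http://` URL. The field-name hints, function names and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: input types and name fragments treated as personal data.
PERSONAL_TYPES = {"email", "tel", "password"}
PERSONAL_HINTS = ("name", "email", "phone", "address", "postcode", "dob")


class FormAudit(HTMLParser):
    """Collect each form's action and whether it asks for personal data."""

    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per form: {"action": str, "personal": bool}
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "personal": False}
            self.forms.append(self._open)
        elif tag in ("input", "textarea", "select") and self._open is not None:
            label = (a.get("name", "") + " " + a.get("id", "")).lower()
            typed = a.get("type", "").lower() in PERSONAL_TYPES
            if typed or any(h in label for h in PERSONAL_HINTS):
                self._open["personal"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def plaintext_personal_forms(page_url, html):
    """Return submit URLs of forms that send personal data over http://."""
    audit = FormAudit()
    audit.feed(html)
    findings = []
    for form in audit.forms:
        target = urljoin(page_url, form["action"])  # empty action -> page URL
        if form["personal"] and urlsplit(target).scheme == "http":
            findings.append(target)
    return findings


# Constructed sample pages (not taken from any scanned site).
SAMPLE_HTTP = '<form action="/report"><input name="full_name"><input type="email" name="e"></form>'
SAMPLE_HTTPS = '<form action="https://forms.example.org/r"><input name="full_name"></form><form action="/search"><input name="q"></form>'
SAMPLE_DOWNGRADE = '<form action="http://forms.example.org/contact"><input type="tel" name="t"></form>'
```

The third sample shows why the form's resolved target matters and not only the page's own scheme: a page served over HTTPS can still post to a plain-text endpoint.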
The public expect communications with the police to be conducted securely and with a right to privacy. Secure-by-default signals a commitment to that expectation.
- The A-graded delivery of ‘secure-by-default’ by 17 police forces demonstrates that some forces and their IT partners recognise the need to both signal and deliver a secure communications channel. Those sites with room for improvement can and should aspire to reach the same standard.
Cybersecurity threats are on the rise and, with digital transformation, the police service can expect to be a more appealing target.
- The growth in cybersecurity threats is well-evidenced, both by large-scale data breaches (e.g. TalkTalk, Yahoo and LinkedIn) and by reports such as Akamai’s latest State of the Internet security report. It showed that Q2 2016 saw a 129% increase in total Distributed Denial of Service (DDoS) attacks versus the same period a year earlier, with web application attacks up 14% quarter-on-quarter.
- While there is much more to ensuring cybersecurity than simply having a robust and secure SSL/TLS implementation, we have chosen to use the SSL/TLS implementation as a proxy for overall security-mindedness.
- Others have also turned their attention to the issue of SSL/TLS implementation, with Symantec, in their most recent Internet Security Threat Report, declaring that “organisations need to be more proactive around SSL/TLS implementation” and emphasising that it is “vital that website managers maintain the integrity of their SSL/TLS implementations”.
Trends in UK policing’s public-facing digital infrastructure broadly demonstrate a commitment and ability to deliver security improvements.
- Between July 2016 and September 2016 we noted 11% of sites (8) demonstrated security improvements. These came in the form of adoption of secure-by-default and improving specific implementations.
- However, two sites deteriorated during the period. These were Avon and Somerset Constabulary and Cheshire Constabulary. The full briefing paper provides further analysis.
The UK Police Cybersecurity Results
Civil Nuclear Constabulary (CNC)
Independent Police Complaints Commission (IPCC)
Devon and Cornwall Police
North Yorkshire Police
Police Service of Northern Ireland (PSNI)
West Mercia Police
West Yorkshire Police
ActionFraud (1 of 2) - Version for reporting financial loss
NCA SAR Online - Suspicious Activity Reports
South Yorkshire Police
ACRO - Criminal Records Office
City of London Police
Her Majesty's Inspectorate of Constabulary (HMIC)
Home Office Terrorist and Harmful Extremist Material Reporting Tool
Home Office Crime Reporting Tool
Police Ombudsman for Northern Ireland
Track My Crime Tool (by Ministry of Justice)
West Midlands Police
Action Fraud (2 of 2) - Version for reporting phishing and malware
Avon and Somerset Constabulary
National Driver Offender Retraining Scheme (NDORS)
NCALT Police E-Learning Platform (by College of Policing)
True Vision Hate Crime Tool
CEOP - Child Exploitation and Online Protection Centre
South Wales Police
Thames Valley Police
Organisations accepting personal data over plain text are marked with an asterisk.
British Transport Police (BTP)*
College of Policing
Greater Manchester Police*
Her Majesty's Inspectorate of Constabulary in Scotland (HMICS)*
Ministry of Defence Police
National Crime Agency
National Police Air Service
National Police Chiefs' Council
North Wales Police*
Police Investigations and Review Commissioner (PIRC)*
UK Missing Persons Bureau*
Case Studies: Why Cybersecurity Matters
Gain an appreciation of some of the real-world risks relating to cybersecurity and public safety by considering these two examples. One relates to local gang crime, the other to a domestic violence scenario.
The gang identify Connor ... and stab him repeatedly in the buttocks and slash his face.