The Cybercrime Awareness Clinic is a collaborative project between the University of Portsmouth and Hampshire Constabulary. As part of our ongoing effort to better inform and support our community in relation to cyberthreats, we thought it would be a good idea to learn more about the role of the local police in the fight against cybercrime. With this in mind, a couple of weeks ago I had the benefit of speaking with T/Det Supt Justin Norris, Cybersecurity and Protect Officer Lucy Dibdin and DS Will Burns about cybercrime, cyberawareness and the role of the constabulary in fighting cybercrime. What follows is a summary of the main questions and points of our discussion.
I arrive at the HQ soaking wet after a truck passing by drenches me in water, movie-style. After some drying, a quick chat and some coffee, I start my “questioning” by addressing the popular impression that the police in the past has not considered cybercrime to be of great importance and I ask my hosts if they feel this has changed recently. Justin begins by reassuring me that things have significantly changed in the past few years. As cybercrime is acknowledged to have a huge impact on the local community from a personal and business perspective, it is natural that the Constabulary would be intensifying its efforts as well. There is a consistent effort to develop better responses by enhancing the constabulary’s technical capabilities and investigatory potential as well as improve on the prevention advice and victim support. Although there is a long way to go, it is a relief to see that the efforts are concerted and holistic, especially taking into account victim support.
I am pleasantly surprised to hear from Will that the constabulary has developed substantially on its capacity to investigate cyberdependent crimes, such as hacking incidents, malware, denial of service attacks and even ransomware and plain theft of cryptocurrencies (Bitcoin). And this is in addition to incidents, such as online fraud, sextortion or cyberharassment, which probably make up most of the volume of the reported cybercrime.
Yes, I say, but what happens when the perpetrators are abroad? Is it a hopeless cause to investigate in most of the cases? Justin then realistically points out that despite the difficulties, the constabulary would still investigate and try to make use of its networks of collaboration in bringing offenders to justice, if certain criteria in relation to seriousness and feasibility are met. As he adds, however, there is definitely still room for improvement in terms of the need for existing national and international agreements to evolve in order to correspond to the escalated challenges that the transnational nature of cybercrime can pose for law enforcement agencies globally. Even when the National Crime Agency (NCA) and Regional Organised Crime Units (ROCU) get involved, there is always the big hurdle of actually locating the cybercriminals, as many of them possess the skills to cover their tracks efficiently.
I then proceed to ask their view on the main strength of the local police in terms of dealing with cybercrime, only to be met with a unanimous answer that it is the increased levels of face to face contact and support. The increasingly constructive interaction with the public and victims of cybercrime is further reinforced by a shift in policing culture towards cybercrime. Current HC staff recognise that cybercrime is indeed a serious issue for the police, contrary to earlier years where anything “cyber” was considered niche compared to traditional street crime. The increased interaction, I am told, in addition with an effort to promote reporting by cybercrime victims also helps the police build its intelligence map regarding cyberthreats and develop better prevention mechanisms and guidance with the clinic also playing a crucial role in these efforts.
When I ask for the main challenge for the police, the response also links to the above: Making contact and providing support for individuals that are vulnerable and hard to reach. As we discuss, the coming years will bring an explosion of interconnected devices and along with this development, many citizens will be more vulnerable due to the increasing levels of complexity the Internet of Things will introduce in relation to security. At the moment, I am told, the police focuses on three main groups that require additional support: older people, small / medium enterprises (SMEs) and children in schools; three focal points that have also been identified and adopted by our Cybercrime Awareness Clinic.
Related to the constant technological development, a parallel challenge faced is the constant need to upgrade the technology used and equip staff appropriately in order to gather intelligence and investigate crimes. However, despite the constant need for more resources, which is an issue all the discussants acknowledge, the building of strong partnerships seems to be the way to pool existing resources together and mitigate this problem. The introduction of cyberspecials in the fight against cybercrime for example, allows HC to collaborate with experts in the area of cybercrime and cybersecurity who contribute on a voluntary basis. Beyond the specials however, I am told that the constabulary is assisted in its efforts by the relevant regional and national agencies (National Cybercrime Security Centre, NCA, ROCU), but also from stakeholders such as Cisco, the National Air Traffic Control, the Chamber of Commerce and the Federation of Small Businesses and naturally local authorities. At this moment, we are interrupted by the tannoy which informs us there is cake on the 6th floor, but unfortunately we were tight on time and resisted the temptation to pause our chat and go upstairs to try some.
Moving to my next question, I wonder how we could maybe help the police better deal with cybercrime. The answer is not far from what I expected. If you are a business, Justin and Lucy tell me, then make sure you report what has happened, but also take steps to preserve evidence of the incident whilst restoring your system. Keeping a record of what has happened is crucial for individuals as well. If you are being harassed online for example, take a screenshot of what is written with your phone and make notes of what has transpired. If there is an actual communication with the cybercriminals, in cases of extortion or ransomware, the police need to be informed and would provide specialist support. But the most crucial element that we all agree on is building awareness through making use of the free support provided by the government or through helping and educating each other.
Looking at my watch, I see we are way over the allocated time we had for this discussion, but I don’t want to go before asking for some final advice. I ask Lucy for three bullet points and she struggles to include all she would like to tell me in these three bullet points, leaving me to summarise:
- Passwords: Make sure they are adequately secure, change default ones and use different ones for different accounts.
- Awareness is key: From the CEO to the core staff, everyone needs to become more educated and aware of the risks. Doing lots of little things might seem marginal at first, but it adds up to make you more secure eventually.
- Keep your personal details and activities private and don’t post everything about your life online in order to avoid having your information used against you.
We conclude our discussion with a commitment to try to do this more often in the form of bimonthly communications about different issues relating to policing cybercrime and I promise to come back for another discussion sometime soon. I walk out of the Southampton HQ to find the day has turned sunny and warm, compensating me for having arrived soaking wet a few hours ago and I stroll to the nearby train station to get my train back to Portsmouth. I keep coming back to something Justin said during our discussion that summarises it all very well: “We should all help each other become more cyberaware and safe, this is part of our everyday living now!”
Vasileios Karagiannopoulos, Cybercrime Awareness Clinic Director