UK Policing Unfit for Purpose in Digital Age, says Former Cop

Only days after The Bank of England issued a favourable report on the safety procedures of London’s financial services industry earlier this year, a major electronic bank robbery took place in the City of London.

Barclays Bank admitted that confidential files of 2,000 customers were stolen and sold.

Now a former member of Britain’s elite cyber cops has broken his silence on the complacency of Britain’s financial institutes. Currently employed as a City cyber-security specialist and technical consultant, Adrian Culley is a graduate of the Information Security Group at Royal Holloway, University of London. He was later head of UK regional forensic technology for PricewaterhouseCoopers and he warns of a fatal combination of chaos and inertia at the heart of one of the foundations of the UK economy.

A little over 10 years ago, Culley was a member of the London Metropolitan Police’s Computer Crime Unit which, amazingly, comprised only a small team of detectives who were supposed to deal with the full spectrum of online crime from white-collar fraud, to hacking, through to obscene publications and terrorism. Though the manpower for fighting crime has stepped up since then, so has the extent of criminality and it comes at a much faster pace, says Culley. The banking industry is no safer now than it was then, he argues — in fact it is probably less so.

In February, the Bank of England published findings from its Waking Shark II security exercise. Culley says he was instinctively suspicious of the progress claimed by the Bank’s report on itself. The Waking Shark II cyber-security exercise took place in November 2013 and used a simulated persistent threat model designed to test the soundness of the supporting financial infrastructure. The model is way behind the times, Culley contends, but adds that that has always been the case with Britain’s police force and banking authorities.

“When I was at the Computer Crime Unit (CCU) there were only six detectives for the whole of London, covering a vast array of crimes,” said Culley, “and that was as recently as 2003.”

The authorities underestimated the scale of the challenge then and they are doing the same now, Culley says.

Only an hour before the Bank of England released the results of its report – or “congratulated itself” as Culley puts it — the government’s business secretary Vince Cable released the Strengthening The Cyber Security of Our Essential Services  communiqué.

“The two reports don’t join up at all. If you dig down, there are some shocking findings in Cable’s report. There’s massive confusion. We have now effectively got two brands of financial services authority [in 2013, the Financial Services Authority (FSA) was split into the Prudential Regulation Authority and the Financial Conduct Authority], both of which have jurisdiction over the same companies. It would be a joke if it wasn’t so serious. You can’t have two regulators for the same reason you can’t have two monopolies commissions. It adds unnecessarily to the burden on a small number of people within banks.”

More worryingly, Culley says, there is evidence that banks have been attacked and haven’t informed the authorities. This could be for two reasons – commercial sensitivity and/or ignorance of procedure. Most banks have been infiltrated by an attack and the recent Caphaw malware attack managed to infect financial institutions in Britain, he claims. “There seem to be no strategies for dealing with the situation,” he adds.

The atmosphere of complacency that has been allowed to build up in City institutions could harm Britain’s strength in the financial services market. Britain was among the first nations to legislate against cyber-crime, with the 1990 Computer Misuse Act. However, that may have been where complacency set in.

“It’s been 24 years since that Act was passed and still those involved in Waking Shark struggled to identify what constitutes a criminal misuse of computers,” Culley says.

“Effectively, the role of detective is delegated to the guardians of banks’ IT networks. They bear the burden both of prevention and initiating a coordinated incident response. That’s identifying, mitigating and collating evidence of attacks by criminals, rogue financial actors and even action by foreign states. It’s a huge responsibility which is being farmed out to a very small professional group, dispersed between different City institutions.” 

With laws that cannot be enforced and safety procedures that have never been agreed on, let alone tested, Britain is highly vulnerable to cyber-attack, he warns. If and when it happens, many institutions don’t seem to have a plan of action.

A Strategic Policing Requirement report that has just been published by Her Majesty’s Inspectorate of Constabulary (HMIC), exemplifies the curate's egg that is the cyber-crime fighting force in the UK for Culley. There are pockets of excellence but, as the report details, the majority of constabularies are found wanting.

“This starts and ends at a very senior level,” says Culley. “Unfortunately, the challenges of placing the intangible place that is cyberspace do not at all lend themselves well to traditional, measurable goals and objectives.”

The big question, he says, is whether the Robert Peel style of British policing, which has broadly served us well since 1829, is still fit for purpose? 

“It should be no surprise to anyone that a policing model from in the early 19th-century is creaking at the seams with the demands of cyberspace and cybercrime,” says Culley.


Nick Booth worked in IT in the UK’s National Health Service, financial services and The Met Police, witnessing at first hand the disruptive effects of new technology.



« Is Bullying Rife in Tech?


Top Tips: How to Bring Big Data into your Data Warehouse »
Nick Booth

Nick Booth worked in IT in the UK’s National Health Service, financial services and The Met Police, witnessing at first hand the disruptive effects of new technology. As a journalist and analyst, his mission is to stop history repeating itself.

  • Mail


Do you think your smartphone is making you a workaholic?