Improving the UK’s Response to Cybercrime

October 12, 2017

This week the City of London Corporation (CLC) announced that it
would be backing the construction of a new court complex in the Square Mile.
This new 18-courtroom building would be a state-of-the-art, multi-purpose
replacement for the historic civil court, the Mayor’s and City of London County
Court and Magistrates’ Court. The CLC announced that the court’s primary focus
will be on fraud, economic crime and cyber-crime.

This announcement could not have come at a more opportune moment
for two reasons. First, the UK’s financial and legal services markets are on precarious
ground due to the unknowns surrounding Brexit. In their announcement the CLC
quotes the Justice Minister Dominic Raab, himself an ex-City solicitor at
Linklaters: "by reinforcing the City’s world-leading reputation as the number
one place to do business and resolve disputes, it’s a terrific advert for
post-Brexit Britain."
Currently, employment in legal services accounts for
roughly 9.1% of the Square Mile’s workforce at around 44,000 jobs. The
Government will clearly be keen to maintain that level of employment but also
keen to retain the income which the financial and legal services sectors
generate and, if at all possible, improve both figures to pick up the slack
from other industries affected by Brexit.

The CLC itself highlights the interconnectedness of finance and law
and puts the figure of the financial services sector’s demand for legal
services at £2.8 billion. Flowing the other way, the CLC puts legal firms’
demand for financial services at £793 million, so roughly we are looking at
£3.5 billion. The importance of the preservation of this symbiotic
relationship cannot be easily overstated, especially when considered with the
second motivator for the development of the new court system: the growth in
cybercrime and the knock-on effect this is having on financial institutions
and customers. Action Fraud’s figures suggest that £10.9 billion was lost to
the UK economy as a result of fraud, including cybercrime, in 2015/16.

The National Cyber Security Centre (NCSC) in the UK produced a
report in October 2017 to celebrate its first anniversary. This put the number
of attacks classified by their experts as significant at 590. These attacks were not just limited
to financial institutions but targeted across a range of organisations, most
notably the WannaCry ransomware attack which affected over 42 NHS Trusts in
England whose computers still ran Windows XP operating software.

In July 2017, the ITU published the Global Cybersecurity Index (GCI)
which revolves around the ITU Global Cybersecurity Agenda (GCA) and its
assessment of five pillars (legal, technical, organizational, capacity building
and cooperation) to give each country a score for cybersecurity preparedness.
The GCI revealed that the UK is fourth in Europe for legal preparedness for
cybercrime and cybersecurity. The UK’s score was 0.819 out of a possible 1.
This puts us behind Estonia, France and Norway. In order to boost this score,
the UK should consider adopting three best practices from Europe: the Hungarian
method of judicial training, the Estonian method of private and public sector
cooperation and the Nordic collaboration method.

Estonia, the highest ranking country in Europe in the legal
category, reassessed and enhanced its cybersecurity commitment after a series
of cyberattacks in April 2007 which targeted a variety of organisations,
including government institutions, online banking and news broadcasters. In
response to this, the Cyber Defence Unit (CDU) was established. The CDU takes
the country’s leading IT experts and trains them, anonymously of course; they
in turn donate their free time to defending their country’s online presence by
practising what to do if a major utility or vital service provider is brought
down by a cyberattack. This is the type of good
practice the UK government should be aiming to copy. This system allows the
government to take advantage of the caliber of private sector talent which it
could not usually afford to employ. This best practice was even recognized by
NATO who built the headquarters of the
NATO Cooperative Cyber Defence Centre of Excellence in Estonia in
2008. In a similar vein, Switzerland has developed an association of experts
which comprises private companies and government agencies who will come
together in the event of a severe cyberattack in order to quickly diagnose and
treat the problem.

This symbiotic relationship has been attempted in the UK but is
still in its infancy and focused more on companies than individual IT experts.
The Cyber Security Information Sharing
Partnership (CiSP) was established in 2013 as a joint industry and government
initiative set up to exchange cyber threat information in real time. A 43%
increase in organisations’ membership of the CiSP was reported in the first
year of the NCSC’s existence. On an individual level, Marcus Hutchins, a
self-taught computer expert, triggered a kill switch which halted the spread of
the WannaCry ransomware attack; he was then said to be working with GCHQ to
prevent further attacks. (But in a dramatic fall from grace, he has since been
arrested by the FBI and arraigned on charges of fraud. He allegedly created a
virus called Kronos that targeted banks and he now faces a potential 40-year
prison sentence.) However, this limited attempt at creating a symbiotic system
should be built upon further with the NCSC targeting specific individuals and
arranging to lease them from their companies for training and practice.

Furthermore, in terms of good practice, the UK should also consider
adopting the Hungarian approach. Hungary provides training to law enforcement
and the judiciary from a variety of organisations, including the International Law Enforcement Academy, to
raise awareness of the issues surrounding cybercrime. This allows the judiciary
to better understand the evolving threat and also allows them to become more
accustomed to how the internet is used today to commit crime. It seems
unlikely that the "How Twitter works" appendix to the High Court judgment
in Monroe v Hopkins [2017] EWHC 433 (QB), drafted by 5RB Barrister Greg
Callus, would be necessary in Hungary.

Finally, the UK should look to the Nordic National CERT
Collaboration to further improve its methods of fighting cybercrime. The CERT
Collaboration comprises Denmark, Norway, Finland, Iceland and Sweden and focuses
on technical cooperation and cybersecurity exercises to assess and strengthen
cyber preparedness; it also examines incident response processes and tries to
enhance information sharing in the region. Earlier this year it was announced
that various Nordic banks, including Danske Bank, Nordea and Eika Group, will
share information through the CERT Collaboration to combat organised
cybercrime. This is based on a pre-existing Norwegian CERT model. This level
of cooperation between private sector banks and a public sector
inter-government organisation also has echoes of the
Estonian and Swiss models. The UK did have a national level CERT (Computer
Emergency Response Team) but this was absorbed by the NCSC in 2016. The
previously mentioned CiSP was based in CERT-UK. Although CERT-UK still operates
and is experiencing a growth in membership, more could be done to promote this
to businesses, in particular banks.

The UK is already part of some multi-country agreements. The EU
Agency for Network and Information Security (ENISA) coordinates information
sharing among its Member States in the EU. In addition, the European Cybercrime
Centre exists as the division of Europol which coordinates cross-border law
enforcement activities against cybercrime and acts as a centre of technical
expertise on the matter. The UK’s ongoing membership of these bodies has been
called into question in the wake of Brexit.

The UK is also looking outside Europe to formulate agreements. In a
joint UK-China statement given while President Xi Jinping was on a state visit
to the UK in 2015, the two countries announced agreement
to establish a high-level security dialogue to strengthen exchanges and
cooperation on various security issues, including organised crime and
cybercrime. Furthermore, they agreed not to conduct or support cyber-enabled
theft of intellectual property, trade secrets or confidential business
information with the intent of providing a competitive advantage. In February
2017 it was announced that the UK and China have agreed to regular
coordination on cyber-security related issues in order to prevent
cyber-commercial espionage and related transnational criminal activity.
This agreement was fostered by Sir Mark Lyall Grant, the UK’s national security
adviser, and Wang Yongqing, secretary-general of the Central Commission for
Politics and Law and National Security Adviser to the Chinese Government, at
the second meeting of its type with the third scheduled for February 2018. This
tentative attempt to forge cybercrime cooperation outside of Europe is so far
proving to be successful but only further time will allow us to assess how
effective it is.

On the face of it, it is beneficial to join yourself with a country which
accounts for an estimated 9.63% of cybercrime, according to a 2017 Symantec
survey. It should also be said, however, that the same survey puts the UK’s
output at 2.61% of total global cybercrime. The top scoring country is our
ally, the USA, with 23.96%.

The Government is clearly trying hard to push cybercrime to the
front of the agenda, and in 2016 announced its second five-year National Cyber
Security Strategy. The strategy, issued by the Cabinet Office, aims to make the
country one of the safest places in the world to carry out online business and
doubles investment in cybersecurity compared to the first plan. However, more
needs to be done. We are currently in the top four in Europe for legal
preparedness but globally we are falling behind our allies Singapore (another
financial hub), the USA (which scored 1 out of 1) and Australia. In particular,
emphasis should be placed on training for members of the judiciary, developing
more area-specific agreements and targeting the private sector for coordination
with the public sector.

Phoebe Whitlock is a Junior Research Assistant in the European division of the
Telecommunications Development Bureau at the International Telecommunications
Union. The ITU is based in Geneva and is the specialised agency of the UN for
information and communication technologies.