
Yeah FOI! UK Police Force Cyber Capability And Public Reports From Across The UK

BSides Belfast · 2016 · 40:18 · 64 views · Published 2017-09
About this talk
BSides Belfast 2016

the level of their expert about their coffee and coming in to have a look the presentation it's got a bit of an of choose title Louis because but really that's actually well they can't make a title because so a policeman sniper cry and I used the Freedom of Information Act and I'll just talk you through why I asked what I asked and some the results know also some interesting insights into the information okay so this is marginal medication so they can get you this actually made over here so my name is Ron restarts manager and logic so Houston headquarters our security company but we have a research development so I did an image in

electrical and electronic engineering McQueen's little tango hold on all the PhD thesis and

previously presented in across the world that's relevant when they specifically asked about it deep inside the presentation are the print sensor applications so agenda agenda and then information about the cyber protection that we have the minute or just some contacts with talker talk about my requests the results of analysis there's some abuse of Defense and if I doesn't take away some discussion so I a little bit rate so I'll look to the organizer to tell me whatever race weekend off and then if whenever I need to get all the makers storm for a couple of nights just to make sure in love unduly effective investigate two experiments ever protect review so and you can't handle

protecting itself whatever where the other type of threats okay so that means the whole of the UK right everybody K yeah but is our real is our cyber protection realistically covering all those different things I mean whenever you hear my breeches maybe hear about the money one of the things where we hear quite government initiatives it's usually who big company it's been act all yen pien somebody doesn't left some vulnerability website and somebody's not right but realistic that we're talking about hope UK showing that should be very yard where we are really at also protection shoot increase with us but he protects the public so we are the we're under Louisville essentially right there for the UK like they okay they consist

of the entirety of the UK so no I it's actually I'll talk you through where the thought process that I went through in order gets you to do an exact where every bus so say the average person s let's say that person let's say the people in this river race right this presumes everybody here is a separ professional so it's fine they're not opposed to each other what would you think you might say your brace you probably go when you've been a academic or technical in chess tonight you would go when you were median and do whatever it is doesn't need to do in reflective done so that's how your friend is breached right nice maybe in front of if

it's not me you would care a little bit last thing you would if it was you probably kind of fix it but without me deeper he probably to say dispatch it the answer they say the general public is breached right and they don't have us to call PETA for the person they didn't have the call other soaps cupcake you know why he's doing that what are those guys do what do they do no I would imagine and this is where this goes through difficult police because generally speaking the average general public would say okay I told to replace say that person does with the local police what happens right what happens so that was essentially the the

mechanisms to be watching right here this happened 2012 and as a result I asked for information for more 2011 to 2012 yeah and I didn't really know a lot of them you cannot remember from here so we did some digging in terms of well what I we got to my eternal surprise apple pie as far as I'm aware it was the first time you have to see there's a level never it was called the UK cyber securities company protecting them from putting the UK there there's the world and November 2011 okay that's a really great but the central break done before things are worthwhile they had four high level objectives and they said okay we're gonna secure UK cyberspace are

we're going to these more things one way to make the UK will secure place to do business business you can't be able to resist attacks in national infrastructure opens people rely on cyberspace yeah right it's not about protection good sir you can't necessary knowledge to Exhale cybersecurity it will lap my covers for the local police all right that's kinda science education but it's gonna fit anywhere today so my thought about each of those in each of those internal if I do reflect upon either the public or small to medium businesses right to expire but we could say your state or government departments some people care if you're rich right if you are a local co-op or you know four

shops are going to say everybody cares about you if they're targeting cats right small name is like they should be covered under this to do business enemies right like SUVs are disproportionately targeted and the reason they're disproportionately targeted but I hope not saying this to anybody who doesn't know this it's because they have less resources before he applied cybersecurity there's many more of them so generally speaking if you get some sort of scout or you're doing some sort of whatever you're likely to find just opening the addresses that have some graphical or at least no clue me as any because I don't actually have the resources to have these things so say you're an SME need

to get briefs and they report their local place to class but that was essentially when I got like they also said the issue you can actually battery with resist our attacks against national infrastructure we all hate conversations now our robot we all have that in our hallways that's however many cans of millions is that not protect right same employees go home also professionals right say the city HR person was hope or the exact for whatever the apartment goes home and then they get breaks at home through their own Baba because there's some vulnerability and some nap here blah blah blah that's ten years old okay you didn't say you know did they go to the Danielle September's you get open

stable on the vibrant Cypress piece I didn't really have anyone that I could say I don't really know she doesn't like we're here with you then you can't have a necessary knowledge ticket sales are secured again surely opal is fallen so not having a food room for me to request right joke they're like and this time I was opposed talking points and I got I read right around and their thoughts nobody likes to do something about this because post-op McQueen's next to a power belt so then she can't be moved from you not know this gives people that right to access report information health back public sector organizations so that's the purpose so it's actually one of

those few times whatever you take elements it we're going to be more transparent and it actually work for that regalo generally speaking to you arbitrarily pogroms for some dirty laundry you'll find it all across the newspapers that's how they call it primary mission but it can be some for us that's what the outcome for this is it if you want to find out things about cybersecurity it's applied in practice at government this is what way you can do where else did you actually so some temples of some favor information requests have been put through to police because again this is requested the place mark normal these people dividers and check them out that's what reported

super I would be surprised another one how many bolts I face in this tool in the last five years that's twelve super went to your chocolate over multi traced alone that's a work factor how many apples items in the cold it has to do with the police with the reformer how many crimes in the world clogs one he was a big movie I call that justice so fy2008 send any public one in the UK I gave the context to this police salaries but you can't send a Daniel okay it has to be broken test information can't ask for my right matters of people most guillotine from existing systems they kind of have to go widely find information that's

already there we're not gonna get you know where some administrative effort to acquire yeah these are all limits will be important elections these so those are the rules that I said right come up with a couple of questions so I can take right since which separate dressing to each of the fifty one policeman stories the UK oh we got a sponsor from 37 the purpose of it was to determine how public Council or businesses means war crimes in the local policeman I II do think so all stop for hunt that I talk about this opposition I believe that that's teachers at the Amazon so Harley handle if they are reported and what is the library level of cyber expertise again

the reporting period was November 2011 to there whoever 2012 this is important as a novice date so my request details tested earlier I hope everyone in the back to read this little bit about everyone so one how many reports were from a public would be the business community for dnews reported offenses agreement of the Computer Misuse Act like there are many acts of things could conceivably be covered on there plus I shall see you later in terms the results I got it was at least relevant and again if we go back to the 18 hours and if I say please give it to me from all these 9x well then that take something kind of

law and michael mattos a tasty love we're not gonna answer so there's been a scoping there all these reports essentially how many were deemed worthy of further investigation so trying to fill the time to cheat if I make a report it only if you actually go out and the third one how many of these were passed to the CPS prosecution service for consideration of qualification at that stage that's how more of an optimal talking CPS to fight back okay what actually happened okay so that's that stage is a white sentence cope with this and that was the point ministry questions to see how money as it goes through those kids again I'm referring back to the UK cybersecurity

sponsor 2011 which I mentioned at the start reason I mentioned that is it a specific require in 4.31 that the UK local police forces recruit cyber specials again service references intentions of course let's kill affiliate investigation cyber crimes so okay we're a union how many well the reports in question one not gonna read through this we'll talk about later essentially split it up into different categories I made crimes were a court of a social media all these how many were further investigated in this 2011 all the reports in question one where any of them use in an online reporting method never mind associated somebody said alien who those are the requests sent news to 51 second race with a timetable

tape he's giving all these answers November 2011 the property visible trial and this is what I'll give you each one so 51 requests 37 responses so that's my quick response trip I have given additional information by forces are so good that they just wants to know walk you to McDonald there's additional stuff that we never even ask for what we think will be useful 14 said the done was not organized I'll be referencing this constantly they know many volunteers Ola however make not tell me how many crimes were reported under cyber or this particular cyber legislation that's suspicious now every state is to respond is 33 so that average day to respond particular one algorithm all to do

that's the finding it out to do probably means are just really busy I can't on the right-hand side me coming back to these game as well sex said that there were four national security tactics exceptions so they said no possum I don't I feel security we're not going to answer any of your questions for me at sex and there were 37 let's you know actually information very specific there were nine and I'm Marshall so again there were over ten questions within that someone said well we can give you the answers to one side of the sex that's right again why other people are going to be this little answer but wait at least you numbers once without was thank you so

the percentage of course responded was only 34 percent it's not a great number however the reason they wouldn't know is that this is not there's enough this is useful in terms of point examples it's a relatively small sample set we have to take it with rigorous statistics and then the cost these requests in theory as a maximum there's twenty seven five horrible pipes and we'll come back to that way and yeah this is a essentially the average request responses to each of the questions again weren't relevant will call the spot guy but we'll do the impression he's glad to be shared and then people walk down there the notice is a question for the sanction zero if

you're paying attention question for us is pointing and then the key fibers was broken up into different so question one and one average horses experience twice as many reports with people is for businesses okay so that's essentially what this again if to take your prisoners had often to be here okay enough to be any so good however if we if we project that light when we could say okay so however many are protected however many are reported for businesses we could expect twice as many to be effective public okay now that's addressing us you so that's not great enough to try to do something so one of the more helpful Kansai queries they saying took it make sure lungset

have access to another even that's what the doubt was essentially they give me older 14 2005 up to 2000 as well which show is essentially a linear expose pick you up from 20 actually on showing an Oprah trainer so not only are we saying that there are twice as many to the public were supposed to businesses we're also seeing there's moved on but so yes we're demonstrating there it's actually going on people are recording more year-on-year to local police forces to say you know what I have a crime visual unit is some sort of cyber event okay that's a little take people are doing a more but just that a couple people are getting it and it's not going on yeah

yeah question taken many except the report a political force that have enough information to work further investigation okay that's good to the things that people are reporting for the police the police take on board then saying okay ninety percent of the time that's worthwhile do the will 10 percent Rocking but they never sent a big number however once you ask once you then talk about how many were passed or propagation of not offend 2% so all of the people that are presenting hey I have experienced a crime and upset but then when 50% of those or worthwhile actually say yes so 50% yes so again - um because I've heard one because that would represent that

when usually helpful additional details and they broke a time exactly how the reports were presented them a result so we have fortune charged we've reprimanded restorative resolution on the technical crime resolution but yeah they're working to remember there is a number they're in their pocket and then they're 46 in there well the safe for sex with the pie charts but important are there from the crime right so that's interesting that our whole order of over or no pride wonder why people reporting things that protect this one particular time again it's important that there's no crime in it like wonder why that might be and generally speaking the way this is between the public is whenever was legal

in real life there's also illegal cyberspace right does not really hold up it's not about the books this hold forever isn't actually a crime there so yeah some of these are going to be they're going to have analogies in online they're not gonna have a more line so for example one would be they'll all find a girl with malware right sometimes old boxing watch your house it says my back I don't easily make sure I can he actually described underclothing appropriately this is actually a crime in cyberspace this might not actually have an equivalent in real life because I have to or something you rather than just Baptists actresses but the tech consultant interesting kind of great so

we have a loose crime so that evidence was not treated to do suspect again you can make estimations of that list of whether or not we're actually kind of writing about for formation we we should have got any more information and then we should be using that more at these crimes know this she was who can request a little place and if interaction result or not oh yes yeah so because some more amount of details here so policeman subgroups were super helpful give me exactly samples of some crimes were reported from oh yeah more connected sesame or so I think about when in the back can really get but well really like to snail tails so the first one there is

retailer states to someone access or computer software website change putting the holes of the price appear pointers essentially bring the guy for to pay or pay we Guzman eldest class so when that wasn't since the attack was not successful violence of committed his hate crime he knows all detected the second one retail victim were his website for where the chase 91 P turns like this was actually a Fault in world pay and I'm not actually in regional recommends health again they weren't this item have fewer but not still a crime as still some means attempted unsuccessful there another ependymoma index employers computer only from hope a hormone at the hard drive number for a fan directed the near systems at the

company attention to disrupt their business operations they got some ones right that guy just got in evidently someone think I can believe it all the data I'm gonna fan her number five as excess that greets basic America changing pasture poultry councilmember Alsip again caution you'll notice as well that's social media how insulated then number sex is better being a schoolboy during the lesson of work let's go use your school computer to access the skilled network deleted files arrived trying to get access to things we couldn't compromise blessing spares no those are examples there were actual examples of things that report to the local place so like so one of two or sixty programming interface but it not hopefully well it

was really well but we have examples in the magento shopify right for people who remember what that is that's essentially a very similar like this is evidently being used against what we do business we have so this is never that we have made in school can be visited that's important to know right these people are actively being targeted by these things no to the victim number two was a victim by proxy they were number one of their suppliers horrible okay rule patches whatever else but anybody think of another fake company that was attacked target again by proxy these people are also vulnerable these vulnerabilities all exist within this whole media business environment music or they're dispatched

final six were interesting to use social media note that the report crimes what's the basis in question six social media with zero so there are crimes occurring in social media in 2012 well nobody reported that way we're 2016 most year probably get the friends yes and I are and as a result we'll never they're much more active on that night 2011 we would also be hardened to opossum our school systems enough national instructor as well of course I mean this is all publicly funded stuff that sits in you know hundreds of buildings across the country I wonder how much money those guys got from the cyber protection initiative in order to secure those things gas and

everybody said this not deliver the virus like cyber specialist was all this year 11s and that's for specialists Saul a yearly intern answer from everybody the answer back was no that's not again you're doing over the course of a year extrapolating across they're only three seven replied I've never done the national expertise to be able is important there is a national level stuff so say Starbucks guessed it right there's going to be a national level organization there in order to protect those people no that's fine but the whole point of money difference between a national level or the local level of protection is that they actually gave the things along that level so the answer to national protection they can

probably don't care about this more locally stuff local police are supposed to handle that stuff and yet where is that set the priority but even if it wasn't working them I'm sure they're super primary Asian they say okay this worlds they preach any we're at the top okay and then question five is actually pregnant dying by the type that was reported there was nothing terribly shocking under this Paris but there are actually seeing results in these areas so broken time by malware that's a personal details one authorized computer access expressive children really cyber for anything to you with Wi-Fi and there's something older it's other relevant Americas but now you have things like malware class whatever

there are things fall into those categories are being reported within that computer nice computer mississippi's fact counter they are actually being avid against the public at small businesses these people need protection there are no signs of the categories is essentially just a pair of numbers pie chart access its large number so one day exclusions meant that the UK government contributes to the DPI our report and as a result mrs. or businesses rugby blue and then it's okay here's the secretary Rachel's the world good absolutely good to contribute without that kind of information is the kind of stuff I have massive war so we're gonna have on the might snap make that public through this vehicle for

your information point we're gonna tactic that information is you have to the samisen stuff I'm asking for so that's a little bit so is it chess we've seen therefore the lease a floor is one is considered the least some of their information was protected either by some sort of police force information exclusion or since our national security yeah oh there's no no when we give me okay Thursday actually handed me big shovels of extra data because they're being super help so so I broke that like into across the UK this is the reasonable night again we're breaking this time in furious so the places where you should go live with the blue board on the reports yes if you track that

plane nobody has actually been bracing or portlet is pull it there and then under your rules protect their we're least likely attack there and then there are areas where we did not receive reports that's large nice cobblers hold on Scotland a scholarship here and Northern Ireland as well yes the recipe you can write to you that the black areas are no information then TV to get back to me right don't ask for my testicle little packet and then you can also have faces like Durham the radwells for security exemptions so you want to show her what's going on in there that's to do with national security as to whether or not a particular member of

the public authorities so yeah this is essentially a description of across the UK how are your resources reporting with a reacting to reports of threats against the public and enemies so if they're not reporting in if they're not putting together a kind of a circuit Alice number bonsai trees for the domain of the public over crimes so that's essentially the information that I got to have from the resolution requests but there is a little bit extra that I went into coming back to the post request which is 27 5 400 so long to stop the resented possible feeder information requested by 30 pound an hour like probably more long didn't all the nasse house places but let's ignore it because

it's the information and again give a maximum 10 of 18 hours that would then be 40 in this case a 50 local cemeteries preservative all of them used all the time even if they do 27 540 that's why visa over that was a maximum like that in theory so when you take element by sending the same request all I have to do this in a relatively generate a to one email addresses necessarily to be a very devious mind you were kind of we dig there so this is Walter thought process here as we go along these does that very accept submissions by email any email any utility you know have to be correspond well sometimes they ask questions bike

that's all clear whatever else so they need to actually be able to contract you again otherwise my hope is kept entirely neither the identity of the requester than the ordination of the requester is considered or necessary so I pretty much like the wealth education right there so this is like the intentional the whole point of the people comedian/actor it's still a lot of people go and find what find out about information but that's alright noble but it also the exhibit so really only you need to do is write a very short script mutator basic template variant robbers in there send out the seriously series of emails to whatever audio feedback gossip then I phoned police for some berries but it can't be

anyone yeah it's not 51 that's the maximum of hospitals social service departments educational boards whenever it is that you want anything at all so let's put this together in the process look so you select some sort of classic template generate some sort of identity probably going to me to tell your them that leaves an actual effect right so you put together starting to four names right as you see fit you've got a couple of email addresses you're going to need a couple of temporary email addresses do generate some sort of topic a Generac topic I would like to know the number all right on the top of primary mental social possibly the impact of it you

know what's the cause with stopping this expertise was exciting this that's encountered up to your imagination with applause it's all sort of offset the current date you can ask for every six months individual requests for every six months for last five years they will consider every single one of the cleaner accent the one individual request fourth in fact because it's broken dyed by guillotine hours if you sent it further further gone in theory I couldn't hire guys who said no I'll take too long say method at the end of the six months three months whatever and then the easier for those guys were actually produce results and again nothing uses up the time that's like your target

emails they sources Hospital Russell's everyone's Oh and then Sam all right I'll have to get this together four months of rejected I've had fine but for all of these things we're gonna 70 large networking and then that's gonna consume on resources like there are two conditions you have to be within here right this is not entirely two conditions they have to fall off one of these two things you know the information requested is exempt from excluder we'll talk about whether requested this introducing some reasonable repeated has to be so for something to be exempt from disclosure it has to be at least partially compiled and actually have to get to the reason for this is them form I think all the

harm tests where they say okay well we've got the down we're kind of looking at here the positives to tell you what here the negatives are telling you about it we're gonna sign with the negative on this sorry right and whenever some of the votes that did give me answers to tend over of information gave the rape part of this hard tax right so you know this is a girl in this instance we don't get the data but if we're going to carry out this particular kind of resource consumption attack a maximum care we don't care mentality or whatever wherever you want what we want is for people to expand to kind of like doing

things and that's it so as long as it isn't immediately rejected from being exempt and some damage to the dog might not be the maximum kid in the matter but it'll be something that's greater this year similar are various boy don't make it to an individual will reject a mixture it is national security or police force we kept asking like things of that nature just don't know about tell you about so the three ones that are more interesting for us right if it's repeated there's a nuisance unreasonable repeated so we're heated to describe at least essentially he's in a public communal ready you can't make repeated requests to the same thing well you can change the timeframe commentary

that would be different but you have absolutely everything difficult script that there is a specific site you can go to you find a list of all you have parsed out maybe hope you care about isn't unreasonable ie is going to exceed the 18 hours but even in that instance they have to do some sort of assessment of the data to begin with and as I said you can segment that's doing to promote leadership what you see this now it uses a dignity over to know everything should be rejected by that but are you gonna categorize something as an using specific no any individual police force might be able to work like this is suspicious and again I said to the fifty

one individual once right so it has to be each request sending individual body then as a result each individual body but have to independently a ten percent there's a pattern here I go hang on the minute that seems like it's scripted I'm not gonna answer my question that seems to be something that's all the other job description of the people you're assessing figure information request but do you know the skills we have this wonderful but this still has to happen fifty one individual titles and I only did the police again however many you know that you find out hundreds symbol there's missing Cuban style so what things in the could because you live in for similarities requests worst email or

IP the use of a template I reputation of certain key text time interval between submissions this is essentially spot alright but what there is no spinal filter or work the site it's a person sitting there going I think this was in fact it's father stole the thing indicates of people number now why would somebody do this in Paris why does anybody do anything with you that will main control things or just to see if it works you can also different activism important remember is that this will go to anyone anywhere in order to you don't have to be a member to you can't reach have to say something to you can doesn't for this will give them the answer

someone in wherever you want just constantly have the FOI request system with garbage stuff to assess the whole thing not consumes you can actual resources can theory depends it's entirely up to you how many you say whatever it sounds so if there you can do all these things like a new trend against it so we have a net boy system that's intentional authenticated the whole point that's in lecture that for whatever they wanted already keep it going with a chat or one most way to talk about very long this appears to be a better access to data but any defense rates is more near rooftop so essentially let's talk about these in any great detail essentially have the

current system which is probably easiest access you can imagine right well actually just making everything look like all the time this is the easiest way to do not anything other than that to get to be more secure without additional cost Howell actually will make more attack but more difficult access so if we talk about making requests to Anthony has one thing detection software essential six five of the second and then we've got central organization as laughable so companies what you could do is make to something as simple as P expect right like you could generate multiple character constants and make more difficult today we do still do it moving at harbors or you tiny unofficially

Anthony like many times whenever you're looking into the government systems you kind of actually go in that and authenticate using here whenever you want to pass what you essentially gonna on this idea in that when you can make it with that not already existed something could be implemented however that's gonna cost money nothing costs nothing in fact or they call so ridiculous in our family in order to do that we also request you can also require a response before the request in actions again you can still script that before you so applying counseling help more spa the terms of whether or not we're going to pick that logic and it's at some level of the

national level depends who you get to then finally the sample at my request office which is probably the best way to do there are actually general generally benefits did to me as a public requesting information for this as well so the idea would be that you couldn't be a central fYI request system to be essentially a triage step this tree I person would look at of metal that's in suspicious ie we both response filter worth it was passive it was not perfectly well trained to spot these things plus it actually gives you the benefit of being able to say please house all the political stories this question rather than medium it will dig around will find

fifty one individual email addresses some of which were definitely role in the internet and then the Senate each of them communicate with individually you can actually just send one class that this man guys that would be better for me as a person if you request it also protected but of course cost that system essentially that's the end but a couple of just the primary benefit of this talk in general is to demonstrate that actually you could use free permission request to find the useful information myself security right I asked a couple questions whatever you think is worth qualifying might development just went out the community the class system would require our right there in the public in

the business public a small medium businesses are indeed reporting crimes would look at this type of race again that was a theory then I propose it's smart it's definitely happening you've got twice as much from the public that's businesses based on this time here can speak your statistical the technical questions consult you know appear to have been very well resourced and to investigate cyber crimes a zero people with specific cybercrime knowledge which was something was not yet in the strategy so that it as a result you can do resource consumption attack against them you have to put in your mind is exactly why so the way to do this thing but remember as well person does not

have to be you can remember the UK presently you get some used to be in somebody whatever they want to just as a final addendum is actually finished so that time expiry trying to get 2011 finished and coincidentally took place in 16 others look you've got the similar you probably results reporting my Wellington there the significant progress with toward reaching these goals they say this is the screenshot you'll notice certain wasn't local and we were actively building our cyber schools knowledge I'd like to find out how many experimenter specials over and that's essentially it [Applause] considering instead few years like you know it moves on you concern it will have in yeah I think they'll be

interesting I think just something that all began and see anything else it's very different would be worthwhile like to be such an expert anything how do we gonna find the time I promise we'll be able to it's probably just attending it

[Music]

[Applause]