UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 1537-ii

HOUSE OF COMMONS

ORAL EVIDENCE

TAKEN BEFORE THE

SCIENCE AND TECHNOLOGY COMMITTEE

MALWARE AND CYBER-CRIME

MONDAY 14 NOVEMBER 2011

GORDON MORRISON, JANET WILLIAMS, CHARLIE MCMURDIE and LESLEY COWLEY

JAMES BROKENSHIRE MP

Evidence heard in Public

Questions 27 - 92

USE OF THE TRANSCRIPT

1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Science and Technology Committee

on Monday 14 November 2011

Members present:

Andrew Miller (Chair)

Gavin Barwell

Stephen Mosley

Pamela Nash

Graham Stringer

Roger Williams

Examination of Witnesses

Witnesses: Gordon Morrison, Director of Defence and Security, Intellect, Janet Williams, Deputy Assistant Commissioner, Metropolitan Police, Charlie McMurdie, Detective Superintendent, Head of Police Central e-crime Unit, and Lesley Cowley, Chief Executive, Nominet, gave evidence.

Q27 Chair: I welcome you all to this session. It is a bit unusual for me to know all four witnesses before us. Of course, that doesn’t mean it will be a totally friendly session, but I’m sure it will be very informative. Obviously, Parliament has taken a close interest in this area in the recent past-there have been a number of very well attended events in the House recently-but clearly, as you all know, we need to be as far on top of the problems as we can. May I ask you to introduce yourselves for the record?

Gordon Morrison: I am Gordon Morrison, Director of Defence and Security for Intellect, which is the trade body for ICT in the UK.

Janet Williams: Hello. I am Janet Williams, Deputy Assistant Commissioner in the Metropolitan Police. I am the ACPO lead for cyber-crime nationally.

Charlie McMurdie: Good afternoon. I am Charlie McMurdie, Head of the Police Central e-crime Unit.

Lesley Cowley: Good afternoon. I am Lesley Cowley, Chief Executive of Nominet, the .uk domain name registry.

Q28 Chair: You are all very welcome. Between you, you have a very wide-ranging set of responsibilities for creating and maintaining the internet, regulating the industry and policing the users. What is your biggest fear for the internet with regard to malware and cyber-crime? Who’s going to start?

Charlie McMurdie: I’ll dive in. For me, it is loss of public confidence in utilising the internet. That’s probably one of our biggest fears, rather than an attack per se. It is that public confidence factor.

Lesley Cowley: For me, it is about better protecting people and businesses and also people and businesses being able better to protect themselves.

Gordon Morrison: The internet clearly provides social benefit and growth opportunities to UK technology and industry, so for us, the biggest fear is that things like malware will create a drag on those two advantages of the system.

Janet Williams: I suppose for me the fear is of this mutating into something even more difficult for us to police. At the moment, we are seeing the attacks quite squarely in the crime area. I suppose my greatest fear is that this could migrate into cyber-terrorism.

Q29 Chair: It would be possible, of course, to create a safe area-a safe haven-inside cyber-space that guaranteed a greater degree of security but would inevitably have restrictions within it. Is that a good idea? Should we think about things such as that?

Gordon Morrison: Yes. There are potential technology solutions to provide a safe-for-anyone internet, but that has to be balanced with the freedom that needs to be provided-the openness of the internet and the neutrality of it. There is a balance.

Lesley Cowley: I don’t feel there is a silver bullet. In particular, there isn’t necessarily a sole technical silver bullet. For me, this is particularly about education and knowledge so that people can use the net safely, and about finding better ways to increase that knowledge without scaring people completely. Some recent research from the Oxford Internet Institute showed that some people who hadn’t used the internet were quite frightened of doing so. I think that is counter-productive.

Charlie McMurdie: We currently have different secure networks within law enforcement or for intelligence sharing or different vested groups. I don’t think that is the answer on internet safety or security. There will never be one completely secure environment. There will always be that vulnerability, and that is more often than not the human vulnerability that has to access that data silo.

Q30 Chair: Is that partly because, just as in every other part of the world where people are exchanging information and trade is going on, there are bound to be criminals on the edge of it who have an interest in exploiting it?

Charlie McMurdie: You always have to have a doorway in and a doorway out, so that is the vulnerability that exists. We have seen recent attacks on very high profile infrastructures where you would expect the highest level of security but which have been found vulnerable. Everybody now relies on the internet for their daily working lives, social lives, commerce and so on, so it is about mainstreaming the standards of security and the public knowledge and responsibility to use it safely and securely, rather than creating strongholds in bespoke locations.

Q31 Gavin Barwell: When something goes wrong and a computer user is affected by malware, where should they go?

Charlie McMurdie: A piece of work is ongoing at the moment in the National Fraud Reporting Centre to increase its capability to take cyber-crime reports. That is being developed and is due to go live, I believe, later this year. We are doing some work with the centre to make sure that infrastructure is stood up and the appropriate data is captured. Currently, the advice is to report it to your police officers. We all know, though, that if members of the public have had their identity compromised and they have lost money-they have become a victim financially-their port of call is to report that to the banks, where they are reimbursed for their loss. That doesn’t mean to say that we lose the intelligence around that compromise taking place, because we have a process where the data captured by the banks is reported into the financial intelligence system and then collected as, "This is the number of people who have been defrauded". We are increasing law enforcement capability. One of the programmes under the DAC is to actually roll out mainstream training and awareness for all our 140,000-odd police officers, so they will be better enabled to take crime reports from victims of crime, but also to provide that investigative capability to those victims.

The big point of reporting or contact, as far as I am concerned, is within our virtual taskforces where we have groups of people, whether it is the financial institutions or security bodies, who come together as a collective with a common threat or problem, and then they can brigade their intelligence to that report and report that to law enforcement to do something about it.

Lesley Cowley: I think there is a role for industry here as well, though, in terms of educating businesses and consumers, but also signposting where to go if you have a problem. Certainly Nominet, for our part, have a service we call "Know the Net", which is about signposting and helping to educate people and directing them to the right place, whether that is with Get Safe Online or other actors in this space. So there is certainly something very much around industry working in partnership with law enforcement and other agencies.

Gordon Morrison: There is a lot of best practice out there worldwide and in the UK, so what is really needed is a laser-like central point of reference on where to go for them. Get Safe Online may be the right place for it, to tell people how to protect themselves, what to do if there is a problem, and also to refer people to things like the malicious software removal tool that certain companies provide. So there is lots of technical stuff out there that can remove the code, but also lots of good practice. The general public, the SMEs and the large companies need to know where to go for that. The problem is that it is pretty much spread around.

Janet Williams: I don’t think we are as good as we need to be in policing, in terms of every single police officer in this country being as equipped to give a member of the public a piece of advice around cyber-security as they are, for example, for their windows and their doors-their general house issues. The other bit for me is that we have security co-ordinators who talk to smaller businesses and medium-sized businesses about their security, generally. They actually go to those premises and give them some good advice, and they are trained to that effect. We need to enhance their roles perhaps and give them the skills, capability and capacity to actually go to organisations, sit with them and help them do this thinking. Once they have some confidence that someone has sat with them and actually helps them do it for the first time, then they will feel equipped to go to Get Safe Online and, in the future, take advice via the internet. But in the first instance, I think some businesses just don’t have that confidence and need someone to hold them by the hand and take them there.

In policing terms, I would want to be in a position where every police officer has a basic level of training, and it gets better and better and better depending on their role: if they are a detective they have one set of skills; if they are in one of our regional hubs, they have another set of skills; and when they are in the central PCeU doing the high-level cyber-crime, of course they have the top-level skills. That should be complemented by a series of security co-ordinators who could go and hold small businesses by the hand in the first instance, and give them some good guidance.

Q32 Gavin Barwell: Am I being unfair to say that you have all given very informative and useful answers, but with slightly different emphases? Should I read into that that there is not yet complete clarity about the first point of contact I should go to if something gets on to my computer? Am I being fair in deducing that from your answers?

Janet Williams: Indicated assent.

Gordon Morrison: Indicated assent.

Charlie McMurdie: Indicated assent.

Q33 Gavin Barwell: You mentioned Get Safe Online. There is a lot of information there, both on use and on how to avoid harm. Do you think the site is well-integrated enough with the places you would then need to go to, as far as services and security are concerned?

Gordon Morrison: Yes, and what I was talking about does refer you to best practice and technical people to talk to. As a technical trade body, we would say that it does not necessarily cover the SME angle and maybe the corporation; it is very much focused on the general public and there may be some more work to do on that. One view in our country is that those running SMEs are the people who need helping to secure themselves. That is one piece of advice I would give.

Lesley Cowley: This goes to my point earlier about this being not a single responsibility but a shared responsibility. It is quite unusual, I suspect, for an end user to know exactly what the problem is, but they know they have a problem. Whether people contact their internet service provider, look online to find solutions, or go via trading standards or their local business association, it is important that they have some knowledge and know where to send people for help. There may be quite a range of actors in that space-certainly from my point of view one key thing is the education of businesses and end users, so that they can keep themselves safe too.

Q34 Pamela Nash: A recent report from the McKinsey Global Institute showed that e-commerce in the UK makes up 6% of the UK’s GDP, and 21% of growth in GDP, and the Minister Francis Maude recently said that the UK is currently Europe’s leading e-retail economy. Gordon and Lesley, do you feel there are indications that the UK will continue to be such a sought-after place in the world for e-commerce? Are there any concerns that would inhibit that growth?

Gordon Morrison: Yes; we are definitely targets, as are the US and the western world, mainly because of our e-business. I do not see that changing-perhaps we should ask the police officers. I think we must recognise that we will-I hope we do-use ICT to grow and maybe get ourselves out of the deficit. I don’t see that changing.

Janet Williams: I think prosecution is really important in this, and I think that cyber-criminals should not feel safe. Although there is a great emphasis on prevention and on patching systems-all of which is very important-I think that prosecution is equally important. The police e-crime unit under Charlie has done some really good work. The way we work with industry now is quite unique in that previously, industry would hand us an intelligence package and expect the PC unit to get on with it. Now, we work hand in glove with industry, and we are using its people and kit alongside our people and our kit, which enables us to cross jurisdictions. We know that cyber-criminals don’t like this and that they are getting quite nervous about that capability. I think that is a good thing; we need more of that because it is obviously working. We know it is working because in the first six months of this year, for every £1 invested we have recouped £35 of harm. That means that we have saved the UK economy £140 million in the first six months alone. The proof is in the pudding. One, cyber-criminals are getting worried about us, and two, we are mitigating that level of harm.

The fact that we are now bringing all our capabilities together will be of benefit. The Cabinet Office initiative of getting the security services working with policing and industry, with everybody sharing information and helping each other to understand the problem and move forward, has got to be of benefit. That is something that this country has a really good history of and certainly in counter-terrorism-where I currently sit-we are known for our expertise in that sort of crime. Part of that is because we are good at sharing information and intelligence with security services and policing. We should build on the strong foundation in that arena, and the Cabinet Office initiative will help us do that.

Q35 Chair: May I just interrupt you there? In the earlier part of your answer, you seemed to indicate something that is, I think, a subtle but important change in position from the police, which is that crimes ought to be prosecuted in this area. There was a period when the attitude was either that we haven’t got the resources-I understand that-or that it is a victim-less crime and whoever it is will pick up the tab.

Janet Williams: It has never been a victim-less crime. Sometimes it is difficult to determine exactly who the victims are, but that is usually because of the quantity of victims, so it is hard to put a name to it. It is damaging our economy and our citizens and we should be very clear about that.

Yes, policing did struggle because we did not have the resources, the capacity or the capability to deal with this level of criminality or the way in which it was developing. I think we are getting there now. There are 104 people in the police e-crime unit. We started from a very small number, so we have increased massively. The next step in this financial year is that we will be building three hubs: one in the north-west, one in Yorkshire and Humber and one in the east midlands. They will link into the police e-crime unit and have a symbiotic relationship with that unit as well as being able to be leaders in the region in which they are situated. They will be able to take on this sort of criminality in their own right and, like the police e-crime unit, they can advise other serious crime units. If units are dealing with people trafficking or with drugs, the hubs will enable them to understand the cyber aspects as well as dealing with the pure cyber criminals in their own right.

Q36 Stephen Mosley: I was pleased to hear what you have just said. You were talking about banking earlier, and there is a perception that if money goes from your bank account, you speak to your bank and you might get your money back, but it doesn’t seem to go any further. Have you any statistics on how many prosecutions and successful prosecutions there have been over the past three or four years?

Charlie McMurdie: Certainly. We have arrested about 123-numbers do not really mean an awful lot, and that is an approach that we have changed. There have been 124 arrests, 32 so far found guilty. The numbers are not the key point that we are looking at. We could arrest 200 people tomorrow, but they may be low-level users of compromised data. Where our taskforce focuses its activity is working more often than not with the financial sector-all the banks coming together-where it would potentially have tens of thousands of victims. The banks work with us to identify the higher echelon of criminality that is responsible for the harvesting or selling of those data, or the compromised process of disseminating the malware to harvest thousands of computers to use them for attack purposes. It is about taking out the root cause-the two, three, four or half a dozen instances of top-end criminality before they get to the lower foot soldiers.

As to numbers of individual cases currently running through the courts or being prosecuted, we had another case concluded last week. Eastern Europeans had compromised tens of thousands of identities and run them through the UK infrastructure. They were facilitating global criminality, so in that instance they were writing the code, constructing the code and then using the code for financial gain. That could quite easily have been turned for attack purposes. To take out that higher end criminality is quite a significant result for us.

Q37 Pamela Nash: Can I ask a short question? With all the work that you are doing and that you have just detailed, do you feel that the message that it has been successful is getting through to industry, and have you seen any evidence of a positive response?

Charlie McMurdie: Most definitely yes. We have had that intelligence; it is getting through to the criminals, because when we do take out some of these higher-end criminal organisations we can see the intelligence behind that, and see that level of criminality move elsewhere; or the criminals will decide not to attack that sector because they have been detected. They will move somewhere else.

Certainly there is feedback that we have had from industry, which is encouraging more reports and more intelligence with us-that is how we have developed-and industry is seeing positive results as a result of us working with it and arresting and prosecuting these criminals. That is where we get the main source of our intelligence and learning as well, when we sit face to face.

You have heard the unit is now 104-strong, but I think certainly the Police Central e-crime Unit is probably one of the best cyber-capabilities now, worldwide, because of its success. But it is not just because of the 104 staff I have; it is because of the reputation and the way we work with our partners-our industry partners, our other law-enforcement partners, both here in the UK and abroad. We are a hub of 104, but we can call upon massive resources from elsewhere.

Janet Williams: There is one thing I am a little bit worried about, that it would be helpful to have some support on. We are just about to look at the strategic policing requirement nationally, and for me it is really important that cyber is identified within that requirement, because if it is not I think chief constables and crime commissioners may not feel that they have to put the resources in the infrastructure in place to deal with this locally. Part of our strategy absolutely relies upon local police officers being able to deal with the low-level stuff, as I described before; the regions taking on some of the regional capability and then the PCeU dealing with the high-level stuff. If that is not in the strategic policing requirement I am afraid it might not happen, but that is one thing that I would really appeal to the Committee to help with.

Pamela Nash: Thanks for putting that in.

Lesley Cowley: Your original question was not really about policing, necessarily. It was about the internet as the engine-room for growth. I think one of the reasons why the UK has been so successful is that we have very much viewed the internet as an enabler. We have taken a light-touch approach to regulation, and there has been a lot of industry-led information-sharing, knowledge-sharing and self-regulation, in effect. I do quite a lot of work internationally and the UK is well known for taking and supporting a multi-stakeholder approach, which I think has been absolutely key to some of the UK’s success in the internet economy.

Q38 Pamela Nash: A lot of the submissions that we have had in this inquiry have referred to that, but there also seems to be a bit of a thirst for some leadership. Do you think there is a role for Government to take the lead?

Lesley Cowley: I think there is, potentially. I think there is a role for Government to take the lead in partnership with industry and the other actors. Going back to your earlier question, certainly in discussions internally we have talked about the need for some sort of internet CERT, a place to share information about opportunities, threats and innovation. That would be helpful. Government can also take a lead by adopting some of the security standards at an early stage and showing leadership, and facilitating that approach going forward.

Gordon Morrison: Perhaps I can come in on that and say there is recognition that certainly industry is focused on growth and risks; there is a need to do some work in the UK, which perhaps Government can help us with, and there is some work that Intellect is doing about really focusing people on the risk of cyber, and perhaps the opportunity of cyber. That way people can invest and protect themselves.

To comment on what the police service said-I commend the work that has been done in the police in the virtual taskforce and financial services-a lot of members’ views in industry are that penalties for producing malware and doing cyber-crimes are perhaps not as hard and as long as they should be. It is not a criticism of the police service; more of the penalties.

I think the other thing-I just recommend this as a remark, really, from north America-is that certainly in north America the view is we should help people take civil law suits seriously, and have civil prosecutions against cyber-criminals.

Q39 Pamela Nash: I have a couple of specific questions about the .uk domain. Is there scope to make it a more tightly regulated place when it comes to malware? Could that alter the conduct of e-commerce in the UK?

Lesley Cowley: If you are talking about Nominet and .uk, we already do a great deal to make .uk a great place to do business. We have certainly done some recent work on DNSSEC-the enabling and security extensions-which will go some way towards what you describe. We do quite a lot of work in co-operation with law enforcement and others, both nationally and internationally. We are also doing some work on data quality to help make .uk a less attractive place for criminals and others who might put out incorrect information, shall we say. We are certainly aware from independent research that .uk is a very trusted place to do business, and people actively prefer a .uk website over a .com website. It is important we retain that reputation and that trust.

Q40 Pamela Nash: There is continual work going on to ensure that is the case?

Lesley Cowley: Absolutely. All the time.

Q41 Pamela Nash: Does everyone agree with that?

Charlie McMurdie: We work closely with Nominet. We have limited resources, but Nominet acts as a point of contact for industry to reach out to when it identifies rogue or fake websites, or websites that are being used to disseminate malware, for example. We will look at investigating those sites and producing agreed standards of criminality, and we have a process in place for referring sites to have them suspended where criminality is taking place on them. But as you have heard, it is an ongoing, developing, improving process, with better co-ordination around that.

Gordon Morrison: The only comment I would make is that we have a very good .uk domain, which is very professionally run, and we have a police service that is very focused on security. Our focus should be on education from schools all the way up to shareholders. This is not a technical issue; it is about people understanding not to click on certain things or not to read spam-the hygiene around using your computer, the green cross code for your computer.

Pamela Nash: Thank you.

Q42 Chair: Before we move on, Miss McMurdie, given your relationship with Nominet in the UK and your experience of dealing with police forces around the world, are there lessons we could learn from other police regarding domain name registers that would improve things here, or are we the leader in the world?

Charlie McMurdie: I think we probably lead the way, sir, with the process that we have in place. Obviously, the sites we are asking to have suspended are in a lot of countries, and a number of the operations we have conducted involve sites hosted all over the world. In a recent operation, we took down sites in 186 different countries, and we have suspended thousands and thousands of sites. More often than not, if they are in more remote countries, we will work with the top-level domain name registrars; we will work with industry, rather than go through the law enforcement group, which, quite often, is found wanting in some other countries. Particular problems happen to be in America, surprisingly; a lot of the infrastructure is hosted over there, and it tends to be a very slow and cumbersome process to get any form of response or action regarding sites in the States.

Stephen Mosley: I think most of my questions have been answered, Chairman, so it might be worth while moving on. Perhaps a bit later I can chip in on a question.

Q43 Graham Stringer: E-crime is a new crime. I guess when you were doing your training, it was not high on the agenda. When it is difficult to detect, capture and prosecute the criminals, how do you prioritise e-crime against other police work?

Janet Williams: That is where the strategic policing requirement comes in. ACPO has tried to push the cyber-portfolio up the agenda. To a certain extent, it has achieved that, hence the agreement about the three hubs and the comprehensive agreement on police officer training right across the country. We have never really had a comprehensive understanding of how significant this crime is, and we have never had a comparison with other crimes in the way that the strategic policing requirement will give. That is why I am so keen on influencing it.

Q44 Graham Stringer: If I understand that answer properly, I guess that means you have real difficulties in recording crime.

Janet Williams: Yes.

Q45 Graham Stringer: And knowing whether you are detecting a greater percentage of it or improving. Can you talk about how you record a crime, how you would test and communicate improvements in your technique, and the size of the problem you are dealing with?

Janet Williams: We have already covered some of this, but for me it is about no single point of reporting; everybody knows where to go in the case of a burglary or a rape. I do not think there is the same level of understanding. Also, some organisations do not choose to report, because it might be sensitive to the share price in that organisation. They may feel that they really do not want this to come into the public domain, so we lose a great deal of understanding and intelligence as a result. Currently, there is no obligation on business to report. What we get is fractured, because there is no single agreed point of reporting. Even what we do get is not a full picture, because some people just choose not to report.

Q46 Graham Stringer: You are answering lots of questions before being asked, which is an advantage.

Chair: It is the intelligence unit.

Graham Stringer: Are the operational responsibilities in different parts of different police forces clear?

Janet Williams: With the exception of the Metropolitan police and the police e-crime unit run by Charlie at the moment, in terms of this high-end cyber-crime investigative capability, it only exists in that one place. We try to fulfil that national function, which is what we are supported to do financially. That is what is in our strategy. In terms of capability elsewhere across the police service, it varies, depending on where you are. There are some pockets of really good capability in Scotland and the north-west. I am sure Charlie knows other areas too. It is not comprehensive and it is not co-ordinated in the way that we want it to be, but it is part of our strategic direction. That is what we have some of the money for. We are on a time line to deliver it by 2014. We are working to that time line, and in fact are ahead of it, but by no means is it comprehensive coverage now.

Q47 Graham Stringer: What are the advantages of the new unit in the National Crime Agency over what you have at the Met and in SOCA?

Janet Williams: What is really important to me when we migrate to the National Crime Agency is that everything that the police e-crime unit has succeeded in doing-building relationships with industry, developing capability and capacity, improving our intelligence capability, but most importantly, going after criminals, being good at that, capable of doing that and very operationally focused-needs to be retained. The benefits could be that if you co-join with SOCA and other agencies-that is the key-it should be greater than the component parts. What is important is that the capability should support the other strands of the National Crime Agency, building much better, faster, cross-jurisdictional reach and intelligence-sharing. Much better relationships with the security agencies should enable us to step change. For me, there is no point in the police e-crime unit migrating to the NCA if the NCA is not better than its component parts. That, absolutely, must be our ambition. We must protect what we already have and enhance it.

Q48 Graham Stringer: You have mentioned a number of times the benefits of working with the security services. How do you work with Interpol and Europol? Or do you work with them?

Janet Williams: We do not do much with Interpol to my knowledge-Charlie might know better than me-but we have done quite a bit of work with Europol. We have some taskforce work, but Charlie knows more about that, I think.

Charlie McMurdie: Europol is slightly more tactical than Interpol in our engagement. Certainly we attend the Interpol working groups as one of the UK Interpol representatives. Interpol is looking at more strategic, international engagement, learning and process-type work. It is moving towards being more around training standards, whereas with Europol we have a number of groups looking at common legislative problems and issues, common training standards, building training modules and tactical data-sharing. We can task Europol some of their analyst capability, or task out packages of work through Europol. For example, some of our joint investigation treaties are established through the Europol route. So it is far more tactical, currently, through Europol, rather than slower-time, more strategic work ongoing with Interpol.

That said, we have just conducted a recent operation - website suspension work, with rogue medical websites - with 80-odd countries, which was co-ordinated by the Interpol control centre. It provided capability for us and put all the various points of contact in place. But far more work is with Europol, currently. Interpol is just relocating as well, so it has been through quite a move; it is looking at bigger growth, to put in more capability.

Q49 Graham Stringer: My last question. E-crime must be the easiest crime to do internationally. Are there any areas where relations with other countries or other agencies could be improved, on an international basis?

Janet Williams: Quite a lot of different countries. We have a considerable resource in SOCA, in that it has developed really good international relationships. Most definitely the police e-crime unit piggybacks on those relationships, which is quite right. As we draw closer to the NCA, I think that will become more and more apparent. We have tried not to create our own independent relationships and duplicate effort. We have tended to piggyback on the SOCA relationships and to develop them in a more proactive and operational sense.

Q50 Stephen Mosley: It is the international dimension I was interested in. Do you have any indication of how much the crime committed against people in the UK actually originates outside the UK?

Charlie McMurdie: Every investigation that we conduct has suspects based internationally or money flow that will travel internationally, or the attack will be facilitated through international sites, servers or systems. So every case that we deal with requires international co-operation, parallel investigations, data from abroad, and the way that we have to work is on a police-to-police basis; cyber is too big, too fast, to run through our existing law-enforcement MLAT process. An attack is happening this evening at 4 o’clock, and we need to have 10 or 12 different countries on the line responding within the hour to do something about it.

Q51 Chair: That presumably will include everything, from the minor scams that are targeted at large volumes of people all the way through to the spectrum of criminality that occurs on the net?

Charlie McMurdie: Primarily, the fastest time response that we need to put in place is when an attack is live - is happening - and they are taking out some particular infrastructure, so an online service or function -

Q52 Chair: Sorry, but you have misunderstood my question. Your answer to Stephen’s first point was that everything has an international dimension. I am just asking you to confirm that the whole spectrum of criminality has an international dimension.

Charlie McMurdie: More often than not, yes. Even if we forget cyber-crime and the high-end attack-type stuff and look at something simple, such as somebody sending some cyber, internet bullying-type message, or stalking somebody online, that is probably hosted on some Hotmail or Yahoo! account, and the IT and the data that we require will be hosted in a different country.

Q53 Chair: There are two officers with considerable experience here. Does that require a different approach to law enforcement and crime detection from that for crimes that are from a static location?

Janet Williams: Yes, I absolutely think it does. First, the legislation is not fit for purpose and we need to bring it up to date to deal with this, but we also need a much more dynamic response. If you think about prevention in traditional terms, police officers would normally look at a series of crimes, take the learning out of that, think about it and issue good practice, and people would then adopt those as prevention measures. We haven’t got time in this arena to do that. We are having to act dynamically to patch systems, to warn people about how they might protect themselves in order to prevent the spread of a virus infection, for example. The speed is different, the calibre of officer you need who has the technical skills to do that is very different, and the legislation that backs you up has to be very different, so this whole thing needs to be looked at.

We are very fortunate that we have managed to identify some very experienced detectives to work for us in the police e-crime unit, but it takes about seven years to get someone up to the level that we require to do the sort of work that we are asking them to do. You don’t need that many of those people - you can have less skilled people supporting them - but you absolutely do need a core. There aren’t that many people in the country able to do this, and we are constantly seeing leakage into industry, which is, frankly, poaching, because, of course, everybody wants these people. For me, the way that we think about this has to be very different.

Q54 Chair: May I test you a little further on this legislation that has to be different? I presume from that that you need legislation that creates a framework within which you can work while giving you a great deal of scope to move fast within it.

Janet Williams: Absolutely, within the law, so that we can protect UK interests and UK people whose data is often housed outside this jurisdiction. We need to be able to protect it.

Charlie McMurdie: A key part of our remit of arresting and prosecuting people is to make the most out of the learning, the intelligence - both the strategic and the tactical learning that comes out of our operations. That is what we feed into. We have established a Home Office group to look at some of that learning, some of the gaps in our capability, and opportunities around legislation.

Q55 Stephen Mosley: From what you have said, it sounds as though you have the capacity to do the investigation side, but you also talk about crime prevention, which the police would normally do, and it sounds as though, because of the expertise you need, you probably aren’t able to do it yourself. Who do you think should take the lead on educating people in schools, and on crime prevention? Lesley talked about a multi-stakeholder approach. Is that multi-stakeholder approach suitable, or do you think someone should be given the task and told that their job is to lead crime prevention and to bring together the vendors, the industry, Nominet and yourselves?

Charlie McMurdie: I think BIS already has programmes of work ongoing, and linking through with Get Safe Online, but I think there is a real gap and an opportunity where we need to have physical representatives that people who have been victimised or need advice can turn to, whether they sit under law enforcement as our SECCOs - crime prevention officer - or whether they sit as sub-people working to Get Safe Online. But those individuals don’t currently exist, and I think there is a real opportunity to work with the industry to put someone of that nature in place. People don’t look for advice on what they should have done or how they should have dealt with things until they have been a victim, when it is too late. It should almost be at the point of manufacture, point of sale, or point of education. The use of the internet is an integral part of everything we do. It should be integrated into our schooling processes. It is too little, too late.

Janet Williams: Someone said to me that we all understand that we won’t walk down a dark alley in preference to a lit alley. That is instinctive, and we almost need to get to that point with this, so that people understand what the danger signs are, and at the moment most people don’t.

Q56 Chair: I suggested at the Get Safe Online briefing that was held here last week - it produced a very good online leaflet - that we want perhaps to work with retailers, particularly in the high street, and persuade them to carry that and make sure there is always an up-to-date version of it that goes out with every piece of kit that is sold. Would you agree?

Janet Williams: That is an excellent idea, and I think there is work ongoing with some of the staff of particular electrical stores - I won’t name the shops - to increase their training and capability to advise people on the security aspect when they are buying something, and to give them that type of leaflet.

Gordon Morrison: Yes.

Charlie McMurdie: Excellent idea.

Gordon Morrison: I would argue that it is people who control the problem, from school leaver, schoolchild or whatever to shareholder, and the industry and the police service can help that. The real issue about social change in the UK is that it is at national level. It is even like TV adverts or the old public information service of years ago. It is about making people realise how big a problem this is. I don’t think we have got that. I think we have the components, but people don’t really understand quite what the threat is.

Q57 Chair: I think some of it is there. I rather like the HSBC advert with the little girl opening a magic money box, for example. It is a very clever message. We want to see that penetrate right through society. I think that is a problem we can all agree on. The Minister is sitting behind you absorbing all these ideas, and feeding them into the autumn financial statement. I thank you all for attending.

Witness: James Brokenshire MP, Parliamentary Under-Secretary of State for Crime and Security, gave evidence.

Q58 Chair: Welcome, Minister. I was delighted to see you listening in to the previous session, because we had what I think you will agree were four extremely well informed witnesses.

James Brokenshire: You had several experts in their field and it was very interesting for me to sit back and listen to their contributions as well, so thank you.

Q59 Chair: We are obviously waiting for the announcement of the cyber-crime strategy. Could you explain to us what you consider to be the key issues in tackling malware and cyber-crime?

James Brokenshire: There are three key themes that we are looking at in the cyber-crime and cyber-security strategy, which we will issue soon. The first is reducing online vulnerability, through a programme to improve security and the steps that people take in terms of the purchasing and design of software and systems, as well as public awareness, education and some of the themes that you touched on right at the end of the preceding session.

The second theme is restricting online criminality, by having the right laws and the law enforcement response in place to ensure that those who seek to commit cyber-crime can be prosecuted.

The third theme is what I might characterise as the co-operation strand. That is co-operation between citizen, Government and business, as well as co-operation between Governments, recognising very clearly the international aspect to this crime, which is probably above all other crimes in the way that everything connects up.

It is those three strands that I would perhaps focus on in setting the overall framework to the approach, given that I do not think that there is one single answer to this issue. There has to be an approach that takes a number of different steps and covers that broad range for it to be effective.

Q60 Chair: The Government announced a substantial sum of money for tackling cyber-crime - £650 million. Of that, £63 million will be "enabling the UK to transform our response to cyber crime". In your previous answer, you recognised that this is a problem facing business, Governments and the whole of society, including individuals. How much of that money will be apparent to individual computer-users?

James Brokenshire: As you heard in the previous session, investment is going into law enforcement capability and capacity. Therefore, I think that the response that the public receive around cyber-crime will be enhanced by the investment that takes place. We are moving to a new policing environment and the establishment of the National Crime Agency, to which I am sure we will turn in further questions. Again, I believe that that will enhance that capability further by drawing various strands of law enforcement operations together, so there will be that sense of seeing a step change.

Clearly, we are also looking at the educational side of this issue. The Office of Cyber Security and Information Assurance, and the Cabinet Office, are working closely with BIS and other Departments, including the Department for Education, to look at how we can better impart some of those educational issues. We will also focus on skills, to ensure that we have people who are appropriately skilled to provide that response.

I think that there will be visibility to this approach and I think that we are already starting to see that, but clearly one of the challenges that we face is getting the positive information out there in terms that the public understand. I think that in some ways we wrap a lot of this information up in technology-speak, which sometimes makes it a little bit impenetrable for the public and others to have a sense that it is directly relevant to them. The communications strategy must have that idea at its heart.

Q61 Chair: We had a very similar discussion with Anne Milton recently, in the context of how the public understand and respond to advice on alcohol. Do you see this as a similar thing, in terms of the way that public health messages need to be transmitted - not in "doctor-speak" but in "human-speak"?

James Brokenshire: It needs to be imparted in that way. Sometimes, when I have attended some of the conferences, debates and discussions on the issue, it can at times sound as if you are talking through a complicated plot from a science fiction novel, whereas in fact, what we are talking about is real-life crime and real-life impact. It is actually the language used in some of this. If we simplify it to fraud or some traditional crimes that are committed using technology, breaking it down in this way, we can make apparent to business the reputational risk that they may run if they don’t get some of these issues right. That context and relevance is very key in ensuring that that transfers from something that may be viewed as perhaps for the specialists and technicians to something that has a broad and wide impact and application to all of us.

Q62 Chair: You heard my last question to the previous panel about the need for the work of Get Safe Online to reach the customer at the point where they buy their goods. Would the Government consider that to be a useful way of spending some of this incredibly valuable money? You have a substantial sum of money at your disposal, but it must be spent wisely to be of the maximum effect. Is that the sort of initiative you are considering to improve public awareness?

James Brokenshire: We need to consider how Get Safe Online could be more responsive to information or alerts issued by law enforcement agencies or via the new mechanism to enable people to report financially motivated cyber-crime, Action Fraud, which will come online later this year.

Q63 Chair: My particular point was about the point of sale of hardware, where, particularly on the high street, evidence suggests that a significant proportion of the customer base are not aware of the risk they are facing when they first switch on their smart phone or laptop.

James Brokenshire: I am keen to discuss that with business, in terms of what is likely to be efficient and effective. It is also perhaps worth pointing to the example of the UK Council for Child Internet Safety, which I co-chair, and the work that we have been doing with Dixons and Currys. Those retailers have been putting information on the back of their till receipts about loading up filtering software so that parents become aware of some of the issues for children - the concept of active choice. I am keen to continue discussions with business about what happens when people buy hardware in a shop, but we cannot ignore the fact that, nowadays, most people buy a lot of this stuff online anyway. If the point of sale is migrating towards the online environment, how are we better able to impart those messages online as well as offline in the stores?

Q64 Graham Stringer: Francis Maude gave a speech in which he referred to a survey done by Google, which found that only 5% of internet users thought it was the Government’s responsibility to look after the security of their information. Do you think that that means that there is something fundamentally different about e-crime and about the state’s responsibility? Do you feel that the state has as much responsibility in looking after the security of information as it does looking after the security of individuals or people’s property?

James Brokenshire: I think, Mr Stringer, you make a good point about the differences that reside in this environment. In large part, the infrastructure that makes the internet operate and the way in which information is stored reside in the private rather than the public sector. Now, that does not mean that the Government do not have an important role; I strongly believe that they do, taking the various strands of work that I outlined at the outset in relation to the strategy and approach that the Government will adopt. I think that the Government are instrumental and have a role when we look at the international perspective in bringing together Governments and how the law and law enforcement respond. Indeed, given the way the Government themselves operate, as we move to an online Government world in the provision of services, we will be facilitating and holding a lot of information ourselves, and it is important that we do that right. It is also important, in the design of our systems, that we seek to use that opportunity to perhaps raise standards and ensure that we are influencing things in the right way.

Q65 Graham Stringer: You have suggested a Government portal for providing security information to people. How would that differ from the information that you would get from Get Safe Online?

James Brokenshire: I would certainly look at Get Safe Online as essentially being a platform; you would use it as a mechanism to transfer the information.

Q66 Graham Stringer: So it would be an upgrading of Get Safe Online?

James Brokenshire: That is certainly how I would visualise it. Rather than trying to create something new, I am always of the school that wants to use something that is there and to draw it together more effectively.

Graham Stringer: That is clear.

Q67 Chair: Before you move on, and just to be clear, Get Safe Online is a public-private partnership, so do you envisage the Government taking the lead in putting more money into it and encouraging the private sector to do so as well, or are you just leaving it to the private sector?

James Brokenshire: Get Safe Online has been a strength because it has had that public-private partnership attached to it, recognising and reflecting the challenge that was very much at the heart of Mr Stringer’s question about whether this is something that resides in both environments. I would certainly want to see Get Safe Online continuing to have that public-private partnership, but I would also want to look at ways in which we are able to make it more responsive. I would want to look at the information that will be coming through from various different agencies to ensure that Get Safe Online is able to protect the public better so that, if threats and risk emerge, we know how best to impart that information. At the same time, we must recognise that we do not have a monopoly on these things and that there are some other very good sources of information. Recognising that, Get Safe Online can perhaps also act as a signpost to other sources of information.

Q68 Graham Stringer: Here is a conundrum. Get Safe Online has done a survey, and 28% of internet users declined to use security programmes - I do not know whether you are aware of that statistic. Do you think that is perverse wilfulness on the part of nearly a third of internet users, or is it ignorance? Do you have a view about what the solution should be? Should it be just more information - battering these people with more information - or does there need to be a legislative framework to deal with this?

James Brokenshire: I am not in favour of legislation in this particular arena. This is, in large measure, about how we can better educate people and, coming back to my earlier point, about underlining the potential challenges or risks in a way that is understandable, so that people recognise that we all have a responsibility in this arena. Of course, the Government have the responsibility to provide a basis of information for individuals to take up, but there is also a responsibility on business to assist. I sometimes liken this to the fact that we are moving to a system of more online business and online trading, and that facilitates growth and business. If business is taking its customers more down an online trading route, it has a responsibility to support them in that environment and, therefore, to design its systems in a way to aid that process.

Q69 Roger Williams: Good evening, Minister. We have had some written evidence - indeed, we had some oral evidence last week - that suggests the Government have too many organisations with overlapping responsibilities. At the same time, one of the real restrictions on effective police activity is a lack of resources. How would you respond to that suggestion?

James Brokenshire: The Office of Cyber Security and Information Assurance in the Cabinet Office provides the overarching, cross-governmental lead to draw the relevant strands together. I actually think that we have made some very important changes in law enforcement, through the funding that has been provided and as a result of the recognition of the threat that cyber poses. The creation of the new National Crime Agency, with the National Cyber-crime Unit contained within it, will actually start to draw together some of these strands to ensure that there is a more co-ordinated, more coherent law enforcement response. That will harness the intelligence hub that will be at the heart of the National Crime Agency, establishing the National Cyber-crime Unit as a centre of excellence so that it is able to work with individual police forces, as well as being responsive to the complex areas of cyber-crime that are currently being confronted. Those changes will actually join this work up much more effectively. In addition, we will be looking at how to co-ordinate and task work around this arena, working with and through the strategic policing requirements of individual police forces so that they lock together much more effectively. In turn, we are working through that with the security agencies to give coherence to that strategy. So, important work is already in place. We are taking further steps to give even greater coherence to the existing architecture.

Q70 Roger Williams: So you think the central role of the National Crime Agency is that of bringing together of the rather diverse number of organisations to gain some more resource efficiency?

James Brokenshire: The resources have been committed in relation to the scaling-up of activity around cyber. I think the National Crime Agency interlinks the various different strands of work through the commands the National Crime Agency will have, recognising that so much of cyber is organised crime and financially motivated crime. When we talk about cyber-crime, sometimes we can talk about a number of different things. We are talking about high-end, network-based attacks on IT infrastructure - that sophisticated level - but we are also talking about traditional crimes committed in a different way. Now, that new technology may mean that they are committed on a greater scale with greater ease, but ultimately you are talking about things like fraud and theft. Thirdly, it is how technology is being used to facilitate crime, whether that is the online data supermarkets exchanging people’s details, or the use of social networking to be able to facilitate crime. I try to break it down in those three separate pots, in terms of how you might define cyber-crime, give that clarity and then decide what the response should be.

Q71 Roger Williams: How are you going to make a judgment on whether the National Crime Agency has been effective in doing that sort of work?

James Brokenshire: One of the things that has been very clear to me is the need for better information and better data. There have been estimates as to the impact of cyber-crime. The Office of Cyber Security and Information Assurance and Detica produced a report earlier this year suggesting it could be as much as £27 billion, but then what does that mean? How do you then take that forward? That is why we want to establish Action Fraud, which will be a clear reporting mechanism for financially motivated cyber-crimes, so, again, we are getting better reporting and better information, and therefore establishing the responsiveness based on that.

One of the clear pieces of work that we are doing in the creation of the National Crime Agency, on each of the different strands of operation that it will fulfil, is doing precisely what you are saying, Mr Williams: providing that clear granularity to show that it is working, that we are better responsive to these issues, from a base where I think the information is not as good as it should be.

Q72 Pamela Nash: In May, Francis Maude announced that the Government will put in place a digital identity assurance scheme for public services by summer next year. Is this project on schedule and how much will it cost?

James Brokenshire: The project, which, as you say, Francis Maude has been leading on, again brings together Government with other business and other agencies effectively to facilitate better use of services online. In other words, you have your identity online. How better we are able to secure our identities, and therefore to have that trusted identity - if I can describe it like that. To respond to your point specifically, it is intended to provide a solution that can be used for accessing any public service, simplifying your experience when you use services online, as well as ensuring security and privacy. The costs will not be known until the design stage has been completed. That work is underway, so I am sure that we will be able to provide this Committee with more details as that work progresses, but, at this point, because of the design work being in place and that being a key and core part of it, I am unable to provide those figures for the Committee.

Q73 Pamela Nash: Can I take it from that that it is not on schedule?

James Brokenshire: No, it is on schedule. I would not want to give that impression to the Committee. It is about the different phases of work. I know from discussions that I have had with Mr Maude that he is very much driving the process through and wants to see it committed to on time, because of the benefits that we will all get from it, in terms of the way that we interrelate with the cyber-world that the Government will increasingly be evolving into.

Q74 Pamela Nash: I appreciate that, but I believe that the original timetable said that the first prototype would be tested in October, but you are saying that it is still at the design stage at the moment.

James Brokenshire: I would be very happy to write to the Committee to confirm the different levels and stages of work, because it is something that the Cabinet Office has been leading on. I certainly recognise the importance of it. If we are able to ensure the good use, and safe use, of online services through Government, we need to have greater assurances for the use of our identities. I will certainly confirm and double-check for this Committee on the progress that is being made in relation to that particular project.

Q75 Pamela Nash: Thank you, that would be really helpful. We discussed this in last week’s evidence session, when we heard evidence from the academic community. Although it was accepted that this might be a useful project for Government, serious concerns were raised about the value of one of these schemes - that a digital identity assurance scheme is itself vulnerable to criminal activity. What are the Government doing to ensure that that will not happen in this scheme?

James Brokenshire: We have seen, from some data losses in the past, the impact that this can have and, increasingly, as so many of our services move to an online world, the need to have a trusted identity and identity assurance will continue to get more significant over time. In many ways, I think that is what lies behind the ID assurance solution that is being developed through this work. Clearly, privacy and security of people’s identity is absolutely at the heart of this work, recognising the threats that I am sure will continue to be a challenge and that will continue to escalate. The work that is being undertaken is very much a core part of ensuring that our identities are protected, and the way in which services are designed will respect and reflect that. If we come back to what Mr Stringer said earlier about the role of Government, I think that this is very much part of it. The way that Government design their systems and provide that information assurance are a core part of what Government need to do in the design of their services and in taking more citizens into the online world.

Q76 Pamela Nash: I am not clear about this at the moment. I appreciate that it is still in a design stage, as you said, and that it will simplify the systems for customers - people who go online and access public services - and hopefully the aim is that it will be a more secure process for them. At the same time, an announcement by the Cabinet Office earlier this year indicated that a market would be set up to allow different private companies to get involved and to continue schemes.

James Brokenshire: It is interesting, because, if we look at information assurance, some of the things that I have been talking about are as directly relevant to private companies and the way in which they set up their systems for facilitating business and for ensuring that customers are able to use their services as they are for Government in a number of areas. We envisage that the private sector will drive the solution, which is why there is this partnership approach in terms of the design process. The public sector will act as one of the early adopters of the system, in order to drive the standards and drive that approach, but, having got the design and got it right, we would see other businesses potentially adopting a similar sort of approach. The Government may be one of the lead adopters of the solution that is then designed, but then other businesses may take it on and utilise a similar approach, ensuring that the Government are doing their bit to raise the bar around information assurance in this arena.

Q77 Pamela Nash: Again, I have to highlight the fact that academics were very sceptical last week that business would take this on.

James Brokenshire: We are working very closely with business and industry around this particular piece of work. It is important. While there will always be those who are sceptical about particular pieces of work, raising the bar on information assurance and identity assurance is an important part of how we deliver a safer and more secure internet, given that so many more services are gravitating towards that area.

Q78 Pamela Nash: Could I ask you to expand a little on what you see as the benefits for individuals who are using the digital identity insurance scheme?

James Brokenshire: I suppose if you have a secure and trusted identity, it makes it easier to be able to use services, which ensures that people’s experience of using online services is that much more effective. In some ways, it is about simplifying it so that it makes it more accessible and people are more readily able to use services online. If we are taking more Government services down that route, that is an important part of it. It is about that simplification, so that the public’s ability to take advantage of online services is much more heightened. Simplification is one of the key things that the public will see, but ultimately it is also the safety, security and privacy building blocks that will sit behind it that will help to deliver on that overall framework.

Q79 Stephen Mosley: We have mainly been focusing on malicious software, but you can also have problems with legitimate software that has been poorly written because it could be exploited and people could take advantage of it. In the Home Office submission, you say, "We want the public and business to be able to identify easily products with good security. We will work with the private sector and others to identify how standards for measuring the effectiveness of products or services could be developed." Is that an aspirational statement or is there more meat on the bone than that?

James Brokenshire: One of the important issues around this is how we are best able to give that sort of information to the public so that they know what they are buying and the sort of assurance they are getting. One of the things that we are examining at the moment is whether the use of kitemarks and other such mechanisms is able to fulfil the basis of that statement. That work is very much ongoing. We are also working with CESG, which is at the centre of GCHQ and which does a lot of work on validation and certification, to see how best we are able to impart that assurance. It is not aspirational because work is ongoing on this to provide the information for the public on security and on assurance so that they are better able to know what they are buying.

Q80 Stephen Mosley: We heard about share value from one of the police officers earlier. Companies might not want to inform the police of problems that they have experienced because of shareholder value and because of the perception of risk to their brand. Do you think that that is a problem? If so and if companies are not declaring these things, do you think that there should be some sort of punishment or financial liability placed on them if they are supplying software or websites which they know are vulnerable?

James Brokenshire: This whole point of information assurance and of companies taking these issues seriously is a valid one. I made the point earlier about how we are able to take this from something that is viewed as being for computer experts to something that non-executive directors of companies are considering as very serious to their risk issues – issues of vulnerability and reputational issues – in relation to their businesses. There is legislation under the Data Protection Act to inform the Information Commissioner about data breaches and the rules and requirements that operate there. This is something that we need to look at closely to ensure that we have good information about what is happening out there. If problems are emerging, it is something that I keep under consideration – whether regulation or some further step may be required – to ensure that that is being followed through and that we are able to get the information that law enforcement and indeed others would want to have to recognise threat and risk, or to make a prosecution, but equally to ensure the public are best advised about the risks that they may face if their data have been lost or mishandled in some way.

Q81 Stephen Mosley: The Government are probably one of the largest purchasers of software and IT services in the country. Do you use your own purchasing power to improve the quality of software that is out there?

James Brokenshire: We are doing that: the question is whether we can do more in the way in which we design services and, when we have new systems coming online, ensuring that security is very heavily rooted within that. That is something that Francis Maude takes the lead on in terms of procurement of IT services from across Government. Obviously, he heads up on cyber-security across Government as well. Therefore, when the Government buy services, software and systems, the safety and security of how we do that is a key element of the work that is ongoing. Do we need to do more? Yes, I think we do.

Q82 Stephen Mosley: Bringing all three strands together, if there was a company out there that you believed was not reporting things to the police, would you use your purchasing power to say, "No, we are not doing business with you"?

James Brokenshire: At the moment, it is getting the information so that it is clear in that way. I think what you are getting at is whether there are companies that perhaps have back doors or trap doors or something like that in the services that they are providing and what should happen. I would say that those companies would be running a significant reputational risk in the services that they provide in any event, and there are obviously liability issues that may reside around that and whether they are open to being sued for any errors in their software or their code that may be known and that they have not acted upon. There are a number of different ways to put pressure on those companies to up their game, although I am not aware that this is a significant issue in practice, from what I discern. Clearly, it is something that we will be keeping a close eye on.

Q83 Graham Stringer: The general perception is that the evil little geniuses who produce the malware, viruses and worms and things always get away with it. Do you think that that is a fair perception?

James Brokenshire: If what we are saying is that more people should be arrested and prosecuted, I agree with you – more people should be arrested and prosecuted, which is why we are investing in law enforcement and its capability as we are. This is something that crosses international boundaries, hence the reason for having that international link and, in many ways, for having the London conference that the Foreign Office organised a couple of weeks back.

I would also say yes, some of this is about organised criminals and those hackers who perhaps have been designing software as well, but it is also about the absurdity of the online, illegal supermarkets effectively offering software for sale to criminals, who may not be sophisticated. Therefore, when I talk about online or cyber-crime being a facilitator, that is one part that I focus on equally – how we are best able to disrupt, take down and bring those responsible to justice – because it is not always at that level of sophistication. People may be criminals without that technical expertise – they simply buy in illegal, black-market software to commit their crimes. There are a number of different levels of activity here. Some of the crime may not be considered and recorded as, for example, an offence under the Computer Misuse Act, but in fact be a traditional crime using a more sophisticated technique.

Q84 Graham Stringer: One of the police officers before was saying that they are focused on getting the Mr and Mrs Bigs and the gangs behind that. They tend to ignore the small-time criminal who uses software that he does not really understand and go for the bigger people. I inferred from what they said that they also could not get at the people who create the malware. I think you were agreeing with that point in what you said.

James Brokenshire: I certainly do not write off the criminals who are committing some of the crimes at the other end. You have the specialist capability that very much looks at the high-end work – the specialist technical work – but I want the strategic policing requirement and the establishment of the new cyber-crime unit, which is meant to better impart information and knowledge, to leverage and harness the response of police forces to crimes that are committed using technology. We need to ensure that we are doing both by mainstreaming our response to old crimes committed in a new way and by also looking at the more sophisticated end of the market.

Q85 Graham Stringer: Finally, is the legislative framework, or the legislation, that the police are working with at the moment sufficient? Does it need updating?

James Brokenshire: The Computer Misuse Act provides for offences relating to the creation of malicious software and to seeking to interrupt, disrupt or intervene in a computer system. We continue to keep the legislative framework under review. We are looking at how best the law enforcement agencies are able to operate. Clearly if there are gaps and if issues are arising – it was interesting, obviously, to hear the contributions in the preceding session – we will act on that as part of the work we are doing. Looking at the legislation and ensuring that it is fit for purpose is one of the key strands that we are undertaking. Equally, as so much of this crime is old-world crime, if I may describe it as that, we recognise the need to ensure that there is an understanding that many of the offences and much of the legislation is technology neutral and, therefore, it should not be seen that, because it is in a new environment, there is automatically some impediment to charges being brought and prosecutions being made.

Q86 Chair: You will know that, from the prosecutions that were discussed earlier, many seemingly small crimes, as you put it, are actually conducted by people who have tentacles in very serious, high-level crime. This is a continuum with no hierarchical breaks – low-level petty thief up to high-level bank robber. This is a continuum and it needs to be managed in that way, doesn’t it?

James Brokenshire: The individual victim of the crime certainly does not regard it as a small crime.

Q87 Chair: More than that, the criminals themselves travel up and down the spectrum. You do understand that?

James Brokenshire: I understand the point you are making. That is why I made the point about it not being a small crime. Any crime, if you are a victim of it, is appalling. If you are sitting in the safety of your own home and it happens to you, it is not acceptable.

Q88 Chair: Let’s put it this way: it may just be a light-hearted point that the HMRC scam got through the House of Commons firewall this week, but, actually, behind that seemingly trivial crime there are serious, high-level players. Do you accept that?

James Brokenshire: There are victims here, first of all. I will labour the point because I think it is about understanding the real-life impact. I agree that there are organised criminal groups acting in this arena. That is why the National Crime Agency is configured in the way it is; it is looking very much at organised crime, financially motivated crime and border-related issues, as well as at the Child Exploitation and Online Protection Centre, with the cyber-crime unit being a capability that is available to those different strands. I think that is really important in the way this is configured, so that the very spectrum you identify is properly understood, and the intelligence hub that will be at the heart of the National Crime Agency will be able to interpret and understand that. Therefore, it is a coalescence of lots of crimes that in quantum terms may appear in isolation to be at a lower level in monetary terms – even though it will have a big impact on the individual, in isolation it does not involve millions of pounds. When you coalesce all of that together and gain that intelligence, you get a much clearer picture of the overall criminality being perpetrated, and about how it may well be organised or be international. We must therefore ensure that we gain that picture, so that the response is that much more effective.

Q89 Chair: A simple point. I am sure you will accept that e-commerce is increasingly critical to the UK economy. You heard evidence in the previous session about the relationship between the police and Nominet. Do you believe that we can do more to create a secure .uk domain, or do you think that that relationship is as good as it can be?

James Brokenshire: Our experience of the .uk domain is that it delivers a safe and secure domain. I think Nominet takes issues of cyber-security very seriously, and we are not aware of any particular problems concerning the .uk domain name being a significant problem in that sense. I know that where problems come up, Nominet treats them very seriously. We do not currently see the need for further regulations at this point in time, but obviously we will continue to keep the issue under review.

Q90 Chair: A few quick questions to finish. Ofcom investigates ISPs only when there have been repeat reports of bad behaviour. Are you satisfied with that, or do you think that the regulation covering ISPs should be strengthened?

James Brokenshire: At this stage we are not proposing to change the legislation or regulation. We prefer perhaps to build relationships with the ISPs to improve performance, and deal with the issue in that way. Obviously, we will keep the matter continually under review, but at this stage we are not proposing to change the regulation in that sphere.

Q91 Chair: In its evidence, PhonepayPlus told us that under its regulation, the UK enjoys the most "stable and sustained" premium-rate services in the world. Have you considered using it as a template for the regulation of e-commerce inside the UK?

James Brokenshire: It is not something that I am aware we are considering, Mr Chairman, but I am very happy to look at the evidence that was provided to the Committee and to see whether there is anything that might be considered.

Q92 Chair: Finally, I am sure that like everyone else in this room you have got a PC at home. Are you one of the 28% or not?

James Brokenshire: No, I do have software security on my home PC. I suppose it is about ensuring that we are all playing our part in that way. As I say, when I look at my role on UKCCIS – the UK Council for Child Internet Safety – it is about how we ensure that parents such as myself understand how all the filtering and the steps that we might want to take on our home computers are adopted appropriately, so that we are protecting ourselves as well as looking after our kids.

Chair: Thank you, Minister.

James Brokenshire: Thank you, Mr Chairman.

Prepared 16th November 2011