Big business fears e-crime communication breakdown
An industry body that represents large corporations has criticised Britain's Serious Organised Crime Agency (SOCA) for its lack of openness in working with UK companies to tackle e-crime.
The Corporate IT Forum (known as tif), which encourages IT knowledge sharing between large businesses, criticised SOCA, known as the "British FBI", for lack of communication. tif said it was concerned that large UK businesses are not getting guidance on combating cybercrime and online fraud.
According to tif, little open information exchange about combating internet fraud has occurred between corporate IT security experts and SOCA since the crime agency was launched.
Prior to SOCA's formation 10 months ago, serious e-crime was investigated by the National Hi-Tech Crime Unit (NHTCU). The NHTCU was then amalgamated into SOCA. The chief executive of tif, David Roberts, praised the NHTCU's previous efforts at encouraging information exchange, and said that the industry was finding it difficult to communicate with SOCA.
"We had a splendid long relationship with the NHTCU, but they don't appear to be re-emerging in SOCA," Roberts told ZDNet UK. "A lot of the difficulty with SOCA is the period of silence [since its formation], which is such a stark contrast to the NHTCU, who were really visible and proactive. It's the contrast that's worrying," said Roberts.
SOCA's online presence is indicative of its current lack of open communication with business, Roberts claimed. "Even SOCA's current website is not terribly helpful — it doesn't talk about who to speak to or who to approach about [cybercrime and information exchange]," said Roberts.
According to sources at Westminster, SOCA's atmosphere of secrecy is due to changes in the make-up of the organisation. Senior police officers from the NHTCU have been replaced by members of the intelligence community, according to the source.
"Apparently now SOCA is mostly spooks," said one senior politician, speaking anonymously.
However, SOCA denied that it was a shadowy organisation, instead saying that it deliberately kept a low profile so criminals would not become aware of its methods and take countermeasures. The crime agency added that most businesses would not want to publicly divulge that they had talked to SOCA because of possible damage to reputation.
"SOCA does liaise with industry and business to impart information about threats and concerns," said a SOCA spokesperson. "Most businesses don't want to make it public knowledge that we've been talking to them [about security], as it is sensitive information that can affect their stock price. Issues with banking institutions are always off the radar."
Roberts doesn't dispute the need for discretion about who the information was shared with. He insists, though, that more communication between the corporate security community and the police is needed.
"The NHTCU went through a phase when it wasn't sure how it wanted to engage with large corporates," said Roberts. "The whole relationship needed to be built on trust — corporates don't want anyone to find out about security breaches, because of their reputation, and the police can't tell you anything because the bad guys might find out their methods. The NHTCU succeeded in breaking down those barriers — if that's been lost it's very sad."
SOCA said that it had made some efforts to communicate, by approaching various sectors of industry to make them aware of the information contained in its threat-assessment document, which describes and assesses the threats posed to the UK by serious organised criminals.
However, SOCA said it had no specific plans for an outreach programme to businesses. "It's not an immediate intention as we're only 10 months old, and we've been set up as a low-profile organisation," said the SOCA spokesperson. "Primarily our concerns are about combating organised crime rather than [being] public facing."
However, SOCA said that it had "worked hard to develop relationships with industry," and said that it was "improving relationships with the private sector which will lead to new strands of working, including joint educational programmes". SOCA would not specify a timescale for when the educational programmes would be developed, or what the "new strands of working" would be.
Big business is also concerned that there is a lack of clarity about reporting e-crime — specifically who to report cybercrime to. According to tif, corporate IT security professionals remain unsure whether SOCA has responsibility for investigating e-crimes committed by an individual rather than an organised criminal gang.
However, SOCA responded that it is not a point of reporting, and that all reports of e-crime should be done through local police, as it only gets involved in level 3 (serious) crimes once they are escalated by the police. SOCA also said that crime could be defined as both serious and organised, even if perpetrated by only one individual.
"It's the actual level of criminal activity which would determine whether the crime falls within SOCA's remit," said the SOCA spokesperson. As organised crime often involves several types of criminal activity — for example, drugs trafficking could involve smuggling, money laundering and high-tech crime — SOCA investigates the whole web as opposed to one strand.
"We're not the only people involved in investigating crime," said the spokesperson. "Different sections could be looked at by different police forces. Our concern is more where the whole thing comes together."