E-crime policing - genuine response or token gesture?

Mike Barwise

Yet another announcement – this time at the Infosecurity Europe expo in London – of the imminent launch of a Police Central E-crime Unit (PCEU) "subject to funding" gives me a distinct sense of deja vu.

In 2001 the National Hi-Tech Crime Unit (NHCTU) was founded with a £25m cash injection to close significant gaps in police investigative capability at all levels. It had an annual budget of around £9m and important liaison functions, both with industry and with over 40 regional police Hi-Tech Crime Units. In its first year alone it handled 10 cases leading to 30 arrests.

However, by 2003 doubts about resourcing were already evident, despite the 40-50 staff managing typically 20 cases per year. In 2004 Nick Ray, chief executive of software security firm Prevx told a House of Commons hearing: "The problem is not with the law; it is with resources to catch the criminals and prosecute them...". But despite this state of affairs, by the end of 2005, the NHCTU had conducted over 70 operations leading to 172 arrests – a pretty good success story, which is presumably why it was dismantled in 2006, by being subsumed into the Serious and Organised Crime Agency (SOCA), a multi-remit behemoth modelled on the FBI, formed by the amalgamation of several disparate agencies.

Only a tiny fraction of the £400m annual budget of SOCA would directly support the functions of the old NHTCU. In particular, the centrally funded support of regional HTCUs was dropped, resulting in reduced availability of technical expertise to front line officers dealing with e-crime. Indeed the 4,300 strong bureacracy that SOCA became was by early 2007 coming under fire on performance issues. In two years it managed nine investigations leading to 15 convictions, although some of these were continuations of NHCTU cases. Then, in November 2006, the PCEU was suddenly mooted with a surprisingly similar remit to the lately dismantled NHCTU. Now, almost 18 months later, it is due to launch if it can find its initial funding of £5.3m – just over a fifth of the startup funding provided to the NHTCU seven years ago. The new unit is also expected to run on half the annual budget of the NHCTU. How it will mesh administratively with SOCA still remains unclear, but the complexity of the latter ensures a strong bureaucracy with lots of red tape.

So, does the UK government really take e-crime seriously? Let's do some quick comparisons. The sexy field right now is of course terrorism. However, the actual likelihood of an ordinary member of the public getting caught in a terrorist attack is infinitesimal. There have been less than 100 terrorism-related deaths in the UK since 2001, including a couple of terrorists and one innocent victim of mistaken identity. Furthermore, we have lived with terrorism in the background year in year out, ever since the Salford Barracks bomb of 14 January 1881 claimed two victims, leading to the creation of the Metropolitan Police Special Branch. So terrorism is nasty, but not a high statistical risk. Nevertheless the terrorism policing budget runs to hundreds of millions a year. UK road deaths average 3000 per year, yet their minimisation devolves largely on county councils with increasingly tight budgets. The government admits that 100,000 people fall victim to identity theft alone every year, but the annual budget for policing this and all other aspects of e-crime seems to be a mere £4.5m. The only conclusion I can come to is that the current e-crime strategy is largely politically motivated window dressing. That's a pity, as numerous highly skilled and dedicated officers in the NHTCU showed a real difference could be made if adequate resources were available.