The Claim: Security Minister Ben Wallace told BBC Radio 4’s Today programme: “There is some good news which never gets reported – nine out of 10 of the latest, most serious cyber-crime attacks have resulted in arrest or charges.”
Reality Check verdict: The relevant figure is slightly less positive than the one Mr Wallace cited on air. Between October 2016 and May 2017, the National Crime Agency (NCA) and regional organised crime units identified suspects in nine, and made arrests in seven, of the 10 most serious cyber-incidents under investigation. No-one has been charged.
We all know a burglary when we see one. Smashed window. TV gone.
But large numbers of people – and entire organisations – don’t necessarily realise when they’ve been a target or victim of a digital smash-and-grab.
That’s the public awareness challenge that makes combating the growth of this 21st Century crime so difficult.
Put simply, cyber-crimes and attacks fall into three broad categories:
- Personal crimes – such as a fraud committed through a bogus online shop or auction – but also bank card cloning and other identity-related scams in which your personal details are taken, sold in online marketplaces and used, ultimately, to steal money.
- Attacks against organisations – such as this year’s huge WannaCry attack which caused major disruption within the NHS. The criminals demanded payment in an untraceable online currency before they would hand back control of computers.
- Attacks possibly organised by a state against another state’s institutions or infrastructure. The alleged involvement of Russian agents in the US presidential election would be an example of this kind of cyber-attack, if proven to be true.
Starting at the bottom and working up, a few years ago the Metropolitan Police estimated that the annual number of online fraud offences nationwide would overtake all types of burglary by, at the latest, autumn 2017.
That already looks spot on. In the year to June 2017, the police recorded just over 423,000 burglaries across England and Wales.
The Office for National Statistics says there were 653,000 frauds – and all experts in this field think there are many more unreported incidents.
Separate experimental data from the Crime Survey for England and Wales, a rolling survey of our experiences, estimates there were 3.3 million frauds in the year to June – and more than half of those were “cyber-related”.
On top of all that, there were an additional 1.6 million incidents of “computer misuse”, generally meaning hacking or virus attacks.
If a hacker steals your personal data, that can be used by organised crime gangs to create fake bank cards in your name. Viruses can be used to hold machines to ransom or, without your even knowing about it, turn your PC into a “zombie” that becomes part of a global attack on a major institution.
And that’s where many of these individual crimes fit into a bigger picture.
Since it was set up in October 2016, the National Cyber Security Centre (NCSC) has dealt with 590 “significant” incidents. The most well-known of these was the WannaCry attack, which prompted the Home Secretary to hold the first ever Cobra meeting (a government emergency response committee) dedicated to a cyber-attack.
So what about the response?
The Home Office says cyber-crime is a national priority and the NCA plays the lead role in pursuing suspects and building the intelligence picture. It runs some investigations itself and assists others being led by detectives inside the country’s regional organised crime units.
But individual police forces are also under sustained pressure to up their game.
While some have well-developed units, such as the Metropolitan Police’s “Operation Falcon”, others are struggling to recruit because they need detectives with highly specialist skills.
One of the major problems is working out who is supposed to be investigating a particular incident because the crime gang behind an attack could be anywhere in the world.
It’s very difficult to count how many cyber-related criminals have been successfully prosecuted. Many suspects will be charged with fraud or theft offences but there’s no breakdown of how many of those were related to online swindles. Only 55 people were convicted of computer misuse offences relating to hacking last year.
During his interview Mr Wallace was referring to the NCA’s list of the most serious cyber-incidents between October 2016 and May 2017. These are categorised by assessing the following factors:
- Threat and risk
- Public impact
- Financial harm
- Nature of the incident
Mr Wallace claimed: “We are getting there.” Are we?
The government believes it is, arguing that the NCSC is a world-beating body, backed up by expert investigators in the National Crime Agency, MI5 and GCHQ.
But Parliament’s Public Accounts Committee said in February that a skills shortage and “chaotic” handling of personal data breaches were undermining confidence in the government’s ability to protect the UK from cyber-attacks.
The MPs said ministers had taken too long to consolidate an “alphabet soup” of agencies – although some experts said the report was unfair and failed to take into account the resources now being thrown at this very modern threat.