Cyber Attacks (13444/19)

Request

REQUEST PART 1

Could you please tell me how many incidents of cyber-attacks you have recorded since the beginning of 2017?

Of these can you tell me how many incidents were referred to external sources including the police, the National Crime Agency and the National Cyber Security Centre?

And how many of these incidents were handled internally?

REQUEST PART 2

CHECK is the umbrella term for the National Cyber Security Centre approved penetration test companies and the method in which they conduct a penetration test.

Could you please tell me whether you have had a CHECK test in i) 2016/17, ii) 2017/18 and iii) 2018/19?

Could you also tell me what cyber security do you have aside from CHECK work including the following i) user education ii) other penetration tests iii) internal security team iv) other.

Response

Please find attached our response for request part 1.

However, West Midlands Police will neither confirm nor deny that information is held relevant to request part 2 as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:

Section 24(2) – National Security

Section 31(3) – Law Enforcement

These exemptions and explanatory notes are shown here:

https://www.app.college.police.uk/app-content/information-management/freedom-of-information/#freedom-of-information-exemptions

Sections 24 and 31 are prejudice based, qualified exemptions, thereby both evidence of harm and public interest considerations need to be articulated.

Overall Harm

By confirming or denying that the force holds any information regarding this technique would in itself disclose exempt information. Confirming information is held, by citing a substantive exemption, would confirm penetration testing has taken place, where on the flip side, to say no information is held you are confirming no such testing has taken place.

Although the techniques are in the public domain, it is how, when and whether they might be used, that are the sensitive issues for the police service. If forces were to highlight that they were not involved in penetration testing or highlighted vulnerabilities within a penetration test when it occurred, this information could lead to criminals and terrorists targeting those forces. By providing information of this nature, terrorists and criminals may look to infiltrate those forces with ‘fake’ identification in the hopes to get to sensitive areas and either cause harm or extrapolate sensitive information. Criminals and terrorists would likely assume that these forces are not effectively set up to challenge unknown individuals as they are not tested.

Moreover, during a time when the current threat level from terrorism is classified as ‘severe’ (highlighted by link below) we would not want to provide any information that allows for terrorists to improve their operations.

https://www.mi5.gov.uk/threat-levels

The security of the country is of paramount importance and the police service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As much as there is a public interest in knowing that policing activity is appropriate and balanced in matters of National Security, this will only be overridden in exceptional circumstances.

The public entrust the police service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with any information that is released.

Public Interest Considerations

Section 24(2) National Security

Factors in favour of confirming or denying that information is held

The public are entitled to know how public funds are spent and resources distributed within an area of policing, particularly with regard to how the police effectively keep their computer systems secure from criminals/ terrorists. To confirm whether or not the penetration checks and other cyber security work have been completed, would enable the general public to hold West Midlands Police to account ensuring we are properly protected and breaches are recorded and investigated appropriately. In the current financial climate of cuts and with the call for transparency of public spending this would enable improved public debate.

Factors against confirming or denying that information is held

Security measures are put in place to protect the community we serve. As evidenced within the harm, confirming or denying the requested information, would highlight to terrorists and individuals intent on carrying out criminal activity if there are vulnerabilities within West Midlands Police.

Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.

Irrespective of what information is or isn’t held, the public entrust the police service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.

The cumulative effect of terrorists gathering information from various sources would have an even greater impact when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.

Any incident that results from such a disclosure would, by default, affect National Security.

Section 31(3) Law Enforcement

Factors in favour of confirming or denying that information is held

Confirming that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce these attacks.

Factors against confirming or denying that information is held

Confirmation or denial that information is held in this case would suggest West Midlands Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.

Balancing Test

The points above highlight the merits of confirming or denying whether the requested information exists. The police service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity.

Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.

In order to comply with statutory requirements and to meet NPCC expectation of the police service with regard to the management of information security a national policy approved by the College of Policing titled National Policing Community Security Policy has been put in place. This policy has been constructed to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations. A copy of this can be found at the below link:

http://library.college.police.uk/docs/APP-Community-Security-Policy-2014.pdf

In addition anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the police service. Therefore, at this moment in time, it is my opinion that for these issues the balance test favours neither confirming nor denying that information is held.

No inference can be taken from this refusal that the information you have requested does or does not exist.

Attachments

13444_Attachment

Bookmark the permalink.

Comments are closed