Asset Management (392A/23)
Request
1a. How do you manage the maintenance, servicing, and location of your assets? If you have a software solution, what is this called? If you use multiple systems for different assets, please list the system and its use.
1b. How much does this software cost?
1c. When does the contract expire?
1d. Who is responsible for the procurement of this system?
1e. What are your plans to improve the way you manage your assets?
2a. How do you manage the upkeep and issuing of PPE and clothing? If you have a software solution, what is this called?
2b. How much does this software cost?
2c. When does the contract expire?
2d. Who is responsible for the procurement of this system?
Response
I can confirm that this information is held by West Midlands. However, while the majority of this information is attached (392A_23_attachment.pdf), we are withholding part of the information for question 1, by virtue of the following exemption:
Section 31(1)(a)(b) – Law enforcement
This exemption and explanatory notes are shown here:
In line with the above, I am required to evidence the prejudice (harm) and complete a public interest test (PIT) on disclosure. Please find this as follows:
Harm
Cyber criminality is on the increase and as well as attacks on individuals, attacks are also targeted to disrupt critical national infrastructure organisations. An example is the WannaCry ransomware attack in 2017, where lives were put at risk and services damaged when the NHS and many other organisations worldwide were affected.
Between September 2021 and August 2022, businesses and organisations in the UK reported hundreds of cyber incidents to the National Cyber Security Centre, 63 of which were significant enough to require a national level response. The incidents included a range of malicious cyber activity such as ransomware, reconnaissance, malware and network intrusions, data exfiltration and disruption of services and systems.
The points above therefore highlight that no organisation is immune to attacks on its systems and infrastructure, and to release details of the IT equipment, software, or services could pose a threat from hostile actors, who could use this knowledge to their advantage in an attempt to infiltrate one of our suppliers or exploit vulnerabilities in our products and use them to gain access to West Midlands Police systems.
The police service is charged with enforcing the law and protecting the public, and a successful attack that affected its systems could severely reduce its ability to carry out its core role of law enforcement and put individuals at risk of harm.
Public Interest Test
Section 31 – Factors favouring disclosure:
Disclosure of the requested information would lead to a better-informed public as to the software and services used by West Midlands Police. This could reassure the public that the IT solutions we utilise are up to date, secure and robust.
Section 31 – Factors against disclosure:
Disclosing information about the software and applications we use would provide individuals or groups intent on criminal activity, with knowledge that they may use to attempt to cause disruption to our services and reduce the policing capability of the force.
Knowing the very real threat that exists regarding attacks of this kind, releasing information that might assist an offender would show that West Midlands Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively, and inappropriately.
Balancing Test
For a public interest test, factors that favour disclosure need to be measured against factors against disclosure. It is important to note though that ‘public interest’ in this context is not what interests the public, or a particular individual, but what will be the greater good, if released to the community as a whole.
I acknowledge the importance of police forces being open and transparent, and in this case, this will help to further public knowledge in the software and services we utilise. However, this needs to be balanced against the potential impact release could have on our ability to effectively carry out our law enforcement role.
The police service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. Providing information that would allow criminals to disrupt the force’s systems and weaken our ability to carry out these roles, cannot be in the public interest.
Therefore, it is my opinion that the factors for disclosure are outweighed by the factors against. West Midlands Police will never knowingly release information that would, or would be likely to, prejudice the prevention or detection of crime and the apprehension or prosecution of offenders.