Mobile Devices and Cyber Attacks (1455_17)
1) How many officers do you have within your constabulary across full time, part time and volunteers
2) How many devices are connected to central data services from outside of official government buildings? These would use Wifi/Home Broadband/LTE networks for example.
3) What is the breakdown of these devices (Laptops/Smartphones/Tablets etc)
4) How many recorded cyber attacks have you had 2015 and 2016
5) How much cost has been recorded against cyber defence (Prevention, Detection and Response) in the 2015 and then 2016
6) How many of these devices use only SSL (or derivative) security to encrypt data in motion to cloud and other data sources
We can confirm that some relevant information is held by West Midlands Police. However, while the majority of the information is attached to this email I am afraid that I am not required by statute to release all of the information requested. Please find attached. This letter serves as a Refusal Notice under Section 17 of the Freedom of Information Act 2000 (the Act) for the information relating to question 4 that has not been released.
REASONS FOR DECISION
West Midlands Police can neither confirm nor deny that information is held relevant to question 4 as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:
Section 23(5) Information supplied by or concerning certain Security Bodies
Section 24(2) National Security
Section 31(3) Law Enforcement
Section 23 is a class based absolute exemption and there is nor requirement to evidence the harm or articulate public interest considerations to the applicant.
With Sections 24 and 31 being prejudice based qualified exemptions there is a requirement to articulate the harm that would be caused in confirming or not whether information is held as well as considering the public interest.
Harm in Confirming or Denying that Information is held
To confirm or deny whether ‘hacking’ of a computer system has taken place would identify vulnerable computer systems and provide actual knowledge, or not, that these incidents have taken place.
In order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve ‘hacking’ into secure databases.
In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime.
To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.
Public Interest Considerations
Section 24(2) National Security
Factors favour complying with Section 1(1)(a) confirming that information is held
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm where information security breaches have occurred would enable the general public to hold WMP to account ensuring all such breaches are recorded and investigated appropriately. In the current financial climate of cuts and with the call for transparency of public spending this would enable improved public debate.
Factors against complying with Section 1(1)(a) confirming or denying that any other information is held
Security measures are put in place to protect the community that we serve. As evidenced within the harm to confirm where specific breaches have occurred would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within West Midlands Police .
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
The cumulative affect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would by default affect National Security.
Section 31 – Law Enforcement
Factors favouring complying with Section 1(1)(a) confirming that information is held
Confirmation that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security breaches.
Factors against complying with Section 1(1)(a) neither confirming nor denying that information is held
Confirmation or denial that information is held in this case would suggest West Midlands Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.
The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity.
Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.
In order to comply with statutory requirements and to meet NPCC expectation of the Police Service with regard to the management of information security a national policy approved by the College of Policing titled National Policing Community Security Policy has been put in place. This policy has been constructed to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations. A copy of this can be found at the below link:
In addition anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service.
Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.