Network Security (1296/18)

Request

  1. Does your organisation adhere to the Network Security guidance outlined by the National Cyber Security Centre, within its ’10 Steps to Cyber Security’?
    • Yes
    • No
  1. Do you ensure that security patches for critical vulnerabilities are routinely patched within 14 days, as recommended by the National Cyber Security Centre?
    • Yes
    • No
  2. Have you suffered from any service outages on your network in the last two years, however small?
    • Yes
    • No
  1. Did any of these outages cause a loss, reduction or impairment to your organisation’s delivery of essential services?
    • Yes
    • No

 

  1. Was the root cause of the service outage identified and confirmed – at the time or afterwards?
    • Yes
    • No
  1. Is it possible that any service outages you have suffered in the last two years was caused by a cyber attack – such as ransomware, DDoS attack, or malware?
    • Yes
    • No
  1. Are you aware that Distributed Denial of Service (DDoS) attacks are a significant contribution to service interruptions, outages and downtime?
    • Yes
    • No

Response

Questions 6 and 7 are not valid questions the wording – “is it possible” and “are you aware” is asking for opinion and does not relate to recorded information. Please note that even if the question were re-worded, they would be highly likely to attract the exemptions outlined below.

West Midlands Police will neither confirm nor deny that information is held relevant to your request for questions 1-5, as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:

REASONS FOR DECISION

The Freedom of Information Act places two responsibilities on public authorities, the first of which is to confirm what information it holds and secondly to then disclose that information, unless exemptions apply.

In this case West Midlands Police will neither confirm nor deny the existence of any relevant data by virtue of:

Section 23(5) – Information Supplied by, or Relating to, Bodies Dealing with Security Matters

Section 24(2) – National Security

Section 30(3) – Investigations and Proceedings Conducted by Public Authorities

Section 31(3) – Law Enforcement

These exemptions and explanatory notes are shown here:

https://www.app.college.police.uk/app-content/information-management/freedom-of-information/#freedom-of-information-exemptions

Section 23 is a class based absolute exemption and there is no requirement to consider the public interest.

Section 30 is a class based qualified exemption which requires the public interest in the appropriateness of neither confirming nor denying information is held to be considered.

Sections 24 and 31 are prejudice based qualified exemptions, thereby both evidence of harm and public interest considerations need to be articulated.

Harm in Confirming or Denying that Information is held

Policing is an information-led activity, and information assurance (which includes information security) is fundamental to how the Police Service manages the challenges faced. In order to comply with statutory requirements the College of Policing Authorised Professional Practice for Information Assurance, has been put in place to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations, see below link:

https://www.app.college.police.uk/app-content/information-management/

In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the UK to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime.

To confirm or deny whether West Midlands Police has completed all of the ‘10 steps to cyber security’ or suffered any DDoS attacks or any other forms of cyber-attacks, would identify vulnerable computer systems and provide actual knowledge, or not, that these incidents have taken place within individual force areas. This would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.

Public Interest Considerations

Section 24(2) National Security

Factors favour complying with Section 1(1)(a) confirming that information is held

The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm whether or not the ‘10 steps’ have been completed or if any cyber-attacks have occurred, would enable the general public to hold West Midlands Police to account ensuring we are properly protected and all such breaches are recorded and investigated appropriately. In the current financial climate of cuts and with the call for transparency of public spending this would enable improved public debate.

 Factors against complying with Section 1(1)(a) neither confirming or denying that information is held

Security measures are put in place to protect the community we serve. As evidenced within the harm, confirming or denying the requested information, would highlight to terrorists and individuals intent on carrying out criminal activity if there are vulnerabilities within West Midlands Police.

Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.

Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.

The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.

Any incident that results from such a disclosure would, by default, affect National Security.

Section 30(3) Investigations

Factors favouring complying with Section 1(1)(a) confirming that information is held

Confirming or denying whether information exists relevant to this request would lead to a better informed general public by identifying that West Midlands Police are adequately protected and robustly investigate cyber-attacks. This fact alone may encourage individuals to provide intelligence in order to assist with investigations and would also promote public trust in providing transparency and demonstrating openness and accountability into where the police are currently focusing their investigations.

The public are also entitled to know how public funds are spent, particularly in the current economic climate.

Factors against complying with Section 1(1)(a) neither confirming or denying that information is held

Modern-day policing is intelligence led and West Midlands Police share information with other law enforcement agencies as part of their investigation process. To confirm or not whether West Midlands Police has alerted other agencies of cyber-attacks could hinder the prevention and detection of crime as well as undermine the partnership approach to investigations and enforcement.

Should offenders take evasive action to avoid detection, police resources may well be diverted from frontline duties and other areas of policing in order to locate and apprehend these individuals. In addition, the safety of individuals and victims would also be compromised.

Section 31(3) Law Enforcement

Factors favouring complying with Section 1(1)(a) confirming that information is held

Confirming that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce these attacks.

Factors against complying with Section 1(1)(a) neither confirming nor denying that information is held

Confirmation or denial that information is held in this case would suggest West Midlands Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.

Balancing Test

The points above highlight the merits of confirming or denying whether the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity.

Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.

In order to comply with statutory requirements and to meet NPCC expectation of the Police Service with regard to the management of information security a national policy approved by the College of Policing titled National Policing Community Security Policy has been put in place. This policy has been constructed to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations. A copy of this can be found at the below link:

http://library.college.police.uk/docs/APP-Community-Security-Policy-2014.pdf

In addition anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is my opinion that for these issues the balance test favours neither confirming nor denying that information is held.

No inference can be taken from this refusal that the information you have requested does or does not exist.

Attachments

No attachments

Bookmark the permalink.

Comments are closed