Telephony & Storage (262A/23)
Request
1. Telephony and UC/ Collaboration
a. Please confirm the manufacturer of your telephony system(s) that are currently in place.
b. When is your contract renewal date?
c. Who maintains your telephony system(s)?
d. Do you use Unified Communications or Collaboration tools?
e. If so which ones?
2. Microsoft
a. What Microsoft 365 licence do you have across the business e.g. E3, E5.
b. Which partner looks after your Microsoft tenant?
c. Where do you host your applications? Do you have on-premise infrastructure or do you host your applications in public or private cloud? Which?
3. Storage
a. Does your organisation use on-premise or cloud storage or both?
b. Please confirm the on-premise hardware manufacturer.
c. Please confirm your cloud storage provider.
d. What is your annual spend on cloud storage?
e. How do you back up your data and with who e.g. Backup as a Service?
Response
I can confirm that this information is held by West Midlands. However, while some of this information is attached (262A_23_attachment.pdf), we are withholding part of the information by virtue of the following exemption:
Section 31(1)(a)(b) – Law enforcement
This exemption and explanatory notes are shown here:
In line with the above, I am required to evidence the prejudice (harm) and complete a public interest test (PIT) on disclosure. Please find this as follows:
Harm
Cyber criminality is on the increase and as well as attacks on individuals, attacks are also targeted to disrupt critical national infrastructure organisations. An example is the WannaCry ransomware attack in 2017, where lives were put at risk and services damaged when the NHS and many other organisations worldwide were affected.
Between September 2021 and August 2022, businesses and organisations in the UK reported hundreds of cyber incidents to the National Cyber Security Centre, 63 of which were significant enough to require a national level response. The incidents included a range of malicious cyber activity such as ransomware, reconnaissance, malware and network intrusions, data exfiltration and disruption of services and systems.
The points above therefore highlight that no organisation is immune to attacks on its systems and infrastructure, and to release details of the IT equipment, software, or services could pose a threat from hostile actors, who could use this knowledge to their advantage in an attempt to infiltrate one of our suppliers or exploit vulnerabilities in our products and use them to gain access to West Midlands Police systems.
The police service is charged with enforcing the law and protecting the public, and a successful attack that affected its systems could severely reduce its ability to carry out its core role of law enforcement and put individuals at risk of harm.
Public Interest Test
Section 31 – Factors favouring disclosure:
Disclosure of the requested information would lead to a better-informed public as to the software and services used by West Midlands Police. This could reassure the public that the IT solutions we utilise are up to date, secure and robust.
Section 31 – Factors against disclosure:
Disclosing information about the software and applications we use would provide individuals or groups intent on criminal activity, with knowledge that they may use to attempt to cause disruption to our services and reduce the policing capability of the force.
Knowing the very real threat that exists regarding attacks of this kind, releasing information that might assist an offender would show that West Midlands Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively, and inappropriately.
Balancing Test
For a public interest test, factors that favour disclosure need to be measured against factors against disclosure. It is important to note though that ‘public interest’ in this context is not what interests the public, or a particular individual, but what will be the greater good, if released to the community as a whole.
I acknowledge the importance of police forces being open transparent, and in this case, this will help to further public knowledge in the software and services we utilise. However, this needs to be balanced against the potential impact release could have on our ability to effectively carry out our law enforcement role.
The police service is charged with enforcing the law, preventing and detecting crime
and protecting the communities we serve. Providing information that would allow criminals to disrupt the force’s systems and weaken our ability to carry out these roles, cannot be in the public interest.
Therefore, it is my opinion that the factors for disclosure are outweighed by the factors against. West Midlands Police will never knowingly release information that would, or would be likely to, prejudice the prevention or detection of crime and the apprehension or prosecution of offenders.