Cisco is partnering with UK police forces to help train 120,000 officers in cyber security. The training will be delivered by the Cisco Networking Academy. It is all part of a deal to help officers expand their knowledge of what cyber security is and help them deal with the challenges it brings.
While this is positive news on one hand it does raise questions as to what it really means for police officers, the public and companies. Over the last 20 years police forces across the UK have funded numerous programmes to train officers in cyber security. This has ranged from creating cyber units in each force to centralizing expertise and creating cyber units.
The results have been less than impressive. Try reporting a cyber fraud to your local police force and it can be frustrating. The lack of skills and knowledge means they direct victims to banks and credit card companies rather than deal with it themselves. It can be difficult if not impossible to get a crime number which means that many insurers won’t engage in helping the victim.
This is all about education. Cyber and physical laws differ and there can be no obvious link between an offence on the Internet and the laws that police officers understand. There is often no evidence that an officer can sieze in order to deal with a crime. In addition crimes can be committed from overseas making any chance of a conviction unlikely.
With police forces are ranked by their clean-up rate, Chief Constables are unlikely to want an increase in unsolvable crimes. As with schools, hospitals and other institutions, this ends up being all about rankings. A low clearance rate makes a police force look bad and Chief Constables do not want that.
Compounding the problem is that even when the police have a suspect, they struggle to get the prosecutors to do anything. The Crown Prosecution Service has an unenviably rubbish record when it comes to prosecuting and securing convictions for cyber offenses.
Will this training change this?
Possibly. Unless officers have an understanding of what cyber crime is then they cannot begin to help the victim. If this programme delivers better support for victims and starts the process of investigation, it will have achieved some measure of success.
A better measure of success would be helping the police understand how to preserve the evidence of a cyber-crime. Unlike traditional crime, cyber crimes often leave little to no forensics at the scene. It requires a different approach to preserve the evidence. This problem is why the NCA sponsored a round of the Cyber Security Challenge Face to Face (F2F) competition that focused on the forensics.
Andy Beet, National Police Chiefs’ Council, Data Communications Group – Futures Lead said: “We are very pleased to be working with Cisco Networking Academy. By joining the programme, forces can access training designed to raise awareness and increase their understanding of cybercrime and cyber threats, while also gaining insights into the procedures used to defend networks.
“It’s important for all police officers to understand cybersecurity as fully as possible; by doing so they can develop their knowledge in this increasingly important area, improving security in both their professional and personal lives.”
Funding and time
What is not known at this time is how much it will cost and who will fund it. Most police forces are financially stretched to the limit. Many have cut back on equipment programmes and personnel due to the lack of funds. Chief Constables will want to see the Home Office pay for this. It, in turn, will inevitably look to push the costs downstream. This raises serious questions over the longevity and success of the programme.
There is also the question of time. Police forces are overstretched. They have been dealing with so many major incidents and events in the last two years that they owe officers significant amounts in terms of time off or overtime. With nobody to fill the gaps, the former means officers are not getting downtime and the latter option is beyond the budgets of local forces.
Time off to get trained will also reduce the number of officers on the ground. Some staff at Enterprise Times have experience of running training courses for police forces. Many fail to complete all the training and it has to be reduced to the minimum as a result. This means that the effective delivery of training will be a measure that has to be keenly watched.
What does the Cyber Security industry think?
Surprisingly, there has been limited comment from industry figures. Those that have spoken out have been cautiously supportive of the programme. A more positive note was struck by Stephen Burke, founder & CEO at Cyber Risk Aware.
Burke said: “This is a great move from the police force by making security awareness a priority. This emphasises the fact that any institution, no matter how big they are and no matter how sophisticated their technical defence are, still need to help staff and make them become aware of the cyber dangers they face as that’s how actors are going to breach defences.
“Cyber criminals target people not systems and only by thinking like your adversary can you defend against their methods. It goes without saying that technical defences are necessary requirements, but this coupled with people becoming more cyber aware, is a defence that can work effectively against cybercrime.
“By having a cyber risk aware police force, they can better assist the public around responding to a cyber incident or running community courses before an incident occurs.”
Enterprise Times: What does this mean
At face value it all sounds fabulous. Police officers getting new skills, closing the knowledge gap and victims finally able to get support when they suffer a cyber incident. The reality is different. There is no detail on who will pay, what level of training officers will get, how long it will take to train them and how local police forces will schedule the training. For it to be truly effective, Chief Constables will need to allow officers to actually investigate the crime.
This training is also only about police officers. There is no training programme to educate prosecutors or police forensic teams in how to deal with a crime. This means that any success will be limited until there is sufficient knowledge throughout the entire crime reporting and prosecuting chain.
Victims groups will want to see evidence that this programme can deliver benefits to those affected. That will take time.