The threat from cyber-attacks is ever present, from the headline grabbing incidents that cripple organisations and result in major reputational damage, to the less well known but equally damaging. NPCC cyber lead, Temporary Commissioner Pete O’Doherty of the City of London Police, tells me about why trust and confidence underpins the police’s role in both preventing and responding to cyber-attacks to keep the public safe.
Speaking at the Police Digital Summit, Pete told the audience,
“Each cyber-attack slows us down and chips away at public confidence.”
I wanted to understand what he meant by that. He explains, “The police is held to a higher level of responsibility because of the nature of what we do. The impact is then higher.” The police process so much public data and adds Pete, the public rightly ask if they can trust the police to look after it.
And yet, looming in the background of our conversation is the data breach by Police Service Northern Ireland that made headlines in August when personal information about over 10,000 officers was accidentally published. That had implications for officer safety that went well beyond reputational damage. We talk about how the police can deal with this ‘first level of defence’ failure that comes from simple human error.
Good training, governance and practices are tools to prevent these incidents from happening, he responds. “We need to test our resilience, to reduce the probability of staff becoming vulnerable to cyber-attacks but we also need to be on the front foot as the threat evolves. What we don’t want is for a crisis to bring it to everyone’s attention.”
Cyber attacks and a chance to learn
Learning from crisis is one way to embed skills and awareness and Pete refers to 2017 WannaCry cyber-attack on the NHS which resulted in cyber resilience becoming a strategic policing requirement. I ask Pete whether six years on from WannaCry, whether cyber is still seen as something that belongs in the IT department.
“I do think that if you spoke to any Chief Constable, none of them would say it’s not a priority of theirs.” He recognises it is complex and that through a police officer’s career there is very little time spent on digital technology. We do rely on IT teams, but it is everyone’s responsibility and that must be based on knowledge of threat and impact.”
If cyber is a business problem, how can forces find the time and oxygen to deal with it among all the other competing priorities? Pete says that,“Cyber is a vehicle for modern warfare,” talking about the ‘hostile state’ and how it is the biggest threat facing police. “The police accept the threat and the need to do more about it. The question is how.” He goes on to describe cyber as an end-to-end problem, saying that the language of the hostile state is not new and there are different ‘threat actors’ with different motivations.
43 ways of doing things
With 43 police forces in England and Wales as well as Police Scotland, PSNI and the British Transport Police, how can a national organisation like the NPCC ensure that forces are consistent in their approach to dealing with cyber threats? “You can’t have a position where each police force has its own approach to cyber security using different systems. It’s expensive and it’s not coordinated. We need to work as a service. It’s the whole premise of defend as one.” Pete is clear that discussion needs to take place at a national level, but admits, “We are slower to implement policy and practice; navigating that can be challenging.”
In addition to this, there is a structure for cyber that sounds cumbersome as it straddles national regional and local. He says not. “I don’t think it’s cumbersome. In terms of reacting to reports of cybercrime, it works well. It does need to be more agile. I have to say the difficulty comes partly from Action Fraud, the national reporting centre for fraud and cybercrime, that effectively pushes cybercrimes to policing to investigate; then you’ve got the national cybercrime unit that pushes investigations down to policing to investigate and that’s where we need to be a bit more coordinated. But I do think in the main the system works effectively.”
Getting ahead of the threat
There is an urgency to the way that Pete speaks, he is filled with the language of pace and agility and the need to get ahead of the threat. When the nature of the threat is changing more quickly than the understanding and knowledge of those expected to respond, I worry that they will never be ahead.
Pete says this is a leadership challenge, but one that’s different from those that have come before. He explains that younger people joining police now have knowledge and skills in the IT space that their leaders may not have.
“We must create a culture where senior decision making is informed by juniors in the organisation who may have more digital awareness than them. It’s a reverse leadership requirement.”
He adds that this may take time to evolve from a transactional to a transformational approach. He explains, “Transactional means being hierarchical but transformational is a culture where people are empowered based upon what you bring to the table – knowledge, ideas and perspective. It’s lateral decision making.”
Impact on public confidence
Sounds difficult but Pete says policing has moved towards this approach and there is still much work to be done. “If a cyber-attack was to happen, I don’t think people understand quite how much impact it can have on public confidence.” He expands on the topic of governance to show the measurements that need to be made for success. He says that it’s true to some extent that where there is more accountability people are more likely to focus on that.
This makes me think about whether what gets measured gets done and how that forms part of accountability. I ask whether HMICFRS is going to do more on cyber in its inspections of police forces. He responds with a smile, telling me ‘You are on it’, as he confirms he is indeed talking to the inspectorate about a thematic inspection and how cyber resilience and cyber security can form part of the PEEL process. The last thematic inspection on cyber was in 2019 and even in the space of four years the cyber challenge will look very different.
The Policing Minister told the same audience at the Summit that he had a personal commitment to technology, adding “I will do whatever I can do to clear the obstacles in your path.” Let’s hope that helps to meet the challenge that Pete sets out here for policing to get ahead of the evolving cyber threat.