Cyber Security Contract - 641/21

Date Responded 16 June 2021

Provision of information held by Northumbria Police made under the Freedom of Information Act 2000 (the 'Act')

As you may be aware the purpose of the Act is to allow a general right of access to information held at the time of a request, by a Public Authority (including the Police), subject to certain limitations and exemptions.

You asked:

1. Can I enquire if Northumbria Police have a cyber security contract in place?
2. When does this contract expire?
3. Who is the supplier?
4. Who is the contact person who manages the cyber security procurement process for Northumbria Police?
5. What are their contact details?

By ‘cyber security’, I mean the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks. Essentially what contracts the police have in place to protect their IT systems.

In Response:

Following receipt of your request, searches were conducted with the ICT Department of Northumbria Police. I can confirm that the information you have requested is held by Northumbria Police.

1. Northumbria Police does not have one cyber security contract. The Force has a number of Cyber Security products and services in place.

With regards to points 2 & 3:
This detail will not be disclosed as we have assessed harm could be caused in such disclosure and therefore have considered that the following exemptions are relevant to withhold.


S24 (1) National Security
S31 (1) Law Enforcement

Sections 24, and 31 are prejudice based qualified exemptions and there is a requirement to articulate the harm that would be caused in its disclosure as well as carrying out a public interest test.

Harm

To disclose information to the public at large as to what contract details we have in place to protect police systems would show criminals what the capacity, tactical abilities and capabilities of the force are, allowing them to potentially target specific areas of the UK to conduct their criminal/terrorist activities. Any information identifying such contract utilised could be used to the advantage of terrorists or criminal organisations. Information that undermines the operational integrity of these activities will adversely affect public safety and have a negative impact on both national security and law enforcement.

Factors favouring disclosure - Section 24
The public are entitled to know what public funds are spent on and what security measures are in place, and by confirming what is in place would lead to a better-informed public.

Factors against disclosure - Section 24
By disclosing this information would make those security measures less effective. This would lead to the compromise of ongoing or future operations to protect the security or infra-structure of the UK and increase the risk of harm to the public, ie a cyber-criminal could use such information to attack a particular police force. The information is sensitive in nature if it would highlight vulnerabilities. For instance, if it is known that a particular supplier is used this could then identify what systems are in place and if a piece of software has weaknesses and a force was to disclose they use this then those weaknesses could be exploited. A cyber-attack could negatively affect the infrastructure of policing. By affecting the infrastructure of policing the nation’s security will be more vulnerable to terrorism.

Factors favouring disclosure - Section 31
This would enable the public to have a better understanding of the effectiveness of the police and about how the police protect systems used. It would greatly assist in the quality and accuracy of public debate, which could otherwise be steeped in rumour and speculation. Where public funds are being spent, there is a public interest in accountability and justifying the use of public money.

Factors against disclosure- Section 31
The release of this type of information would better inform a criminal on how to cyber-attack the police. If a force was hacked and this lead to their IT systems not working efficiently then a negative impact would occur on the prevention or detection of crime. Cyber-crime can lead to forces being unable to carry out their objectives. Northumbria Police would not want to provide information that could lead to criminals being better informed on the vulnerabilities, or perceived vulnerabilities a force has.

Balance Test

The security of the country is of paramount importance and the Police service will not divulge any information if to do so would place the safety of an individual at risk, undermine National Security or compromise law enforcement.

Whilst there is a public interest in the transparency of policing operations and providing assurance that the police service is appropriately and effectively engaging with the threat posed by various groups or individuals, there is a very strong public interest in safeguarding the integrity of police systems, investigations and operations in the highly sensitive areas such as extremism, crime prevention, public disorder and terrorism prevention.

As much as there is public interest in knowing that policing activity is appropriate and balanced this will only be overridden in exceptional circumstances. The areas of police interest discussed above are sensitive issues that reveal security systems and therefore it is our opinion that for these issues the balancing test for disclosure is not made out.

4&5.
This information will not be disclosed, as this is not a public facing role, and by doing so we rely on the following exemption.
Section 40 (2) - Personal Information
Section 40 (2) is a class based absolute exemption and there is no requirement to consider the public interest in disclosure. That being said where Section 40(2) is engaged in order to make the exemption absolute there needs to be evidence that a data protection principle would be breached by disclosure. In this case it would not be fair to process information which, we believe by providing all the information you have requested, could lead to the identification of an individual. Therefore the first principle of the Data Protection Act would be breached.
Any contact needed can be made by dialing 101 and asking for the IC&T department.

back to top