A new report from public spending watchdog the National Audit Office (NAO) has criticised delays in replacing the Police National Computer (PNC). A new system, the National Law Enforcement Data Service (NLEDS), will replace the PNC by 2025/26, leaving the current set-up in place until then. But support for a crucial database currently expires three years earlier, in 2023, and experts have warned this could leave public data vulnerable to exploitation. The PNC currently contains the data of 13 million people and 64 million vehicle records and driver's licence holders in the UK.
The NLEDS was due to come into service last year, and was designed to replace both the Police National Database (PND) and the PNC. After ballooning costs, delays and significant police concerns that the system was not meeting its criteria, the project was reset and delayed, and it was decided the PND would not be part of the update. The delay came after an external review found that “the system being constructed would be difficult to maintain and adapt, and included a component that was already obsolete”, according to the NAO report. The cost of the new system had increased by 68% to £1.1bn.
Support for the PNC, which is based on a Fujitsu mainframe computer, had been due to expire at the end of this year, but the Home Office has agreed a new £9m deal with Fujitsu to provide additional support until the system is replaced. But support for a Software AG database expires in 2023, and though this could be extended by 12 months, no such agreement has yet been signed. “If NLEDS is not ready, the PNC will need to be moved off the mainframe onto a supported operating system from 2025 or run unsupported,” the NAO report says.
What is the Police National Computer?
The PNC has been referred to as the most important national policing information system in the UK. It is used by front line officers from all 45 national police forces as well as 127 other organisations with access to its data.
The PNC and PND are vital to effective law enforcement, says Brian Higgins, security specialist at cybersecurity firm Comparitech. “This is an all too familiar, yet alarming and shambolic affair,” he says. “It’s no surprise that after almost 50 years of operation support for the PNC platform will soon expire. What is difficult to countenance is the inability of those responsible to see this coming and plan ahead effectively to ensure continuity of secure operations for day-to-day, front-line users.”
Not only does the PNC hold vast amounts of essential data on criminals, it also offers potentially life-saving information to first responders on access to weapons and behaviour, enabling law enforcement to carry out risk assessments, Higgins adds.
How secure is the PNC?
The security of the PNC is therefore paramount to the safety of workers on the front line of law enforcement. It also houses extremely valuable Personally Identifiable Information (PII) data. Despite this, the Home Office has decided to accept the risk of running the PNC without support for the database after 2024, the NAO report says, considering the threat of a breach as “moderate”.
This will make the information on the PNC incredibly vulnerable to attack, says Kim Bromley, senior cyber threat intelligence analyst at cybersecurity company Digital Shadows. “Systems are more likely susceptible to vulnerabilities when they are close to reaching end of life status,” she says. “Without support from the manufacturer, emerging vulnerabilities will not be patched, leaving them open to exploitation by cyber threat actors”.
Not only is the information vulnerable, but this lapse in security is coming at a time when attacks exploiting vulnerabilities such as these are increasingly common, adds Bromley. “Vulnerability exploitation is an increasingly popular method by which cyber threat actors gain initial access to target organisations,” she says. “Once access is gained, threat actors can use that access to perform a range of nefarious activities, including ransomware, supply-chain attacks, and cyber espionage”.
The information on the police databases makes them attractive targets for cybercriminals. “PNC and PND contain significant amounts of sensitive data,” Bromley says. “Should it be exposed, the data of individuals within PNC and/or PND could be used for fraud, such as fraudulent benefit claims or applying for credit in another name. In addition, the physical locations of criminals and potential witnesses and victims are held in these systems, resulting in physical security risks for these individuals if released”.
Continuously delaying the update of the Police National Computer is an expensive exercise. The annual cost of keeping the PNC running as it is now is £21m as opposed to the expected annual cost of NLEDS at £17m. Bromley adds that there could be other costs for the government. “Public opinion on how safe their data is could decline,” she says. “This delay is also highly likely to increase costs, which could result in public disquiet if the spending doesn’t result in increased security of the public’s data”.
In a statement to The Independent, the Home Office said: “The police continue to have full access to vital information while the service is implemented, with the Police National Computer remaining operational until the transition is complete,” adding that the new system will be more effective and provide “substantial savings” for taxpayers.