Cyber attacks

FOI request reference: F0045372
Publication date: May 2016

Request:

Hi,

I would like to request the following information:

I would like to know how many attempts – successful or non-successful – minor cyber attacks have been carried out on departmental computers over the past three years: 2013, 2014 and 2015.

I want to know about the following types of attacks:

  1. DDoS (Direct Denial of Service)
  2. Adware
  3. Phishing
  4. Tampering
  5. Spoofing
  6. Bluejacking
  7. Password attacks

For more information about the types of cyber I mean, follow this link: http://www.cybersecuritycrimes.com/types-of-cyber-attacks/

I do not need to know the details of which department it came from or the details of any particular case. I just want the total numbers.

If the number of different types will exceed the money limit (which I don’t think it will) I would like you to collect the data up until the limit (i.e. do one 1, 2 & 3)

Best wishes

Outcome:

Information withheld

Response:

Thank you for your enquiry of 04 April 2016, in which you asked for information about minor cyber attacks carried out over the last three years on computers at The National Archives.

Your request has been handled under the Freedom of Information Act 2000 (FOIA).

The FOI Act gives you the right to know whether we hold the information you want and to have it communicated to you, subject to any exemptions which may apply.

Unfortunately, we are unable to provide you with the information you have requested. This is because the information is covered by the exemption at section 31(1)(a) of the FOIA.

Section 31(1)(a) exempts information if its disclosure is likely to prejudice the prevention or detection of crime.

This is a qualified exemption and as such, when it applies, we are required to conduct a Public Interest Test to see whether the information it covers can be released.  For the results of this test and a full explanation of this exemption and why it has been applied please see the explanatory annex at the end of this letter.

If you are dissatisfied with the handling of your request or the decision which has been reached, you have the right to ask for an internal review.  Internal review requests must be submitted within two months of the date of this response and should be addressed to:

Quality Manager
Public Services Development Unit
The National Archives
Kew
Richmond
Surrey
TW9 4DU

complaints@nationalarchives.gov.uk

Please mark your complaint clearly.  You have the right to ask the Information Commissioner (ICO) to investigate any aspect of your complaint.  However, please note that the ICO is likely to expect internal complaints procedures to have been exhausted before beginning his investigation.

Yours sincerely,

FOI Assessor
Freedom of Information Centre
Transfer and Access Department
The National Archives

Explanatory Annex

Your request in full

I would like to request the following information:

I would like to know how many attempts – successful or non-successful – minor cyber attacks have been carried out on departmental computers over the past three years: 2013, 2014 and 2015.

I want to know about the following types of attacks:

  1. DDoS (Direct Denial of Service)
  2. Adware
  3. Phishing
  4. Tampering
  5. Spoofing
  6. Bluejacking
  7. Password attacks

For more information about the types of cyber I mean, follow this link: http://www.cybersecuritycrimes.com/types-of-cyber-attacks/

I do not need to know the details of which department it came from or the details of any particular case. I just want the total numbers.

If the number of different types will exceed the money limit (which I don’t think it will) I would like you to collect the data up until the limit (i.e. do one 1, 2 & 3)

Exemption applied

Section 31: Law Enforcement

(1) Information which is not exempt information by virtue of section 30 is exempt information if its disclosure under this Act would, or would be likely to, prejudice—

(a) The prevention or detection of crime

Because section 31 is a qualified exemption, we are required to conduct a public interest test. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered.  If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released.  There is a presumption running through the FOIA that information should be released unless there are compelling reasons to withhold it.

The public interest has now been concluded and the balance of the public interest has been found to fall in favour of withholding information covered by the section 31(1)(a) exemption on this occasion.  Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability through disclosure of information relating to public authority security issues.

However, release of this information would make The National Archives more vulnerable to crime; namely, a malicious attack on The National Archives’ computer systems. As such, release of this information would prejudice the prevention or detection of crime by making The National Archives’ computer system more vulnerable to hacking. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It was therefore decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.

Further guidance on section 31 can be found here:

https://ico.org.uk/media/for-organisations/documents/1207/law-enforcement-foi-section-31.pdf