A nationwide body for the UK's police forces is seeking proposals from penetration testing specialists as it gears up to launch a new procurement framework -- which will include a minimum of four suppliers.
Pen testing providers have 10 days left to get their proposals in, after the Police Digital Service (PDS) extended the deadline for submissions by 10 days on August 27 (from September 1 to September 10).
The PDS -- previously the "Police ICT Service" but rebranded in March -- is the delivery vehicle for the National Policing Digital Strategy 2020-2030, which emphasises the need for "the right level of security to mitigate cyber threats" and to "drive higher standards of cyber security across the service."
(Several US police forces have been hit by ransomware in 2021 as law enforcement becomes a target for increasingly emboldened cybercrime groups. In Washington DC, for example, a ransomware syndicate called Babuk hacked into the network of the city’s police department and threatened to leak the identities of confidential informants unless a ransom was paid. The group later leaked devastating details of officers’ past drug use, finances and in one incident, details of past sexual abuse.)
Police penetration testing framework's worth ~£1 million
The PDS currently provides a centralised suite of operational security services to police forces, including incident management, threat hunting, vulnerability assessments, malware analysis and pen testing co-ordination.
The new police penetration testing framework (worth approximately £1 million) is being established to "streamline the procurement of penetration testing on behalf of UK Policing", procurement documents say.
The framework's establishment comes as the UK public sector moves to modernise its approach to ethical hacking, with the Ministry of Defence in August 2021 announcing the outcome of its first bug bounty programme.
(“The MoD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process,” said MOD CISO Christine Maxwell at the time, noting that "it is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets.”)
The pen testers that do get signed up may find rich pickings. The National Policing Digital Strategy 2020-2030 pulls no punches in noting the police's "legacy technology and supplier lock-in; our organisational structures; underinvestment in key areas; conservative risk appetite; and inconsistent understanding of our data", noting that there is "much to do if we are to deliver tangible change by 2025 and lay the foundations for 2030."
In 2018, the police service in England and Wales spent ~£1.4 billion on technology. Approximately 30% of technology staff spend goes on resources to maintain on-premises infrastructure, with the IT budget approximately 11% of the annual policing spend. As the Digital Strategy notes: "The implementation of additional technology places an upward pressure on IT costs which we must mitigate by reducing expenditure on our legacy estate."