Not Protectively Marked

Operation Cabin - Closure of Investigation Report
July 2012

Introduction

Operation Cabin is the investigation into the unauthorised data breach at the Climate Research Unit (CRU) at the University of East Anglia (UEA) in Norwich and the subsequent publication of data on the Internet in the weeks leading up to the COP15 Climate Conference in Copenhagen in November 2009. The published data was in a file entitled FOIA 2009 and included approximately 1000 e-mails that fuelled challenges to the work of the CRU, the reliability of climate science generally and the conclusions of the Intergovernmental Panel on Climate Change (IPCC). Further data taken during the original breach was published shortly before the COP 17 Climate Conference in Durban in 2011. The data was in a file entitled FOIA 2011 and included 23 documents, 5292 e-mails and 220 000 files including another zip file, which are all protected by individual passwords.

The investigation has been undertaken by Norfolk Constabulary with some support from SO15 (International Liaison). The National Domestic Extremism Team provided resources and financial support as well as being a link with other agencies and the CT Network. Technical expertise has been provided by PCeU and QinetiQ.

The CRU at the UEA is generally regarded to be one of six centres of excellence for research on climate change worldwide and has made significant contributions to global debate on climate change and to various reports, including those produced by the IPCC. The IPCC is the leading international body for the assessment of climate change and was established by the United Nations Environment Programme and the World Meteorological Organisation to provide the world with a clear scientific view on the current state of knowledge in climate change and its potential environmental and socio-economic impacts.
As a consequence of the data breach the reputation and integrity of the CRU was called into question and in particular the integrity of its Director, Professor Phil JONES, was challenged. He was vilified in some sections of the media and within the climate change sceptic community.

The criminal investigation has, from the outset, intentionally been a proportionate investigation into the data breach. The criminality alleged is offences under the Computer Misuse Act 1990 and, faced with the global nature of the incident, the SIO's investigative mindset has been to deal with the obvious and to pursue only those lines of enquiry that are most likely to identify who was responsible for the breach. Put simply, it is not possible to 'investigate the Internet', nor is it proportionate to send teams of officers around the world to interview people who may be of interest to the investigation in the absence of a substantial evidence base to support such activity.

In addition to the criminal investigation there has been an investigation by the Information Commissioner's Office (ICO) into allegations that the UEA did not comply with the Freedom of Information Act (FOI) when faced with a large number of FOI requests relating to the work of the CRU. There have also been three separate independent reviews into the work of the CRU. The first was undertaken by the House of Commons Science and Technology Committee to examine the implications of the disclosure for the integrity of scientific research, review the scope of the independent Sir Muir RUSSELL review announced by the UEA, and review the independence of international climate data sets. The second review was undertaken by an International Panel, chaired by Lord Oxburgh, with the objective of assessing the integrity of the research published by the CRU.
The third was the Independent Climate Change E-mails Review, chaired by Sir Muir RUSSELL, with the objective of examining allegations arising from the publication of the e-mails about the behaviour of CRU scientists and the honesty, rigour and openness with which they acted.

Context

The debate on global warming is widely reported and centres upon whether it is occurring at all and, if so, whether it is anthropogenic (caused by mankind) or a consequence of natural processes. There are significant political and commercial influences surrounding the climate debate, which include oil producing nations such as Saudi Arabia, emerging economies such as China and existing major economies such as the USA and Russia. Alongside the political and commercial interests there exists a global network of climate change sceptics who variously believe that climate change is not happening or, if it is, that mankind is not responsible. The debate between the sceptics and proponents of climate change theory manifests itself in various websites, blogs and discussion forums, sometimes referred to as the 'Blogosphere'.

The COP15 Climate Change Conference was held in Copenhagen between 7th and 18th December 2009. It was the 15th conference of parties to the United Nations Framework Convention on Climate Change with 192 governments represented, in excess of 35k people attending and 100 major states being represented for the last three days. The publication of data from the CRU appears to have been timed to undermine the conference and to hinder global agreement on measures to limit the extent of temperature increases. This theory is supported by the subsequent publication of further data in the run-up to COP 17 held in Durban between 28th November and 9th December 2012.

Technical Architecture - CRU (NB. At the time the offence took place.)
The UEA had an ICT infrastructure, which provided a network for the entire university, and individual faculties had their own ICT facilities within the overall network. The architecture included a server and back-up server called 'CRUWEB08' and 'CRUBACK3' respectively. CRUBACK3 was the source of the data taken from the CRU and published on the Internet. The server was located in a secure room with swipe card access, CCTV coverage and an alarm system.

Timeline of Events

Investigative journalists, climate bloggers and authors worldwide are amongst those who have published theories on the sequence of events leading to the publication of the CRU data. In summary:

o June 2009 - a data request is made under FOI, which is refused. This is followed by a relatively high number of similar requests in what appears to have been an orchestrated campaign.
o September 2009 - Attacks on CRUWEB08 and ultimately CRUBACK3 originating from several IP addresses in 3 different countries. Approximately 4GB of data downloaded.
o October 2009 - Further attacks on CRUWEB3 via CRUWEB08 from several IP addresses in 4 further countries. Approximately 50GB of data downloaded.
o 12th November 2009 - date of last e-mail included in the data published on the Internet.
o 17th November 2009 - Data contained in a file entitled FOIA 2009 published on the Internet and 'mirrored' around the world.
o 20th November 2009 - Media become aware of the data breach. UEA report to the Police.
o 23rd November 2009 - major investigation launched.
o 22nd November 2011 - a file entitled FOIA 2011 uploaded onto a Russian website with links to the data being placed on climate based websites.

Gold Group

A Gold Group was established to oversee the response to what was clearly a critical incident with significant global implications.
Investigation Set Up

Designated as a category 'A' major investigation, D/Supt Julian GREGORY was appointed as SIO on the basis that his skill set as Director of Intelligence, PIP3 and CT SIO meant that he was suited to the nature of this particular investigation. DCI Jes FRY from the Joint MIT was appointed as D/SIO and, due to other commitments within the Joint MIT, was replaced two weeks later by D/Insp Andy GUY from the Joint MIT. Both officers are experienced investigators and suitable for the role. Early engagement with the CTIU (East) provided a link with the CT Network, including the National Co-ordinator for Domestic Extremism.

Over time the level of resources working on the investigation has been commensurate with the level of activity required, with resources being allocated through the weekly MIT prioritisation meeting. On occasions this was limited due to lengthy waiting periods for responses to international enquiries.

Hypothesis

The original hypothesis was that the data had been taken by a person or persons unknown, ranging from an individual acting alone to an organised group engaged in espionage or offences linked to terrorism and potentially linked to foreign governments and/or organisations with significant commercial interests. Whilst the terrorism element quickly receded, the other elements of the hypothesis remained current throughout the investigation.

Investigative Strategy

From the outset there was a clear steer from Gold to conduct a proportionate investigation to:

o Establish what data was accessed and/or taken and published
o Establish who was responsible
o Secure sufficient evidence to mount a successful prosecution if appropriate

Lines of enquiry were established in order to meet the objectives set by Gold and to account for information available at that time.
At the outset it was not known if there had been a physical breach of security at the UEA or whether the data had been taken as a result of someone 'hacking' in from outside. It was also not known if the offender(s) had connections with or were assisted by members of staff from the UEA.

Technical Investigation

This is probably the most important line of enquiry and it was undertaken by QinetiQ under the direction of the SIO team, with the approach being to start with the UEA and to work outwards. In simple terms this meant that examination of hardware from the UEA, primarily CRUWEB08 and CRUBACK3, was undertaken in order to identify attacks, establish what had happened and to identify the source of those attacks (IP addresses). An early decision was taken not to investigate the publication of FOI 2009 on the Internet given that it had been 'mirrored' on a large number of websites and any investigation would be time consuming and resource intensive, with a low likelihood of success.

It is important to understand that unlawful activity on the Internet will inevitably involve the use of proxy servers. A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server. The proxy server evaluates the request and forwards it on the client's behalf, so the destination server records the proxy's address rather than the client's. Offenders commonly use proxy servers located in countries where it is known that it will be difficult for law enforcement agencies to get access to data. Additionally, it is normal for the transaction logs on proxy servers to be switched off or to be overwritten within 24 or 48 hours. It is, therefore, relatively easy for the perpetrator(s) to have 'hopped' around the world from server to server in order to conceal their tracks.
It is highly relevant to note that QinetiQ are of the view that the attack upon the UEA ICT infrastructure was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.

Other Investigative Activity

The series of IP addresses linked to the original attacks identified by QinetiQ are located in 7 countries. International enquiries were undertaken with the intention to secure activity logs, if available, from the named IP addresses in order to assess the viability of further enquiries. The police investigation was unable to retrieve all of the data requested that would enable a realistic prospect of mounting a prosecution within the timescales set by the limitation on proceedings (see below).

With regard to the publication of FOIA 2011, enquiries identified that of the four websites known to have been used to signpost FOI 2011 one was administered from within the UK. Enquiries were undertaken, including the execution of a search warrant and the seizure of computers, in an attempt to identify the person(s) responsible for the publication of the data.

The developer of the software used to encrypt FOI 2011 was contacted. Having established that it was freeware and that no records were likely to exist in relation to who had downloaded this software, this line of enquiry has not been pursued any further.

QinetiQ have discontinued the service they provided for forensic technical investigation and Hewlett Packard were engaged to compare the data contained in FOI 2011 with that held on CRUBACK3. They have confirmed that it is likely to have originated from the original attack on the UEA ICT infrastructure.

Limitation on Proceedings

The primary offence under investigation was the unauthorised access to computer material under s.1 Computer Misuse Act 1990.
The Act provides the following limitations on proceedings:

11(2) Subject to subsection (3), proceedings for an offence under section 1 may be brought within a period of six months from the date on which evidence sufficient in the opinion of the prosecutor to warrant the proceedings came to his knowledge.

11(3) No such proceedings will be brought by virtue of this section more than three years after the commission of the offence.

Given that the offences were discovered in November 2009 and appear to have been committed during September and October of that year, the investigation realistically had to be concluded by late summer 2012 if there was going to be time to prepare a case for prosecution.

Recommendation for Gold Group

When considering the closure of the investigation the following factors were of primary importance:

o The likelihood of the responses to existing international enquiries leading to a fruitful line of enquiry was questionable.
o The level of sophistication used by the perpetrator(s) suggested that any IP addresses identified as a consequence of enquiries would relate to proxy servers and would only be a point on the trail.
o If IP addresses were identified from the awaited international enquiries, these newly identified IP addresses would still have to be resolved. It is likely that in relation to FOIA 2009 this data will no longer be stored by the relevant ISP.
o Further lines of enquiry were likely to be time consuming.
o The time limitation on proceedings means that proceedings would have to be brought within less than six months.

In light of the points above there did not appear to be sufficient time to complete the investigation, interview any perpetrators (who may be abroad) and prepare a case sufficient to support a decision by the CPS to support a prosecution.

o Legislation and international protocols may prevent the extradition of persons abroad to the UK for any proceedings.

Conclusion

Following consideration of the above points and discussion with the Metropolitan Police Service Police Central e-crime Unit, a decision was taken by the Gold Group to close the investigation, as the limitation on proceedings meant that were further information to be received from the international enquiries there would be insufficient time to conduct the necessary follow-up enquiries prior to the time limit being reached. The UEA has been informed of the decision to close the investigation.