Legacy tech blunts UK top cops’ fight against serious crime • The Register
The UK’s National Crime Agency (NCA) clings to legacy systems and relies on an IT strategy that lacks clarity, a policing watchdog has found.
The NCA, which targets serious and organized crime, formed a National Data Exploitation Capability (NDEC) in a five-year program in 2018.
However, His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS), an independent auditor of police services, has found that many of its IT systems are outdated and unfit for purpose.
“The NCA recognizes and understands the problems these legacy IT systems present. A lack of investment in IT infrastructure means the NCA is burdened with technical debt – that is, the increasing cost of replacing outdated systems when fast solutions have been prioritized over long-term solutions,” the report said.
The watchdog argues that the NCA has also been slow to fully embrace the benefits of cloud-based technology, which has adverse practical consequences.
“For example, personnel can’t automatically transfer data between computer systems operating on each of the three security tiers of the Government Security Classifications Policy,” the report states. “This is a significant limitation, given the sensitivity of some of the material the NCA routinely handles.”
Inspectors found that the NCA had barely made any progress in moving off its legacy systems since its inception in 2013, having inherited much of its IT capability from predecessors such as the National Crime Squad and the Serious Organised Crime Agency.
In 2015, HMICFRS found the NCA faced “very significant challenges concerning science and technology” as a result of historical under-investment.
At the time, the watchdog found poor connectivity between different information systems, scant mobile computing capability, and fragile critical applications.
“This all has a materially detrimental effect on the NCA’s efficiency and effectiveness,” the report adds.
In the 12 years since its inception, the NCA has made limited progress in dealing with these issues, HMICFRS says.
The inspectors also found it difficult to find accurate costed plans for the NDEC program, “having received contradictory evidence in documents and interviews,” although the NDEC team said the final cost of the program would be around £92 million.
The NCA has begun implementing a ten-year IT strategy, according to information provided to the inspectors. At the time of the inspection in 2024, HMICFRS found the NCA had completed the first phase at a cost of £250 million. The second phase remains subject to the Home Office’s agreement to continue funding, and estimated costs of between £350 million and £500 million will depend on which options the parent department accepts.
HMICFRS says some data sets related to serious organized crime were not in the National Data Exploitation Capability data catalog. These included data from nine regional organized crime units. It also found no plans to use data from the Law Enforcement Data Service (LEDS), which is due to replace the Police National Computer in 2026.
The inspectors advise that by September 30, the NCA – working with the Home Office – should ensure its ten-year IT strategy has a timeline, an indicative budget, and a priority order for removing, replacing, developing, or merging its legacy IT systems.
NCA director general Graeme Biggar told The Register: “The report notes that the National Data Exploitation Capability (NDEC) has achieved the majority of its original objectives. It also praises the training provided to its officers, as well as their approach to ethical considerations including data protection.” He added that “in one three-month period, NDEC searches identified more than 2,100 potential links to serious and organized crime.”
“We are taking extensive action on areas identified in the report’s recommendations, much of which was well underway at the time of the inspection. This includes an agency-wide technology modernization programme.” ®
