
Legacy tech blunts UK top cops' fight against serious crime, inspectors find

(2025/09/09)


The UK's National Crime Agency (NCA) clings to legacy systems and relies on an IT strategy that lacks clarity, a policing watchdog has found.

The NCA, which targets serious and organized crime, formed a National Data Exploitation Capability (NDEC) in a five-year program in 2018.

However, His Majesty's Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS), an independent auditor of police services, has found that many of its IT systems are outdated and unfit for purpose.

"The NCA recognizes and understands the problems these legacy IT systems present. A lack of investment in IT infrastructure means the NCA is burdened with technical debt – that is, the increasing cost of replacing outdated systems when fast solutions have been prioritized over long-term solutions," the report said.

The watchdog argues that the NCA has also been slow to fully embrace the benefits of cloud-based technology, which has adverse practical consequences.

"For example, personnel can't automatically transfer data between computer systems operating on each of the three security tiers of the Government Security Classifications Policy," the report states. "This is a significant limitation, given the sensitivity of some of the material the NCA routinely handles."

Inspectors found that the NCA had barely made any progress in moving off its legacy systems since its inception in 2013, having inherited much of its IT capability from predecessors such as the National Crime Squad and the Serious Organised Crime Agency.

In 2015, HMICFRS found the NCA faced "very significant challenges concerning science and technology" as a result of historical under-investment.

At the time, the watchdog found poor connectivity between different information systems, scant mobile computing capability, and fragile critical applications.

"This all has a materially detrimental effect on the NCA's efficiency and effectiveness," the report adds.

In the 12 years since its inception, the NCA has made limited progress in dealing with these issues, HMICFRS says.

The inspectors also found it difficult to find accurate costed plans for the NDEC program, "having received contradictory evidence in documents and interviews," although the NDEC team said the final cost of the program would be around £92 million.

The NCA has begun implementing a ten-year IT strategy, according to information provided to the inspectors. At the time of the inspection in 2024, HMICFRS found the NCA had completed the first phase at a cost of £250 million. The second phase remains subject to the Home Office's agreement to continue funding, and estimated costs of between £350 million and £500 million will depend on which options the parent department accepts.

HMICFRS says some data sets related to serious organized crime were not in the National Data Exploitation Capability data catalog. These included data from nine regional organized crime units. It also found no plans to use data from the Law Enforcement Data Service (LEDS), which is due to replace the Police National Computer in 2026.

The inspectors advise that by September 30, the NCA – working with the Home Office – should ensure its ten-year IT strategy has a timeline, an indicative budget, and a priority order for removing, replacing, developing, or merging its legacy IT systems.

NCA director general Graeme Biggar told The Register: "The report notes that the National Data Exploitation Capability (NDEC) has achieved the majority of its original objectives. It also praises the training provided to its officers, as well as their approach to ethical considerations including data protection." He added that "in one three-month period, NDEC searches identified more than 2,100 potential links to serious and organized crime."

"We are taking extensive action on areas identified in the report's recommendations, much of which was well underway at the time of the inspection. This includes an agency-wide technology modernization programme." ®


Of more serious concern...

Mishak

Is the lack of will to investigate real crimes (shoplifting, burglary, fraud, ...) because there are so many "woke crimes" to investigate ("Those books look a bit brexity", "Someone may find that post offensive"*).

A real example:

A few years ago I got a call from someone claiming that "your phone order from Vodafone is due to be delivered tomorrow". I hadn't placed an order, so I contacted Vodafone who told me that my business account had been used to purchase 4 iPhones - I had not done so, and it appears no attempt was made to "validate" the order, other than the person who placed it knowing the number of the phone associated with the account (business name and phone number available on my website)!

So, as there was obviously a scam in progress, on the way home I stopped at the police station in Durham to report the crime. This was at ~21:00 - the station was closed, with a phone outside being available to automatically connect to their control centre. Not a good start. Anyway, I told them what was up and was told I could not report the crime as it was being committed against Vodafone ("It is up to them if they want to report it, but they will probably just let it go").

I thought that was the end of things, but, the next day, I get a call from "Vodafone" to say that these phones (which had arrived) had "been sent in error" and that "a courier would be dispatched to collect them" - obviously how the scammers get hold of them. Given this new information, I called the police to explain that the (stolen) phones were to be collected from me the next day. They decided there was nothing they could do.

The following day, Royal Mail arrived to collect the parcel (to, unknowingly, deliver it to the scammers). I explained what was going on and said I would not hand the phones over to them. I did, however, manage to get the address of where they were to be delivered. I again called the police with this extra information, but was again told there was nothing they could do.

A quick check online showed that the delivery address was a flat in Southampton, with Google Street View having a nice picture of the layout. It would have been so easy for the police to monitor that address and arrest the people who were using it - likely as a "safe" delivery drop for many, many stolen phones.

It was about then that I lost any faith in the police being interested in solving crimes that have significant, financial impact on the rest of the population.

* not to be confused with posts that incite violence or other crimes.

Re: Of more serious concern...

Anonymous Coward

It is not good optics when the po-po give the reason for an arrest as 'someone may have been caused anxiety'.

The police are not there to protect the thin of skin, mentally unwell or perpetually offended.
