Breaking the lock on CSCV

One volunteer’s perceptions of the programme, and reasons for leaving.

I was National Protect Lead at CSCV (Cyber Specials Cyber Volunteers) from autumn 2017 until February 2019, when I resigned from both my role and my membership. Over the last 6 months I’ve been asked repeatedly why I left and about the current status of the programme. Each time I’ll give a slightly different, condensed, version of events — often missing key facts or important details due to the complexity of the issues and the length of time needing covered. I now feel the time is right to finally put pen to paper and write about my experiences of the programme.

I’ll admit, I’m slightly nervous about posting this for fear of reprisal — and this is why it’s taken me ~6 months to finally write. I, and others, have already received fairly intimidating communications (I’ll go into this in detail in the article) from the current National Coordinator but I can’t stay silent any longer — regardless of the consequences.

This is a long read, and I make no apologies about that because it’s an important one. I’ve created a visual timeline of events to aid reading, and dumped relevant content in a Dropbox folder which can be found here.

A little bit of background

Law enforcement and the tech community have a pretty bizarre and complicated relationship. On the one hand there’re great attempts at reaching out and building bridges between two communities who, historically, haven’t always seen eye to eye. On the other hand we have ridiculous/offensive moments such as “Cyber Choices”, the continued misuse of the word “hacker”, and a general misunderstanding of how to interact with our community. As a result, the two groups’ relationship seems to rapidly bounce back and forth between friends and enemies, often without warning, with both groups claiming the other has done something unforgivable.

In autumn 2017, Tom Haye, then the leader of CSCV and the Hampshire Special Chief Officer, asked me to join the volunteer programme. The concept seemed relatively straightforward — bring policing into the modern age, volunteer our technical skillsets, and help keep the public safe from emerging threats. To me, CSCV was a chance to work with likeminded people to build bridges between the hacker/researcher and law enforcement communities.

It wasn’t a one way street for either group. Law enforcement would be able to tap into previously unavailable knowledge sources, detecting crimes they had previously missed. Similarly, volunteers would get so much out of the programme by being able to change perceptions about our industry from within law enforcement, being invited to conferences that were traditionally private affairs, and mingling with senior police officers from all over the country.

I’ll admit, at first I was skeptical about the programme as my prior interactions with law enforcement had been excruciatingly painful, for both parties. It can often feel as if we’re speaking completely different languages. However, after much discussion, I was convinced to join by Tom, his mission, and (frankly) his passion for change. I joined the national team as “National Protect Lead”. My role was focused on helping shape nationally consistent messaging, developing resources, and helping out with the day-to-day running of the programme.

Admittedly, my role with CSCV ended up being fairly difficult to balance with my “day job”. I give public talks, write articles, and develop software to combat growing cyber threats — all of which are “paid for” gigs. I was happy, however, to give up some of the potential revenue as I believed in the project and that others would be doing the same.

During the course of 2018, we did some amazing work building bridges, recruiting excellent volunteers, attending conferences, developing tools, assisting investigations, running hackathons, and solving crime. Publicly, the CSCV programme was a remarkable success and very well regarded — everything that we hoped it’d be. Behind the scenes, though, trouble was brewing.

A peek behind the curtain

By late 2018, the senior leadership team comprised 4 volunteers—myself, Tom, Greg Stevenson (Special Constable with Lincolnshire Police), and Ian Maxted (Safer Cyber Coordinator with Gloucestershire Constabulary)—as well as a paid-for project manager (Ian Davis), and the Senior Responsible Officer (ACC Richard Berry, also of Gloucestershire Constabulary) overseeing.

While we publicly promoted an attitude of being an agile and dynamic team, I was aware of a definite split in the senior leadership team. I often felt that I was just along for the ride, and a “lead” in name only for PR purposes. I was not alone in this—I, Greg, and even Tom would regularly find out about decisions or meetings which had occurred without our knowledge, days, weeks, or even months later. Everything, from day-to-day high level decisions (such as meetings with the SRO) to critical pieces of work (such as setting up a secure email provider) to the absolutely bizarre (the planned procurement of “tactical response” BMW X5s), was undertaken without so much as a heads up. Ideas, such as reforming CSCV as a CIC (Community Interest Company) were hashed out, and planned, long before we could even offer our input or judgement. The plans to make CSCV into a CIC were shelved due to constant pushback from Tom throughout 2018.

Ian M would often hold meetings with various people and promise volunteer help, guidance, or even development resource without running it past the rest of the team. It definitely felt like he believed himself to be above us in the organisation. This wouldn’t normally be an issue, but we often only found out about these projects very near their deadline. A perfect example would be the CyberTools app — a reference library on all things “cyber” for the non-technical front line response officers. Greg was landed with this at the last minute, and then had to work tirelessly to help deliver the project.

It should be noted that as a direct result of Greg’s work on the CyberTools project, law enforcement was saved from paying an extortionate amount in development costs (one alternative solution was quoted at £500,000, per force). As a result, he has been rightfully shortlisted for the Lord Ferrers Award.

Another example was during a conference in November 2018. Due to the success of CSCV, Ian M, Ian D, Richard and I were invited to the Netherlands to showcase some projects, and the mindset of the CSCV programme, to an international audience. During the presentation I was shocked to hear about a project, codenamed “Warthog”, which Ian M freely offered to the audience but which I had never heard of before that very moment. This was even more frustrating and embarrassing after our talk, when various members of Dutch Police approached me specifically to ask about the project and its potential uses. It later transpired that the project was nothing more than vaporware.

This split in the leads team was also evident in the day-to-day running of the programme. For example, we used Slack as a comms platform to engage with all the volunteers. Greg, Tom, and I would regularly speak with volunteers on Slack at all hours. Answering any questions, engaging with the community, sharing resources and knowledge, we were the only ones giving any form of programme updates to the wider group of volunteers (at this point, numbering around 80 people from students right up to Chief Constables). The Slack platform was truly the heart of CSCV.

During the course of 2018 we also had weekly, or fortnightly, catch up calls with the volunteers. This was an opportunity for everyone to share any projects they were working on, “target forces” or groups that we may want to interact with, and get to know the other team members better. We were a community with a common goal, after all.

Often, Ian D and Ian M would be unavailable, offline, or seemingly just actively avoiding questions from volunteers (and leads). Ian M would regularly only chime in with a negative comment about the decision (usually about day-to-day things such as dates/times for a group chat) that was made by the entire volunteer group. Occasionally, he would appear on Slack at the last minute with an “urgent formal ask” for one or many of the volunteers, disappearing when they needed feedback or clarification on the work they had done.

Similarly, Ian D would often ignore emails from potential new recruits, instead passing them off to Tom, or myself, to onboard. This was particularly frustrating as part of Ian D’s paid role was to onboard new volunteers and help with recruitment.

Website and email issues

In mid-December 2018, the CSCV website went down without warning. Given that we were known as a team of “technical experts”, and had a number of volunteers who were currently, or formerly, web developers in their “day jobs”, it was particularly embarrassing that we had a non-functioning website.

Ian M took ownership of fixing the situation. After a week without any visible progress, a complete lack of responses, and unsatisfactory responses to our requests for updates, Greg and I took it upon ourselves to fix the website. At this point we had received multiple comms from members of the public and potential applicants, wondering if the programme was still alive. Every day that we didn’t have a working website, our reputation was being damaged. It took us a total of 45 minutes to fix, migrate, and get back up and running again.

It then transpired that, during that week of downtime, over a thousand pounds had been paid to a third party for unnecessary support. An expensive frittering away of money that I’d expect from a panicking non-technical person, not an ex-ethical hacker.

Another clashing point was over Operationally Secure (OS) email. Originally our cscv.uk domain was used as a sort of staging ground before we could be fully migrated to the police.uk domain. Ian M had been working on setting us up with OS email since mid 2018 but, as no progress was made, I was tasked by Tom with finding out the status and identifying why it was stalling. In the meantime the senior leadership team agreed that we would use Office 365 Business as an intermediary step and allow a swifter switch over to Office 365 E3. This however received quite a bit of negativity from Ian M himself.

Often, as a direct result of something Ian M didn’t agree with (despite being given multiple chances to object beforehand), he would send a sharp message complaining about an action or decision and then change his Slack settings to “do not disturb” — effectively making him uncontactable. This created an atmosphere of stepping on eggshells when trying to move the programme forward.

During the first part of the email migration, constant pushback was given by Ian M, despite having multiple chances to raise an issue before work was undertaken.

I spent countless hours poring over government documentation on what constituted “OS” and came up with a plan to move all emails, which were on Ian M’s private 20i hosting account, to Office 365 E3. This was met with constant pushback and criticism from Ian M — despite me making more headway in a week than he had apparently done in 6 months.

While travelling to a conference in Peterborough, where I had been invited to speak as National Protect Lead for CSCV, I received several negative comments from Ian M via direct messaging on Slack. I had sent him a polite message a few days prior notifying him that I was progressing the OS email task and offering the ability to work together to get the problem resolved. This was a common theme where he’d only get involved to state his dissatisfaction about the direction after the work had begun (despite being given multiple chances to object beforehand).

We’d often receive sharp responses from Ian M after perceptively stepping on his toes — despite all attempts at contacting him beforehand.

It appears that, despite the headway I had made, Ian M went directly to Richard and overruled me and Tom, placing the tasking firmly back within Ian M’s hands. It wouldn’t be fully resolved for a further 8 months.

So, while we were giving the outward impression of being a cohesive unit with a strong message, in reality we were working as two different teams, with two different hierarchies, and two totally different agendas: Greg, Tom, and I in one camp, and Ian D, Ian M, and Richard in another.

All internal battles aside, I honestly thought that it was simply a matter of time before we could all work seamlessly as a single entity for the benefit of the programme, policing, and the public. So, quite unlike me, I gritted my teeth and bore the pain for a year.

Funding was sought

While programmes like CSCV are voluntary programmes, and (for the most part) volunteer-led, they still cost money to operate. Travel expenses, conference tickets, and hosting hackathons needed to be covered somehow. With this in mind, in June 2018 we requested around £1.2 million in funding from the Home Office to cover any expenditure moving forward, and cover some of our previous costs that Hampshire Constabulary had graciously funded to date. (Note: The CSCV project started as a small conceptual programme within Hampshire Constabulary, hence why Hampshire Constabulary is elsewhere referred to as the “host force”).

In late-December 2018, we got an unofficial heads up that our funding request would be approved, albeit at a reduced rate of £150,000 for 2018/2019, £220,000 for 2019/2020, and that money would come “soon”. It was at this point that it felt like both Ian M and Richard started taking more of an active interest in the programme. This might have been coincidental, but I felt there was a noticeable shift in attitude.

In early January 2019, I received a private message from Ian D via Slack asking me to set up a new “National Coordinator”, Barbara Spooner, with access to our email system and resources. Barbara had retired from the NCA that same month and was (and still is) an NCA Special.

After asking for some clarification, it was made clear that the decision was “out of our hands” and made by the SRO, Richard. This came as a complete shock to me and Greg. It came as even more of a shock to Tom who, as the programme leader, was effectively — at best — being demoted, and — at worst — being replaced. I accepted that the SRO had a plan, and assumed that Barbara would likely bring a wealth of experience, contacts, and resource to the team, despite not being technical. It should be noted that Richard mentored Barbara for the 3 years leading up to her departure from the NCA and had been actively seeking employment for Barbara post NCA retirement.

It very quickly became apparent that both Ian D and Ian M had been well aware of Barbara, her background, and her proposed new role well before her appointment, as these had been discussed in earlier meetings that the remainder of the leads team had not been privy to. Yet again, a decision had been made without consulting half of the senior leadership team, let alone notifying any of the volunteers.

The budgeting spreadsheet

In February 2019, Ian D began work on a budgeting spreadsheet showing how the funding would be allocated. Although I was not initially privy to the document and felt, yet again, that some leads were being excluded, I eventually managed to attain a copy. I hoped that a few thousand would be available to help with presentations, cyber protect sessions, and making those sessions more interactive and impactive. Upon opening the spreadsheet, I immediately noticed some entries which made me recoil in horror.

At first I assumed there was some sort of typo, or mislabeling with the figures, so I started asking around the rest of the senior leadership team. Both Tom and Greg were equally as confused about who the remuneration was intended for. I spent a lot of time on the phone with Ian D (who, at that time, was the only paid member of CSCV) asking him to clarify, and/or justify, who the funding was for, but didn’t get an answer to this. £650 per day is an extreme rate in my opinion, but if it were justified I’d have had less of an issue.

My suspicion at the time was that, with the coincidental timing of Barbara joining the programme, this money was going to be paid to her as a salary. This might be acceptable if we had followed some sort of hiring process, rather than her being shoehorned in without any form of vetting, technical experience, consultation with the full leads team, or, seemingly, even a clearcut role in the programme.

In my desperation, due to the complete lack of adequate response, I turned to Slack and posted the following message in the leadership channel:

Of course, I received no clarification.

As my role at CSCV was very close to my day job, and I was disgusted that someone would be paid £650 per day for doing [undefined], I decided that the time was right to walk away. Since I had a good relationship with many of the volunteers, and since they had been largely kept in the dark about the running of the programme, I felt it was important to let them know that I was leaving and why.

On the 11th of February 2019, I sent an email to the other leads and posted my final message to the general channel of our Slack workspace (meaning all volunteers see it):