Request ID: FOI-0648-2223 Date published: 11 July 2022
You asked
Please provide copies of all invoices from the previous year to date (14th June 2022) which relate to billing of any and all of the following computer software and related hardware:
- Security Information Management (Sometimes referred to as SIEM)
- Endpoint Detection and Response (Sometimes referred to as EDR)
We answered
TfL Ref: FOI-0648-2223
Thank you for your request received by Transport for London (TfL) on 14 June 2022, asking for Cyber Security invoices.
Your request has been considered in accordance with the requirements of the Freedom of Information (FOI) Act and TfL’s information access policy. I can confirm TfL does hold the information you require.
However, in accordance with the FOI Act, we are not obliged to supply any of the information as it is subject to a statutory exemption to the right of access to information under section 31 of the FOI Act, which relates to law enforcement. Specifically, section 31(1)(a), which relates to information whose disclosure would be likely to prejudice theprevention or detection of crime.Release of information under the Freedom of Information Act is a release to the public at large. Therefore TfL must consider how any potential recipient of the information might use it, rather than make assumptions about the intentions of the individual making the request.
In this instance the exemption has been applied as disclosure of the information you have requested would pose a real threat to our IT systems, and consequently, the prevention or detection of crime as it would assist a third party to mount an attack on our IT systems. It is the sort of information that could be combined with other information available to an attacker or already in the public domain, to target our systems.
A SIEM is a solution used for centrally storing and monitoring sources of information collected about networks, systems, and user activity, primarily for the purpose of identifying malicious activity. Endpoint Detection and Response is a solution used for monitoring and identifying suspicious behaviour on servers and desktops. Both are fundamental cyber security controls. The level of spend on a given control would allow an attacker to infer the level of protection and draw conclusions. It would also reveal the extent of our engagement with such vendors which could give some context to the types of attacks we deal with and provide an attacker with valuable insight into our security posture.
The London transport system is a critical piece of national infrastructure and as such we employ rigorous safeguards to protect it from cyber attack. Like other organisations we are subject to these regularly. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to critical national infrastructure that may result from a successful attack. We consider that releasing the information you have asked for would be likely to prejudice our efforts to prevent and detect future attacks and undermine our ability to safeguard our information systems.
The use of this exemption is subject to an assessment of the public interest in relation to the disclosure of the information concerned. We recognise the need for openness and transparency by public authorities, but in this instance we consider that there is greater public interest in safeguarding our information systems and to ensure that cyber attacks, or any other criminal activity is prevented wherever possible.
The Information Commissioner’s Office has previously issued a Decision Notice regarding the application of section 31 to withhold information in relation to cyber security. Whilst the information requested in the referenced case is different to the information you asked for, we believe the same arguments can be applied. Please see the decision in the following link: https://ico.org.uk/media/action-weve-taken/decision-notices/2016/1623677/fs_50600199.pdf
Please see the attached information sheet for details of your right to appeal.
Yours sincerely
Eva Hextall FOI Case Management Team General Counsel Transport for London
