Request ID: FOI-1027-2223 Date published: 15 September 2022
You asked
Hello,
Please could you provide me with,
1.1. Provide me with the total expenditure TfL has incurred on contractors within the CSIRT between December 2020- July 2022
1.2. Provide me with the total expenditure TfL has incurred on contractors within the CSIRT within 2022.
1.3. Provide me with details of how many contractors have been working within the CISRT at TfL for for more than 2 years
1.4 Provide me with the total value of the CSIRT budget for 2022
We answered
TfL Ref: FOI-1027-2223
Thank you for your request received by Transport for London (TfL) on 27 July 2022, asking for Cyber Security budgets.
Your request has been considered in accordance with the requirements of the Freedom of Information (FOI) Act and TfL’s information access policy. I can confirm TfL does hold the information you require.
However, in accordance with the FOI Act, we are not obliged to supply any of the information as it is subject to a statutory exemption to the right of access to information under section 31 of the FOI Act, which relates to law enforcement. Specifically, section 31(1)(a), which relates to information whose disclosure would be likely to prejudice theprevention or detection of crime.Release of information under the Freedom of Information Act is a release to the public at large. Therefore TfL must consider how any potential recipient of the information might use it, rather than make assumptions about the intentions of the individual making the request.
In this instance the exemption has been applied as disclosure of the information you have requested would pose a real threat to our IT systems, and consequently, the prevention or detection of crime as it would assist a third party to mount an attack on our IT systems. It is the sort of information that could be combined with other information available to an attacker or already in the public domain, to target our systems.
Expenditure on our cyber security management would allow an attacker to infer the level of protection and draw conclusions that could be used to assist in malicious activity, including attacks.
The London transport system is a critical piece of national infrastructure and as such we employ rigorous safeguards to protect it from cyber attack. Like other organisations we are subject to these regularly. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to critical national infrastructure that may result from a successful attack. We consider that releasing the information you have asked for would be likely to prejudice our efforts to prevent and detect future attacks and undermine our ability to safeguard our information systems.
The use of this exemption is subject to an assessment of the public interest in relation to the disclosure of the information concerned. We recognise the need for openness and transparency by public authorities, but in this instance we consider that there is greater public interest in safeguarding our information systems and to ensure that cyber attacks, or any other criminal activity is prevented wherever possible.
The Information Commissioner’s Office has previously issued a Decision Notice regarding the application of section 31 to withhold information in relation to cyber security. Whilst the information requested in the referenced case is different to the information you asked for, we believe the same arguments can be applied. Please see the decision in the following link: https://ico.org.uk/media/action-weve-taken/decision-notices/2016/1623677/fs_50600199.pdf
Please see the attached information sheet for details of your right to appeal.
Yours sincerely
Sara Thomas FOI Case Management Team General Counsel Transport for London
