I am writing to make a request for information under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. If this request is too wide or unclear, I would be grateful if you could contact me, as I understand that under the Act, you are required to advise and assist requesters. If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary. I understand that you are required to respond to my request within the 20 working days after you receive this letter. 1. Does your organisation adhere to the Network Security guidance outlined by the National Cyber Security Centre, within its ’10 Steps to Cyber Security’? o Yes o No 2. Do you ensure that security patches for critical vulnerabilities are routinely patched within 14 days, as recommended by the National Cyber Security Centre? o Yes o No 3. Have you experienced any form of cyber attack on your network in the past two years? o Yes o No 4. Have you suffered from any service outages on your network in the last two years, however small? o Yes o No 5. Did any of these outages cause a loss, reduction or impairment to your organisation’s delivery of essential services? o Yes o No 6. Was the root cause of the service outage identified and confirmed – at the time or afterwards? o Yes o No 7. Is it possible that any service outages you have suffered in the last two years was caused by a cyber attack – such as ransomware, DDoS attack, or malware? o Yes o No 8. Are you aware that Distributed Denial of Service (DDoS) attacks are a significant contribution to service interruptions, outages and downtime? o Yes o No

---

Our ref: FOI-4401-1718/GH

Thank you for your request received by Transport for London (TfL) on 6 February 2018 asking for information about cyber security.

Your request has been considered under the requirements of the Freedom of Information Act 2000 and our information access policy. I can confirm that we do hold the information you require.

TfL does manage the risk of attacks on the network, including cyber attack, however we consider that the disclosure of information requested would assist a third party to mount an attack and therefore would be exempt under Section 24(1) - National Security. Release of information under the Freedom of Information Act is a release to the public both at home and abroad. Therefore TfL must consider how any potential recipient of the information might use it, rather than make assumptions about the intentions of the individual making the request.

Providing the details of any outages experienced could be used to assist anyone wishing to harm our network in this way. Similarly, we consider that disclosure of action taken to prevent such attacks could be used by a third party with malicious intent to test TfL’s capability to defend itself against attack. This knowledge could be used to mount an attack at a later date.

The Centre for the Protection of National Infrastructure have stated that: “The UK is facing an ongoing, persistent threat of cyber attack from other states, terrorists and criminals operating in cyberspace”. http://www.cpni.gov.uk/threats/other-threats/#sthash.h2fCtmiw.dpuf

The current threat level from international terrorism for the uk is assessed as SEVERE. The National Security Strategy categorises Hostile attacks upon UK cyber space by other states and large scale cyber crime as a tier one priority risk. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61936/national-security-strategy.pdf

The London transport system is a critical piece of national infrastructure and as such we employ rigorous safeguards to protect it from cyber attack. Like other organisations we are subject to regular attempted cyber attacks. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to critical national infrastructure that may result from a successful attack.

Section 24(1) is subject to a public interest test, and we recognise that there is significant public interest in understanding the level and nature of attacks recorded by Transport for London. However, we consider that there is a stronger public interest in protecting national security, which would be undermined by the disclosure of the requested information.

If you are not satisfied with this response please see the attached information sheet for details of your right to appeal.

Yours sincerely

Graham Hurt

FOI Case Officer

FOI Case Management Team

General Counsel

Transport for London

Back to top

---