Lack of reporting hits cybercrime fight

[InfoSec News <isn () c4i org>]

http://news.zdnet.co.uk/story/0,,t269-s2109168,00.html

Thursday 25th April 2002
Matt Loney  

Police and industry are caught in a catch-22 over reporting of
cybercrime; to break the cycle, police are introducing confidentiality
agreements and online tools

A reluctance by UK industry to report cybercrime incidents to police
is resulting in a lack of statistics and intelligence which is in turn
hampering the fight against cybercrime. It's a vicious catch-22.

The industry points to confusion over just which police agency
cybercrime should be reported to, together with a lack of follow-up by
police when crimes are reported. But the police say the reporting
process is as easy as for normal crime, and say that to really boost
staffing in key agencies it needs the statistics -- which it cannot
get unless more cybercrime is reported.

To try to break the cycle, the National High-Tech Crime Unit is
introducing new measures such as confidentiality agreements and an
online crime reporting service, according to the NHTCU's tactical and
technical industry liaison officer Tony Neate.

Citing the Information Security Breaches Survey 2002, which was
published at Infosec on Tuesday by PricewaterhouseCoopers, Neate noted
that only 41 percent of UK companies said regarded as 'very important'
the reporting of a serious incident to police. "For many companies,
reporting the crime to the police is a last priority," said Neate.

When it comes to online fraud, the ratio of reported incidents may be
even smaller, according to David Spinks, director of information
assurance at outsourcing giant EDS, which manages more than 3.5m
desktop PCs on behalf of its clients. "It is my view the amount of
security breaches reported is only tip of iceberg. For every one
admitted might be 100 more held within companies. We don't have the
right statistics showing breaches of crime related to security
systems."

A major cause of this, believes Spinks, is that there is no central
point of contact with law enforcement. "We have five or six different
law enforcement agencies who ware all saying we're responsible for
cybercrime. Ideally we need one body."

Roland Perry, vice chairman of the Internet Crime Forum, agrees: "It
is not obvious who are right people to report crime to," he said. The
ideal solution solution, he said, would be a one-stop shop. "Where do
you go if you get a Nigerian email?" he said, referring to the
well-known email scam carried out from West African -- mainly Nigerian
-- states, which he estimates to be worth £50m a year. "Do you report
it to the National Criminal Intelligence Service, the Metropolitan
Police, or the Fraud Squad, the NHTCU or your local police? If you
take one of these emails to your local police, what is the chap behind
the desk supposed to do with it?"

At the NHTCU, Neate denied the situation was this complicated. "We are
looking at an online cybercrime reporting system," said Neate, for
reporting such crimes to the Unit. But, he added, not everyone needs
to use this. "There are 43 police forces in this country. If your
house is broken into you phone your local police force. That's how we
deal with it, that's how we have always dealt with it. If you get West
African scam letters or discover paedophile activity, you can report
it to your local police," Neate said crimes reported to local police
will be passed on to a national law enforcement agency where
necessary.

"We are a national organisation, we deal with serious organised crime
on a national and trans-national basis. We want confidential reporting
but we have to be realistic -- there are 40 of us now, rising to 90 in
the next year or two."

Minor email scams will probably not be dealt with by the NHTCU, said
Neate, but large extortion rackets will be, for instance. Neate
admitted that there are a lot of grey areas in the middle. "If it is
serious and organised and we have the resources at the time we will
investigate. We want more people, but so does every law enforcement
agency, and we will not get more unless we get more statistics, and we
can't get stats unless industry reports the crimes."

To aid better reporting, the NHTCU is now prepared to protect the
confidentiality of victims of e-crime, signing non-disclosure
agreements where necessary. "Why? Because we want to lock up the bad
guys, but can't do that unless industry tells us what the problems
are."

The NHTCU, said Neate, will keep companies' names "extremely
confidential -- there may be incidents that come in that only three
people in the office will know about." And the attitude of the police
has changed drastically over the past few years, he added. "Three
years ago the police might have come in and taken your systems away --
possibly causing more damage than the criminals did. We now work with
you -- it may take months, even a year, but it works, and there
doesn't not have to be any publicity."

So seriously is any contract of confidentiality taken, said Neate,
that if at trial the defence asks for the original evidence, the NHTCU
will plead public interest immunity. "But if we are forced by the
judge we will stop the investigation and not go any further. We take
it that seriously. If we make a mistake once with one company then we
are dead in the water."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.