Analysis: Crime and punishment

By Paul Trotter

Posted on 23 Jan 2003 at 12:46

Internet-based crime is growing in the corporate and public consciousness, and the problem is certainly given high billing by the government. It set up the National High-Tech Crime Unit (NHTCU) in April 2001 and after nearly two years' experience with technically savvy perpetrators and the businesses that have been targeted by them, the NHTCU has sent out a harsh warning - to the business community.

It seems businesses have been less than willing to report security breaches, no matter how big or small, and one can see their point. It would do little for a company's customer or shareholder confidence if information relating to a serious security breach were made public.

Organised crime groups are employing hackers to place child pornography onto unsuspecting companies' servers, then selling the content on a pay-per-view basis while the network manager remains unaware. Many company bosses opt to brush these matters under the carpet.

This doesn't help the company fight back, and it certainly doesn't help the NHTCU clamp down on these offences. From the law-enforcement agency's perspective, an unreported crime might as well be a non-existent crime.

But detective chief superintendent Len Hynds insists that a call to the cops doesn't mean companies will have to wash their dirty linen in public.

Hynds, head of the NHTCU, announced his solution to the problem in December 2002. The Confidentiality Charter is designed to assure victims that such matters can be reported in a discreet manner.

The exchange of information will help the NHTCU to more effectively understand and combat high-tech crime. If the criminal act is deemed serious enough to warrant the unit's immediate attention, an early consultation period will discuss the financial implications related to the public disclosure of intellectual property (IP) and commercially sensitive information. Steps will be taken to ensure this information isn't revealed, and the NHTCU will commit to 'undertake operational, tactical or strategic activity' as a result of the consultation.

But there exists an even bigger problem in the minds of company bosses, and it's one the NHTCU admits may be harder to tackle.

'It seems that for some, IT security is seen as an IT issue and not a mission-critical corporate concern,' said Hynds. 'For some, it represents a time-consuming and unproductive overhead.'

For all the NHTCU's promises to follow up major security breaches, the fact remains that businesses - particularly smaller ones - may be unwilling to spend time reporting offences unless they're confident of tracking down the hacker or IP thief.

By December 2002, the unit had been involved in 11 operations and had arrested 30 people engaged in computer-related crime. It's clear its immediate concern is with organised crime, and most e-crime victims are unlikely to be able to provide information on offences such as drug and arms trafficking.
The NHTCU isn't intended to investigate all crimes committed using technology, but the government claims progress has been made in educating and supporting local police forces.

'You can't expect every police force to have an equal capacity in this area, but the NHTCU support can help,' Bob Ainsworth MP, parliamentary under-secretary of state, told PC Pro. 'A major part of its work is to respond to enquiries from local forces.'

Of the original £25 million designated to set up the NHTCU, £10 million was divided between the 43 local police forces in England and Wales. Each force has a local computer crime unit and part of the purpose of December 2002's E-Crime Congress was to stress the importance of high-tech crime to officers across the nation.