This does not come as a particular surprise since the London Metropolitan Police Service is credited with being among the first modern organized law enforcement agencies in the world. What does surprise most people is the fact that this department runs like a business. That's because in general, the public does not tend to view government service as a company. Businesses come and go but government, in one form or another, is a constant presence.
Yet in truth, government is a service that operates like a corporation and law enforcement is a business unit of that government corporation, with an annual budget. Within the law enforcement business unit there are a number of divisions, just as expected in a corporation. In law enforcement, the divisions would include traffic, robbery, homicide, street crime, drugs and high-tech crime rather than common company divisions like business development, sales or marketing. It seems logical that law enforcement wouldn't need divisions like sales and marketing - it already has enough customers. However, each of these divisions has statistic-led performance indicators that are used to allocate budget, personnel and additional resources. With controlled budgets and limited resources, law enforcement is required to apply statistical justification to effort and the use of resources just like any business. And, if there are no statistics demonstrating a need for service in a particular division, then there is no need, ergo no staffing, no budget, and no resources.
According to Detective Sergeant Clive Blake of the Scotland Yard Computer Crime Unit (CCU), "Since the formation of the CCU, a good partnership has developed between the unit and various sectors of the IT industry, and some limited sponsorship arrangements have taken place. We are seeking to develop and improve this liaison, to encourage not just the formal reporting of crimes by industry, but informal information sharing to enable the effective and accurate identification of trends, methodologies and risks, which will provide us with evidence to develop a more accurate threat assessment. Currently, the accountancy-led performance indicators under which law enforcement must operate suggest there is a limited demand for resources within the field of IT crime. Therefore our funds and resources are diverted into areas of high demand and profile such as street crimes, due to better statistical evidence to support this demand. We are aware of the higher level of unreported computer crime, and have been unable to properly tackle the problem despite our ability and competence to do so."
Within the 2002 CSI/FBI Computer Crime and Security Survey of 389 respondents experiencing computer intrusions, 34 percent reported those incidents to law enforcement. This statistic shows a marked improvement from 1996 when only 17 percent declared that they had reported incidents to law enforcement. However, this year also shows a 2 percent decrease in reporting of incidents to law enforcement compared with 2001. That means a 2 percent decrease in reporting, in spite of an 18 percent increase in annual total losses compared to 2001. In addition, CERT/CC received 52,658 total incident reports for 2001 and has already received 26,829 incident reports for the first quarter of 2002. Given the data, why has there been an apparent decrease of reporting to law enforcement and what can be done about it?
According to Detective Superintendent Mick Deats, Deputy Head of the National Hi-Tech Crime Unit (NHTCU) (www.nhtcu.org), "The National Hi-tech Crime Unit is aware that there is significant under-reporting of hi-tech crime, in particular by business and industry. It has been recognized that there can be reluctance on the part of business and industry to report hi-tech crime due to commercial concerns. By working together with business and industry, the NHTCU aims to break down these barriers. We are currently working in partnership with business and industry to develop a confidential reporting mechanism and in the future for an online crime reporting system for business and the wider general public."
There are many reasons cited by industry as to why computer crime goes unreported: potential to damage reputation, adverse publicity, share price impact, stockholder lawsuits and even board-level concerns of criminal and civil liability due to an alleged lack of due diligence. Other factors inhibiting reporting include the perception that law enforcement is incapable of understanding the problem, or that they lack the technical capability to investigate such matters.
Blake understands the reluctance within industry to report computer misuse matters to police. In his view, industry must be reassured that law enforcement is competent to deal with such matters - and with discretion. Within the CCU, there are a number of officers who have trained at personal expense to achieve Masters Degree and CISSP levels in IT security. In addition, the Scotland Yard unit has already undertaken numerous high-level, sensitive investigations involving major U.K. and foreign companies and governments.
Businesses need to also understand that computer criminals are aware that they face a low risk of prosecution. As a result, the law does not and cannot act as an effective deterrent to computer crime. Society must move to an era where socially responsible corporation citizens are willing to report and assist in the prosecution of these criminals as a matter of policy, instead of simply patching up the hole and burying the cost in their balance sheets.
Robert Jones, chairman of the Interpol European Working Group on information technology crime sums it up well, "There is a strong element of circularity among the causes of under-funding of computer crime and high-technology crime units within law enforcement. Law enforcement senior management allocates resources for the prevention, detection and prosecution of particular classes of crime according to the perceived magnitude of the threat. Industry, the 'customer,' fails to report incidents for a variety of reasons. In order to break this circularity, the awareness of senior management on all sides needs to be raised, and attitudes must change or be changed."
Richard R. Starnes, CISSP, is a lead CISSP CBK Instructor, (ISC)² (www.isc2.org) and team leader, cyber attack tiger team (CATT), EMEA, Cable & Wireless internet services.