[ISN] Lack of reporting hits cybercrime fight

From: InfoSec News (isnat_private)
Date: Fri Apr 26 2002 - 01:09:04 PDT


    Thursday 25th April 2002
    Matt Loney  
    Police and industry are caught in a catch-22 over reporting of
    cybercrime; to break the cycle, police are introducing confidentiality
    agreements and online tools
    A reluctance by UK industry to report cybercrime incidents to police
    is resulting in a lack of statistics and intelligence which is in turn
    hampering the fight against cybercrime. It's a vicious catch-22.
    The industry points to confusion over just which police agency
    cybercrime should be reported to, together with a lack of follow-up by
    police when crimes are reported. But the police say the reporting
    process is as easy as for normal crime, and say that to really boost
    staffing in key agencies they need the statistics -- which they cannot
    get unless more cybercrime is reported.
    To try to break the cycle, the National High-Tech Crime Unit is
    introducing new measures such as confidentiality agreements and an
    online crime reporting service, according to the NHTCU's tactical and
    technical industry liaison officer Tony Neate.
    Citing the Information Security Breaches Survey 2002, which was
    published at Infosec on Tuesday by PricewaterhouseCoopers, Neate noted
    that only 41 percent of UK companies said they regarded as 'very important'
    the reporting of a serious incident to police. "For many companies,
    reporting the crime to the police is a last priority," said Neate.
    When it comes to online fraud, the ratio of reported incidents may be
    even smaller, according to David Spinks, director of information
    assurance at outsourcing giant EDS, which manages more than 3.5m
    desktop PCs on behalf of its clients. "It is my view the amount of
    security breaches reported is only the tip of the iceberg. For every one
    admitted there might be 100 more held within companies. We don't have the
    right statistics showing breaches of crime related to security
    A major cause of this, believes Spinks, is that there is no central
    point of contact with law enforcement. "We have five or six different
    law enforcement agencies who are all saying we're responsible for
    cybercrime. Ideally we need one body."
    Roland Perry, vice chairman of the Internet Crime Forum, agrees: "It
    is not obvious who are the right people to report crime to," he said. The
    ideal solution, he said, would be a one-stop shop. "Where do
    you go if you get a Nigerian email?" he said, referring to the
    well-known email scam carried out from West African -- mainly Nigerian
    -- states, which he estimates to be worth 50m a year. "Do you report
    it to the National Criminal Intelligence Service, the Metropolitan
    Police, or the Fraud Squad, the NHTCU or your local police? If you
    take one of these emails to your local police, what is the chap behind
    the desk supposed to do with it?"
    At the NHTCU, Neate denied the situation was this complicated. "We are
    looking at an online cybercrime reporting system," said Neate, for
    reporting such crimes to the Unit. But, he added, not everyone needs
    to use this. "There are 43 police forces in this country. If your
    house is broken into you phone your local police force. That's how we
    deal with it, that's how we have always dealt with it. If you get West
    African scam letters or discover paedophile activity, you can report
    it to your local police." Neate said crimes reported to local police
    will be passed on to a national law enforcement agency where
    "We are a national organisation, we deal with serious organised crime
    on a national and trans-national basis. We want confidential reporting
    but we have to be realistic -- there are 40 of us now, rising to 90 in
    the next year or two."
    Minor email scams will probably not be dealt with by the NHTCU, said
    Neate, but large extortion rackets will be, for instance. Neate
    admitted that there are a lot of grey areas in the middle. "If it is
    serious and organised and we have the resources at the time we will
    investigate. We want more people, but so does every law enforcement
    agency, and we will not get more unless we get more statistics, and we
    can't get stats unless industry reports the crimes."
    To aid better reporting, the NHTCU is now prepared to protect the
    confidentiality of victims of e-crime, signing non-disclosure
    agreements where necessary. "Why? Because we want to lock up the bad
    guys, but can't do that unless industry tells us what the problems
    The NHTCU, said Neate, will keep companies' names "extremely
    confidential -- there may be incidents that come in that only three
    people in the office will know about." And the attitude of the police
    has changed drastically over the past few years, he added. "Three
    years ago the police might have come in and taken your systems away --
    possibly causing more damage than the criminals did. We now work with
    you -- it may take months, even a year, but it works, and there
    doesn't have to be any publicity."
    So seriously is any contract of confidentiality taken, said Neate,
    that if at trial the defence asks for the original evidence, the NHTCU
    will plead public interest immunity. "But if we are forced by the
    judge we will stop the investigation and not go any further. We take
    it that seriously. If we make a mistake once with one company then we
    are dead in the water."