UNITED KINGDOM (ZDNet UK) - Speaking at the recent Infosecurity Europe conference, Peter Sommer, a lawyer specializing in Internet law, said the police do not have enough resources to tackle Internet crimes, with little prospect of much improvement in the next few years.
"Firms cannot expect police to routinely solve cybercrime, and businesses must bear the responsibility to protect themselves," said Sommer.
He said problems faced by the police include limited resources, a lack of adequate legislation and a reluctance by firms to spend time and money on collecting evidence.
In the U.S., firms are increasingly using hacking tools to attack the systems of hackers. Thirty-two percent of Fortune 500 companies have installed counter-offensive software, according to a survey by security consultancy WarRoom Research. Tactics include launching Trojan horse attacks to damage and disable a hacker's computer, and automated scripts that can erase an attacker's hard drive or hijack e-mail.
However, Sommer pointed out that such measures could cause companies to break the law. "There is no clear line between cyber defense and attack," he said. If a company launches a counter-attack after detecting a hacker, it could inflict damage on a third party--because hackers often launch attacks via other companies' systems. This raises issues of legal liability for any damage caused, though the law in this area is still unclear.
To improve protection for U.K. firms, Sommer argued that legislation should be brought up to date, because the Computer Misuse Act 1990, which details laws for the prosecution of computer crime, takes no account of the Internet, and has not yet been updated to cover offences such as denial of service (DOS) attacks.
The extent of the problem faced by companies and the police is illustrated by the fact that the Love Letter virus is estimated to have cost firms $10 billion (£7 billion) worldwide, while the high-profile teenage hacker Mafia Boy caused $1.7 billion (£1.3 billion) of damage globally, according to research by security specialist Para-Protect.
Bob Ayers, vice president of Para-Protect Europe, said, "Police can't cope with the volume of cybercrime, prosecution can't match the rate of offences and penalties are out of proportion with the damage caused, so firms are becoming cyber vigilantes."
The U.K.'s recently launched National Hi-Tech Crime Unit did not attend the conference and said that its members were still in training. Ayers said the unit's decision not to attend was a mistake for a government body that was trying to forge close relationships with U.K. technology companies.