A reluctance by UK industry to report cybercrime incidents to police is resulting in a lack of statistics and intelligence which is in turn hampering the fight against cybercrime. It's a vicious catch-22.
The industry points to confusion over just which police agency cybercrime should be reported to, together with a lack of follow-up by police when crimes are reported. But the police say the reporting process is as easy as for normal crime, and say that to really boost staffing in key agencies it needs the statistics -- which it cannot get unless more cybercrime is reported.
To try to break the cycle, the National High-Tech Crime Unit is introducing new measures such as confidentiality agreements and an online crime reporting service, according to the NHTCU's tactical and technical industry liaison officer Tony Neate.
Citing the Information Security Breaches Survey 2002, which was published at Infosec on Tuesday by PricewaterhouseCoopers, Neate noted that only 41 percent of UK companies said regarded as 'very important' the reporting of a serious incident to police. "For many companies, reporting the crime to the police is a last priority," said Neate.
When it comes to online fraud, the ratio of reported incidents may be even smaller, according to David Spinks, director of information assurance at outsourcing giant EDS, which manages more than 3.5m desktop PCs on behalf of its clients. "It is my view the amount of security breaches reported is only tip of iceberg. For every one admitted might be 100 more held within companies. We don't have the right statistics showing breaches of crime related to security systems."
A major cause of this, believes Spinks, is that there is no central point of contact with law enforcement. "We have five or six different law enforcement agencies who ware all saying we're responsible for cybercrime. Ideally we need one body."
Roland Perry, vice chairman of the Internet Crime Forum, agrees: "It is not obvious who are right people to report crime to," he said. The ideal solution solution, he said, would be a one-stop shop. "Where do you go if you get a Nigerian email?" he said, referring to the well-known email scam carried out from West African -- mainly Nigerian -- states, which he estimates to be worth £50m a year. "Do you report it to the National Criminal Intelligence Service, the Metropolitan Police, or the Fraud Squad, the NHTCU or your local police? If you take one of these emails to your local police, what is the chap behind the desk supposed to do with it?"
At the NHTCU, Neate denied the situation was this complicated. "We are looking at an online cybercrime reporting system," said Neate, for reporting such crimes to the Unit. But, he added, not everyone needs to use this. "There are 43 police forces in this country. If your house is broken into you phone your local police force. That's how we deal with it, that's how we have always dealt with it. If you get West African scam letters or discover paedophile activity, you can report it to your local police," Neate said crimes reported to local police will be passed on to a national law enforcement agency where necessary.
"We are a national organisation, we deal with serious organised crime on a national and trans-national basis. We want confidential reporting but we have to be realistic -- there are 40 of us now, rising to 90 in the next year or two."
Minor email scams will probably not be dealt with by the NHTCU, said Neate, but large extortion rackets will be, for instance. Neate admitted that there are a lot of grey areas in the middle. "If it is serious and organised and we have the resources at the time we will investigate. We want more people, but so does every law enforcement agency, and we will not get more unless we get more statistics, and we can't get stats unless industry reports the crimes."
To aid better reporting, the NHTCU is now prepared to protect the confidentiality of victims of e-crime, signing non-disclosure agreements where necessary. "Why? Because we want to lock up the bad guys, but can't do that unless industry tells us what the problems are."
The NHTCU, said Neate, will keep companies' names "extremely confidential -- there may be incidents that come in that only three people in the office will know about." And the attitude of the police has changed drastically over the past few years, he added. "Three years ago the police might have come in and taken your systems away -- possibly causing more damage than the criminals did. We now work with you -- it may take months, even a year, but it works, and there doesn't not have to be any publicity."
So seriously is any contract of confidentiality taken, said Neate, that if at trial the defence asks for the original evidence, the NHTCU will plead public interest immunity. "But if we are forced by the judge we will stop the investigation and not go any further. We take it that seriously. If we make a mistake once with one company then we are dead in the water."