There are some basic problems with electronic crime. We don't know how much of it there is, we can't detect it, we can't prevent it, and even if we do catch someone at it, it's hard to prosecute them. High-profile hackers like Kevin Mitnick get slapped down big-time, but is this a response to their specific crime? Or are the police and the justice system just venting their frustration at the knowledge that many others are getting away with it?
The law is doing its best within the current limitations, but even the UK government admits that there are things that need to be improved. The Home Office announced a strategy for dealing with e-crime on 14 July, led by home office minister Caroline Flint.
Now, for veteran watchers of government and IT, this might be cause for concern, not rejoicing. We have seen too many knee-jerk government initiatives diving in without understanding the issues. How can we be sure the government won't muddy the waters with short-term efforts designed to gain publicity, not fix a problem?
The initiative will not be a quick fix. It won't produce any legislation until 2004, and will spend time before that scoping the problem, with the help of the EURIM parliamentary IT lobby group and the influential think tank, the Institute for Public Policy Research (IPPR). This sounds slow, but the alternative would be meddling. From September, we can expect to see new legislation starting to be formed -- and where existing legislation works, resources being sent in new directions.
Ms Flint has mastered her brief, and is thinking about the issues. We saw her on 14 July, taking comments from EURIM and members of the industry. If the consultation goes well (and you can get involved through EURIM) we could all make cyberspace a bit safer for business and pleasure. Here are some directions I'd like to see industry and government moving in.
Let's get good figures by encouraging reporting
Many e-crimes are not reported, or they do not show up in the crime figures. Let's change that.
Under-reporting happens partly because e-crime overlaps with other crimes. As well as "pure" e-crimes, which only exist in cyberspace, such as denial of service attacks or hacking, there are many "old" crimes, such as fraud or paedophilia, which have taken on a new life thanks to new technology. Police reports don't break out "old" crimes with an electronic element, so even the crimes that the police know about are not listed. There are now recommendations to change this, so expect to see figures getting more reliable.
A harder job will be to persuade businesses hit by e-crime not to keep it to themselves. The National Hi-Tech Crime Unit reckons that 50 percent of businesses don't report e-crimes, because they fear the disruption it would cause, and they believe the police don't have the resources to deal with the crime anyway.
It is easy to find examples of this. A friend of mine once caught an employee -- on the server room CCTV camera -- taking memory from the company's servers to sell it. Instead of being prosecuted, the employee was dismissed with a bad reference, just to get the matter sorted quickly and quietly. A year later, my friend met a colleague in a different company, who had just had the same thing happen. And it was the same criminal.
If firms can sort out the problem quickly and cover it up, they often prefer to tell no-one. And that means that the culprits can strike again. The only way round this is to convince businesses that the police can deal effectively with reports of e-crime. It is hard to see how this can be done without more resources: I expect this to be a focus of discussion this autumn. Already, Ms Flint is suggesting that the initiative may not need new money, but a redirection of funds, by applying "joined up government" ideas.
Who prevents crime? Users or vendors?
Security technology is increasing, but so are the tools of the criminals. What isn't growing fast enough is knowledge, so systems are not being built and maintained to prevent crime. Big firms can afford to have security specialists, but the knowledge gap is colossal among end-users, especially home users and small businesses that have no full-time IT staff. Everyone I know has an elderly relative who continually needs security advice. The scary thing is that many businesses know as much about security as your auntie.
Consider BT's glee at selling a million broadband connections. How many of those have a firewall? And how many of those firewalls are installed and working properly? BT has little incentive to make users secure, and users don't understand enough to demand it.
The situation is much like the car industry in the 1980s. Cars were sold on performance, and manufacturers laughed at the idea of selling cars on security or safety. It was easy to break into a car, and the manufacturer made a small but significant amount of money every time it replaced a lock, so really why should it worry at all?
The situation changed (and car crime has actually fallen dramatically) because it became in the makers' interests to make cars more secure. The police applied pressure, and drivers opted to buy cars with better locks. This could happen, because locks, alarms and immobilisers are things people can understand.
We can only make the same thing happen in IT if security can be turned into something that users want to understand, and if vendors can talk in language they understand. "We must get information to consumers, and give them tools to protect themselves," said Ms Flint. She wants to see e-crime prevention included in routine crime prevention work done by the police, such as leaflets.
It is tempting to suggest that vendors be required by law to sell secure systems, but I can't see this working. The difficulty is the definition of secure systems, which would lock us into a level of security appropriate to today, not tomorrow. Ms Flint clearly wants consumer education to "pull" secure systems out of vendors, rather than have to apply government pressure.
Nailing the criminals: should we change the law?
The UK has a Computer Misuse Act which has served us very well since 1990. Despite the technological area it covers, it is one of the shortest, most easily understood acts we have. It is wrapped in legal language, of necessity, but it takes the very sensible route of not getting into the specifics of technology.
However, there are things that may need to be changed here. The Computer Misuse Act was created before the Internet was widely used, and there are some implications that it did not foresee. It may need to be changed so it works better for crimes committed across borders. For example, the penalties it specifies are not currently extraditable, so it can be hard to bring a prosecution under the Computer Misuse Act of a crime committed against you by someone based abroad. The Internet Crime Forum is looking at how the Computer Misuse Act might be changed.
"The courts are favourably interpreting the Act for 21st century technology," said Ms Flint. "We must be mindful of the fact that the next advance could be round the corner. We must hit the target, but leave enough flexibility."
In the end, the biggest driver to making this happen is user awareness. We have power over the vendors in a recession. If it becomes clear that users won't buy systems that are insecure, then vendors will jump to it.
But it will require scrutiny, as vendors -- and governments -- can attempt to follow their own agendas (in digital rights management, and identity issues) under the guise of crime prevention.
Simply in the interests of efficiency, I'd like to see lots of reasoned input to the government's thinking at this stage, to (for this time, at least) avoid the tiresome spectacle of concerned rational users trying to help the government change short-sighted, hurried legislation.