“When you speak to cyber-criminals and ask them what keeps them awake at night, they worry about other criminals attacking them,” says Steve Santorelli of security research group, Team Cymru. “They don’t worry about the police kicking down their door.”
This assertion from the former Detective Sergeant of Scotland Yard’s Computer Crime Unit demonstrates how the battle against cyber-crime is still being lost. Such is the weakness of the current infrastructure dealing with law enforcement online, perpetrators continue to run riot without serious fear of reprimand. The almost free-for-all climate helps explain why 1.5 million of us fall victim to cyber-crime every single day.
When dissecting the problems with ITProPortal, Santorelli described the “cross-jurisdictional nightmare” that sees a typical cyber-crime case passed from one body to another, with no single authority taking responsibility. Only a fraction of the cyber-crimes that occur actually get detected, so the process of dealing with incidents needs to be incisive. It also needs to send a clear message to the offenders, acting as a deterrent to help curb illegal activity.
But Santorelli’s experiences not only prove this is not the case, they paint a quite alarming picture that shows the extent of the inadequacies with law enforcement on the Internet. Of the small amount of crimes that are noticed, Santorelli says an even smaller subset of these actually get reported to the police; a smaller subset are properly recorded; a smaller subset then get investigated; a smaller subset lead to an arrest; and an even smaller subset end with a guilty verdict. Thus, a truly miniscule proportion of the original cyber-crimes committed actually result in people given time in prison. It is little wonder police hats, sirens and truncheons scarcely figure in the dreams of the average hacker.
The painstaking game of pass the parcel means a significant cyber-crime usually takes over six months to be dealt with properly, when in reality you have about six hours before the relevant data “becomes stale” and the whole job becomes immeasurably more difficult, says Santorelli. Persuading the authorities to set up agencies that could be notified instantly and take the investigation on with real purpose is not something that is close to happening, however.
“First, they [law enforcers] don’t have enough specially trained officers,” Santorelli explains. “Police officers around the world haven’t got the skills or the resources and there simply aren’t enough specialists. By the time you train up police officers [for dealing with cyber-crime] and identify really good ones, they just jump ship to the private sector,” he said, referencing his own career switch from Scotland Yard to Microsoft’s Internet Crime Investigations team.
The issue is obviously exacerbated when the private sector hoards all of the brain power and experience when it comes to cyber-crime, and not just because public sector groups are being deprived of expertise. There is also the problem that security threats and breaches that are discovered within companies are rarely shared to the benefit of the wider IT community, as businesses don’t want to cause panic that will drive away custom from their industry, or have their own reputations damaged by appearing exposed and insecure.
There are, of course, incidences when major firms have been forced to admit to security problems to avoid further trouble, and Santorelli says there are signs that attitudes are beginning to change, but he nevertheless describes a “fundamental stigma” still being attached to reporting cyber-crime on your organisation. Rather than being seen as doing the right thing in highlighting a problem that others can subsequently seek to avoid, companies are regarded as victims whose services cannot necessarily be trusted. Even organisations who suffer a technical glitch rather than a hack, such as NatWest this summer, suffer terrible publicity and a customer backlash, Santorelli pointed out. The stakes are unmistakably high for companies when it comes to the reputation of their technical infrastructure.
As a result, “nobody wants to report these issues,” Santorelli says. “It was the case in 1999 when I joined the computer crime unit and it’s still the case now.” Unfortunately, without the culture of reporting, cyber-police have neither the opportunities nor the required intelligence to improve their campaign against Internet crime.
To begin addressing the predicament, a stronger international body dealing with cyber-crime must be established, according to Santorelli, who says “we need a UN for the Internet.” Despite there being a clear necessity for such an organisation, some would say the idea is fanciful at this stage – in which case, existing groups like the International Cyber Security Protection Alliance (ICSPA), established in July 2011, need proper backing from governments around the world.
But, unsurprisingly, financial implications are key to slowing progress on this front, with cyber-investigations being extremely costly and politicians being reluctant to free up the funds. Tackling cyber-crime has never been a vote winner, Santorelli notes, allowing the policing of our online world to be shunted aside all too readily; superseded by more tangible and populist vows from politicians concerning the ‘material’ world.
Yet, as the financial implications of losing the battle against cyber-crime become increasingly apparent, the authorities may soon have little choice but to loosen the purse strings to support the cyber-police. Last year, Symantec calculated that the cost of actual cyber-crime, combined with the financial hit of the time being lost by the victims, amounted to a staggering $388 billion (£245 billion) globally over a year. “[C]ybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion),” the study said.
Tackling cyber-crime may be expensive, but a continuation of the status quo may be far, far more costly.
Article researched in collaboration with Team Cymru - a specialised Internet security research firm formed by a dedicated group of technologists passionate about making the Internet more secure.