Businesses and authorities across the world need to get together
and come up with a suitable punishment to act as a deterrent to
virus writers, hackers and cyberfraudsters
If you arrived at the office one Monday morning and found your desk
ransacked and private documents missing, you would call the police
immediately. Yet comparable crimes take place on business computers
every hour of every day and are almost always left unreported to
the authorities.
The IT press is constantly filled with stories of the latest
computer viruses to affect companies. This year alone we've seen an
assortment of high profile infections such as Code Red, Nimda, Anna
Kournikova, Homepage and Naked Wife.
If your company was hit by one of these viruses this year, you no
doubt updated your anti-virus software and cleaned up any computers
that had been hit. You may also have renewed your security policy,
but did you consider reporting the crime to the police? Would you
even know who you should contact?
Historically, computer crime units around the world have been under
funded and shown little interest in investigating virus-related
crime.
Cybercrime cases that have been investigated have been those
involving fraud, hacking or pornography where there were easily
identifiable victims and the political will to investigate and
catch those responsible. The few virus cases that are investigated
tend to revolve around those infections that make national news,
when the authorities have to be seen to react.
Many less famous viruses have actually caused more damage to
businesses and have been overlooked by the authorities - despite
strong leads.
Even when virus writers are caught there is no guarantee that they
will be severely sentenced. David Smith, author of the Melissa
virus and arguably the inspiration for the many e-mail worms seen
since, pleaded guilty in the US in December 1999 to causing more
than $80m (£57m) worth of damage. Two years' on he has still not
been sentenced.
Onel de Guzman, the suspected author of the Love Bug, escaped
prosecution because at the time of the offence there were
insufficient computer crime laws in the Philippines.
Jan de Wit, author of the Anna Kournikova worm, was found guilty in
a Dutch court but was sentenced to just 150 hours of community
service.
De Wit's sentence was tiny because so few companies were willing to
come forward and admit that they had been hit. In an
Internet-connected world it is essential that people know where to
report cybercrime and that the authorities understand that viruses
do not recognise national boundaries. All nations need to develop
computer crime laws and work together to enforce them.
Many companies are afraid to admit, even to the police, that they
have been the victims of a computer virus because they fear the
potential damage to their public image. The computer crime
authorities need to educate business as to how they can help them
fight virus writers, hackers and computer fraud.
Part of that education process includes establishing methods by
which modern businesses would feel comfortable reporting
infections, possibly in a confidential way, and share evidence with
the police.
Recently, some in the security industry have spread fear suggesting
that terrorists could use viruses to launch an attack on economies
on the other side of the world.
The reality is that if cyberterrorism was an effective way of
striking hard at the heart of another country's infrastructure it
would already have happened. Viruses make poor weapons because they
don't care who they infect, and are relatively trivial to stop.
Even the most sophisticated viruses can be blocked by a mixture of
common sense and safe computing practice - and anti-virus companies
seldom take more than a few hours to deliver a cure.
It is worth remembering that virus writers are not criminal
masterminds. Some have littered their code with clues and, in
extreme cases, their real names, addresses and telephone
numbers.
Virus perpetrators are not harmless or unaware of the damage they
are causing.
Businesses need to work with the authorities to ensure that these
criminals get their day in court, and that the sentences dished out
are high enough to act as deterrents.
Graham Cluley is senior technology consultant at Sophos
Anti-Virus