Bill Goodwin reports on IT professionals' concerns about
cybercrime
IT professionals have expressed serious concerns about the ability
of the UK's legal and judicial system to understand and deal with
the complexities of computer-related crime.
Feedback from more than 500 IT professionals paints a disturbing
picture of police forces that have limited resources and technical
knowledge, and judges and lawyers that do not understand the
seriousness of computer crime.
Their comments, made in a survey by Computer Weekly and
Infosecurity Europe, reveal widespread unease at the leniency with
which the courts treat the perpetrators of computer crime.
"It is difficult to put too light a figure on a sentence when some
of these people have caused billions of pounds worth of damage to
companies and private individuals," said one IT professional.
The ability of the police to deal with computer crime is seen as
patchy at best. Many see the formation of the National High-Tech
Crime Unit as a step in the right direction, but there are concerns
that it is underfunded, and that it can only tackle a small
fraction of the crimes reported to it.
Local police forces come in for particular criticism. "I have been
to a few police stations with IT-related crimes and the PCs I spoke
to did not have a clue as to what or whom I should speak to," said
one respondent.
In the courts, there is a strong body of opinion that computer
crime should be handled by trained IT-literate judges and lawyers.
Often trials are delayed by the need to explain even basic
technical terms. "It seems obvious that having people who have
never used IT involved in such cases is a waste of everyone's time
and money," said one IT professional.
One of the biggest areas of concern is the need for greater
international collaboration on computer crime. While hackers are
able to launch attacks from anywhere in the world, the police are
restricted by national boundaries.
"I don't think the people that commit crimes from overseas will
take any notice of the law unless there is total collaboration
across the globe," said one respondent.
Sign Computer Weekly's Lock Down the Law petition at
www.infosec.co.uk/IT
What IT staff say about computer crime
Comments made by IT professionals in the Computer Weekly/Infosecurity
Europe survey
On the UK's computer crime law
- "Common law is still very much based on Victorian ideas of what
constitutes property. It does not grasp that information is
property because you cannot see it"
- "There is no co-ordinated response. Jurisdiction issues, court
orders etc all conspire to make it almost impossible to stop denial
of service or other forms of attack"
- "The perpetrators of these crimes are almost always under 18,
so any new law will be pointless. Network security personnel is the
only alternative. However, this is neglected due to sheer
managerial laziness. Companies want to shirk their security
obligations"
On sentencing of cyber criminals
- "A vast body of research exists to support the theory that
crime is not reduced by increasing sentence severity but by
significantly and publicly increasing the chances of offenders
being caught and prosecuted. Most criminals don't think they will
be caught"
- "At this time the whole legal structure needs a rethink - with
more effort put into making the punishment fit the crime, rather
than smacking wrists"
- "Cases such as theft of data should be handled in the same way
as if someone had actually broken into a building and stolen the
information"
- "There should be guidance for minimum sentencing to aid judges'
decisions as they do not necessarily understand what actions cannot
be done accidentally"
On international collaboration on computer crime
- "Judges and lawyers regard computer crime in relation to the
existing structure of Roman law (the basis for English law).
Computer crime knows no boundaries and can impact multiple levels
of society in countries with very different legal structures.
Computer crime and punishment should be defined and controlled at
an international not a national level"
- "It is getting much better but is hampered by lack of the right
people/knowledge within the law enforcement agencies"
- "There are still major gaps and, in some cases, overlaps
between the various organisations in the UK. Collaboration with
agencies outside the UK is even less developed due to different
laws in each continent and/or countries"
- "Collaboration is inadequate, outdated and shows a lack of
understanding of both the rapid change in the use of IT and the
original intentions"
- "Without an international set of laws to govern such matters it
will be next to impossible to implement a suitable
deterrent"
On the Police
- "Police have little or no understanding of cryptography and how
a cracker can break code to steal information"
- "The police do not have the necessary resources either in time,
expertise or manpower to actively combat this type of crime. The
Government plays lip service and does not put adequate resources in
unless it hurts it directly"
- "The nature of most offences does not interest the police.
Reaction/assistance is very poor"
- "Apart from specialists, the police do not see this as their
area. They have no knowledge, training, inclination or resources to
deal with computer crime"
- "Police are neck-cuffed to a system with regulations and laws
that are so antiquated that they stifle any hope of offering a true
threat to security violations"
On the Courts
- "I don't know a single barrister who could talk with authority
about items such as cipher key lengths, DES, cryptography, PGP,
public key and private key technology"
- "The courts don't seem to be able to grasp the technical
details and consequences"
- "All cases should be dealt with by computer-literate people.
Maybe even the jury should prove they have some basic
knowledge"
- "I have found lawyers specialising in IT law to be very good,
even excellent, but there is a huge gap between them and other
members of the legal profession - including judges"
Experiences of crime
- "We have suffered a number of cross-continental attacks"
- "The incidents were insufficiently serious to qualify for the
attention of the National High-Tech Crime Unit, and local forces do
not have sufficient expertise"
- "I have witnessed companies having their trade badly affected
by attacks/fraud/extortion. Companies do still need to take greater
care of their data, however"
- "Surrey Police Computer Crime Unit liaised with the FBI and is
investigating the spammer (well, the FBI in Billings, Montana, says
it is investigating the spammer)"