E-crime is a difficult term to define - we all probably
have a different interpretation of what it means.
The term covers many different areas, including, phishing,
hacking, extortion, denial of service attacks, advanced fee fraud,
money laundering; virus writing, distributing malicious code,
bot-herding, grooming, distributing paedophile material, internet
abuse in the workplace, intellectual property theft, online piracy
of copyright material, and spamming.
This list is by no means exhaustive, but it does serve to
highlight the diversity of the challenges facing those trying to
prevent or investigate e-crimes, either on the internet or in the
corporate domain.
Many of these crimes are covered by conventional legislation,
whereas those of a truly technical nature - where, in effect, a
computer is the victim - are catered for under the Computer Misuse
Act 1990.
But that law was enacted in the year in which Microsoft Windows
version 3 was released - a time when the internet was a much
smaller and entirely different place.
When we consider the technical evolution of the internet since
1990, the wide scale deployment of computers within businesses and
the tremendous uptake in home computing it is not surprising that
there is a need to update this legislation.
The recent amendments proposed by the Home Office are welcome,
and it is likely that they will undergo some revision as a result
of public consultation. This consultation is a vital part of the
change process and interested parties should work together with the
Home Office to ensure that we have legislation fit to address the
current, and emerging, 21st century cyber threats.
There have been relatively few prosecutions for e-crime in any
jurisdiction around the world. This could be interpreted as
indicating a low level of criminal activity in this area, but I
firmly believe that this is not the case.
According to Spamhaus, the international NGO that monitors
malicious computer activity, the UK frequently has the largest
percentage of compromised computers connected to the internet of
any country around the world. In many cases compromised machines
may be hosting several different infections, each of which
represents an offence under the Computer Misuse Act.
The fact that there are many thousands, if not millions, of
compromised machines around the world gives some indication of the
prevalence of at least one of the forms of cybercrime. The
constantly evolving nature of the internet and related technology
is destined to create new vulnerabilities, many of which will be
exploited by the criminal fraternity.
Clearly, legislation needs to keep pace with emerging threats,
otherwise incidents with a high financial impact may occur and law
enforcement may not be in a position to respond, so ultimately no
public interest prosecution can be launched.
Notwithstanding the need for evolving legislation, more
attention should be drawn to IT security. Almost every hacking case
reported to the Metropolitan Police Computer Crime Unit was
preventable, if appropriate policy and procedures had been in
place.
Responsibility for raising IT security awareness rests with
government, law enforcers, ISPs, equipment manufacturers, retailers
and employers. Generally people's IT security awareness is quite
low.
Government and industry partnership is essential if we are to
address this issue. The Get Safe Online campaign is a prime example
of how successful this can be. By raising awareness we can address
confidence and trust issues relating to online trading. If people
are confident they are secure online they are more likely to engage
in online transactions.
All employers should review their IT security policies and
ensure that processes are in place to monitor and review the
management of those policies.
Home users need anti-virus products and firewalls, and should
renew subscriptions to these services at the end of the licence
period. Failure to keep them up to date will probably result in the
individual or corporate system being compromised. At best this
means someone else is using part of your processor's capacity, at
worst it will result in online identity theft. In the case of
businesses this can have a crippling effect.
Detective inspector Chris Simpson is head of the
Metropolitan Police Computer Crime Unit