Over 20% of the population of the world and over 60% of that of the UK population now use the Internet to do business, learn or play. The proportion of criminals who use it to identify and exploit victims is at least similar. So who is policing it – everyone or no-one?
Hundreds, perhaps thousands of regulatory and law enforcement organisations around the world claim jurisdiction but almost none exercises it with any degree of determination or competence – save with regard to child abuse.
I recently attended the ACPO E-crime Conference to speak on the many current initiatives and was brought back to earth with a jolt. Apart from the Metropolitan Police and City of London police with their specialist units for anti-terrorism and card fraud, over 90% of UK police e-crime resource is once again fully occupied on child protection.
The situation is akin to that at the time of Operation Ore with forensics backlogs of 6 months to 2 years – only worse. Then the allegations were complicated by the associated card frauds. Today the leads are much better, coming from the social networking and peer-to-peer networks sites to which the predators have migrated, following their targets.
It is six years since EURIM published “E-Crime – A new opportunity for partnership“, calling for law enforcement to at least match the emerging criminal partnerships. The six papers published in the course of the subsequent EURIM-ippr “Partnership Policing” study found consensus on nearly sixty recommendations for action – mainly to reduce barriers to co-operation and make better use of existing spend. The other papers were on: Protecting the Vulnerable , Supplying the Skills for Justice, Reducing Opportunities for e-Crime, the Reporting of Cybercrime and the organsation of Co-operation.
Today we have globally integrated criminal malware and information supply chains while the UK has yet to replace the National High Tech Crime Unit, wiped out by mistake rather than design, during the creation of SOCA.
The impact of the Internet on society is akin to that of the railways, only more so, including with regard to the need for cross-boundary policing. By the time the police forces of the railways were finally brought together to form the British Transport Police, they accounted for over half of reports of theft, by volume and by value. One major difference between railway policing and on-line policing is that it was relatively easy to report rail-related theft (goods lost or stolen in transit or from passengers) albeit there were regular complaints that little was done as result. Today it is almost impossible to report Internet related theft and almost nothing will be done if it is.
That means you, like the railway companies who still pay for the British Transport Police Force today, have to protect yourselves and your customers from all other forms of computer assisted crime, from information theft, fraud and impersonation to denial of service and associated extortion. And according to Kew associates you are spending well over £3 billion a year doing so.
That is good news for all the information security industry but it is not good news for the consumers who are being routinely defrauded nor the shareholders of the banks, insurance companies, retailers, publishers and other user businesses, including the pension funds that will maintain you in your dotage, you hope.
A tenth of that spend, used collectively to track, trace and remove those causing the current mayhem would give massive return all round.
Meanwhile, however, a third of the 1.2 billion Internet users already access it via mobiles which might be anywhere in the world – and moving. Even when the hate e-mail comes from the neighbour next door it may require co-operation from Telcos and ISPs around the world to confirm this. That is best organised via a team that has staff continuity, not the normal police rotation. It also needs to be multi-disciplinary, capable of immediate reaction alongside the incident response teams of industry, the fire brigades (albeit engaged in electronic shoot-outs), not just the fire investigators, working out who did the damage after the event. More-over much of the work will undoubtedly be in support of investigations into all those traditional crimes that are increasingly organised (or in the case of teenagers boasted about) over Internet-enabled mobiles.
The UK Internet Governance Forum meets on Friday and includes with workshops on strategies for cutting Internet crime, disorder and fraud and on personal Internet safety and empowering people. Those discussions will inform the creation of the E-Crime Reduction Partnership that Ministers (both Home Office and Depertment for Business) have said they welcome.
Law and order was brought to the Wild West by the Pinkerton Men, hired by the banks and railway companies, and by Sheriffs and Deputies hired by town shopkeepers to protect their trade. The UK’s only unit actively investigating and prosecuting on-line fraud, the DCPCU, is funded by industry. Meanwhile the members of the Internet Enforcement Group, deploy more resources to protect copyright on-line than are available to law enforcement for investigating the use of the Internet by would-be child abusers.
It is said that only the discipline imposed by organised crime saves the Internet from melt-down: “They wish to milk the cow, not kill it”. Hence the replacement of mass virus attacks by phishing to recruit botnets for targeted extortion in parallel with collecting and collating personal information to impersonate anyone who is creditworthy, whether or not they actually have funds worth stealing.
Time is running out if you do not wish to rely on the self-discipline of criminals to preserve confidence in the on-line world.
The last of the EURIM-ippr Reports, on the organisation of Interent Policing, “Building Cybercommunities: Beating Cybercrime” , raised the thorny issues of democratic accountability for policing partnerships where the bulk of the contribution comes from industry, not the “public purse”. It bears re-reading before you make your inputs to discussion at the UK Internet Governance Forum.