The police must not leave firms to fend for themselves, says Richard Starnes
The Home Office report, The Future of Net Crime Now, should be top of your business reading list. It details the main information security threats facing UK businesses and advocates a practical approach to tackling these growing concerns.
Although it is hard to disagree with the recommendations of the report, its apparent reliance on two-year-old data is a concern. Some might surmise that it implies a lack of priority for the policing of high-tech crime.
Funding for the investigation of high-tech crime across the UK's 43 police forces in 2003 was less than £250,000 per force: £10m in total. This is equivalent to the consultancy fees for the roll-out of the Criminal Records Bureau, and is a modest proportion of the forces' annual £7bn budget.
Add the increased use of computers in international terrorism and child pornography, without an associated rise in law enforcement funding, and it is clear why there has been so little progress in prosecuting the criminals who have assailed the private sector with high-tech attacks over the past two years.
I am not arguing that large corporate firms, well aware of information security risks, should be offered further protection at the expense of more vulnerable members of our society. However, it is clear that the failure to tackle crimes against private enterprise early helps criminal activities to flourish, and that not investing resources now will lead to greater calls on staff and policing budgets in the future.
The threat of pay gaps
In an effort to stem the tide of internet crime, the Home Office report advocates that businesses should pursue private criminal prosecutions, rather than going through the Crown Prosecution Service. However, pushing businesses to take the fight to the criminals could have a deleterious effect on staffing in the police.
As the commercial risks of internet crime have become increasingly apparent, firms have increased their information security spend. Worldwide spending on security software is expected to rise 15.6%, from £5.1bn in 2004 to £5.9bn this year, according to analyst firm IDC.
However, this increase also threatens to reopen the pay gaps between information security workers in the public and private sectors, risking an outflow of skilled personnel from the police force into better-paid advisory jobs in the private sector. As recently as last summer the disparity between public and private sector IT workers' pay had been reduced so that public sector employees were earning 86% of their private sector equivalents' pay, from an earlier low point of just 60%. This trend, however, could quickly be reversed.
One way to halt such a migration is to increase public-private collaboration to ensure that skills are more evenly distributed. The report suggests secondment of police officers to private firms, but fails to fully explore ways of bringing in private sector workers on criminal investigations.
It recommends the creation of high-tech special constables drawn from the private sector to complement the police force. This may prove too demanding for private firms; a less time-intensive, ad hoc placement of private sector workers on criminal investigations at pinch points would perhaps be more effective.
This would help redress the "experience deficit" in the private sector by creating opportunities for a larger group of IT professionals to work alongside the police. It would also bring flexibility and more staff to these investigations without the problems of managing a permanent adjunct.
The report has come to the right conclusions, in that the policing of internet crime needs to be moved from a specialist capability to a mainstream one. However, it should be careful that its recommendations do not lead to public and private efforts moving in opposite directions.
Rather than dividing efforts through special constables and private prosecutions, far more can be achieved with a concerted approach. Supplementing the strength and skills of the existing National Hi-Tech Crime Unit with private sector investment and more staff would create a formidable force to defend against those who seek to turn our technology against us.
Richard Starnes is director of incident response at Cable & Wireless and president of the Information Systems Security Association UK