Cybercrime and punishment

Businesses and authorities across the world need to get together and come up with a suitable punishment to act as a deterrent to virus writers, hackers and cyberfraudsters

If you arrived at the office one Monday morning and found your desk ransacked and private documents missing, you would call the police immediately. Yet comparable crimes take place on business computers every hour of every day and are almost always left unreported to the authorities.

The IT press is constantly filled with stories of the latest computer viruses to affect companies. This year alone we've seen an assortment of high profile infections such as Code Red, Nimda, Anna Kournikova, Homepage and Naked Wife.

If your company was hit by one of these viruses this year, you no doubt updated your anti-virus software and cleaned up any computers that had been hit. You may also have renewed your security policy, but did you consider reporting the crime to the police? Would you even know who you should contact?

Historically, computer crime units around the world have been underfunded and have shown little interest in investigating virus-related crime.

Cybercrime cases that have been investigated have been those involving fraud, hacking or pornography where there were easily identifiable victims and the political will to investigate and catch those responsible. The few virus cases that are investigated tend to revolve around those infections that make national news, when the authorities have to be seen to react.

Many less famous viruses have actually caused more damage to businesses and have been overlooked by the authorities - despite strong leads.

Even when virus writers are caught there is no guarantee that they will be severely sentenced. David Smith, author of the Melissa virus and arguably the inspiration for the many e-mail worms seen since, pleaded guilty in the US in December 1999 to causing more than $80m (£57m) worth of damage. Two years on he has still not been sentenced.

Onel de Guzman, the suspected author of the Love Bug, escaped prosecution because at the time of the offence there were insufficient computer crime laws in the Philippines.

Jan de Wit, author of the Anna Kournikova worm, was found guilty in a Dutch court but was sentenced to just 150 hours of community service.

De Wit's sentence was tiny because so few companies were willing to come forward and admit that they had been hit. In an Internet-connected world it is essential that people know where to report cybercrime and that the authorities understand that viruses do not recognise national boundaries. All nations need to develop computer crime laws and work together to enforce them.

Many companies are afraid to admit, even to the police, that they have been the victims of a computer virus because they fear the potential damage to their public image. The computer crime authorities need to educate business as to how they can help them fight virus writers, hackers and computer fraud.

Part of that education process includes establishing methods by which modern businesses would feel comfortable reporting infections, possibly in a confidential way, and sharing evidence with the police.

Recently, some in the security industry have spread fear suggesting that terrorists could use viruses to launch an attack on economies on the other side of the world.

The reality is that if cyberterrorism was an effective way of striking hard at the heart of another country's infrastructure it would already have happened. Viruses make poor weapons because they don't care who they infect, and are relatively trivial to stop.

Even the most sophisticated viruses can be blocked by a mixture of common sense and safe computing practice - and anti-virus companies seldom take more than a few hours to deliver a cure.

It is worth remembering that virus writers are not criminal masterminds. Some have littered their code with clues and, in extreme cases, their real names, addresses and telephone numbers.

Virus perpetrators are not harmless or unaware of the damage they are causing. Businesses need to work with the authorities to ensure that these criminals get their day in court, and that the sentences dished out are high enough to act as deterrents.

Graham Cluley is senior technology consultant at Sophos Anti-Virus
