 
|
|
27 April 2007 Police criticised on cybercrimeSA Mathieson at Infosecurity Europe in London British police are failing to tackle cybercrime, according to speakers at an Infosecurity Europe hacking panel discussion on 26 April – including one from a police force. “We don’t have much of a budget for investigating any cybercrime,” said a speaker from the audience who described himself as “an ITSO for a police force” outside London. He asked the panel if they could suggest how to convince the government to increase such spending. Mark, a political and security activist who runs the privacy-focused SpyBlog web-site (http://spyblog.org.uk/), replied that cybercrime is not included in the performance measures set for chief constables by the Home Office. “Part of that is because people are reluctant to report cybercrimes,” he said, adding that perhaps individuals should start reporting every phishing attack to the police, to raise the profile of such attempted fraud. Jon Collins, principal analyst at research firm Freeform Dynamics, said much cybercrime was recorded under laws other than cybercrime-specific legislation such as the Computer Misuse Act 1990, which was criticised by several panel members for being hard to use and out-of-date. Collins added that attackers should be prosecuted for losses to the business and damage to individuals, rather than for hacking itself. However, panel members felt that valuing damage by hackers was difficult, and open to abuse. When asked whether organisations overestimate such damage, Gary McKinnon, who is under threat of extradition to the United States for hacking into more than 90 systems run by the US Department of Defense, replied: “The US government certainly does.” McKinnon said that to qualify for an extraditable prison sentence, $5,000 of damage was required: “They claim that every machine I was in, I did exactly $5,000 of damage. They are obviously not shopping at PC World.” He said little else during the discussion, and forwent the chance to make a detailed opening statement, explaining that he had only agreed to attend two days previously. In his brief introduction, McKinnon said: “I took up the role of the hacker for my own reasons.” In an interview with the BBC last year (http://news.bbc.co.uk/1/hi/programmes/click_online/4977134.stm), he said he was looking for evidence of secret extra-terrestrial technology capable of producing energy for free, and gained entry by using a script which searched for administration passwords which had not been altered from their default values. SpyBlog’s Mark, who prefers not to publicize his surname, outlined the judgement in a commercial case decided last year, where a British company accused a Russian firm of organizing the hacking of its computer systems from abroad. Mark said the judge decided in favour of the British firm, but rejected its costs of £10,000 for each server. “You don’t get charged the cost of police investigation, even if it costs millions of pounds,” he said. On the question of how to get organisation to protect themselves and the personal data they hold against hacking, Peter Wood, chief of operations for penetration tester First Base Technologies, said that financial repercussions are the key. In a capitalist society, “it’s the only weapon we have,” he said, adding that the current level of fines – such as the UK Financial Services Authority’s £980,000 penalty against Nationwide building society in February – may not be adequate. SpyBlog’s Mark added that fines would not force state-sector organisations into bolstering their infosecurity, as any penalties were paid by the public from taxation. But he added that adverse publicity – particularly in tabloid newspapers – sometimes helped, noting that his criticism of an email information service run by the UK Security Service MI5 was acted upon only when taken up by the BBC and the Mail on Sunday newspaper.
|
|
