Cash crisis aids e-criminals

Patchy and inconsistent reporting of IT crime means the police are unable to secure funding proportionate to the problem, experts warned last week.

As part of a range of proposals to tackle e-crime, IT lobby group Eurim called for a standard web-based form for reporting attacks. Eurim said such a mechanism would encourage firms to work with the police.

"Reporting systems are likely to be swamped unless material is received in a form suitable for automatic collation, analysis and forwarding," Eurim warned.

The lack of a standard reporting model is a problem, agreed the head of IT security at a large investment bank. "It would be beneficial to have standards for the data being collected and processed," he said. "But it's going to be very difficult to get agreement on what to put in those standards."

Eurim said firms lack confidence in law enforcement agencies' ability to deal with computer crime. Richard Starnes, security evangelist with IT training firm ISC2, said the appointment of investigating officers with recognised security credentials could increase firms' trust in the skills of the police.

Eurim also suggested the use of industry experts in "special constable" roles to provide skills lacking in the public sector. Under this system, staff could be asked to participate in investigations on an ad hoc basis while keeping their regular jobs.

Starnes welcomed this suggestion. "The investigators would get someone with experience and knowledge, and once the inquiry is over the employee is returned to the company with investigation experience," he said.

The reluctance of many firms to report security breaches hampers the ability of law enforcement agencies to get more funding for initiatives to deal with threats, according to Robert Jones, chairman of the Interpol European Working Party on Technology Crime. "Problems start with under-reporting. A lot of companies do not want to admit to being compromised so you get non-representative crime figures," he said.

Extra funding could also help to retain IT experts in the public sector, which finds it hard to compete with private-sector salaries. Starnes noted that public-sector IT security professionals with investigative experience are often poached by the private sector, making it hard for some government bodies to retain expertise.

However, Jones said UK law enforcement agencies must share some blame for the lack of expertise. He said the policy of rotating staff can create skills shortages. Police officers with years of experience in IT, who are then asked to transfer to traffic control, for example, might decide to take their skills elsewhere, Jones added.