24 Mar 2009, Jon Fell, Computing
http://www.computing.co.uk/ctg/analysis/1860210/crime-retribution
The presence on the internet of those with malicious intentions has been the subject of Hollywood blockbusters, so it is fair to assume that most business leaders are aware of the threat. But perhaps less well understood is how the business can respond if its IT security is breached.
What is e-crime?
E-crime is any crime that is committed electronically. As such it is a very broad category that can include race and hate crimes, theft, blackmail and extortion. Business leaders are particularly concerned about activities that can lead to the disruption or destruction of IT systems and those that involve the theft of data.
That being said, it is worth remembering that organisations are liable for the actions of their employees. This means that where an employee downloads unlawful material, sends abusive mail or uses the organisation’s systems to commit a crime, the employer may become liable for that unlawful behaviour.
And while IT leaders may naturally focus on limiting their organisation’s exposure to external threats, they must also ensure that their employees are aware that if they access someone else’s wireless network without consent, or use company email systems to make threats, they may be committing an offence. Computer use policies can mitigate these risks.
Is e-crime an issue solely for the IT department?
For many businesses their internet presence is critical. For some it is the main way in which their customers communicate with them, while for many it is the sole sales channel and principal means of communication. This means that a denial-of-service attack that interrupts this online presence can be disastrous.
Furthermore, with the increase in online business there has been an increase in the amount of data that is held electronically and which can be accessed remotely. Often the data in question is of a personal nature. Loss of personal data not only damages the reputation of a business, but is also a breach of the Data Protection Act 1998 (DPA).
The DPA imposes an obligation on data controllers to keep personal data secure. In particular it requires an organisation to put in place appropriate technical and organisational measures to ensure that such data is kept secure. But what does appropriate mean?
The act stipulates that when determining what is appropriate security, organisations must take account of the current state of the technology available and the cost to the organisation of putting security in place. However, it goes further and provides that consideration must also be given to the nature of the data concerned and the harm that would be suffered if the security were breached. So where sensitive or financial data is held, the harm caused if such data is compromised is greater, and the level of security that counts as appropriate rises accordingly.
How can IT ensure that enterprise security meets regulatory requirements?
The most important thing that a business can do is to review the security that it has in place. This means reviewing not only the logical and physical security in place, but also the organisational aspects of security. Do processes enhance security? Do staff understand the potential risks?
With this in mind, useful lessons are often learned when a third party is asked to try to penetrate those systems. Loopholes and weaknesses in defences can be highlighted in a controlled environment. However, IT leaders should control the parameters of the testing, through restricting the areas that may be accessed and stipulating what the tester may do with any data they manage to access as part of the penetration test.
Unfortunately we all know that IT systems can never be 100 per cent secure. There are too many variables and technology moves too quickly. It is important that businesses put in place a plan to deal with what happens if their systems are attacked. Once a plan has been put in place, test it. You do not want to find out that the plan is flawed in the event of an actual attack.
What should IT do in the aftermath of an attack?
First and foremost, IT obviously needs to restore systems and data and to plug any holes in the security. IT leaders should then review the potential harm caused by any loss of data and the best way of mitigating such loss.
If the police are to catch and prosecute the perpetrators, then IT needs to think about preserving the evidence. Electronic evidence needs to be treated with care. It is important that the integrity of the data is preserved and that it can be demonstrated that no changes have been made. It is essential that there are audit trails logging any access to systems and changes made.
It is also important to limit access to any affected data to those within the business who know and understand the consequences of accessing such data. Because they may be called to give evidence, it is important that users understand the impact of their actions.
Where there is any doubt, forensic IT experts can assist – ensuring that electronic footprints are not left all over the data. If data is to be relied on in evidence, it will be essential to be able to demonstrate that such evidence has not been changed in any way.
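The two evidence-handling requirements above, that it can be shown the data has not changed and that every access is logged, are usually met with a digest manifest and a tamper-evident audit trail. The following is an added example, not code from the article or from Pinsent Masons: it hashes a constructed set of evidence files with SHA-256 at the moment they are secured, re-verifies them later, and keeps a hash-chained access log in which each entry commits to the one before it, so that editing a past entry is detectable. File names, user names and timestamps are constructed for the demonstration.

```python
"""Evidence integrity: SHA-256 manifest plus a hash-chained access log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record a digest for every evidence file at the moment it is secured."""
    return {os.path.basename(p): sha256_file(p) for p in paths}


def verify_manifest(manifest, directory):
    """Return the names of files whose current digest no longer matches the manifest."""
    changed = []
    for name, expected in manifest.items():
        if sha256_file(os.path.join(directory, name)) != expected:
            changed.append(name)
    return changed


class AccessLog:
    """Append-only audit trail; each entry's hash covers the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, who, action, item, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "when": when or datetime.now(timezone.utc).isoformat(),
            "who": who,
            "action": action,
            "item": item,
            "prev_hash": prev,
        }
        canonical = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(canonical).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev_hash"] != prev or recomputed != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return -1


def demo():
    """Constructed scenario: secure two files, detect a later edit, detect a rewritten log entry."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        files = {  # constructed sample evidence
            "server.log": b"2009-03-24 10:01:02 login admin from 10.0.0.5\n",
            "export.csv": b"id,name\n1,constructed\n",
        }
        paths = []
        for name, data in files.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        manifest = build_manifest(paths)
        results["clean"] = verify_manifest(manifest, d)
        # Someone "tidies" the log after it was secured: a single extra byte is caught.
        with open(os.path.join(d, "server.log"), "ab") as f:
            f.write(b"\n")
        results["after_change"] = verify_manifest(manifest, d)

    log = AccessLog()
    log.record("j.smith", "imaged", "server.log", when="2009-03-24T11:00:00+00:00")
    log.record("j.smith", "hashed", "server.log", when="2009-03-24T11:05:00+00:00")
    log.record("forensic-contractor", "read", "export.csv", when="2009-03-24T12:00:00+00:00")
    results["log_ok"] = log.verify()
    # Rewriting a past entry changes its hash and breaks the chain at that index.
    log.entries[1]["who"] = "someone-else"
    results["tampered_index"] = log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The manifest and the final chain hash only prove integrity relative to the copy you hold, so in practice both are written to write-once media or lodged with a third party at the time they are produced; that is what lets a witness later say the evidence matches what was secured on the day.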
Can regulations keep pace with the fast-changing world of e-crime?
It may seem odd that, in an environment that changes as rapidly as the electronic one, the principal law relating to computer crime in the UK is nearly 20 years old. The Computer Misuse Act (CMA), which was enacted in 1990 and updated recently, is still the main piece of legislation dealing with computer crime in the UK.
The key objective of the CMA is to preserve the integrity of computer programs and of data. When it was enacted, the CMA introduced three new offences into English Law:
When the All Party Internet Group conducted its review of the CMA in 2004, its main concern was that the CMA as worded meant that certain types of denial-of-service attacks were not covered by the act.
It was absurd that the question of whether an offence was committed could depend on the technology and methodology adopted by the perpetrator. Accordingly, the CMA was amended, and with effect from 1 October 2008 it now covers all forms of denial-of-service attack.
The other significant addition to the CMA is that of “making, adapting, supplying or offering to supply any article intending to be used to commit” any of the offences already mentioned. The test is whether the person believes that it is likely that the article they are supplying will be used to commit an offence.
This change to the CMA caused a stir in the press. The concern is that the new offence is so widely drafted that it will also catch legitimate software tools used by security service providers. Time will tell what impact this new offence will have on legitimate providers of such tools.
Jon Fell is a partner at international law firm Pinsent Masons
© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093