Is Cybercrime Really Underreported?

The prevailing wisdom is that most companies don't report computer attacks. But when is a crime a crime?

By

August 15, 2002 CSO — Captain Jan Hoganson is pretty proud of Sacramento's High-Tech Crimes Task Force, one of five task forces built with California state grants of more than $2 million each. Agents from nine counties, the Secret Service, FBI, Postal Service, Forest Service and U.S. Attorney's Office all work together, most of them literally under one roof, to coordinate crime-fighting across jurisdictions and geographies. "It's a way to break down the boundaries," says Hoganson, who is sturdy and approachable enough to play the good cop in any Hollywood blockbuster. "We offer one-stop shopping."

Yet few of the high-tech crimes the task force deals with are the kind that CIOs usually concern themselves with. The group got its start helping local hardware companies who had problems with products being stolen off their loading docks. Today, typical cases involve counterfeit software, stolen cellular telephones, forged checks and satellite television pirating. The group also has a computer forensics lab for doing investigations for themselves and other agencies. But cases of hacking? Not really.

Now, Hoganson is scratching his head about why. He wonders, are these kinds of cases getting swept under the carpet?

That's what conventional wisdom suggests. In the most recent survey done by the Computer Security Institute and San Francisco FBI, only 36 percent of respondents who experienced a computer intrusion reported it to law enforcement. The Department of Justice and the Census Bureau are puzzled enough about what's happening that they're launching a new survey just to learn about computer crime, never mind prosecuting it. "We're simply trying to get a measure of what kinds of crimes are occurring, the frequency, the scope, how big the damage is, if it varies by sector," says Ramona Rantala with the Bureau of Justice Statistics. "Everybody talks about how computer crime is growing, but nobody really knows the extent of the problem."

According to at least one security expert, though, it may be a lot smaller than anyone expects. "At least in financial services, a vast majority of security incidents do not require law enforcement," says Stephen Katz, a consultant who is the former chief information security and privacy officer for Merrill Lynch and former CISO for Citigroup. "There's not a case," Katz says. "There are intrusion attempts, there's no actual money loss, there's no actual crime."

In the physical world, an attempted break-in (someone creeping around a loading dock at night) is indeed viewed as a crime, and a security guard would call the police department, which would send a nearby squad car to investigate. That's not how things work in the virtual world, though, where a technician guarding an intrusion detection system could stay busy doing nothing but reporting attempted break-ins, assuming, of course, he had the permission to do so.

In the end, getting companies to report computer crimes may be both more rudimentary and more complicated than anyone hoped. Maybe the problem isn't that companies aren't reporting cybercrime. Maybe the problem is that they haven't even figured out, in the computer world, exactly when a crime becomes a crime. Until companies and courts sort that out, the kinds of cases handled by Captain Hoganson's high-tech crimes unit aren't likely to change.


Other stories by Sarah D. Scalet
