There's no 911 for cybercrime. If there were, would you call?
Security pro Nick Selby is running a survey to see who REALLY calls the authorities when they're hacked. Here's why.
By Nick Selby
April 25, 2012 — CSO —
If you work for a large corporation, you hear lots of talk about corporate responsibility, and that's great. But I can't help but point out that, whether or not it is intentional, there is a massive and growing hypocrisy in the corporate world when it comes to prosecuting crime.
When I worked at a large company about 20 years ago, a mid-level manager told me the company showed it was serious about crime when he called the police about some minor vandalism to the doorways of our corporate headquarters. I'm certainly not saying that companies shouldn't act aggressively to ensure that employees and the public observe the rule and the spirit of law. Quite the contrary.
But it's anecdotally clear that most companies simply don't call the authorities when they experience criminal losses through online attacks. We in the industry know this, but I wonder if the assumptions we make as to why this is so are correct. It's especially important to consider this now, as we're in the middle of what can only be called a "conversion convergence," which continues to see increases in the use of the Internet to monetize stolen information and to launder ill-gotten gains.
I've often said that there is no 9-1-1 for cybercrime. But I wonder: If there were, would anyone call?
I'm not so sure.
In handling computer incidents and advising companies which have been the victims of intellectual property theft in the millions of dollars, one thing we hardly ever hear is, "Let's prosecute." Actually, the concept of prosecuting a cyber breach seems so quaint as to paint the utterer with the brush of someone hopelessly out of touch. We in the business know the chances of a successful capture and prosecution of those responsible for a given act of cybercrime are nearly nil (unless you've gotten exceptionally greedy, irritated the FBI or US Secret Service, gotten your hack in Time or stolen the email of someone famous).
In fact, at this point, calling the authorities after you're hacked won't actually get you much. With my vandalism example above, at least the cops could provide directed patrol of your headquarters. No one's gonna patrol your network. Criminals and victims know this: When non-tough-guy Ashton Kutcher goes all Charles Bronson and says he's "coming for" those who hacked his Twitter account, law enforcement's failure to provide a deterrent is highlighted. Outside those very high-profile cases, you're pretty much out of luck when it comes to getting law enforcement help on a computer crime.