
Clarity needed for this grey area
Published: 16 May 2006 17:20 BST
What's the most effective way to crack down on cyber crime? Martin Brampton has a few ideas - and they're not about making an example of the occasional hacker.
For all the tough talking, there is no sign of an early end to e-crime. In fact, if we look more broadly at the ethical issues around e-crime we find ourselves in a very grey area. The 'e' in e-crime seems to simply add yet further obscurity to a muddled picture. And it is not clear that 'professionalising' IT would make a difference.
A recent innovation in digital malfeasance is called 'spear phishing'. This elaborates on the familiar phishing schemes that aim to extract private information from unsuspecting people. Spear phishing typically targets a number of employees of a single company, giving the impression the communication is coming from inside the company.
Favourite covers are the HR or IT departments, from which the spoof emails requesting password details appear to come. Of course we know from much research that people are remarkably willing to divulge passwords when asked nicely, and especially willing when the request seems to be official. So a haul of useful company logins is quickly obtained, all for the price of a relatively small number of easily disguised emails.
When there is talk of new legislation to deter e-crime, the culprits are usually depicted as either delinquent hackers or organised criminals. In fact, the reality seems much more confused. In the case of spear phishing, although there are many nefarious possibilities for someone in possession of a clutch of corporate logins, history suggests the phishers might well be rival companies.
A few years ago, Boeing was found in possession of 25,000 pages of stolen documents from rival Lockheed Martin. The fact that one company was spying on another for commercial advantages was regarded as a commonplace. What was unusual about the case was only the sheer quantity of material. As real paper documents, this is a considerable amount in bulk and weight. Electronic versions would have been very much easier to handle.
Another consideration for spear phishing is the well-known fact that insiders are frequently the biggest threat to an organisation. It is believed that most companies are victims of economic crimes, mostly misappropriation of cash or other assets, by management or employees. In a majority of cases, the problem is found only by accident or tip-off.
When it comes to straightforward fraud, government is a popular target. One might have thought that the rapid growth in e-procurement would have driven down costs. Yet the NHS is alleging that a number of drug companies have milked hundreds of millions of pounds through market rigging and excess charges. In this case, it is unlikely that all the money will be recovered. The NHS takes the view it is too expensive to secure clear-cut legal decisions, and will be looking for settlements. This contrasts with the situation in the US where punitive damages have been sought.
Lately, organised crime has turned its attention to a very simple VAT fraud. A trader imports goods free of VAT and sells them with VAT added. The trader disappears with the VAT as clear profit. Popular goods for the fraud are mobile phones or memory chips - items that have high value and are easily transported. The sophisticated version is known as 'carousel' fraud, where the same goods are repeatedly imported and exported.
The scale of these frauds has reached a level where it has become a significant proportion of government finances. The traders engaged in these activities are using IT systems to efficiently create the documentation for the 'carousel'.
This raises the question of whether IT people should have ethical responsibilities in such matters. One of the factors that should be considered by advocates of professional status is that groups used for comparison often have to confront ethical issues. This is especially so in the case of doctors, for obvious reasons. The situation with lawyers is considerably more ambiguous. So should IT people have a responsibility to ensure that the systems they create cannot be used for fraud?
In situations like this, whistle-blowers seem to fare poorly. In another Boeing case involving documents stolen from a rival company, a Boeing scientist lost his job for disputed reasons. Another example is EU accountant Dorte Schmidt-Brown, who exposed the diversion of £3m of taxpayers' money into illegal funds, only to be left struggling against attacks on her by commercial interests. In cases such as these, could preventative action have been taken by IT professionals? The answer seems highly doubtful.
If we cannot expect IT people to stop fraud and deception, can we look to IT for solutions to the problems created by technology? Even though new technology creates opportunities for fraud, it is often much harder to find technical solutions. Chip and PIN security, for instance, could easily rebound to cardholders' cost. Obtaining the PIN seriously undermines the security, and although stores are being forbidden to have security cameras directed at tills, this is a key location for cameras and it is not clear how the ban can be enforced. Banks have a history of accusing card holders of being responsible for losses where the PIN is used.
These wider problems of fraud suggest the frequent scapegoating of individuals misses the point. Claims that the legal system is too soft and fails to convict criminals seem to be most justified in the case of corporate misdemeanours and large-scale fraud. Yet there is little sign that this is being tackled. Locking up the occasional hacker seems irrelevant to the real issues.
Martin Brampton is founder of Black Sheep Research, an independent consultancy providing research, writing and speaking services on a wide range of business and technology issues. Martin was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He is a longtime contributor to silicon.com and his blog can be found on his website.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.