Vinod Kumar is of the opinion that despite the benefits the Internet
has brought to the corporate community, it has also attracted
its fair share of undesirable elements. He says that stringent
and uniform laws have to be implemented across boundaries in
order to curb cyber crime.

Recent technological advances mean that many companies now conduct
much of their business online and manage a significant proportion
of their operations via e-mail. The Internet has revolutionised
the way businesses approach and conduct work. Most would say
it has improved relationships with customers and suppliers
and streamlined operations around the world, and also dramatically
improved global communications. In many ways the Internet
is like a community, with an ever-increasing population
realising the advantages of working online.
Despite the benefits the Internet has introduced to the corporate
community, it has also attracted its fair share of undesirable
elements keen to misuse it. Illegal entry, forgery,
fraud and pornography are all common offences in the real
world, and it's no different in the virtual
one too. Though it is impossible to estimate the true extent
of crimes committed via the Internet, it is probably safe
to assume that as the Internet grows in popularity the amount
of cyber crime will also increase.
Of all the cyber crimes committed, hacking and virus writing
are amongst the most common. Businesses in particular are
more likely to be victims of these than of any other Internet-related
offences. According to a survey carried out by the Department
of Trade and Industry, 78 percent of large UK businesses have
suffered an IT-related security breach in the past 18 months.
In addition, 33 percent of UK businesses have stated that
their worst incident was a virus infection. These figures
indicate that IT security-related crimes, and computer viruses
in particular, pose a real threat to most organisations. Despite
the widespread nature of these crimes, the conviction rate
is relatively low: only a handful of virus authors have
ever been caught and charged.
One of the main reasons for this is public perception. Currently,
opinion is such that creating a virus that brings companies
to a standstill is not met with the same level of outrage
as a crime against an individual. Although attacking and harming
a person is a far more malicious crime than causing financial
loss to a faceless organisation, some recognition of the damages
wreaked by hacking and virus writing is desperately needed.
Fraudsters who secretly steal millions from public funds face
severe penalties if caught, so surely virus writers and hackers
who cause the same level of financial destruction should be
dealt with in a similar vein.
Another problem of cyber crime is that there are no uniform
laws. Some countries, such as the UK, have cyber crime laws
like the Computer Misuse Act (1990) that are well implemented.
Other territories have laws that have yet to be fully implemented,
while some countries have yet to make provisions for cyber
crimes within their judicial system at all. Hence, if there
are no relevant laws in the country where the virus originated,
no one can be found guilty of breaking them.
The perception of virus writers also differs from country
to country. The writer of the infamous Love Bug, Onel de Guzman,
wrote and distributed the virus in the Philippines. When polled,
citizens of the country declared that they were proud of the
fact that the virus originated there. Unsurprisingly, de Guzman
has never been charged for his crime. In 2001, Jan de Wit
wrote the Anna Kournikova computer worm and was initially
offered a job by the Mayor of Sneek, The Netherlands (his
home town), in recognition of his talents. He subsequently
turned himself over to the police and was sentenced to 150
hours of community service.
Other hackers and virus creators have not been so lucky. In
1995, Christopher Pile was sentenced to 18 months' imprisonment
in the UK for the creation of the SMEG viruses. In addition,
American virus author David L Smith was sentenced to 20 months
in custody in 2002 for writing and distributing the Melissa
virus. Most recently, a man from Surrey was arrested for writing
and distributing the T0rn rootkit, a tool used to aid
the hacking of Linux servers. He is currently on bail pending
further police enquiries. Tougher measures like these undeniably
send out a strong message to would-be cyber-criminals. However,
whilst this is welcomed, there still needs to be more global
consistency in the way these crimes are dealt with.
There are no national boundaries on the Internet, so malware
is able to spread across the globe in a matter of hours. To
reflect this, governments and law enforcement agencies need
to present a unified approach to dealing with this type of
crime and decide how they can best work together to tackle
it. In the case of the T0rn arrest, Scotland Yard's Computer
Crime unit and the FBI worked together on the case. To address
the problem of worldwide cybercrime, more co-operation like
this needs to occur.
Another problem is the fact that many people don't come
forward to report cybercrimes, which means that any figures
that are produced are more than likely to be vastly underestimated.
Companies in particular are reluctant to admit to being a
victim of this type of crime because security breaches remain
taboo. Part of the reason the Anna Kournikova author received
a relatively light sentence was because only 55 companies
actually came forward and admitted that they had been hit
by the virus.
There is also some confusion relating to reporting of these
crimes. Businesses are unlikely to contact the local police
after discovering that the corporate network has been
infected. Scotland Yard and the National High Tech Crime Unit
in the UK, and the FBI in the US, amongst others, are able
to deal with this type of offence, but most people simply
would not think about alerting these authorities about what
might be considered to be quite a meaningless crime that should
be dealt with by technical experts.
Although it is true that virus writing and hacking can have
serious consequences, there are some who tend to over-estimate
the capabilities of malicious code. In the wake of the events
of September 11th it is understandable that all forms of security
are under scrutiny. However, whether computer viruses and
hacking exploits really make good terrorist weapons is debatable.
It is reasonable to assume that if this is the case, they
would have been used by now.
The potential effects of this type of crime are often blown
out of proportion. There is a limit to what virus writers
and hackers are able to achieve. Sometimes it can also be
forgotten that it is possible to protect yourself against
this type of attack, often relatively easily. There is
no doubt that cyber criminals can cause significant harm,
but the scale of the problem needs to be kept in perspective.
Separating the real situation from the hype is an important
part of dealing with this type of offence and ensuring that
the punishment fits the crime.

Vinod Kumar is the director of Satcom Technologies and partner of
Sophos (India). He can be contacted at vinod@satcomindia.com