UK police promise charter to guard good names


Brian McKenna

The UK’s National Hi-Tech Crime Unit has announced a ‘confidentiality charter’, allowing companies to report security breaches without fear of public disclosure. Brian McKenna gauges user reaction. Will it break the pervasive culture of non-reporting?

What is a company to do? A nefarious hacker breaches your security, but no damage has been done. Do you run to the police, or chalk it up to experience?

Research carried out, in December 2002, among 40 members of IISyG — a group of IT security directors and managers in the City of London and in government — revealed that fear of damage to corporate reputation prevented over two-thirds (67%) of organisations from reporting incidences of cybercrime last year. Companies scared of damaging their corporate image are masking the true extent of cyber crime, according to the survey — which was undertaken as a PR effort by Defcom, an information security services provider.

This survey appears to contradict the assertion recently made by detective chief superintendent Len Hynds, head of the National High Tech Crime Unit (NHTCU) that “it is not the fear of reputation damage that is stopping companies reporting crime”. Hynds was speaking around the launch of a new Confidentiality Charter in December 2002, which allows companies to report security breaches anonymously to the NHTCU.

The charter seeks to assure companies that they can report cybercrime in complete confidence, safe in the knowledge that such information will be used for intelligence only — not as evidence. The Unit also promises that if corporates do decide to go down the investigation route then their business processes will not be disrupted.

“It is essential that commercial organisations are given assurances that they can report attacks without the fear of adversely affecting their business,” said Hynds, at the UK’s first e-crime congress in December, attended by heads of IT security from government, industry and the police. “Two-thirds of companies prefer to deal with these problems in-house — a short-term and dangerous approach,” he added.

The charter is the first attempt, in the UK, to formalize the process of investigating computer crime, and address the problem of companies failing to report offences. Under the charter, the police have pledged to minimise disruption to businesses when carrying out enquiries, remove names when sharing information with others, and distribute bulletins to warn companies of new threats.

Tony Neate, industry liaison officer for the Unit, confirmed that his experience, since joining in October 2001, was that confidential reporting was part of the NHTCU’s culture. “We’ve just formalized that process with the charter, which is, essentially, about providing a way for industry to interact with us securely and efficiently”.

What is the point, though, from a corporate viewpoint, of reporting for intelligence purposes? What’s to be gained? “We disseminate the intelligence that we gather, in such a way that the original reporting source is protected. We have a lot of experience of doing that”, Neate says.

Intelligence is shared with sister UK agencies like the National Criminal Intelligence Service (NCIS), the National Infrastructure Security Co-ordination Centre (NISCC) and the Unified Incident Reporting and Alert Scheme (UNIRAS). It is also disseminated to industry bodies through briefings and other means.

38 0167-4048/03 ©2003 Elsevier Science Ltd


“For instance, let’s say an exploit is enabled by a specific form of social engineering”, says Neate. “We’d pass that on as a generic piece of intelligence, protecting the source.

“Confidentiality is absolute in all areas except where human rights — the right to life and the right to a fair trial — are concerned.”

The charter was designed with input from the Confederation of British Industry (CBI) and the Crown Prosecution Service. In some cases the police may decide not to prosecute offenders if no major crime or violation of the EU’s human rights legislation has taken place.

Hynds believes that his Unit has established itself as the UK’s centre for excellence for law enforcement in the hi-tech crime arena, and is developing effective new relationships with business and the IT security industry.

“People in industry fear that if they call us in we’re going to walk in the door, switch off the servers, and cause them massive losses. We just don’t work like that.

“Our experience has been that fear of business disruption has been a greater deterrent to companies reporting computer crime than concerns about confidentiality”.

The Defcom survey’s findings might, however, trouble the NHTCU. If security breaches are not reported, funding and resources cannot be properly allocated, both inside and outside organisations, to resolve security vulnerabilities and catch cybercriminals.

David Howorth, director of sales and business development at Defcom, said, apropos the research: “Companies are still failing to report attacks on their computer systems, for fear of damaging their reputation, despite the NHTCU’s introduction of the Confidentiality Charter.”

Defcom’s research also revealed that 30% of the companies at the IISyG meeting are not earmarking any specific percentage of their overall IT budget to information security. Another 23% devote less than 1% of their total IT spend to ensuring the security of their computer systems.

The research says that almost half (48%) of companies are failing to produce internal IT security vulnerability reports and communicate them up to board level. The research reports, too, that police initiatives in the area of cybercrime are ranked as having the least impact on the reporting of security breaches by almost a third (32%) of respondents.

City reservations

“I’m surprised it’s as few as 67% failing to report. Companies are paranoid about things getting into press, you know”, a head of security at a leading City institution tells Computers & Security. He goes on to confirm that the charter has, so far, made little impact on his life.

“I’m not sure what the charter is, to be honest. Look, if the NHTCU discovered something during an investigation into a company that suggested that they hadn’t put the proper controls in place to prevent a breach from happening then I would guess that the FSA [Financial Services Authority] would get to find out about it. And most people would assume that.

“If the NHTCU were to say they will carry out their investigation in such a manner that they agree not to pass information on to other government agencies then companies might change their minds. But I am not sure people will necessarily believe protestations that the police won’t disrupt your business. People do fear that they’ll put yellow tape around your work stations and you won’t see your computers for a year; and that they’ll be in plastic bags in an evidence room before something does or doesn’t come to court.

“Also, what will happen in terms of prosecution? It is outside your control.”


The same head of security, who prefers to guard his anonymity, concludes: “If the perceived capability and user friendliness of the NHTCU was such that it would be a painless experience — that they wouldn’t take your computers away, and they would do a professional job — then you’d be more likely to call them in. For one thing they’d be cheaper than a consultancy.”

Spencer Pratt, director of professional services at Defcom, admits that the NHTCU is “addressing a major issue that has stopped people from reporting crime in the past. When we are looking at breach investigation we would definitely put it to our clients as an option. But it is up to the client.”

His experience, through the company’s security breach investigation service, is that “most clients don’t want to investigate at such a level that they have to go to court. They want to know how it happened, what the people did, and what may have gone missing. They want to fix it and keep it quiet. They are just not interested in preparing a case for court.

“In the last few years we’ve had very few people who’ve wanted to approach the authorities or start prosecuting. Once you approach the police it goes into the public arena.

“Also, what is the point of reporting something when nothing can be done? If you’ve got someone breaking in from a country which doesn’t have internet laws, there is nothing you can do apart from securing your system and monitoring it more closely.”

Tony Neate, from the National Hi-Tech Crime Unit, takes some exception here. “Things have changed over the last two years with the coming into existence and the work of the NHTCU. Our international connections are great. For example, we have good links into Russia and the other former Eastern Bloc territories, both via the Foreign and Commonwealth Office and, independently, through Europol and Interpol. And we work through the G8 24/7 arrangement, which means we can secure evidence in 38 countries”.

Pratt, though, does agree that “it is a good idea to report, and maybe companies will be happier to come clean under the new initiative, but you also have to put this back into the real world. If you say: ‘you’ve got to report this’ then you’re adding an extra layer of administration for people who are very busy.

“If a breach gets leaked out to the press and it becomes a big story, then you are more likely to go down the prosecution route because that way you give out a strong message to the public. Indeed, the ones that have gone to court are the ones that are found out by the press”.

Len Hynds, meanwhile, argues that the charter has evolved from the real life experience of the Unit, where it has been approached by intermediaries like consultants and solicitors who say: “‘hypothetically speaking, if we had a client who had such and such a problem what would your action be?’ They then usually come back with more precise questions, and, eventually, the client appears. That shows that there is a lack of understanding about how we work. It’s about a fear of loss of control.”

His colleague, Tony Neate, underscores the importance of NOP research into corporate cyber crime commissioned by the National Hi-Tech Crime Unit in June 2002. 105 companies were interviewed, and only three of those declared themselves untouched by computer-enabled crime in 2002. However, only 56% had involved the police. Some 9% of those interviewed felt that the role of the NHTCU was not at all relevant to them. The Unit describes these organisations as demonstrating ‘extraordinary complacency. Effectively they said “it can’t happen to me”. The other 90% of the sample would beg to differ from this, sometimes as a result of very painful experiences’. [Hi-Tech Crime: the impact on UK business, 2002, p. 7].
