There are certain crimes we report to the police without any real expectation that the perpetrators will be charged, let alone convicted.
Someone smashes our car window, steals a bike from our garage, or hacks into our small but profitable e-commerce site. In all of these cases, the police will gather information, take statements and file reports. But once that’s done, they’ll inevitably move on to bigger crimes.
The triage of police investigations: safety first
Law enforcement’s priority is always the crimes that pose the greatest threat to citizens’ safety. As Sgt. Paul Batista, who works in the Ottawa Police high-tech crimes unit, puts it, violations of property, whether it’s theft or damage from hacking, can ultimately be resolved with money. Human bodies, on the other hand, “are a little bit more difficult to fix.”
Usually operating on a meager budget, computer forensics teams in police departments spend virtually all their time analyzing data associated with violent crimes and combating the rampant exploitation of children. There’s very little money left over to investigate complaints of network breaches.
Hacking can be a very big deal for a small business, though, whose Web site might constitute the livelihood of many different people. In some cases, repeated cyber-attacks force these companies to make the terrible choice of either paying protection money to criminals, or closing shop for good.
Small businesses are responsible for a great majority of hacking complaints received by the Ottawa Police, says Batista. By contrast, large enterprises are highly unlikely to report such crimes.
With big companies, especially banks, “if you’ve been hacked that means you can’t be trusted,” he says. “A company that’s been compromised that way would not want to advertise that. They wouldn’t want to have the police investigate it, they wouldn’t want their clients to know, they wouldn’t want the general public to know.
“They certainly wouldn’t want the papers to know.”
Hackers and the courts
But smaller companies, some of which don’t even have an IT department, let alone dedicated IT security professionals on staff, have little choice when they find themselves in the crosshairs of a hacker. Lacking the capital to spend on security, they’ll call the police as a last-ditch attempt to protect themselves.
Unfortunately, this rarely turns out well. For starters, the police are “leery” of such requests because they view them as akin to being “used as a collection agency,” says Batista.
More to the point, he says, hacking charges are very difficult to investigate and prosecute, and even when they do catch someone and make the charges stick, the victims might not get the result they wanted. The recidivism rate for hackers is high, he says.
Batista compares the punishments meted out for hacking to ordering someone to stop swearing. The offender might avoid using colourful language for a little while, but old habits are hard to break.
“It’s the same thing with these criminals,” he says. “If they find a way in, if they hack a company and they’re successful and they generate some resources or some benefit from it, they’ll do it again to a different company. And then they’ll keep doing it until they eventually get caught and they’ll be under court orders not to play with a computer, or whatever it is.
“But within a couple years they’re going to re-offend, because that’s their skill set.”
Distributed-Denial-of-Service attacks are particularly damaging and practically impossible to prosecute in some cases, says Batista. These days, people can go online and hire a hacker from Southeast Asia for $400 to perform a DDoS attack, he says.
Canadian law enforcement officials and other Western countries are powerless to do anything because they don’t have reciprocal agreements or a history of cooperation with the origin country.
When these hackers use extortion tactics, threatening to knock down sites unless they’re paid, small businesses will be in critical condition, says Batista.
“There are some companies out there that I’m aware of that have already crossed that bridge, and they’ve had to fold up shop because they can’t afford the protection that’s required to run the business.”
The need for private security
IT security vendors are constantly warning that companies aren’t taking network security seriously enough. Some aren’t doing a proper cost-benefit analysis of why they should improve their defences, and consider it a big investment without much payoff. Medium to large enterprises often already have some sort of system in place, but need to modernize it with intelligent malware detection, inside-the-firewall security, sandboxing, DDoS protection, and so on.
Hopefully, we’ll see a more proactive approach to information protection by all businesses, including those that don’t think they can afford more than the most rudimentary on-premise network security. The fact that they’re reduced to calling the cops surely indicates how great the demand is.
The most likely route to get there would be more built-in security offered by public cloud providers, some of which offer little or none. Economies of scale make it feasible for providers to give even small companies proper security at affordable prices.
Both parties would profit from this. Given what extortionists are charging, it shouldn’t be tough sell.
Learn more by downloading the Allstream whitepaper, ‘Quantifying the Financial Risk of DDoS.’