Captain Jan Hoganson is pretty proud of Sacramento’s High-Tech Crimes Task Force, one of five task forces built with California state grants of more than $US2 million each. Agents from nine counties, the Secret Service, FBI, Postal Service, Forest Service and US Attorney’s Office all work together — most of them literally under one roof — to coordinate crime-fighting across jurisdictions and geographies. “It’s a way to break down the boundaries,” says Hoganson, who is sturdy and approachable enough to play the good cop in any Hollywood blockbuster. “We offer one-stop shopping.”
Yet few of the high-tech crimes the task force deals with are the kind that CIOs usually concern themselves with. The group got its start helping local hardware companies who had problems with products being stolen off their loading docks. Today, typical cases involve counterfeit software, stolen cellular telephones, forged checks and satellite television pirating. The group also has a computer forensics lab for doing investigations for themselves and other agencies. But cases of hacking? Not really.
Now, Hoganson is scratching his head about why. He wonders, are these kinds of cases getting swept under the carpet?
That’s what conventional wisdom suggests. In the most recent survey done by the Computer Security Institute and San Francisco FBI, only 36 per cent of respondents who experienced a computer intrusion reported it to law enforcement. The Department of Justice and the Census Bureau are puzzled enough about what’s happening that they’re launching a new survey just to learn about computer crime — never mind prosecuting it. “We’re simply trying to get a measure of what kinds of crimes are occurring, the frequency, the scope, how big the damage is, if it varies by sector,” says Ramona Rantala with the Bureau of Justice Statistics. “Everybody talks about how computer crime is growing, but nobody really knows the extent of the problem.”
According to at least one security expert, though, it may be a lot smaller than anyone expects. At least in financial services, a vast majority of security incidents do not require law enforcement, says Stephen Katz, a consultant who is the former chief information security and privacy officer for Merrill Lynch and former CISO for Citigroup. “There’s not a case,” Katz says. “There are intrusion attempts, there’s no actual money loss, there’s no actual crime.”
In the physical world, an attempted break-in — someone creeping around a loading dock at night — is indeed viewed as a crime, and a security guard would call the police department, which would send a nearby squad car to investigate. That’s not how things work in the virtual world, though, where a technician guarding an intrusion detection system could stay busy doing nothing but reporting attempted break-ins — assuming, of course, he had the permission to do so.
In the end, getting companies to report computer crimes may be both more rudimentary and more complicated than anyone hoped. Maybe the problem isn’t that companies aren’t reporting cybercrime. Maybe the problem is that they haven’t even figured out, in the computer world, exactly when a crime becomes a crime. Until companies and courts sort that out, the kinds of cases handled by Captain Hoganson’s high-tech crimes unit aren’t likely to change.