“IT crime constitutes an ‘enormous’ threat to our society!”
This is one of the headlines you can easily find in newspapers and cover articles in magazines.
The media focus on the importance of computers and networks in our daily life on the one hand, but stress the possibility for criminal misuse of this equipment on the other. This attention in the media gives the unwary very sensational headlines, which can be misused by specialists in the field to sell their products. The pressure on government services to do something about high-tech crime, which threatens our society, becomes greater every day. In the real world, our sense of security has been manipulated, but also people are made to feel insecure in the virtual world. A question we all have to ask is whether the criminal phenomena described to us by the media is realistic or do the media exaggerate the threat to us and to our society?
The simple truth is that we don't know. Governments do not know, nor does any other authority or so-called specialist. They can't give you any reliable figures about the extent to which high-tech methods are used to commit traditional crimes, or the extent to which they are used against the integrity, confidentiality and availability of computer systems, networks and computer data as well as the misuse of those systems and data.
Most of the computer crime units of different national law enforcement services state that they have an excessive workload and ask for more personnel and equipment. They also complain about not being understood by their senior management. However, when you ask them, "How heavy is the workload within your section?" or, "What information can you provide to your senior officers?" a silence falls.
The question law enforcement agencies have to ask themselves is: "Does information and communication technology (ICT) crime exist, and if so, how big is the threat arising from this phenomenon?"
Official crime statistics sometimes give a picture of computer crimes in the most restricted sense. These statistics do not report those cases where ICT equipment is used to commit traditional crimes or where ICT equipment had to be investigated to prove that a person committed a traditional offence. The statistics concerning computer-related crimes that have been kept by Interpol up to now are not useable for management purposes or for strategic analysis.
The Interpol European Working Party on Information Technology Crime (EWPITC) therefore decided to endeavor to provide an answer to these questions by sponsoring a statistics project to produce a standardized information and communication technology crimes metric. The group implemented a survey on the use of ICT in the commission of crime by sending out a questionnaire to the computer crime units of all Interpol members worldwide. As a result we discovered a number of problems in comparing the results of the respondents.
Firstly, not all the applicants could answer the EWPITC in the way they had been asked to, and secondly, due to differences in national laws, they did not use the same definitions. Only 8.4 per cent of the member states of Interpol could report useful figures. Even though the survey covered 1999-2000, most respondents only could provide figures for the year 2000.
The few answers that were received, and the irrelevance of most of the answers to the stated goals, strengthened the view that a standardization of ICT crime registration is necessary. One thing became clear from the survey - most countries are interested in a tool that can be used to measure computer crimes.
An unexpected fact is that even the computer crime units within the law enforcement agencies don't have any real idea of the workload they have. Looking at the answers, only a few details (number of cases, sometimes a division into crime categories) are measured by the units themselves. But information about things like ICT forensic investigations, which give these units the majority of their workload, could not be specified.
The conclusion that has to be drawn is that this survey, as expected, did not lead to a conclusion that is valid as a uniform statistic on ICT crime, even though some figures are useful.
Therefore the Interpol EWPITC decided to design a new questionnaire where all definitions were based on those used in the Cyber-Crime Convention of the Council of Europe. As already mentioned above, one of the main problems when comparing cybercrime figures from different countries is the inconsistency of definitions. Even within European countries there are major difficulties when one has to speak about crime levels. One can't use the technical jargon used by the ICT world or by members of the cyber underworld. For example, almost everywhere "hacking" means an act of illegal access or accessing an ICT system without authorization. However, in one country a security measure has to be broken, while in another country the simple fact of accessing is sufficient.
Other things this statistical tool will measure, and which law enforcement specialists are dealing with, are the ICT methods used by criminals, the methods used by the police to investigate these offences, the forensic methods which were deployed and the problems which were encountered by law enforcement. Interpol will also measure everyday statistics like the type of material seized during the investigation, because computer crime forensics investigations are not limited to computers, as they also have to search the memories of many different types of electronic devices.
The survey will be sent out every year in the hope that law enforcement agencies worldwide will begin to collect statistics on a unified basis, thus allowing valid comparison. With these new unified statistics, law enforcement and prosecutors will be able to conduct substantive strategic analyses of the subject. Government and law making bodies will have accurate statistics with which to evaluate and adapt legislation. It will also allow those legislative bodies to better direct international co-operative efforts. These statistics will give senior law enforcement management a better understanding of the magnitude and impact of ICT-related crime. This will allow them to develop their anti-crime strategic policy more effectively with an accurate picture of the workload of their computer crime specialists.
The reality is that in the private sector computer crime reporting is quite low, due mainly to the fear of adverse publicity; all victims file a complaint with their law enforcement services. This leads to the fact that we still have a 'black hole' in our knowledge of crimes committed in the field of ICT. Perhaps if the police could give more exact information about what is happening in the fight against the misuse of ICT-equipment or the Internet, the public would realize that it could trust things like Internet banking, e-commerce, sending emails, etc., without fear of becoming a victim. To achieve this needs the help of all public and private players in the entire ICT field to inform the public, without any hidden agenda.
Interpol is serious about its fight against criminals and the use of ICT equipment in their criminal activities. The role Interpol has taken, together with many national law enforcement officers, by investing in the work of the Interpol European Working Party on Information Technology Crime (EWPITC), and the fact that it is the first organization which has shown itself willing to maintain statistics for all the above mentioned goals, both now and in the future, confirms its commitment. Interpol has been and continues to be an example in this field for all other international police organizations.
For more information on the Interpol European Working Group on Information Technology Crime see www.interpol.int/public/technologycrime.