Thursday 23 June 2011

Cybercrime – whose fingernails should be slowly pulled out?

Returning home on the underground from a fine performance of the opera Simon Boccanegra last night, I spotted a familiar face sitting opposite me. Why, it was none other than Professor Peter Sommer, of the LSE, surely Britain’s greatest legal mind in the field of information system security, digital investigations and digital forensics. Peter is the sort of person you try to engage before he is snapped up by the other side. As his website modestly implies: His criminal instructions have included not only the obvious “hacking” and “computer fraud” cases but also terrorism, harassment, corruption, software piracy and murder. A number of these have made headlines and a few have altered the way in which these crimes were subsequently investigated and charged.

No, he had not been at the opera. But his evening engagement was probably just as sociable, no doubt dining with some other superstars of the cybercrime world. I’m not suggesting for one moment that he was mixing with a bunch of criminals. Oh no, I’m sure that he would have been networking with those whose lives are engaged principally with the academic study of, and the battle against, cybercrime.

For those who don’t know, Simon Boccanegra has a complicated plot. Full of malevolent deeds, threats to the civil society, duplicity, mistaken identity, and evil people working their devious plans, which end in disaster for the key actor. Come to think of it, this is also a pretty apt description of cybercrime today.

I suspect that whatever gathering Peter had attended, it had also attracted some of the senior investigators who would have been well aware of the circumstances surrounding the recent detention of an Essex teenager, suspected of masterminding an international computer hacking ring. Apparently, this 19-year-old is now hailed as the “mastermind of the Lulzsec hacker group”.

According to The Telegraph, he has been charged with five offences under the Criminal Law Act and Computer Misuse Act, including an attack on the website of the Serious Organised Crime Agency on Monday. He is also alleged to have attacked the website of the British Phonographic Industry, which organises the annual Brit Awards, last October and the website of the International Federation of the Phonographic Industry last November. And, when the Brits have finished with him, he is also wanted for questioning in the US over a cyber attack on the Facebook website.

Who said that British education standards were failing? If our schools can produce people with this ability at the age of 19, I wonder what other software stars are currently lurking in their bedrooms, their skills unbeknownst to their parents. When I was a kid, I could imagine myself to be Dr Who, and fight imaginary space invaders from the comfort of my bedroom. These days, young people are capable of actually engaging in a cyber war from the comfort of their bedrooms. Their individual ingenuity is pitted against the collective experience of teams of programmers many years their senior. Yet they can still win this “unequal” battle – without ever having to go out with their mates.

But whose fingernails ought to (metaphorically) be slowly pulled out as the crime is being investigated? Should they be those of the alleged hacker – or should they be those of the programmers who originally devised the flawed protective security measures? Of course the miscreants shouldn’t hack into stuff that isn’t theirs, but surely there is also a parallel obligation on the software community not to design software which contains the flaws that are evidently so easily exploited by members of the Lulzsec group and their like. If I’m paying good money for cybersecurity, then I want the people whom I bought the product from to suffer when it lets me down. Not just their company - I want individual accountability here.

Where will it end?

In tears, for the person who proves to be the easiest target. If we’re not careful, we’ll spend too much time going after the individuals in their bedrooms, rather than using our scarce resources to create electronic defences that are robust enough to overcome unusually gifted teenagers.

