Companies choose to leave cybercriminals unpunished
May 21, 2001
John Connell
© 2001 TechRepublic, Inc.
How would you respond if you just found out that someone,
somewhere, had been penetrating your company's computer system
and stealing or tampering with sensitive information? If your
plan is to track down the perpetrator and prosecute to the
fullest extent of the law, you're going against the grain of
how many organizations handle cybercrime incidents.
Although the exact number of nonprosecuted cases is unknown,
security experts agree that the number of cybercrimes and the
number of prosecutions are grossly disproportionate.
Surprisingly, this incongruity is not the result of failed
attempts to press charges. Rather, it's because many companies
choose to forgo the prosecution process. Here's why some
companies opt to leave cybercriminals unpunished.
The distance factor
A chief benefit of the Internet is its ability to facilitate
communication and commerce throughout the world. However, the
same technologies that bring foreign enterprises together also
invite distant hackers to invade networks.
Tom Arnold, CTO of the global transaction service provider,
CyberSource, believes that the global nature of e-commerce is
a primary reason that many victimized companies fail to
pursue perpetrators. Although a company might be able to
pinpoint the approximate origin of an attack to its system,
it's often way too complicated for the company to do anything
about the incident because it originated too far away.
"We're not talking about invasions from people down the
street. Attacks can come from Kazakhstan, Moldova, wherever.
Cybercriminals can do their damage from thousands of miles
away."
Conceivably, a domestic company could make an effort to track
down and press charges against a foreign perpetrator, but
there are countless strands of international red tape to
reckon with in the process. Moreover, the costs of conducting
an international hacker hunt often, in the end, outweigh the
damages sustained by the organization.
"In the wake of an international incident like this, a
company's resources can be better applied to preventative
measures to secure the organization from future attacks,"
says Arnold.
Exposing an Achilles' heel
When word gets out that a firm's system has been penetrated by
cyberthieves, customer and partner confidence in the firm can
fade. Often, a company's reputation takes a hit when criminals
strike. Jack Mattera, Vice President and Director of
Training for the International Association of Computer
Investigative Specialists (IACIS), claims that many firms
prefer to keep quiet about an incident rather than run the
risk of making a bad impression.
"In general, customers are already concerned about the
security of their identities and other information. If a
company can keep its customers' apprehension at bay, it
will."
When it comes to reputation, customers aren't the only faction
to worry about. Firms are reluctant to prosecute because it
involves making a lot of private information readily available
to the public and competitors through judiciary processes.
Tom Arnold says, "If a company's trade secrets or other
proprietary information is stolen or disrupted, this is not
information that a firm wants competitors to know about. While
the competition may never get their hands on the information,
just knowing that it's out there leaves the victimized firm
vulnerable."
A call for change
So if firms are reluctant to prosecute cybercriminals, are the
perpetrators being led to believe that they can get away with
the crimes? According to Jack Mattera, yes; the number of
cybercrimes will undoubtedly increase, and companies'
resistance to prosecuting people will only exacerbate the
growing number of incidents.
"Companies need to work together and go after these
people. It's clear why they're reluctant, but the situation is
only going to get worse unless efforts are made to hold
cybercriminals responsible for their actions."
But, as for now, many companies are far too guarded to work
with competitors in such risky areas as security and the
prosecution of people who have penetrated their systems.