Re: Should the cybercrime reporting be obligatory for businesses?

From: Andrijani (treebirds@hotmail.com)
Date: 03/28/02 

From: treebirds@hotmail.com (Andrijani)
Date: 27 Mar 2002 19:08:34 -0800

unruh@physics.ubc.ca (Bill Unruh) wrote in message news:<a7r8qc$dr9$1@nntp.itservices.ubc.ca>...
> In <MPG.170a9157281c9da998969b@127.0.0.1> XXXXXsebastian_cole@hushmail.comXXXXX (Sebastian Cole) writes:
>
> ]In article <d9b483d3.0203250341.32ba863f@posting.google.com>,
> ]treebirds@hotmail.com says...
> ]> Dear all,
> ]> I would like to get some comments on the topic that I post here. I
> ]> would like to get some comments for the topic that I post here.
> ]> An article in the newspaper (The AGE, March 5, 2002) that I read,
> ]> Cybercrime a $3 trillion nightmare, raises the issue about the
> ]> necessary reporting of cybercrime through law enforcement. Is it
> ]> possible to make the reporting of cybercrime as mandatory for
> ]> companies?
> ]> My own view is that it is impossible in the current situation to make
> ]> organizations report cybercrime through law enforcement. The reasons
> ]> are:
> ]> 1. the inertia of law to respond to the development of technology.
>
>
> ]irrelevent. crimes are to be reported, otherwise, it becomes a crime not
> ]reporting it.
>
> Why? What in the world are the police going to do whith that huge volume
> of information? Assault is a crime, and assault is when someone touches
> you without your permission. Is every touching to be reported to the
> police? It would be insane.
> Reporting is not some magic panacea. Are youwilling to shell out of your
> own pocket for the massive amount of paperwork this would generate? Or
> did you think it was all for free?
>
>
> ]> 3. Lastly, many companies do not have enough standard security policy
> ]> or have different view about the necessity to implement security
> ]> systems.
>
>
>
> ]companies not performing up to a set standard should be held liable for
> ]their actions. criminal prosecution of system administrators is a viable
> ]option. not report crimes should be treated as a criminal offense.
>
> Why? Jails are not full enough? Guards do not have enough to do?
> Too may judges sit in court twiddling their thumbs because they are so
> underutilised? sysadmins are too plentiful and need to be reduced?

Dear Sebastian,

Generally, people might say that it's necessary to report a crime.
However, cybercrime is unique due to the global effect of the crime
and the usage of computer (internet) to do this crime. I would like to
clarify why it is impossible to make cybercrime reporting be mandatory
for businesses in the current situation:

Firstly, Internet is a relatively new technology. When the first time
it was developed, people did not consider security as a prioritize
issue. Most of us see the benefits of this technology to our lives. As
the internet has been grown rapidly and some people use this
opportunity to do a crime, the security issues raise. At that time,
people just realize the importance of security and protection to their
system. The increasing victims of cybercrime have triggered the
necessity of using law enforcement to handle this problem. Thus, it's
very obvious that law has been lack behind. It is created once the
technology is quite well-developed and used broadly.
Yet, it's true that some effort has been taken by Law to combat this
crime However, many criminal laws still cannot tackle the cybercrime
problems.
A good web site to look at is:
http://www.uncjin.org/Documents/EightCongress.html

Even, in the last convention on cybercrime held by the European
Committee on November last year, we can see the dependency of criminal
offences on domestic laws. As we know, not all domestic law is able to
provide adequate law to prevent the crime. Therefore, effort to make
domestic laws can cooperate and closer each other needs to be taken.
See also:
http://conventions.coe.int/tratey/EN/projects/cybercrime27.htm.

Secondly, as the main purpose of most businesses is to gain profit,
money (cost-benefit analysis) is always the dominant factor in making
investment decisions. Do we need to invest in a system that cannot
return any profit??? Why do we need to implement a strong security
system if the risk from not using the system can still be acceptable?
And how much do we need to spend for the resources (experts and IT
staff), equipment, etc to create a secure system and maintain it? Do
we need to always report every cybercrime issue if it does not
potentially affect businesses or communities as a whole? Who wants to
deal with a company or a person who cannot be relied on or be
trusted????
What is the measurement of secure as different organization types will
have different needs and goals?

Therefore, it is very difficult to make the cybercrime reporting as
mandatory. It may take some time for businesses to be ready to do it.
Besides that, law, technology, and businesses should be balance.
Perhaps making mandatory for only certain organizations would be a
better approach.

Regards,
Andrijani S.

Relevant Pages