The press is full of stories and theories about the Target data intrusion because criminals stole vendor credentials for up to 110 million payment cards and personal records between Nov. 27 and Dec. 15. This has, of course, excited public condemnation and finger pointing at software suppliers like BMC. Crimes against technology are rift, yet for some reason not taken seriously. I live in the U.K. where it is a serious crime to open a letter addressed to someone else, let alone read and possibly copy the contents. However, if I put those same contents in an email and somebody intercepts and reads that email, it is not regarded as serious as opening a letter. In reality, it is a lot easier to open an envelope than an email, and the contents are just as private. Until we regard these crimes with equal severity, we will never reduce computer crim
Note that I am using the words “crime” and “criminal.” Terms like “hacker” glamourize computer crime. Which sounds worse “stolen” or “hacked”? In my personal experience, I have never worked with anybody in IT that has been sacked or prosecuted for computer crime. What would most companies do if they discovered an IT person committing computer fraud in their company? The company would probably ask them to leave, but that would be the end of it. Would you want your customers to know that their information had been misused? The result is that this person goes back into the employ pool to ply their criminal ways elsewhere.
We also have the case of Australian Julian Assange who is holed up in the Ecuadorian embassy in London. He’s wanted in Sweden for sexual assault and in the U.S. for one of the largest leaks of classified U.S. documents. He claims that if Sweden were to extradite him to the U.S., he would be tried for computer crimes and possibly executed. Interestingly, he sees sexual assault as being less important than computer crime.
Here is an interesting thought. What will happen to the perpetrators of the Target credit card breach if they live in a country that does not have an extradition treaty with the United States? Would a computer crime be sufficient to convince that country to hand over the criminals? There has been a recent example of this where a British citizen, Gary McKinnon, was accused of gaining access to nearly a hundred U.S. military and NASA computers between 2000 and 2001. He never denied the allegations, but because the sentences for his crime in the U.S. are much longer, he fought to be tried in the U.K. So here we have a dichotomy: do we try someone where they perpetrated the crime or where the target of their crimes reside? International IT laws are woefully weak.
Let’s stop putting the blame on technology companies and recognize that we are dealing with dedicated criminals who are stealing our information, cash, and reputations while leaving behind heartache. Just ask those folks who have their identities stolen. These criminals are not modern day Robin Hoods. We need to work together internationally to combat these criminals. Fix the system and change the mindset is the way forward.
What do you think?