Brothels, systems administrators from hell, and radio-controlled bomb-defusing robots were just some of the topics raised by US and Australian law enforcement authorities attending a special session on global threats to IT security at the World IT Business Forum in Adelaide today.
The forum, which is a prelude to the World Congress on Information Technology 2002, tackled a broad range of thorny issues relating to cybercrime, which the FBI estimates costs companies worldwide $3 trillion a year.
While IT security is no longer just a technical problem, but a corporate governance issue for the board room, Australasian Centre for Policing Research director Commander Barbara Etter said its importance is not reflected in expenditure.
Etter said an estimated .0025 per cent of total private sector revenue is spent on IT security, which is less than the total amount spent by companies on coffee.
Citing an example of how laws are lagging behind the pace of technological change, South Australian Police Commissioner Mal Hyde said the act of visiting a brothel in Adelaide is illegal if services are paid for in cash but it is legal if paid by a credit card.
Hyde described cyberspace as a new frontier with few rules, making it an adventurer's playground.
US Department of Justice computer crime and intellectual property section deputy chief Phil Reitinger said that for the private sector the internal threat is as great as the external one, because there is no technology to protect companies from insiders.
System administrators, he said, hold the keys to the kingdom, and cited examples of what he referred to as "system administrators from hell".
Reitinger said there are plenty of examples of system administrators hacking into their own companies' networks; in one case, he said, he came across an administrator who had an effigy of his boss that was used for shooting practice. "To law enforcement, the effigy is what we call a clue," he joked.
While Reitinger said there needs to be greater information sharing between government and the private sector, he did not necessarily support mandatory reporting of security breaches.
"Law enforcement is a service provider for private industry; [its executives] need to report security breaches to us so we can quantify the problem. I understand the fears of shareholder backlash in making such breaches public, but we are schooled to keep secrets; that's what we do best," he said.
Retired FBI agent and hacker profiler Bill Tafoya, however, claimed companies should be forced by law to report security breaches.
"Accurate information on cybercrime is vital to deal with the problem effectively. Reporting should be mandatory and insurance companies should not cover losses unless they are reported to police," Tafoya said.
In his paper on cyberterrorism and information warfare, Tafoya told war stories of radio-controlled, bomb-defusing robots, the use of steganography (hiding a secret message within a larger one so that others cannot discern the presence or contents of the secret message) by al Qaeda, and the use of computers in fighting the Gulf War.
He said about 90 per cent of security breaches are amateur hacks; 9.9 per cent are hired guns with accomplished skill sets and .1 per cent are world-class agents provocateurs.