In 1985, in the first test case on hacking in the UK, two men were accused of forgery, essentially for using a BT phone line to break into the Duke of Edinburgh's email box. They were freed on appeal and are now both successful security consultants. Poacher turned gamekeeper remains a career option for hackers due to the intelligence of those involved, and the need for expertise in the IT industry's most secretive career niche.
But the concept of reformed hackers working within the establishment sits uneasily with many in the mainstream IT industry. For example, Charles Palmer, head of IBM's Ethical Hacking unit, believes "reformed" hackers can't be trusted, and says he wouldn't dare put clients at risk by using them.
Not surprisingly, the government is struggling to achieve the right balance of deterrent and enforcement. The fiasco over the Prince Philip hackers ultimately led to the Computer Misuse Act of 1990 and the creation of the National Hi-Tech Crime Unit in 2001, which is a focus for investigation into such activities. But with a three-year budget of just £25m and a remit covering everything from hacking to major computer fraud, most believe that it is scraping the surface at best.
Yet at least the unit has goaded the government into reviewing the Computer Misuse Act, in light of its inadequacy in dealing with denial-of-service attacks. These typically flood Web or email servers with requests and lead to system crashes.
Once again, hackers are a few years ahead of the law. They are taking advantage of the fact that firms are looking ever more favourably at Web services, but have not properly addressed the security issues. They are also exploiting the fact that many firms have recently come to rely on email, and do not yet understand the need to protect their email servers from attack.
The fact is that developing denial-of-service attacks and macro viruses are now the most popular hacker activities. Forget breaking into the Pentagon and launching a few nukes, hackers love nothing more than putting a spanner into e-commerce sites, or taking advantage of Outlook's flimsy security and raiding users' address books.
The law is not a sufficient deterrent, and it will probably be a long time before it is amended. In the meantime, firms will have to do more to protect themselves. Most are now aware of the importance of firewalls and physical protection, but their security still has gaps. The recent DTI annual Information Security Breaches survey found that only 25 percent of UK firms have a security policy in place. The DTI estimates that half of firms suffer one malicious attack each year.
The Information Assurance Advisory Council (IAAC) says 95 percent of UK companies fail to take adequate measures to protect electronic data. It argues that firms should increase security budgets from a typical one percent to between three to five percent.
For the government, funding specialist police units and changing the law to deter attacks is not a vote winner, so there is no sense of urgency. Firms therefore have to guard themselves, which requires constant vigilance and the advice of experts. It seems that well-paid jobs in the mainstream will remain an option for hackers for some time to come.
Have your say: contact IT Week
reader comments