Handbook of Information Security Management:Law, Investigation, and Ethics



The largest issues affecting the decision on what to bring in (in order of priority) are information dissemination, investigative control, cost, and the associated legal issues. Once an incident is reported to law enforcement, information dissemination becomes uncontrolled. The same holds true for investigative control. Law enforcement controls the entire investigation, from beginning to end. This does not always have a negative effect, but the victim organization may have a different set of priorities.

Cost is always a concern, and the investigation costs only add to the loss initially sustained by the attack or abuse. Even law enforcement agencies, which are normally considered “free,” add to the costs because of the technical assistance that they require during the investigation.

Another area that affects law enforcement is jurisdiction. Jurisdiction is the geographic area where the crime was committed and any portion of the surrounding area over or through which the suspect passed, en route to or leaving the actual scene of the crime. Any portion of this area adjacent to the actual scene over which the suspect, or the victim, might have passed, and where evidence might be found, is considered part of the crime scene. When a system is attacked remotely, where did the crime occur? Most courts hold that the crime scene is the victim’s location. What about “en route to”? Does this suggest that the crime scene also encompasses the telecommunications path used by the attacker? If so, and a theft occurred, is this interstate transport of stolen goods? There seem to be more questions than answers, and only through cases being presented in court can precedent be set.

There are advantages and disadvantages to each of the groups previously identified. Internal investigators will know the victim’s systems best, but may lack some of the legal and forensic training. Private investigators who specialize in high-technology crime also have a number of advantages, but usually at higher cost. Private security practitioners and private investigators are also private businesses and may be more sensitive to business resumption than law enforcement.

If the victim organization decides to contact the local police department, the detective unit should be called directly. If 911 is called, a uniformed officer will arrive and possibly alert the attacker. Furthermore, the officer must create a report of the incident that will become part of a public log. Now, the chances for a discretionary dissemination of information and a covert investigation are gone. The victim organization should ask the detective to meet with it in plainclothes. When they arrive at the workplace, they should be announced as consultants. If it is appropriate for federal authorities to be present, the victim organization should inform the local authorities. Be aware that a local law enforcement agency may not be well equipped to handle high-tech crime. The majority of law enforcement agencies have limited budgets and place an emphasis on problems related to violent crime and drugs. Moreover, with technology changing so rapidly, most law enforcement officers lack the technical training to adequately investigate an alleged intrusion.

The same problems hold true for the prosecution and the judiciary. To prosecute a case successfully, both the prosecutor and the judge must have a reasonable understanding of high-technology laws and the crime in question, which is not always the case. Moreover, many of the current laws are woefully inadequate. Even though an action may be morally and ethically wrong, it is still possible that no law is violated (e.g., the LaMacchia case). Even when a law has been violated, many of these laws remain untested and lack precedent. Because of this, many prosecutors are reluctant to prosecute high-technology crime cases.

Many recent judicial decisions have indicated that judges are lenient towards the techno-criminal, just as they are with other white-collar criminals. Furthermore, the lack of technical expertise may cause “doubt,” thus rendering “not guilty” decisions. Because many of the laws concerning computer crime are new and untested, many judges are concerned about setting a precedent that may later be overturned on appeal. Some of the defenses that have been used, and accepted by the judiciary, are

  If an organization has no system security or lax system security, that organization is implying that no company concern exists. Thus, there should be no court concern.
  If a person is not informed that access is unauthorized, it can be used as a defense.
  If employees are not briefed and do not acknowledge understanding of policy and procedures, they can use it as a defense.

The Investigative Process

As with any type of criminal investigation, the goal of the investigation is to know the who, what, when, where, why, and how. It is important that the investigator log all activity and account for all time spent on the investigation. The amount of time spent on the investigation has a direct effect on the total dollar loss for the incident, which may result in greater criminal charges and, possibly, stiffer sentencing. Finally, the money spent on investigative resources can be reimbursed as compensatory damages in a successful civil action.

Once the decision is made to further investigate the incident, the next course of action for the investigative team is to establish a detailed investigative plan, including the search and seizure plan. The plan should consist of an informal strategy that will be employed throughout the investigation, including the search and seizure:

  Identify what type of system is to be seized.
  Identify the search and seizure team members.
  Determine if there is risk that the suspect will destroy evidence or cause greater losses.

