Cybercrime: Business and the law on different pages
5th March 2004 (The Star)
By H. AMIR KHALID

KUALA LUMPUR: Law enforcement agencies' focus on prosecuting and sentencing perpetrators of cybercrime is sometimes at odds with corporate victims' aim of ensuring business continuity, according to Universiti Teknologi Mara's Dr Zaitun Hanim.

As such, this might affect cooperation between businesses and the law on dealing with cybercrime, she told the Third International MSC Cyberlaws Conference here.

Part of the problem in enforcing the law was that the process of investigating and prosecuting crimes could be disruptive to the victim's business, causing harm even as it tried to remedy it.

Another was that business-confidential information could be exposed in the course of the trial.

And finally, even if the culprit were convicted, cybercrime laws made no provision for the victim to receive restitution for the damage suffered.

"Apparently, companies value enforcing the law less than they do maintaining their business and profits, which is only human," she said.

What companies preferred to do in the case of a damaging cyberattack was prevent future occurrences and minimise the harm done to their reputation, which could affect future business.

To this end, their priorities were to fix their security problem, take internal disciplinary action against the wrongdoer if applicable, and resume normal business as soon as possible.

Because of these considerations, businesses were reluctant to report cybercrimes.

Dr Zaitun cited National ICT Security and Emergency Response Centre (Niser) statistics that said only a minority of victims were willing to report cyberattacks against them, because of an unwillingness to go through a legal process out of which they would get little back.

The result of the "under-reporting" was a lack of reliable information about cybercrimes, which hampered action against cybercriminals, which in turn reinforced the idea that there was little to be gained by reporting them to the authorities, she said.

Dr Zaitun suggested that law enforcement bodies establish lines of communications with the private sector and find ways to ensure confidentiality of sensitive business information.

Generally, she said, the authorities needed to be sensitive to business needs even while prosecuting crimes against those businesses.