Richard Starnes has worked with Interpol and is a security evangelist with IT training and security certification company ISC2. He is an internationally recognised expert on computer crime, invest- igation and response, so he has a good overview of the current threats, and strategies for combating them. Starnes believes the UK police have the right attitude to fight computer crime, but would be able to do a better job if they had more funding and co-operation from industry. "The US may have been [fighting computer crime] for longer on a national scale - with the exception of Scotland Yard, which set up the first dedicated computer crime unit in 1984. But the UK is probably in front with its thinking," he says.
Starnes adds that UK policing could be hampered by a lack of skills and technical resources, however. "The issue is this: the US has a lot of resources, they have programmes to train up the prosecutors and judges, the FBI has a dedicated computer crimes unit and most state police departments have the same. This is not the case in the UK," Starnes explains.
One reason for difficulties in the UK is that law enforcement agencies here often lose skilled personnel to the private sector. This is a bugbear for public sector organisations that train up employees only to see them poached by private companies able to offer higher wages.
"The issue of losing technical staff to the private sector is a risk, and it's a very old problem," says Starnes. "For a long time the public sector has been seen as the training ground for industry."
He adds, "You go into [combating] IT crime after a number of years as a detective, you get good at it and then you leave for double the salary. As an enforcement agency, you've lost that experience."
However, the loss of staff is not always simply due to better salaries in the private sector, says Starnes. "People go into law enforcement to make a contribution, but after five to 10 years they have a family and children - supporting this is difficult on a law enforcement salary," argues Starnes. "In industry you can increase your salary and reduce your working hours."
To encourage staff to stay in the public sector the government should improve the quality of the work experience, not just wages, according to Starnes. "The government should look at more innovative ways of retaining that experience," he says. "Money is a good place to start, but surveys on employee relations usually rank salary about third or fourth in terms of importance. More important things are job satisfaction and quality of life."
Starnes adds that employees' quality of life can be improved by lessening the workload and making it easier to cope with the information that comes into the organisation. The solution may therefore be to improve the way systems are linked, thus making investigations a simpler activity.
"Computer crime units are massively undermanned and under-funded. We need the ability to easily bring in intelligence, data from different parts of the government and private sector. A unified intelligence database, to properly facilitate investigations, would be a great help," says Starnes.
Starnes adds that law-enforcement personnel should also be encouraged to obtain security qualifications. This would encourage firms to report security breaches by reassuring them that the police have the skills to deal with the issues effectively.
"There is a trust element that is affecting industry's reporting of events to the law enforcement organisations. [Many companies] are very reluctant to bring the police in," Starnes argues.
The problem would be reduced if officers had recognised security qualifications, says Starnes. "Leaving a business card that makes [their qualifications] clear would instil confidence in victims," he adds.
ABOUT RICHARD STARNES
Richard Starnes is head of incident response for managed security operations at Cable & Wireless, and security evangelist at training firm ISC2.
He has served on Interpol's IT security working parties, and is a member of the Internet Crime Forum.
He has won the ISC2 award twice for co-operation between law-enforcement agencies and industry.
