Dr TJ McIntyre: Fight against cybercrime needs funding, not more words
Published 11/12/2015 | 02:30
Is the Irish policing system capable of tackling computer crime? A report this week from the Garda Inspectorate makes it clear that the answer is no. There is no Garda cybercrime unit, which is of serious concern given the threat posed by cybercrime to key national infrastructure such as energy, transport and telecommunications systems.
When computers are seized as part of an investigation, there have been up to four year delays before they are forensically examined - leaving offenders at large in the meantime and causing prosecutions to collapse. At a basic level, one in three gardaí do not have an email account and some stations still do not have access to the PULSE database.
This is particularly concerning as computer crime grows. Surveys show that Ireland is above the EU average for online crimes against individual users - in the most recent figures 16pc of Irish users reported their social media or email accounts being hacked and 9pc were the victim of identity theft. There are no comparable statistics for attacks against businesses, but the presence in Dublin of internet giants such as Google, Facebook and Twitter makes it all the more important that the legal system should be able to deal with crimes attacking those companies and their users.
Why has the Irish response to computer crime been so weak? The answer is one of resources and management. The Computer Crime Investigation Unit - part of the Garda Bureau of Fraud Investigation - has done good work within those constraints. In 2009 it partnered with UCD to launch a Masters in Cybercrime Investigation to train gardaí and police from across Europe. Individual gardaí from that unit have gone on to influential roles in Interpol and the European Cybercrime Centre.
But a combination of inadequate resources and increased workload have swamped the unit. Today, almost every crime is a computer crime, in the sense that mobile phones, laptops and even devices such as game consoles are likely to contain evidence. The need to forensically inspect all these devices - using outdated equipment - has resulted in several-year delays and seem to have forced the unit into a position where it is running to stand still rather than responding to new developments.
This lack of resources has been exacerbated by a failure to update the law on computer crime. The main statute in this area dates back to 1991 and is in urgent need of reform. In 2002, Ireland signed the Council of Europe Convention on Cybercrime, which establishes a harmonised set of offences in this area, and the Department of Justice stated that implementing legislation for the Convention would follow shortly. In 2005 and again in 2013 European laws were passed which also required updates to the law on cybercrime. But there is still no sign of even draft legislation, despite repeated promises from successive ministers over the last 13 years, and it seems certain that there will be no new law before the next election.
What can be done to tackle these problems? The first step is acknowledgment that there is a problem, and the Department of Justice and Garda management should be given credit for finally admitting this.
Earlier this year Justice Minister Frances Fitzgerald announced additional funding for IT within the Garda Síochána, to include new forensics systems, and the Garda Commissioner has promised more staff for this area. An important aspect of this is decentralising forensics work - reducing the burden on the Computer Crime Investigation Unit and speeding up investigations by creating regional units enabling local gardaí to carry out preliminary investigations of seized computers and telephones. Two pilot projects are under way in Wexford and Cork to assess how this can work.
More generally, however, a shift in priorities is needed in both the Department and the Garda Síochána. The ongoing failure to update computer crime legislation is unacceptable - at a minimum, the Department should depart from its usual secretive drafting process and publish a set of proposals at this point for expert input. The Department also needs to make adequate resources available to the Garda Síochána to properly police computer crimes - and Garda management in turn needs to recognise the significance of computer crime by establishing a dedicated cybercrime investigation unit.
Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law and chair of Digital Rights Ireland