Preventing Cybercrime
by Lewis Z. Koch

Peter Sommer would like to see a new class of warning signs posted on the information superhighway: "Caution: Danger Ahead." "We are headed down the path to failure right now," says Sommer, a professor at the London School of Economics & Political Science and a respected expert on computer law.

Three versions of the signs would be needed, he says: 1. Beware of law enforcement agencies that fudge the truth about cybercrime. 2. Some paths are innately dangerous and can't be fixed. 3. Private road ahead - only safe for the wealthy and well insured.

Not quite 'just the facts'

The Feds hold a news conference announcing the imminent arrest of a suspect in "massive computer break-ins" or a "ruinous denial-of-service attack" or "theft of hundreds of thousands of credit-card numbers." But there is no arrest. Expectations are lowered. And those are just the computer crimes that make the news - most are handled with no publicity.

A month later, cybercops appear before a clearly confused congressional subcommittee, asking for more money, more wiretaps, bugs in computers and cell phones, weak encryption and permission to implement Clipper chip technology. They get at least some of what they ask for. Followed by no arrests.

Fixes that don't fix

Sooner or later, Sommer predicts, the public is going to catch on to the fact that "cyberattacks and attackers have become very sophisticated and can't be contained. A truly skilled hacker can't be traced. People are just going to have to accept that most computer crimes won't be solved. There are limits to what police can or cannot do."

Unless, of course, we're prepared to seriously compromise, even subvert, civil rights and civil liberties. Given some of the wiretapping proposals now on the table in Britain and the U.S., this is a distinct possibility.

But Sommer argues there is another choice, somewhat unpleasant, but less damaging to the fabric of society - namely, acceptance. "How do we handle the theft of car radios?" he asks. "We accept it. We accept that there is no solution, no recovery. It's nasty business, but there it is."

In other words, 'get over it'

Now, that's not going to be politically popular, so the federal government stubbornly refuses to fess up to the fact that most computer crime, especially less serious crimes, will never be solved. If the public insists that the police invest limited resources recovering stolen car radios, Sommer notes, "what's left toward solving other, more serious types of crimes?"

There are cases of people stealing millions through insider trading on the Net, multimillion-dollar fraud by boiler-chat-room stock manipulators. The latest involved an $8.4 million securities scam - and that's just one case. And according to the Government Accounting Office, an estimated $200 billion to $300 billion in Medicare fraud has been committed through self-referrals, kickbacks, bribes, overbilling and other ruses.

The challenge may require a whole new federal agency - independent of the Federal Bureau of Investigation and the National Infrastructure Protection Center - computer-savvy and mean, staffed and led by the most sophisticated geeks, and tasked - as they say in government-ese - with stopping multimillion or multibillion-dollar computer and Internet crime.

Everything else is car radios. Web page defacement? Fuggedaboudit. Credit-card theft? Hold the Web site responsible. Drive a business on the Web, it's your responsibility to get insured or pay the price.

So prove it!

Most old-fashioned crime is solved thanks to a snitch or the stupidity of the criminal. Proving computer crime is far more complex, in part because the rules of evidence in the U.S. require prosecutors to meet four very high standards, which Sommer characterized this way: "1. whether the theory or technique can be [and has been] tested, 2. the error rate associated with the method, 3. publication [of scientific articles on the subject] in a peer-reviewed journal and 4. whether the technique has gained widespread acceptance [as well as being] subject to extensive criticism."

What the government has failed to tell us is that meeting those legal standards, as they relate to computer crime, is close to impossible, given the current state of cyberforensics. Consider:

1. Theories about computer intrusion detection are just that - theories - and haven't been tested over time; they're too new.

2. No one knows the error rate associated with the method because there is no standard rating system for intrusion detection methods.

3. There are no computer crime publications analogous to, for example, the Journal of Agricultural Engineering, The New England Journal of Medicine, or Regulatory Toxicology and Pharmacology.

4. No single technique has gained widespread acceptance - to say nothing of having been subjected to extensive criticism.

"There is no magic bullet," Sommer insists, despite the popular fantasy of a so-called trace-back technology that would effortlessly track an intrusion through myriad connections, routers, switches, phone lines and computers.

Fortunately for prosecutors, most defense attorneys have scant understanding of the complex standards of proof in a computer crime case, which means many legally clueless hacker/cracker clients cop a plea. U.S. attorneys are delighted to settle for wrist-slap sentences because they avoid having to try the case and present evidence. A plea is another easy check in the win column. If defense lawyers actually understood the admissibility of cyberforensics evidence, the likelihood of a not-guilty verdict would be very high.

A conflict of interests

Cops care about arrests and convictions.

E-commerce cares about profits.

Fortunately, private security companies offer e-commerce a set of priorities more in tune with the business goals of dividends and profitability, Sommer says.

"First priority - prevention. Try to stop the theft before it occurs. Second priority - asset recovery. Get the stolen assets back," he explains. The very last priority for private security companies, Sommer says, is "the arrest, trial and conviction of the perpetrator."

So what we wind up with is a partial fix, for those wealthy enough to purchase it. And for the rest of us, peril and exposure. But can we do better? Or do we just have to "get over it?"

Lewis Z. Koch has been an investigative reporter for over 30 years. He can be reached at lzkoch@attbi.com.
