Ready to blow the whistle on a cybercrime? Who ya gonna call?

Computerworld - You stumble across evidence of a computer crime, something you believe is clearly and unequivocally against the law. Your first step is to report the crime to your employer.

But as Computerworld has reported (see Dark secrets and ugly truths: When ethics and IT collide), it isn't always so simple. Maybe your employer doesn't know how to handle the situation you've uncovered, maybe your superiors don't believe you, or, worse yet, maybe they're choosing to ignore the problem. (It's hard not to be haunted by the case of Shawn Carpenter, the network security analyst fired from Sandia National Laboratories for independently pursuing a network security breach at the company.)

If your conscience wins the ethical debate over whether to report the suspected crime to law enforcement, you'll face another hurdle: finding a law enforcement agency that will listen.

With the possible exception (we hope) of a threat to homeland security, efforts to report cybercrime can become mired in a complex web of overlapping jurisdictions or might even be totally ignored.

Asked where citizens should report various cybercrimes, FBI spokeswoman Cathy Milhoan could not offer definitive guidance. "The lines are still blurry," she acknowledges.

Who you call depends on many factors, including how much money is involved, the media used (Internet? U.S. mail? Telephone?) and whether the criminal activity originated domestically or overseas.

Local? State? Federal?

Beyond that, Milhoan declined to give specific guidance for fear of stepping on other agencies' toes. "I don't want the message to come across that everybody should report their crimes to the FBI, because a lot of state and locals, as well as other government agencies, have their own cyberteams," she says.

Milhoan ticks off a bewildering list of Web sites and agencies. For civil actions, the Federal Trade Commission might be involved. If it touches the U.S. mail, the U.S. Postal Inspector might want to hear about it.

		Related Story: Dark secrets and ugly truths: When ethics and IT collide

Even experts like Chuck Martell, managing director of investigative services at Veritas Global, sometimes struggle on where they should turn. Martell is currently handling a case in which a former IT employee gained access to the corporate network by means of a backdoor.

But the monetary damages are relatively low, only $30,000, so the U.S. Attorney's Office won't take the case.

"We're literally having a problem finding a law enforcement agency that's interested," Martell says. "We've talked with the FBI, with the state police, with the local police department, trying to get someone to take this case."

Martell has a suggestion that might at first seem counterintuitive: Make your first call to a major law firm. It will likely be able to either advise you or refer you to a private investigator who can tackle the task of figuring out where to report the crime and advise you on what to do.

Investigative firms can also immediately send in forensic specialists, a critical step to prosecuting these cases, Martell stresses. "I can't tell you how many cases [we've had in which] the IT people have attempted to preserve things or try to see what's there, and they polluted the evidence by doing that."

Tam Harbert is a Washington-based freelance journalist specializing in technology, business and public policy.

• Dark secrets and ugly truths: When ethics and IT collide
• Your boss is spying on you right now. What can you do about it?
• Outsourcing managers' group touts ethics code
• Ballmer: Linux users owe Microsoft
• Shark Bait: Ethically dicey situations
• John Monaghan's blog: Ethics in system management
• Robert Mitchell's blog: Bill Gates' piracy confession