Types of computer crime
Date: November 25, 2005Source: Computer Crime Research Center
By:
NextVII. DEVELOPING COMPUTER CRIME POLICIES
As federal law enforcement efforts against computer crime have intensified, some individuals have criticized the government's efforts to address this growing problem. For example, some individuals believe that the government should not prosecute individuals who merely trespass in computer systems, absent some proof of damage (for example, the destruction of files). There have been times, unfortunately, when the unauthorized use of computers has been implicitly, if not explicitly, condoned even by those in the computer security community, thus supporting this view. Comments like, "well, that's how I got started," and "how do you expect them to learn?" are commonplace. In the past, law enforcement officers used to joke that if they caught a hacker, he would be punished with job offers. Regrettably, like many jokes, there is a grain of truth in the premise. Some well-known hackers have used their illegal activities as a line on their resumes. Other computer hackers, boasting about their illegal exploits, have opened "computer security consulting firms." Indeed, in the quest to identify and employ computer "experts," some in the computer industry have failed to recognize that their hiring practices may send inappropriate messages to the public at large.
The government's position is absolutely clear: it is not "okay" to intrude into systems without authority, and curiosity is not a justification for infringing on the privacy and property rights of others. The fact that someone has the ability to access your credit report, trade secrets, or other information does not give them the right to do so.
Moreover, victims and law enforcement agencies cannot ignore intrusions by "well intentioned, merely curious" hackers. First of all, when an intrusion is initially discovered, it is by no means clear that the perpetrator is well intentioned. The victims will not know the identity or motive of the intruder, and they will therefore have no choice but to spend time and money investigating the intrusion. They will have to change compromised passwords, thereby inconveniencing authorized users, and spend significant amounts of money and time checking and rechecking their systems for malicious programming code, trap doors, and Trojan horses. [79]
Even after the intruder is apprehended, it would be imprudent to assume, based upon age, background, and statements, that the person caused no damage to the system. Because any statement made by the intruder may be self-serving (that is, motivated by his desire to minimize culpability for illegal conduct), the victim must still fully check system integrity. Any other action would subject the victim to harsh and justifiable criticism should later problems occur. In short, even if the hacker appears to have caused no damage, his actions still require that expensive remedial measures be taken.
Even assuming, for the sake of argument, that a victim could determine satisfactorily that the intruder is a "good person," such intrusions still pose a threat to computer systems and users. First, a curious intruder, although well intentioned, may still recklessly or negligently cause damage to a computer system. Robert Morris, for example, has said that he never intended to cause such massive damage with his worm. [80] Nevertheless, he crippled more than 6,000 computers and inconvenienced numerous users. Second, a curious intruder who merely browses through a user's file is violating the privacy rights of that user.
It is misguided to suggest, as some do, that such intrusions do not warrant law enforcement intervention. An outsider who entered a company office and began reading files in a file cabinet would no doubt be arrested for trespass. Similarly, it would be improper and a violation of federal law for someone to open and read another person's mail, even if lax security, such as an unlocked mailbox, permitted the intrusion. It would be no defense, of course, that the trespasser was merely curious and had no sinister use for the information beyond finding out what the letters said.
There is no basis to treat differently a trespasser who accesses information by computer. Computer networks may provide easy access to a system, but an unauthorized user has no more right to enter than the trespasser who tests the doorknobs of private homes after travelling on the interstate highway system. The bottom line is that certain individuals insist on going where they do not belong and should not be. These individuals pose a significant risk to the public welfare if they disrupt the computer systems they access. A policy that shows no tolerance for their unauthorized access is appropriate.
Moreover, it behooves law enforcement, the professional computer community, and educators to actively promote ethical standards and educate users at the earliest possible time. For example, the current trend is to put computers in the hands of our children as early as possible, usually in grade school. This is, without a doubt, a positive development because it serves to enhance both educational and career opportunities. At the same time, however, we have not stressed that computers, improperly used, can cause serious harm to others. Therefore, it is imperative that along with early access, we stress responsible, ethical behavior. We must teach respect for privacy and property rights. And we must soundly reject arguments that advocate infringing upon those rights.
Our other enforcement policies will also be based upon sound legal principles and public policies. For example, our decision that, in appropriate cases, we will prosecute juveniles pursuant to the juvenile delinquency statutes[81] is based on the fact that many intruders, although under eighteen, are equally, if not more, capable of stealing information and damaging systems as their older counterparts. Although age will of course be a factor in deciding how to dispose of a case, we simply cannot decline to prosecute juveniles who are violating federal law and putting the nation's computers at risk.
VIII. CONCLUSION
Emerging technologies are creating new challenges for law enforcement personnel. It is a mistake to believe, however, that these problems are insurmountable. Through education and coordination—both domestic and international—and through regular updates of our laws, law enforcement can keep pace with technological advances. The next decade should offer us the benefits of living in the information age without leaving us unnecessarily vulnerable to high-tech criminals.
1 The Federal Computer Investigation Committee was formed in 1986 to develop and maintain a network of working-level experts in the computer crime area. The FCIC is an association of investigators, attorneys, and other professionals involved in the prevention, detection, investigation, and prosecution of computer crime.
2 See generally CLIFFORD STOLL, THE CUCKOO'S EGG (1990) (discussing Clifford Stoll's investigation of a spy through a maze of computers).
3 Computers throughout the world are linked via telephone lines. Hess, using a personal computer and modem, contacted a computer located at a local university in Bremen. That computer had access to Tymnet (a data carrier) and, using that service, Hess connected to the computer at Berkeley. The Berkeley computer was on the Internet, see infra note 5, and therefore had access to the Milnet (a military network containing sensitive, unclassified information). A full description of Hess's attack and Stoll's exploits can be found in Stoll's book, THE CUCKOO'S EGG. See supra note 2.
4 See United States v. Morris, 928 F.2d 504 (2d Cir. 1991). A "worm" is a self-contained computer program (unlike a "virus," which must attach itself to other programs), which duplicates itself and then attempts to penetrate computer systems and cause damage.
5 The Internet (Net) is a worldwide network linking over five million users in more than 65 countries. It continues to grow at a phenomenal pace (greater than 10% per month).
6 United States v. Riggs, 967 F.2d 561 (11th Cir. 1992). This case is an appeal arising out of the "Legion of Doom" prosecution. See also United States v. Riggs, 739 F. Supp. 414 (1990) (A separate prosecution based on the alleged theft and publication of a "911" computer text file. The case was ultimately dismissed by the court.).
7 The Advanced Research Projects Agency is part of the Department of Defense (DOD).
8 The Computer Emergency Response Team is part of the Software Engineering Institute at Carnegie Mellon, which is a federally-funded research and development center.
9 From 1991-95, the number of Internet hosts increased from approximately 750,000 to more than 5 million, an increase of over 500%. Statistics from the Computer Emergency Response Team, Carnegie Mellon University, Pittsburgh, PA.
10 In 1994, the last full year for which CERT statistics are available, CERT catalogued 2,340 security incidents involving 50,600 sites worldwide.
11 Richard Power, Current and Future Danger: A CSI Primer on Computer Crime &Information Warfare, 1995 COMPUTER SEC. INST. 1, 1-2. Only 32 of these companies were willing to quantify their losses, which amounted to $1.8 billion.
12 Id....
Add comment
Email to a Friend
