Computer Crime Problems Research Center

Scott Charney,
Kent Alexander

COMPUTER CRIME

I. INTRODUCTION

Two photographs hung side by side on the wall. The first depicted a homicide detective's worst nightmare. A body lay twisted on the floor, a gaping wound in the chest. Across the room, on the floor, was a large pistol. On the white wall above the victim's body, scrawled in the victim's own blood, were the words, "I'll kill again, you'll never catch me."

The second photograph depicted the same room, the same victim. But in this photo, the wall was "clean." The gaping chest wound was gone, replaced with a small head wound from which blood trickled. The gun was clutched in the victim's hand.

Was this a vicious homicide, or a suicide? Which picture told the real story? Because the original photograph was taken with a digital camera, telling which photo was real, and which one was created by merely rearranging binary digits, may be difficult.

This is, of course, only a mock scenario. However, at a meeting of the Federal Computer Investigations Committee (FCIC) in 1991, a demonstration of such a scenario was provided [1]. The Committee had been established by a handful of federal and state law enforcement personnel who were among the first to appreciate how emerging technologies were providing new opportunities for criminals and creating new challenges for law enforcement officials. For this group, the point of this demonstration was not lost: an apparently ordinary photograph may not be so ordinary, and one must be technologically astute enough to realize the potential for digital alteration.

The reliability of evidence is but one issue raised by emerging technologies. More importantly, the launching of malicious programming codes through global computer networks and international hacker attacks is no longer the fanciful idea of science fiction writers and screenwriters; it is existing reality. Often termed "computer crime," the offenses actually are the product of a merger between two related but distinct technologies—computers and telecommunications. The criminal potential is enormous, and the Justice Department's introduction to crimes committed in cyberspace was indeed a startling one.

II. EARLY CASES AND A FEDERAL INITIATIVE

In 1986, an astronomer at the University of California at Berkeley was assigned to solve a vexing but apparently minor problem at the Berkeley computer laboratory [2]. Berkeley was running two accounting programs which kept track of the use of Berkeley computers and billed their users. Because these programs were tracking the same information, their results should have been the same. Yet for some unknown reason, there was a $.75 discrepancy.

Clifford Stoll's investigation revealed that an unauthorized user had penetrated the Berkeley system. This hacker had given himself an account by creating a user identification code in one accounting system, but had failed to create a similar account in the second system. Put another way, one accounting system recognized his presence and billed him while the other did not. Thus, the $.75 error.

Stoll, having already determined that there had been an unauthorized use of Berkeley's computers, contacted various federal law enforcement authorities. Not surprisingly, no federal agency expressed interest in devoting resources to a $.75 case. Undeterred, Stoll began his own investigation, keeping records of the hacker's activities and working with both local and foreign phone companies to trace the source of the attacks. Stoll ultimately discovered that the source of the attack was a German hacker, Markus Hess, who had been paid by the KGB to ferret out U.S. military secrets [3]. Thus, both the law enforcement and intelligence communities learned two valuable lessons. First, networked information is at risk from outside access. Second, the financial loss to the victim does not necessarily determine the seriousness of the intrusion, and cases cannot be screened solely on the basis of financial harm.

The Stoll adventure turned out to be the first of three specific events that, in combination, served to galvanize federal law enforcement's computer crime efforts. The second event was the Morris worm [4]. Robert Morris, a Cornell University student, developed a program in 1988 designed to attack computers throughout the Internet [5]. After the worm penetrated the target computer, it would consume the computer's available memory, resulting in the shutdown of the computer. Before the worm could be neutralized, it had crippled approximately 6,200 computers and caused over 98 million dollars in damage. If Stoll's experience taught us that our information was vulnerable, the Morris worm proved that our hardware was equally at risk.

The third critical event was a 1989 attack on BellSouth, a regional Bell operating company, by a hacker group known as the Legion of Doom (LOD)[6]. By penetrating BellSouth's administrative computers, including the Loop Maintenance Operating System (LMOS) and the Computer Operating System for Mainframe Operations (COSMOS), the LOD gained the ability to alter, disrupt, and, according to some of its members, shut down local telephone service. Considering the critical importance of communication facilities in matters of national security and emergency preparedness, as well as the telephone's central role in American life, the LOD attack cast a dark shadow on the computer revolution.

Although the Hess, Morris, and LOD cases were handled successfully, it was clear that emerging computer and telecommunications technologies would pose new challenges for the law enforcement community. Ubiquitous computing (the widespread integration of computers into our daily lives) was not simply changing the way we live, but changing the way criminals conduct business. It was imperative that the federal government develop a comprehensive program to anticipate and respond to these changes. With this in mind, the Criminal Division of the Department of Justice (DOJ) proposed, and the Attorney General's Economic Crime Council endorsed, a Computer Crime Initiative. As a result, in September 1991 a distinct Computer Crime Unit was created within the General Litigation Section of the Justice Department. On October 13, 1996, this unit was elevated to section status, and renamed the Computer Crime and Intellectual Property Section. This section now consists of eleven prosecutors assigned to work full-time on computer crime.

But what exactly is "computer crime?" Although the term is not subject to a precise definition, computer crime denotes the use of computers by individuals in one of three ways. First, a computer may be the target of the offense. In these cases, the criminal's goal is to steal information from, or cause damage to, a computer. Second, the computer may be a tool of the offense. This occurs when an individual uses a computer to facilitate some traditional offense such as fraud or theft (for example, a bank employee may use a computer program to skim small amounts of money from a large number of bank accounts, thus generating a significant sum for personal use). Third, computers are sometimes incidental to the offense, but significant to law enforcement because they contain evidence of a crime. Narcotics dealers, for example, may use a personal computer to store records pertaining to drug trafficking instead of relying on old-fashioned ledgers.

Why the great concern about computer crime? First, history teaches that criminals will frequently abuse new technologies to benefit themselves or injure others. Automobiles are an apt example. Designed to provide transportation for law-abiding individuals, the automobile soon became a target (e.g., car theft, carjacking), a tool (e.g., the getaway car in a bank robbery), and a weapon (e.g., hit-and-run). Clearly, computers are following the same route.

Moreover, concern about computer crime is being fueled by recent statistics that reveal the sheer number of intrusions and the damage being caused.

III. THE SCOPE OF THE COMPUTER CRIME PROBLEM

Published reports estimating the number of computer incidents and the damage caused by computer criminals vary widely, but even the most conservative estimates suggest that both the number of incidents and the dollar losses are staggering.

Following the Morris worm incident of 1988, the Advanced Research Projects Agency (ARPA) [7] funded the Computer Emergency Response Team (CERT) [8] at Carnegie Mellon University to help ensure the availability and security of Internet resources. Their statistics indicate that, corresponding to the phenomenal growth of the Internet [9], the number of security incidents reported to the CERT has increased by 498%, and the number of sites affected worldwide has increased by 702%. [10]

Three recent surveys of businesses further describe the depth of the problem. One survey of 246 companies revealed that the monthly rate of incidents involving the theft of proprietary information rose 260% from 1985-93 [11]. In another survey, almost one-quarter of the 898 organizations queried indicated that they had experienced some verifiable computer crime within the preceding twelve months [12]. In yet a third survey, 98.5% of the respondents indicated that their businesses had been victimized by computer criminals, with 43.3% reporting that they had been victimized more than twenty-five times. [13]

Alarming as these surveys are, security experts believe that most computer crimes are neither detected nor reported. [14] In fact, statistics compiled by one U.S. government agency support this conclusion. [15] To test the security of this agency's computers, machines were deliberately "attacked." Of the 38,000 computers targeted, the attacked machines were successfully penetrated 65% of the time. System administrators at the successfully attacked sites detected only 4% of these penetrations. Of that 4%, only 27% reported it. Put another way, of the 38,000 machines attacked, 24,700 were penetrated, only 988 realized it, and only 267 reported the attack.

Taken together, these statistics have enormous implications for law enforcement for two reasons. First, they prove that the number of computer crime cases is growing as computer and network use increases. Second, and even more important, the current number of intrusions detected drastically underrepresents the scope of the problem.

This massive underreporting is about to change, however, and we anticipate that the number of reported incidents will increase exponentially. This is due, in part, to Computer Anomaly Detection Systems (CADS), computer programs which use the power of the computer to identify suspicious activity [16]. One recent test proved that for each intrusion identified by a system administrator, CADS identified over 100 more. CADS is a relatively new security measure, and one that is increasingly being used by system administrators. Computer crime professionals are just beginning to receive cases "opened" by the computer, and when the use of CADS becomes widespread, the numbers will be staggering.

Considering the large number of unreported intrusions, it is also not surprising that published reports estimating the damage caused by computer criminals vary widely. Again, however, even conservative estimates suggest that the losses are huge. As far back as 1991, it was believed that computer fraud was costing American businesses 5 billion dollars a year [17]. Reports from other countries were similar. For example, it was reported in 1991 that computer crime in the United Kingdom cost an estimated 2.5 billion pounds annually. [18] Although total losses remain difficult to calculate, more recent reports suggest that the growth in Internet use is paralleled by a corresponding rise in financial losses. In the United States, the losses are now estimated at $10 billion. [19] In the U.K., the British Banking Association has estimated that computer fraud is now costing businesses 5 billion pounds a year. [20]

The damage, however, cannot be measured in terms of dollars alone. As Clifford Stoll's book, The Cuckoo's Egg, makes clear, computer hackers pose a threat to the security of nations. [21] High-tech spying is becoming commonplace and hacker-spies are being actively recruited. When such hackers strike, they often do so by weaving through the communications network, and it may be extremely difficult to tell where they are coming from, what their motives are, who their employers are (if anyone), and what other locations they have attacked. Although Stoll's book documents a case of military espionage, these concerns are equally applicable to industrial espionage. Recently, nearly one-half of 205 of America's largest companies reported that their computers had been attacked and penetrated; 84% of these companies assessed their damages at upwards of $50,000 per incident [22]. With the increased use of computers and computer networks for developing and storing trade secrets, serious attention must be paid to this area.

Computer criminals have even threatened the public's general health and safety, as evidenced by recent attacks upon medical research data and patient files. In one virus incident, a British health authority lost vital information from its hematology department, and an Italian university lost almost a year of AIDS research data. [23] In the northeast United States, one large hospital was attacked by a virus, and more than 40% of its patient records were destroyed. [24] Exacerbating the public's new vulnerability to these viruses, now even traditional criminals are committing their crimes in new, exploitative ways. In the early 1990s a zoologist-turned-scam-artist received a two-and-a-half year prison sentence in absentia from Italian authorities following a fraud and extortion scheme involving 20,000 virus-infected disks. [25]

In light of the many ways that computers can be misused, how do we more accurately determine the scope of the problem? One answer lies in centralized reporting. Within the government, the private sector, and the academic sector, CERTs [26] have been created. Because reporting to a CERT allows the victim to obtain immediate technical assistance, victims naturally are more likely to report intrusions. To the extent that the CERTs see a pattern in the reports—for example, a certain virus may be widespread—they can assist in repair by contacting other victims and experts who may be working on the same problem. There are now many CERTs, each having its own domain or area of concern. These individual CERTs have organized the Forum of Incident Response and Security Teams (FIRST) to coordinate their efforts.

Although centralized reporting will ultimately provide more accurate statistics, it will still not represent the full scope of the problem. Unfortunately, many victims remain unwilling to report cases of computer abuse, and this makes it more difficult to quantify precisely the amount of damage perpetrated by computer criminals. The reasons for such nonreporting vary. In some cases, it is a simple business decision. The damage may be too minimal to justify the expenditure of time and staff necessary to pursue a criminal prosecution. Or the effect on a company's stock value may be too great. Alternatively, the business may decide to handle the matter administratively or internally, especially if it can be made whole by some administrative settlement. Some firms are simply embarrassed; they are concerned that bad publicity may be generated by a public airing of the incident. Others fear that exposing their system's vulnerabilities will merely encourage additional hacker attacks.

While we are not oblivious to various business concerns, we strongly encourage victims to report all criminal law violations. Equally important, we ask that crimes be reported immediately upon detection, for time is often of the essence in high-tech cases. When incidents are not reported, follow-up investigations are impeded, and the problem is likely to get much worse much faster.

We are also aware that victims sometimes fail to report high-tech crimes because of a widespread misconception that government officials do not understand computer crimes well enough to prosecute the computer criminal. While there may have been some truth to this view five years ago, the DOJ's recent successes and extensive training programs demonstrate that this is an outdated perception. Indeed, it is important in this regard to understand the ongoing law enforcement challenge, and what is being done to meet it.

IV. UNDERSTANDING THE LAW ENFORCEMENT CHALLENGE

The increased use of computers and computer networks has raised significant challenges for law enforcement personnel. Even a relatively mundane computer use, such as a drug dealer storing records on a personal computer, raises challenges for investigators. While any federal agent can open a ledger book and begin reading paper entries, not every federal agent should be searching that personal computer. In fact, the agent executing the electronic search may not be familiar with the criminal's hardware and software, the special techniques that can be used to hide data, [27] and the special utilities that may aid his or her search efforts [28].

In fact, the different ways in which criminals can use computers has created many new challenges, not only for law enforcement, but for computer security professionals as well. Although the list is not all-inclusive, some of the following issues are critical.

A. The Shift to an Intangible Environment

The shift from a corporeal environment—where items are stored in a tangible form that can be physically carried, such as information written on paper—to an intangible, electronic environment means that computer crimes, and the methods used to investigate them, are no longer subject to traditional rules and constraints. Consider, for example, the way the crimes of theft and criminal mischief have changed. Before the advent of computer networks, the ability to steal information or damage property was to some extent determined by physical limitations. A burglar could only break so many windows and burglarize so many homes in a week. During each intrusion, he could take away only what he could carry. While this conduct is by no means trivial, the amount of property he could steal or the amount of damage he could cause was restricted by physical limitations.

In the information age, these limitations no longer apply. Criminals seeking information stored in networked computers with dial-in access can access that information from virtually anywhere in the world. The quantity of information that can be stolen, or the amount of damage that can be caused by malicious programming code, may be limited only by the speed of the network and the criminal's equipment. Moreover, such conduct can very easily occur across state and national borders.

The lack of physical boundaries not only creates opportunities for criminals, but raises novel issues for law enforcement personnel. For example, when agents seek a search warrant, Rule 41 of the Federal Rules of Criminal Procedure requires that they seek the warrant in the district where the property to be searched is located. In other words, if agents wish to search a file cabinet in lower Manhattan in New York City, they would apply for a warrant in the Southern District of New York.

But suppose an informant indicates that she was working on her computer in lower Manhattan and saw that her company was keeping a second set of books in an effort to defraud shareholders and the Internal Revenue Service. Based upon this information, agents might get a warrant from the Southern District, enter the office, and copy this critical evidence. Although this would appear to be a straightforward case, what if the informant's computer was part of a local area network (LAN) whose server—the computer on which these records were stored—was actually located in New Jersey? Would a warrant issued in New York support such a seizure? Or suppose the offending company was a multinational corporation and the server was located in a foreign country? What would be the international ramifications of executing a search on a foreign computer system without consulting that country's authorities?

The other major impact caused by the shift to intangibles is that many of the existing theft, damage, and extortion laws protect physical property. Thus, new crimes may need to be defined. [29]

B. The Commingling of Data

Another significant issue is created by commingling, which is the ability of an individual to use one computer to (1) conduct both legal and criminal activities and/or (2) store both contraband and legally possessed material. Commingling is a serious problem defying simple solution. The fact is, one computer can be used simultaneously as a storage device, a communications device (to send, store, or retrieve electronic mail), and a publishing device. Moreover, that same computer can be used simultaneously for both lawful and criminal ventures. For example, individuals who distribute child pornography or copyrighted software over computer bulletin board services (BBSs) may also be publishing a legitimate newsletter on stamp collecting or offering an electronic mail service. By seizing the BBS, we stop the illegal distribution of contraband. At the same time, we may interfere with the publication of the newsletter and the delivery of electronic mail, some of which may affect BBS users with no connection to the illegal activity.

This is by no means a theoretical problem. In Steve Jackson Games, Inc. v. United States Secret Service, [30] the government searched and seized a BBS in an effort to recover stolen information. The owner of the BBS and some of his users then sued the government, claiming a violation of (1) 42 U.S.C. § 2000aa, prohibiting the government from searching for or seizing any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, and (2) 18 U.S.C. § 2703, restricting government access to electronic communications in electronic storage. Although the district court found that the government had acted in good faith upon a valid warrant, the government was still held civilly liable and ordered to pay damages. Since a BBS investigation may involve the seizure of innocuous material that is hopelessly commingled with contraband, this difficult issue can be expected to arise frequently in the future.

C. Open vs. Secure Systems

When the Internet started as the ARPANET [31] more than twenty-five years ago, it was used primarily by large government organizations, academic institutions, and corporations—trusted users, who presented no crime problem. Of course, as the Internet became available to all, the crime problem increased. This called for increased security, such as access controls with audit trails, and keystroke monitoring that tracks the user's every keystroke and the computer's response. Significantly, these security tools generally involve surveillance; they indicate who signed on, at what time, for how long, and even the nature of their activities while logged on. These tools, if unwisely used, would allow one to monitor the keystrokes of a secretary and then announce with fanfare that the secretary was fired because of hitting the backspace key an average of twenty-two times per minute, thus proving to be a bad typist. This, of course, raises an important issue: how do we protect systems without creating an Orwellian, surveillance-style society?

D. Anonymity or Accountability

One important feature of the Internet is the availability of anonymous communications. [32] There are certainly reasons to allow anonymity in communications networks. For example, whistleblowers—individuals who wish to report misconduct by others, including government agencies or corporations—may wish to remain anonymous, fearing retribution. Those concerned about their privacy may wish to obtain information on a product, but not end up on hundreds of mailing lists for catalogs and phone solicitations. A group of rape victims may wish to convene an electronic meeting to discuss their experiences, but not reveal their identities.

There is another group of individuals who want anonymity: criminals. A primary goal of every criminal scheme is to avoid getting caught, and anonymous remote communications may help criminals avoid detection and arrest. Thus, from both a societal and a law enforcement perspective, accountability is necessary; that is, individuals who harm others must be accountable for their conduct.

This is not, however, solely a criminal law issue; it has broad civil ramifications. For example, suppose an individual sends out an electronic mail message to thousands of people claiming the boss is depressed and a sexual pervert. The individual's employer reads this message, takes offense, and consults an attorney. The goal in doing so is to sue for damages, thereby discouraging the individual from sending such defamatory messages in the future. The attorney recognizes that the case has merit but after further investigation determines that the message came through an anonymous remailer. Thus, the message writer cannot be sued, and it might be impossible to stop future transmissions or seek damages.

Obviously, this is not the type of network to which we aspire: one where individuals are repeatedly defamed, and recipients are bombarded with anonymous messages containing such material. Of course, if enough of such messages are sent to unwanted recipients, we also run the risk that user mailboxes will become cluttered with useless messages, and legitimate messages may not be delivered. It is not enough to say that anonymous messages can simply be filtered out, not if we believe as a society that anonymous messages may be important and should be received.

When discussing this issue with civil liberties groups, they frequently note that communications systems have often offered anonymity. For example, an individual can go to a pay phone and make an anonymous call, or send a letter with no signature or return address. Although this is true, the analogy is flawed. The telephone and mail systems allow predominantly one-to-one communications. Although it is possible to call thousands of people anonymously, doing so takes a lot of time, not to mention a lot of pocket change. By contrast, the one-to-many nature of the Internet alters the scope of communications.

There is, of course, a middle ground between anonymity and accountability: confidentiality. Although a user's identity is generally not known in a confidential system, his or her identity is known to a third party. Thus, in appropriate circumstances (such as through the use of a court order), the identity of a sender can be determined. The problem with this approach is that a promise of confidentiality is sometimes not enough. For example, a crime victim may hesitate to cooperate with the police, fearing retaliation from a defendant, and may ask for assurances that his identity will remain confidential. In response, the government may indicate that permanent confidentiality cannot be assured, because a public trial may be necessary. This risk of disclosure may present a serious problem for the witness, and serve to discourage the type of participation that anonymity encourages.

In the long run, we will need to find a way to balance competing interests—allowing for anonymity in appropriate places but not allowing criminals to benefit from the anonymous capabilities of the Internet. For example, police tip lines that allow for anonymous communications represent such an approach. It might be possible to allow individuals to congregate in certain places where anonymity is assured, with each individual participant on notice as to the benefits—and risks—associated with anonymous communications.

V. THE LAW ENFORCEMENT RESPONSE

A. Training, Training, and More Training

Despite some celebrated convictions, [33] there is lingering concern as to whether federal law enforcement can keep up with the rapid technological changes witnessed in the last decade. However, the Department of Justice is prepared for the challenge and, along with the Federal Bureau of Investigation (FBI), the Secret Service, and other investigative agencies, is committed to assigning highly trained prosecutors and agents to cases involving high-tech crime.

As an important first step, both the FBI and the Justice Department created dedicated computer crime units in 1991. [34] The FBI's Unit, known as the National Computer Crime Squad, is located in Tyson's Corner, Virginia, and is part of the Washington Metropolitan Field Office of the FBI. [35] It has one supervisory special agent and ten special agents dedicated to computer crime matters. The Justice Department's prosecutorial expertise is based in its Computer Crime Section, located in Washington, D.C. This Section contains eleven federal prosecutors with specialized training in computer and telecommunications technologies. Additionally, in early 1995, the DOJ initiated the Computer/Telecommunications Coordinator program in each of the ninety-three United States Attorney's Offices, designating at least one Assistant United States Attorney to serve as an in-house, high-tech expert.

The training provided to the agents and prosecutors assigned to information technology crimes never ends. They start with the fundamentals—basic computer and telecommunications hardware and software training—and move on to more advanced topics—SS7 and TCP/IP protocol training. [36] The goal is not to make them computer experts, but to ensure that they can understand the terminology used by the perpetrators and victims, interact intelligently with witnesses, and present their case in understandable terms to judges and juries.

Although training agents and prosecutors is of primary concern, part of our educational program entails speaking to computer security professionals with whom we share interests and concerns. These public appearances are significant for two reasons. First, they help us to appreciate the forces at work in the computer community and the effect they have on law enforcement. For example, the shift from "open systems" which promote connectivity and interoperability to "open but secure systems," which more strictly limit computer abuse, will create new and significant sources of evidence (for example, an intrusion detection system may provide a comprehensive record of an intruder's conduct). Our contact with computer security professionals has also allowed us to understand why, from a law enforcement perspective, security appears lax at so many computer sites: it is hard to justify the cost of security when the threat, although real, has not yet affected the day-to-day operations of a business. It is often not until an individual site is actually victimized that corporate management reacts to the computer crime problem.

The second purpose of our public appearances is to allow us to explain to computer professionals what they should expect from law enforcement if they do become a victim of computer abuse and seek our assistance. Law enforcement is continually striving to conduct thorough investigations with minimal disruption to agencies or businesses. Still, computer professionals must recognize that it is simply not possible for investigators and prosecutors to become instant experts in every type of system, in light of the wide array of computers and operating systems on the market. For instance, in the Legion of Doom case, [37] the successful prosecution would have been impossible without the perseverance, expertise, and support of BellSouth. Therefore, we will often need the victim to assist us in our efforts.

Exactly what assistance will we need? In every criminal case, we must prove both that a crime occurred and that a certain individual, or group of individuals, is responsible. Put another way, we must ascertain what was done by whom. If there was damage to a computer system, we need to know the extent of the damage and the cost of repair. If information was stolen, we need to know the type of information, how it was stolen, and its value.

How we prove identity depends upon how the crime was committed. If we suspect an insider, we will interview employees to discover who had both an opportunity and a motive to commit the crime. If an outsider is suspected, we will often be required to work closely with the telephone companies and Internet service providers to pinpoint the source of the attack. If this is the case, the victim can again provide assistance. If a computer system is actively maintaining audit trails, [38] as many do, they may provide a significant starting point in such an investigation by showing the port of entry. [39] If the victim's employees have had personal contact with the intruder, as is sometimes the case, this too will be important.

B. Domestic Coordination

The speed with which an individual engaging in computer crime can cross interstate or international boundaries to commit massive theft or cause widespread damage raises yet another concern for law enforcement: investigative coordination. Since a hacker can quickly move from state to state utilizing existing circuit-switched and public data networks,[40] many different victims may, in short order, be reporting intrusions to federal and local authorities, thus leading to parallel investigations. At the federal level alone, multiple agencies may have jurisdiction over the same federal offense. For example, the Computer Fraud and Abuse Act specifically grants concurrent jurisdiction to both the FBI and the Secret Service. [41] Additionally, if the victim is a government agency, both agency personnel and that agency's Inspector General may conduct an investigation into the hacker's conduct. In such circumstances, there is always the risk that investigators from the different agencies may unnecessarily duplicate efforts or, even worse, inadvertently interfere with one another.

The ability of computer criminals to cross state boundaries easily requires that law enforcement carefully coordinate all computer crime investigations. The same centralized reporting that is enabling us to better understand the scope of the computer crime problem also enables us to allocate resources carefully and handle multidistrict investigations. Routinely, members of the Justice Department's Computer Crime Section, the FBI, and the Secret Service share information regarding ongoing computer crime investigations. The goal is to ensure that all multidistrict or multiagency cases are coordinated from a central point or, in the vernacular, that the left hand always knows what the right hand is doing. To assist in this effort on the prosecutorial side, the United States Attorney's Offices around the country are required to report all computer crime investigations and prosecutions to the Justice Department's Computer Crime Section.

C. International Coordination

Domestic coordination solves only part of the problem. Succinctly put, computer crime is a worldwide problem calling for an organized international response.

Not surprisingly, heavily computerized countries are frequently victimized by computer-related crimes such as viruses. Less-developed countries are not immune, however. As these nations begin to computerize, they too become fertile ground for hackers. The vulnerability of both modern and modernizing nations has been highlighted by recent events:

* A Christmas card message sent over BitNet, the international academic computer network, landed in 2,800 machines on five continents, including IBM's internal network. It took only two hours for the benign virus to spread 500,000 infections worldwide, forcing IBM to shut the network down for several hours to make repairs. [42]
* Pirate bulletin boards contain information regarding computer vulnerabilities and are being used to develop and perfect new computer viruses. Such bulletin boards have been found throughout the United States as well as in Bulgaria, Italy, Sweden, and the former Soviet Union. [43]
* In China, it was reported that a computer hacker defrauded a Chinese bank of approximately $200,000 through money transfers. [44]
* Recent reports indicate highly prolific virus writers are working in Bulgaria. [45]

As on the domestic front, international computer offenses differ from traditional international crimes. First, they are easier to commit. In the narcotics context, for example, the product must be carried physically, which requires human effort, vehicles for conveyance, and a route of passage between nations. Each of these requirements poses difficulties for criminals and offers opportunities for law enforcement. We are often able to dismantle a narcotics network by apprehending a courier at the border and then turning this individual against his employers.

Such opportunities simply do not exist in the computer context. Hackers are not hampered by the existence of international boundaries because property need not be physically carried, but can be shipped covertly via telephone and data networks. A hacker needs no passport and passes no checkpoints. She simply types a command to gain entry. Additionally, there is little need for manpower because a hacker, working alone, can effectively steal as much information as she can read.

Second, computer crime has not received the emphasis that other international crimes have attracted. For an international program to be effective, the nations involved must recognize that the criminal conduct in question poses a domestic threat and that international cooperation is necessary to respond effectively to the problem. In the United States, one of the most heavily computerized nations in the world, our society has not until recently mobilized against computer criminals, despite having been the frequent target of such computerized attacks for years. [46] Although our society has now recognized the seriousness of the threat, it is not surprising that other, less computerized countries have not yet joined in our chorus of concern.

The result is that many countries have weak laws, or no laws, against computer hacking. This is a major obstacle to international cooperation because countries without computer crime laws are often reluctant to devote significant resources to investigating such offenses.

For that reason, the United States has joined international efforts to raise public consciousness about computer crime and encourage other countries to enact or strengthen their computer crime laws. In fact, other countries have been working both domestically and internationally in this area. Australia, Denmark, and the U.K. have recently arrested hackers who attacked U.S. computers, [47] and the Germans were responsible for the Cuckoo's Egg prosecutions. [48] Other countries have also been working closely with U.S. officials and share our concern about computer crime. [49] As part of this international effort, the Organization for Economic Cooperation and Development's (OECD) 1992 Guidelines for the Security of Information Systems call for prompt assistance from all parties in cases where information security has been breached. [50] Additionally, the Council of Europe's recent Recommendation R95 calls for "expedited and adequate procedures" so that evidence can be obtained internationally. [51]

VI. EXISTING LAWS AND THE NEED FOR NEW ONES

As noted above, a computer crime may simply be a high-tech rendition of a traditional offense. Thus, as in other areas of federal criminal law, one individual act may violate several criminal statutes. For example, a computerized scheme designed to steal money from the government may constitute both wire fraud [52] and theft of government property. [53] Such conduct may also violate the Computer Fraud and Abuse Act, [54] a statute specifically tailored by Congress to address computer crimes.

Last amended on October 3, 1996, the Computer Fraud and Abuse Act contains eleven separate provisions designed to protect the confidentiality, integrity, and availability of data and systems. Section 1030(a)(1) protects the confidentiality of classified information. This provision makes it a crime to knowingly access a computer without or in excess of authorization and then obtain classified information. To constitute an offense, the actor must have reason to believe that such information could be used to the injury of the United States or to the advantage of any foreign nation, and the actor must either willfully send the information to a person not entitled to receive it or willfully retain the information and fail to return it to the government. This crime is a felony. [55]

Section 1030(a)(2) contains three separate provisions which protect the confidentiality of unclassified data. This section makes it a crime to access a computer without or in excess of authority and obtain (1) financial information from a financial institution or credit reporting company, (2) any information in the possession of the government, or (3) any private information where the defendant's conduct involves interstate or foreign commerce. It is important to note that "obtaining information" includes simply reading the material. It is not necessary that the information be physically moved or copied. [56]

The penalty for a violation of this section depends on the value of the information obtained, or the use to which the information is put. Merely obtaining the information is a misdemeanor, but the crime is a felony if the offense was committed for purposes of commercial advantage or private financial gain; the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or the value of the information obtained exceeds $5,000 [57].

Section 1030(a)(3) is a strict trespass provision protecting computers used full-time or part-time by the government. Any unauthorized access violates this statute, even if no damage is done or no property is stolen. If the computer is used only part-time by the government, the prosecution must show that the defendant's conduct affected the government's use of the computer [58].

Section 1030(a)(4) punishes those who use computers in schemes to defraud victims of property. This crime proscribes an individual from knowingly and with intent to defraud accessing a "protected computer" without or in excess of authorization, and by means of such conduct furthering the intended fraud and obtaining anything of value. There is an exception which provides that if the only thing obtained is less than $5,000 of computer time, this fraud provision does not apply. [59]

The term "protected computer" is significant. A protected computer is one used exclusively by the United States or a financial institution; one used partly by the United States or a financial institution, in which the defendant's conduct affects the government's or financial institution's operation of the computer; or any computer which is used in interstate or foreign commerce or communications. The last portion of this definition is extremely important because it allows a computer owned by a private company to be a "protected computer" and thus be protected by the statute [60].

Section 1030(a)(5) creates three separate offenses, two felonies and one misdemeanor, depending upon the intent and authority of the actor. Under this provision, whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage, without authorization, to a protected computer is guilty of a felony [61]. It does not matter whether the actor is an outsider (e.g., a hacker) or an insider (e.g., a disgruntled employee); anyone who intends to cause damage without authority can be prosecuted.

Damage is broadly defined to include any impairment to the integrity or availability of data, a program, a system, or information, that (1) causes loss aggregating to at least $5,000 in value during any one-year period to one or more individuals; (2) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (3) causes physical injury to any person; or (4) threatens public health or safety. [62]

The other two provisions of 1030(a)(5) govern access without authority; that is, they only cover outsiders. An individual who intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage is guilty of a felony [63]. By contrast, an individual who intentionally accesses a protected computer without authorization and, as a result of such conduct, causes damage is guilty of a misdemeanor when it cannot be shown that the damage caused was either intentional or reckless [64].

Section 1030(a)(6) prohibits trafficking in passwords or other similar information through which a computer may be accessed without authorization if such trafficking affects interstate or foreign commerce or such computer is used by or for the government. [65]

Section 1030(a)(7) punishes anyone who, with intent to extort any money or other thing of value from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer. This provision deals with a new threat: hackers who threaten to crash systems if not given system privileges, money, or other things of value. [66]

In addition, the sentencing provisions of the Computer Fraud and Abuse Act need to be amended. First and foremost, individuals convicted under 18 U.S.C. § 1030 are sentenced pursuant to United States Sentencing Guideline § 2F1.1. [67] In determining the appropriate sentence under that Guideline, the most significant factor is the amount of loss caused by the defendant. Yet many computer crimes involve nonfinancial harms such as invasion of privacy. For example, in one recent case, the defendants stole 176 credit reports from a credit reporting company, thus acquiring personal information on many unsuspecting individuals [68]. Working with the United States Sentencing Commission's Computer Fraud Working Group, [69] the Department is seeking to have such nonmonetary harms addressed by the sentencing court.

Moreover, under current law, someone who violates the statute more than once is subject to enhanced penalties only if the same subsection is violated twice. For example, if an individual violates the computer crime statute by committing fraud by computer [70] and later commits another computer crime offense by intentionally destroying medical records, [71] that individual is not a recidivist because the conduct violated two separate subsections. The law should provide that anyone who is convicted of committing a computer offense and later uses a computer for unlawful purposes again should be subjected to enhanced penalties.

The Department of Justice will, of course, press for other appropriate changes. We have noted in the past that the provision protecting classified government information has such an enhanced specific intent requirement [72] that prosecutors would rarely if ever charge it; similar conduct is punishable under 18 U.S.C. § 793(e),[73] an espionage statute, with a lesser intent requirement. Congress also needs to consider a forfeiture provision, one that will allow government authorities to take away the defendant's computer if it is used to commit a criminal offense. As we have seen in the drug and pornography areas, the ability to take away the instrumentalities of the crime provides an excellent deterrent to further transgressions. More than that, taking away the perpetrator's weapon simply evidences good old-fashioned common sense.

The move to an intangible environment also requires that we re-evaluate those statutes that rely on the movement of corporeal items before affixing liability. For example, in United States v. Brown, [74] the Tenth Circuit held that the Interstate Transportation of Stolen Property Statute [75] did not apply to the interstate transportation of source code (computer programming code). [76] The court held that, by its very terms, the statute applies only to "goods, wares and merchandise" and that this language does not cover intangible property [77]. In the new electronic environment, however, information is often stolen electronically, [78] and the laws must be updated to address this reality.

VII. DEVELOPING COMPUTER CRIME POLICIES

As federal law enforcement efforts against computer crime have intensified, some individuals have criticized the government's efforts to address this growing problem. For example, some individuals believe that the government should not prosecute individuals who merely trespass in computer systems, absent some proof of damage (for example, the destruction of files). There have been times, unfortunately, when the unauthorized use of computers has been implicitly, if not explicitly, condoned even by those in the computer security community, thus supporting this view. Comments like, "well, that's how I got started," and "how do you expect them to learn?" are commonplace. In the past, law enforcement officers used to joke that if they caught a hacker, he would be punished with job offers. Regrettably, like many jokes, there is a grain of truth in the premise. Some well-known hackers have used their illegal activities as a line on their resumes. Other computer hackers, boasting about their illegal exploits, have opened "computer security consulting firms." Indeed, in the quest to identify and employ computer "experts," some in the computer industry have failed to recognize that their hiring practices may send inappropriate messages to the public at large.

The government's position is absolutely clear: it is not "okay" to intrude into systems without authority, and curiosity is not a justification for infringing on the privacy and property rights of others. The fact that someone has the ability to access your credit report, trade secrets, or other information does not give them the right to do so.

Moreover, victims and law enforcement agencies cannot ignore intrusions by "well intentioned, merely curious" hackers. First of all, when an intrusion is initially discovered, it is by no means clear that the perpetrator is well intentioned. The victims will not know the identity or motive of the intruder, and they will therefore have no choice but to spend time and money investigating the intrusion. They will have to change compromised passwords, thereby inconveniencing authorized users, and spend significant amounts of money and time checking and rechecking their systems for malicious programming code, trap doors, and Trojan horses. [79]

Even after the intruder is apprehended, it would be imprudent to assume, based upon age, background, and statements, that the person caused no damage to the system. Because any statement made by the intruder may be self-serving (that is, motivated by his desire to minimize culpability for illegal conduct), the victim must still fully check system integrity. Any other action would subject the victim to harsh and justifiable criticism should later problems occur. In short, even if the hacker appears to have caused no damage, his actions still require that expensive remedial measures be taken.

Even assuming, for the sake of argument, that a victim could determine satisfactorily that the intruder is a "good person," such intrusions still pose a threat to computer systems and users. First, a curious intruder, although well intentioned, may still recklessly or negligently cause damage to a computer system. Robert Morris, for example, has said that he never intended to cause such massive damage with his worm. [80] Nevertheless, he crippled more than 6,000 computers and inconvenienced numerous users. Second, a curious intruder who merely browses through a user's file is violating the privacy rights of that user.

It is misguided to suggest, as some do, that such intrusions do not warrant law enforcement intervention. An outsider who entered a company office and began reading files in a file cabinet would no doubt be arrested for trespass. Similarly, it would be improper and a violation of federal law for someone to open and read another person's mail, even if lax security, such as an unlocked mailbox, permitted the intrusion. It would be no defense, of course, that the trespasser was merely curious and had no sinister use for the information beyond finding out what the letters said.

There is no basis to treat differently a trespasser who accesses information by computer. Computer networks may provide easy access to a system, but an unauthorized user has no more right to enter than the trespasser who tests the doorknobs of private homes after travelling on the interstate highway system. The bottom line is that certain individuals insist on going where they do not belong and should not be. These individuals pose a significant risk to the public welfare if they disrupt the computer systems they access. A policy that shows no tolerance for their unauthorized access is appropriate.

Moreover, it behooves law enforcement, the professional computer community, and educators to actively promote ethical standards and educate users at the earliest possible time. For example, the current trend is to put computers in the hands of our children as early as possible, usually in grade school. This is, without a doubt, a positive development because it serves to enhance both educational and career opportunities. At the same time, however, we have not stressed that computers, improperly used, can cause serious harm to others. Therefore, it is imperative that along with early access, we stress responsible, ethical behavior. We must teach respect for privacy and property rights. And we must soundly reject arguments that advocate infringing upon those rights.

Our other enforcement policies will also be based upon sound legal principles and public policies. For example, our decision that, in appropriate cases, we will prosecute juveniles pursuant to the juvenile delinquency statutes [81] is based on the fact that many intruders, although under eighteen, are equally, if not more, capable of stealing information and damaging systems as their older counterparts. Although age will of course be a factor in deciding how to dispose of a case, we simply cannot decline to prosecute juveniles who are violating federal law and putting the nation's computers at risk.

VIII. CONCLUSION

Emerging technologies are creating new challenges for law enforcement personnel. It is a mistake to believe, however, that these problems are insurmountable. Through education and coordination—both domestic and international—and through regular updates of our laws, law enforcement can keep pace with technological advances. The next decade should offer us the benefits of living in the information age without leaving us unnecessarily vulnerable to high-tech criminals.

1 The Federal Computer Investigation Committee was formed in 1986 to develop and maintain a network of working-level experts in the computer crime area. The FCIC is an association of investigators, attorneys, and other professionals involved in the prevention, detection, investigation, and prosecution of computer crime.

2 See generally CLIFFORD STOLL, THE CUCKOO'S EGG (1990) (discussing Clifford Stoll's investigation of a spy through a maze of computers).

3 Computers throughout the world are linked via telephone lines. Hess, using a personal computer and modem, contacted a computer located at a local university in Bremen. That computer had access to Tymnet (a data carrier) and, using that service, Hess connected to the computer at Berkeley. The Berkeley computer was on the Internet, see infra note 5, and therefore had access to the Milnet (a military network containing sensitive, unclassified information). A full description of Hess's attack and Stoll's exploits can be found in Stoll's book, THE CUCKOO'S EGG. See supra note 2.

4 See United States v. Morris, 928 F.2d 504 (2d Cir. 1991). A "worm" is a self-contained computer program (unlike a "virus," which must attach itself to other programs), which duplicates itself and then attempts to penetrate computer systems and cause damage.

5 The Internet (Net) is a worldwide network linking over five million users in more than 65 countries. It continues to grow at a phenomenal pace (greater than 10% per month).

6 United States v. Riggs, 967 F.2d 561 (11th Cir. 1992). This case is an appeal arising out of the "Legion of Doom" prosecution. See also United States v. Riggs, 739 F. Supp. 414 (1990) (A separate prosecution based on the alleged theft and publication of a "911" computer text file. The case was ultimately dismissed by the court.).

7 The Advanced Research Projects Agency is part of the Department of Defense (DOD).

8 The Computer Emergency Response Team is part of the Software Engineering Institute at Carnegie Mellon, which is a federally-funded research and development center.

9 From 1991-95, the number of Internet hosts increased from approximately 750,000 to more than 5 million, an increase of over 500%. Statistics from the Computer Emergency Response Team, Carnegie Mellon University, Pittsburgh, PA.

10 In 1994, the last full year for which CERT statistics are available, CERT catalogued 2,340 security incidents involving 50,600 sites worldwide.

11 Richard Power, Current and Future Danger: A CSI Primer on Computer Crime & Information Warfare, 1995 COMPUTER SEC. INST. 1, 1-2. Only 32 of these companies were willing to quantify their losses, which amounted to $1.8 billion.

12 Id. at 2.

13 See David L. Carter & Andra J. Katz, A National Survey on Computer-Related and Technology Crime 1 (Oct. 1995) (unpublished summary findings of survey, Michigan State University).

14 Power, supra note 11, at 3.

15 GEN. ACCT. OFFICE, INFORMATION SECURITY: COMPUTER ATTACKS AT DEPARTMENT OF DEFENSE POSE INCREASING RISKS 20 (1996).

16 Computer Anomaly Detection Systems (CADS) are computer programs being developed by both the government and the private sector. A simple example is a program that monitors when individuals log on to a computer system. Assuming a certain user logs on every day between 8 a.m. and 9 a.m., the computer can notify a system administrator whenever that user's password is entered at any other time. Thus, a hacker who uses that password at 3 a.m. will be "spotted" by the computer.
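The log-on time check that this note describes, run over an audit trail of the kind note 38 describes (who signed on, when, and from where) and grouped by port of entry as the discussion of domestic investigations suggests, as an added example that is not from the article or any CADS product; the record format, user names, port names and every log line are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class LoginRecord:
    when: datetime
    user: str
    port: str    # port of entry (note 39: each path of entry maps to a port)
    origin: str  # "from where", as the audit trail recorded it

@dataclass(frozen=True)
class Finding:
    record: LoginRecord
    reason: str

# Constructed audit trail (not from the article): timestamp, user, port, origin.
# jsmith normally signs on around 8 a.m. by dial-in; rlee around 6 p.m. at the console.
AUDIT_TRAIL = """\
# time               user   port   origin
1996-03-04T08:12:00  jsmith port07 dialin-555-0142
1996-03-04T17:55:00  rlee   port01 console
1996-03-05T08:31:00  jsmith port07 dialin-555-0142
1996-03-05T18:10:00  rlee   port01 console
1996-03-06T08:05:00  jsmith port03 dialin-555-0142
1996-03-06T17:40:00  rlee   port01 console
1996-03-07T08:47:00  jsmith port07 dialin-555-0142
1996-03-08T03:02:00  jsmith port12 x25-pad-2
1996-03-08T08:20:00  jsmith port07 dialin-555-0142
1996-03-08T18:25:00  rlee   port01 console
1996-03-09T02:15:00  rlee   port12 x25-pad-2
1996-03-09T23:00:00  guest  port12 x25-pad-2
"""

def parse_audit_trail(text):
    """Parse whitespace-separated audit records; lines starting with '#' are comments."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"audit line {lineno}: expected 4 fields, got {len(fields)}")
        ts, user, port, origin = fields
        records.append(LoginRecord(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, port, origin))
    return records

def _minute_of_day(dt):
    return dt.hour * 60 + dt.minute

def learn_windows(records, cutoff):
    """Per-user (earliest, latest) minute-of-day of sign-ons seen strictly before cutoff."""
    windows = {}
    for r in records:
        if r.when >= cutoff:
            continue
        m = _minute_of_day(r.when)
        lo, hi = windows.get(r.user, (m, m))
        windows[r.user] = (min(lo, m), max(hi, m))
    return windows

def find_anomalies(records, cutoff, slack_minutes=30):
    """Flag sign-ons at or after cutoff that fall outside the user's learned window.

    An account with no baseline at all is flagged as well: a user never seen
    before the cutoff gives the administrator nothing to compare against.
    """
    windows = learn_windows(records, cutoff)
    findings = []
    for r in sorted(records, key=lambda rec: rec.when):
        if r.when < cutoff:
            continue
        window = windows.get(r.user)
        if window is None:
            findings.append(Finding(r, "no baseline for this user"))
            continue
        lo, hi = window
        m = _minute_of_day(r.when)
        if m < lo - slack_minutes or m > hi + slack_minutes:
            usual = f"{lo // 60:02d}:{lo % 60:02d}-{hi // 60:02d}:{hi % 60:02d}"
            findings.append(Finding(r, f"outside usual {usual}"))
    return findings

def ports_of_entry(findings):
    """Group flagged users by port of entry: the starting point the article describes."""
    by_port = defaultdict(list)
    for f in findings:
        by_port[f.record.port].append(f.record.user)
    return dict(by_port)

def run_example(cutoff=datetime(1996, 3, 8)):
    """Learn from the first four days of the constructed trail, then check the rest."""
    return find_anomalies(parse_audit_trail(AUDIT_TRAIL), cutoff)

if __name__ == "__main__":
    results = run_example()
    for f in results:
        r = f.record
        print(f"{r.when:%Y-%m-%d %H:%M} {r.user:<7} via {r.port} from {r.origin}: {f.reason}")
    print("ports of entry to examine:", ports_of_entry(results))
```

The three flagged sign-ons all arrived through the same port, which is exactly the kind of lead an investigator would take to the carrier to trace the connection back to its source.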

17 Katie Hafner, Computer Crimes and Misdemeanors—Morris Code, NEW REPUBLIC, Feb. 19, 1990, at 15. See also Peter Stephenson & Martin Kratz, Managers Can Take Steps to Stop Virus Attacks, INFOWORLD, Jan. 9, 1989, at 51.

18 Watch Out! There's a Computer Criminal About, FINANCIAL TIMES, Mar. 6, 1991, (citing statistics compiled by the Confederation of British Industry and PA Consulting).

19 Power, supra note 11, at 2.

20 Carter & Katz, supra note 13, at 7.

21 See STOLL, supra note 2.

22 Hardy, Firms Are Hurt by Break-Ins at Computers, WALL ST. J., Nov. 21, 1996, at B4.

23 Christopher Elliot, Experts to Classify Computer Viruses, DAILY TELEGRAPH, Mar. 10, 1991, at 2.

24 Laura DiDio, A Menace to Society (Computer Viruses May Begin to Take Their Toll in Lives as Well as Dollars), NETWORK WORLD, Feb. 6, 1989, at 71, 84.

25 Jail Sentence Following Virus Scam, COMPUTER FRAUD & SEC. BULL., June 1, 1993.

26 See supra note 8 and accompanying text.

27 For example, "compression" is the use of formulas to reduce the size of documents by replacing repeating patterns with shorter representations. "Encryption" is the use of mathematical algorithms to scramble data to protect its confidentiality.

28 For example, programs that can find hidden or deleted files.

29 See discussion on the need for legislative reform, infra Part VI.

30 816 F. Supp. 432 (W.D. Tex. 1993).

31 The Internet was originally named ARPANET because it was funded by ARPA, the Advanced Research Projects Agency. See supra note 7.

32 Today, such anonymity is possible. In fact, new technological enhancements may even allow for anonymous commerce (for example, digital cash). See John K. Halvey, The Virtual Marketplace, 45 EMORY L.J. 959 (1996).

33 See United States v. Riggs, 967 F.2d 561 (11th Cir. 1992); United States v. Morris, 928 F.2d 504 (2d Cir. 1991). See also STOLL, supra note 2.

34 The Secret Service, which is part of the Treasury Department, also has a dedicated high-tech unit, the Electronic Crimes Branch.

35 The FBI has recently created two more high-tech units, one in San Francisco and the other in New York City.

36 TCP/IP protocols are the transmission control protocol/Internet protocols used for Internet communications. SS7 stands for Signalling System 7.

37 Riggs, 967 F.2d at 561.

38 Audit trails are records which contain, for example, who signed on, what time, and from where.

39 Large computer systems often have many phone lines through which users can access the system. Each path of entry connects the user to a specific port.

40 "Circuit-switched network" generally refers to the traditional telephone network. "Public data networks" are packet-switched networks where messages are broken into small packets and independently routed to their destination.

41 See 18 U.S.C. § 1030(d) (1994).

42 Laura DiDio, Viruses Plague Networks, Jeopardize System Health, NETWORK WORLD, July 4, 1988, at 1, 30.

43 Susan Watts, Police Launch Search for Computer Virus Criminals, INDEPENDENT, Apr. 5, 1991, available in LEXIS.

44 11 COMPUTER SECURITY DIGEST 4 (1993).

45 Bulgarian Avenger Infects West's Computers, CJ INT'L, Mar.-Apr. 1991, at 12.

46 The earliest known case dates back to 1970. See Power, supra note 11, at 1.

47 Id.

48 See STOLL, supra note 2.

49 These countries include Australia, Canada, France, Germany, Japan, Sweden, and the U.K.

50 OECD, GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS, 1, 11 (1992).

51 Council Recommendation for Problems of Criminal Procedural Law Connected with Information Technology, 1995 (R 95) 9, 12.

52 See 18 U.S.C. § 1343 (1994).

53 See 18 U.S.C. § 641.

54 18 U.S.C. § 1030 (1996).

55 § 1030(a)(1).

56 § 1030(a)(2).

57 § 1030(c)(2).

58 § 1030(a)(3).

59 § 1030(a)(4).

60 § 1030(e)(2).

61 § 1030(a)(5)(A).

62 § 1030(e)(8).

63 § 1030(a)(5)(B).

64 § 1030(a)(5)(C).

65 § 1030(a)(6).

66 § 1030(a)(7).

67 U.S. SENTENCING GUIDELINES MANUAL § 2F1.1 (1995).

68 United States v. Fernandez, No. 1:92-Cr-563 (S.D.N.Y. indictment filed July 8, 1992).

69 The United States Sentencing Commission's Computer Fraud Working Group was established to review the propriety of computer crime sentences under the United States Sentencing Guidelines.

70 18 U.S.C. § 1030(a)(4).

71 § 1030(a)(5).

72 § 1030(a)(1). It requires the government to prove that the classified information was obtained "with the intent or reason to believe that such information . . . is to be used to the injury of the United States, or to the advantage of any foreign nation." Id.

73 § 793(e) (1994) (relating to unauthorized possession and disclosure of information concerning the national defense of the United States).

74 925 F.2d 1301 (10th Cir. 1991).

75 18 U.S.C. § 2314 (1994).

76 Brown, 925 F.2d at 1307-09.

77 Id.

78 See, e.g., STOLL, supra note 2.

79 "Malicious programming code" is code that causes damage to computer systems. A "trap door" is code that allows a user to enter a system without authorization. A "Trojan horse" is a program which, on its face, has a legitimate purpose, but also has a hidden feature, such as a trap door.

80 United States v. Morris, 928 F.2d 504, 506 (2d Cir. 1991).

81 18 U.S.C. § 5031-5042 (1994).


Copyright © Computer Crime Research Center, 2001-2002 All Rights Reserved.