In recent years, our world has experienced significant changes brought on by the Internet. Data can be transferred between individuals and companies on opposite sides of the globe in mere seconds. One can browse a catalog and order a variety of products without ever leaving their home. Resources for quality research can be obtained without ever setting foot in a library.
But the Internet has also brought problems, such as new categories of crime that did not exist in the pre-computer age. Hacking and spreading computer viruses are everyday issues with computer users, and many other crimes are now being committed through the use of a remote computer, rather than in person. A criminal need no longer set foot in a bank to commit robbery -- there have been several examples of electronic bank robberies, using electronic transfers. In addition, the computer has been used to supplement already criminal behavior, such as child pornography and pyramid schemes.
The purpose of this paper is to outline types of crimes that have surfaced in this, the Information Age and to discuss technologies and procedures to minimize problems. In addition, topics of prevention and legislation which address the issue of Internet crime will be covered.
PROBLEMS RELATING TO COMPUTER CRIME
Prior to the introduction of computer networking, crimes were usually committed within one jurisdiction, be it a city, county, state, or country. But through the international networks that comprise the Internet, criminals have found a new medium. Laws, criminal justice systems, and international cooperation have not kept pace with technological changes, and only a few countries have adequate laws to address the problem. No country has resolved all the legal, enforcement, and prevention problems associated with computer crime.
On the International level, numerous factors hamper the effective prosecution of many computer crimes. First, there is no global consensus on what constitutes computer crime. Several organizations, such as the United Nations and the Organization for Economic Cooperation and Development (OECD) have attempted to address this, but their influence is sometimes limited. Given that computer crime is a relatively new phenomenon, there exists a lack of expertise on the part of police, prosecutors, and the courts in this field. Many people consider that current legal powers are inadequate for accessing computer systems in order to gain evidence in computer crimes, and there is a lack of consensus between different national procedural laws relating to the investigation of computer related crime. As with all crime, there is also a lack of global consensus on the legal definition of criminal conduct, and problems exist with extradition and law enforcement mechanisms that would permit international cooperation.
It is very difficult to determine the amount of computer crime that occurs since it is a crime that often goes undetected. A recent General Accounting Office report estimated that Department of Defense computers alone are attacked some 250,000 times yearly, with 160,000 successful entries. A similar study in May 1996 by the Defense Information Systems Agency found that as many as 250,000 attempts were made to breach defense department computer systems, and of those, 65% were successful.
It is estimated that computer fraud in the United States alone exceeds $3 billion each year. This is significant considering that less than 1% of all computer fraud cases are detected, and over 90% of computer crime goes unreported. A study of BYTE magazine readers found that 53% have suffered losses of data that cost an average of $14,000 per occurrence.
At any time, there are more than 2,500 viruses circulating worldwide, with new ones being developed daily. A survey of over 600 companies and government agencies in the United States and Canada showed that 63% found at least one virus on their computers in the past year.
TYPES OF COMPUTER-RELATED CRIME
Computer-related crime can be classified into two areas: computer crime and all crimes other than direct computer crime. Computer crime consists of acts defined as criminal by Federal or State computer crime statutes and involve the use of a computer or computer information. Other crimes are those where the computer is used in the planning and/or execution of a crime. For the purposes of this paper, we will refer to all computer-related crimes as computer crimes.
It is difficult to classify all the different types of computer crime. The
Department of Justice defines computer crimes as "any violations of the law that
involve a knowledge of computer technology for their perpetration,
investigation, or prosecution." It may be a target or the object of a crime,
it may be the physical site of the crime, or it may be the instrument used to
commit the crime. Some of the most widely known include the following:
At this point, it is impossible for networked computer users to guarantee they will be safe from computer crime. There are, however, many things they can do to lower their risk.
In order to keep access to the network limited to those with authorization, most networks now have firewalls. These hardware and software components are installed in the network and operate by checking and blocking selected incoming network traffic. Firewalls are still in their infancy, and are not foolproof.
Another feature used to protect information traveling over networked systems is encryption. Through encryption, readable text is transformed into indecipherable text which can only be deciphered by the intended receiver. Currently, there is a great deal of controversy over encryption, specifically how advanced the encryption program can be, and whether legal authorities can or should have access to the encrypted data. Government agencies, particularly those involved in National Security, are concerned that the development of sophisticated encryption programs will hamper their efforts to intercept sensitive information. For example, such agencies are often involved in monitoring the activities of anti-government organizations through deciphering communications. If these organizations are permitted to use advanced encryption programs, government agencies are concerned that the result would be a national security threat.
The biggest encryption controversy is over how tightly the government should regulate the technology. Law enforcement officials would like access, with a court order, to all systems. The Clinton administration has backed them and has supported tight controls on the export of encryption technology.
On the other side are most U.S. software companies. They maintain that export regulations make it difficult to compete with international companies that do not have to meet the same requirements. Also on this side are privacy advocates, who aim to keep the government from monitoring private conversations.
Currently, there are two bills in Congress regarding encryption. The first is the Security And Freedom Through Encryption (SAFE) Act of 1997 sponsored by Rep. Robert Goodlatte (R-Va.), and is backed by software companies. The following are specific points in the bill:
The bill includes the following provisions:
The legislation is tough on those who would use encryption technology to commit crime or use their position to violate privacy and property rights. The bill also includes a voluntary system of federal registration for key recovery agents and certificate authorities. These service providers would be required to meet minimum standards that would give users confidence that their security is being protected when using a registered agent or authority.
Another form of protecting networked data is through the use of an authentication program. These programs run checks to prove that the user or system is actually who or what it claims to be. The process of identifying an individual is usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Companies can reduce their risk by avoiding dial-in connections, or they should have trace-back protocols on the network so the network can ensure all access is authorized. Businesses operating networked computer systems should consider instituting some or all of the following components to assist in preventing computer crime:
The first comprehensive Federal computer crime statute was the Computer Fraud and Abuse Act of 1986. This Act amended Title 18 of the United States Code Section 1030 to increase penalties for six types of computer activities:
One of the most famous cases involving this statute was United States v. Morris (Second Circuit, 1991). This case regarded the 1989 prosecution of Robert Tappan Morris, a Cornell University graduate student who released a computer "worm" across the Internet as an experiment to demonstrate the inadequacies of existing computer security networks. However, the worm replicated itself and re- infested computers at a much faster rate than Morris had anticipated, causing computers across the country to come to a halt. Morris was convicted of preventing the authorized use of a "federal interest computer". However, through this case, it was determined that the Computer Fraud and Abuse Act omitted references to what is called malicious code -- computer viruses that can alter, damage or destroy computerized information.
As a result, the Computer Crime and Abuse Act was amended in 1992 to include the following acts:
One noteworthy case involving the ECPA is United States v. Riggs (11th Circuit, 1992). Riggs was a hacker who accessed a telephone company's system without authorization to download a text file detailing the operation of the company's 911 system. He then transferred the file to another computer through an interstate computer network. He was convicted, based on the ECPA, citing his use of fraudulent means to access the telephone company's system and his attempts to disguise his authorized access.
In recent years, numerous organizations have been formed to study and combat computer crime. In February of 1992, the Federal Bureau of Investigation (FBI) instituted the National Computer Crime Squad (NCCS), whose purpose is to investigate violations of the Computer Fraud and Abuse Act. Violations of the Computer Fraud and Abuse Act include intrusions into government, financial, most medical, and "Federal interest" computers. Federal interest computers are defined by law as two or more computers which involved in the criminal offense and are located in different states. Therefore, a commercial computer which is the victim of an intrusion coming from another state is a "Federal interest" computer.
The National Computer Crime Squad investigates the following types of crimes:
In 1992, the Federal Bureau of Investigation established one of the most effective groups in handling computer crime, the Computer Analysis and Response Team (CART). CART is specialized group of forensic examiners with the technical expertise and resources to examine computers, networks, storage media and computer-related materials in support of FBI investigations. The Computer Analysis and Response Team (CART) assists FBI field offices in the search and seizure of computer evidence and provides technical support for the investigation and prosecution of cases involving such evidence. CART includes a state-of-the-art forensic Laboratory comprised of computer specialists located at FBI Headquarters and a network of trained and equipped special agents assigned to both selected FBI field offices and the FBI Western Regional Computer Support Center in Pocatello, Idaho. CART conducts examinations in which information is extracted from magnetic, optical, and similar storage media and converted into a form which is usable to investigators or prosecutors.
Groups have also been formed in the private sector to combat computer crime. The CERT Coordination Center is an organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs identified during the Internet worm incident. CERT also works with the Internet community to facilitate its response to computer security events involving Internet hosts, takes proactive steps to raise the community's awareness of computer security issues, and conducts research targeted at improving the security of existing systems.
CERT provides a number of services, including 24-hour technical assistance for responding to computer security incidents, product vulnerability assistance, technical documents, and seminars. In addition, the team maintains a mailing list for CERT advisories, and provides a web site, and an anonymous FTP server where security-related documents, CERT advisories, and tools are available.
In order to increase the ability of law enforcement officials to handle computer crimes, the Federal Law Enforcement Training Center near Brunswick, Georgia now trains police officers in "cyber-sleuthing". Some of the courses offered in this program include:
The Commission, in a report released in October 1997, concluded that the "development of the computer and its astonishingly rapid improvements have ushered in the Information Age that affects almost all aspects of American commerce and society". A personal computer and a telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm. However, the Commission acknowledges that it has "not discovered an imminent attack or a credible threat sufficient to warrant a sense of immediate national crisis." Yet, according to MSNBC Online, the Commission warned President Clinton that "some kind of sneak attack -- domestic or foreign -- is inevitable."
The full text of the report is not available to the public for security reasons; therefore specific recommendations of the Commission are not available. We do know, however, that they have recommended a sector-by-sector cooperation and information sharing strategy, involving cooperation between owners and operators and appropriate government agencies, particular the National Institutes of Standards and Technology (NIST) and the National Security Agency (NSA). The Commission also recommends creating a national warning center, with companies reporting all attempts at computer break-ins. However many believe that this will not materialize, as many businesses are reluctant to reveal exactly how vulnerable they are to computer sabotage.
According to MSNBC Online, the Commission has also recommended that the government increase current spending to prevent hackers from using computer networks to sabotage U.S. infrastructure to $1 billion by 2004. As a result of numerous attempts to break into the White House electronically (daily attempts according to some sources), a $10 million contract was recently awarded to improve and protects the computers there.
It is clear that the proliferation of computers throughout the world poses numerous threats to personal, business, and national safety. Through the use of computer networks, we in the Information Age are witnessing a world without boundaries. These open communications provide citizens of the world unheard of opportunities to obtain information that would previously been unavailable. But in any society, there are individuals and factions that make use of beneficial resources for criminal means, and in this new global arena, we are faced with problems not encountered with earlier types of crime. Most laws and means of enforcement do not extend beyond governmental boundaries, making enforcement of computer crimes more difficult. Many agencies (both public and private) are working to find solutions to these problems, and progress is being made. At the same time, many governments are now cooperating when dealing with cross-national crimes.
The potential threat to individuals, businesses, and governments is substantial. Individuals could lose entire systems as a result of viruses. Businesses may be jeopardized if a competitor accesses their network and steals trade secrets. Government security could be threatened if critical systems, such as those controlling weapon systems, are illegally accessed. But the greatest threat could come as a result of attacks on critical infrastructures, such as pharmaceutical and food companies, utilities, and transportation systems.
It is vital that the nations of the world continue to work towards protecting computer networks and individual systems by enacting laws and punishments to deter potential computer criminals. They must agree on a minimum standard of what will be considered criminal so that enforcement can occur. At the same time, the computer industry must continue to develop ways to keep networks safe. This will occur through enhancing current security systems and working with the government to find an acceptable means of encryption.
However, I believe it is important for general computer users to keep the level of concern over computer crime to realistic levels. Yes, there are threats. When airlines began transporting people worldwide, there were few controls to ensure that passengers would not be subjected to terrorist acts, or that passengers would transport illegal items internationally. But over the years, we have developed safety and security measures to ensure that any risk is minimized. Yes, incomprehensible acts still occur, but those who travel realize that their risk of being involved in such a situation is slim. Our world will never be completely safe, and we should expect no more of computer networks than we do other forms of worldwide infrastructure.
The Internet is in its infancy. We are still in a learning stage. Through laws and technology, the networked computer world will continue to prosper and threats to computer security will be minimized.
 International Review of Criminal Policy -- United Nations Manual on the
Prevention and Control of Computer Related Crime. (1997, September 23).
[Online]. Available at http://www.IFS.univie.ac.at/~npr2gq1/rev4344.html.
 Rodger, Will. Cybercops Face Net Crime Wave. (1996, June 17). [Online]. Available at http://www.zdnet.com/intweek/print/960617/politics/doc1.html.
 Flick, Anthony R.. Crime and the Internet. (1997, October 3). [Online]. Available at http://www.rwc.uc.edu/bezemek/PaperW97/Flick.htm.
 Is There a Security Problem in Computing?. (1997, September 23). [Online]. Available at http://jaring/nmbu.edu/notes/security.htm.
 Rose, Lance (1995). NetLaw. Berkeley, California: Osborne McGrall-Hill. pp. 201-202.
 A Crime By Any Other Name. Church of Scientology International. (1995). [Online]. Available at http://www.theta.com/goodman/crime.htm.
 Owens, Charles L.. Computer Crimes and Computer Related or Facilitated Crimes, Statement Before the Subcommittee on Technology, Terrorism, and Governmental Information, Committee on the Judiciary, United States Senate. (1997, March 19). [Online]. Available at http://www.fbi.gov/congress/compcrm/compcrm.htm.
 A Crime By Any Other Name
 Elmer-Dewitt, Philip. Terror on the Internet, TIME Domestic. (1994, December 12). [Online]. Available at http://www.pathfinder.com/@@mtzwqQQA*x06kbeS/time/magazine/domestic/1994/941212/941212.technology.html.
 University of Michigan Information Technology Policies and Guidelines. (1997, October 14). [Online]. Available at http://www.skyinet.net/noc/pw-security.html.
 Web Spoofing: An Internet Con Game. (1997, October 14). [Online]. Available at http://www.cs.princeton.edu/sip/pub/spoofing.html.
 Voss, Natalie D.. Crime on the Internet, Jones Telecommunications and Multimedia Encyclopedia. (1997, September 23). [Online]. Available at http://www.digitalcentury.com/encyclo/update/crime.html.
 MSN (Microsoft Network) Users Hit By Credit Card Fraud. (1997, October 14). [Online]. Available at http://www.creditnet.com/cgi-bin/netforum/scams-ripoffs/a/3--1.
 Is There a Security Problem In Computing?
 Chess, David. Things That Go Bump In the Net. (1997, September 23). [Online]. Available at http://www.research.ibm.com/xw-D953.bump.
 Aguilar, Rose. Pyramid Cases at Peak of Online Fraud. C/Net. (1996, June 4). [Online]. Available at http://www.news.com/news/item/0,4,1480,00.html.
 Rodger, Will.
 ABC News Online. Feds Clamp Down on Internet Fraud. (1997, November 4). [Online]. Available at http://www.abcnews.com/sections/scitech/internetfraud1104/index.html.
 Collin, Barry. The Future of CyberTerrorism: Where the Physical and Virtual Worlds Converge. (1997, September 23). [Online]. Available at http://www.acsp.uic.edu/OICJ/CONFS/terror02.htm.
 International Review of Criminal Policy.
 Flick, Anthony R.
 Digital Security: Who Holds the Keys?. Washington Post Online. (1997, September 25). [Online]. Available at http://www.washingtonpost.com/wp-srv/tech/analysis/encryption/encrypt.htm
 SUMMARY OF THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT OF 1997. (1997, October 30). [Online]. Available at http://www.house.gov/goodlatte/enc_sum.htm.
 Kerrey, Bob (Senator). Private, Market-Based Key Recovery System Will Protect National Security and Personal Privacy. (1997, October 30). [Online]. Available at http://www.senate.gov/~kerrey/encrypt/rollcall.html
 Flick, Anthony R.
 PC Webopaedia. (1997, October 30). [Online]. Available at http://www.pcwebopaedia.com/authentication.htm  Federal Bureau of Investigation National Computer Crime Squad. (1997, October 5). [Online]. Available at http://www.fbi.gov/programs/nccs/compcrim.htm.
 Howard, John D.. An Analysis of Security Incidents On the Internet, Chapter 16, Conclusions and Recommendations. Carnegie Mellon University. (1997, April 7). [Online]. Available at http://www.cert.org:80/research/JHThesis/Chapter16.html.
 Flick, Anthony R.
 Biros, Mark J. and Urban, Thomas F.. New Computer Crime Statutes Close Loopholes. National Law Journal. (1997, September 23). Available at http://www.ljx.com/securitynet/articles/0325nlj.htm.
 Rasch, Mark D.. Computer Security: Legal Lessons in the Computer Age, Security Management. (1996, April). [Online]. Available at http://www-swiss.ai.mit.edu/6.805/articles/rasch-comp-law-html.
 Sandberg, Chris. Computer Crime and the Law, InfoNation. (1997, September 23). [Online]. Available at http://www.info-nation.com/comcrime.html.
 Biros, Mark J. and Urban, Thomas F.
 Federal Bureau of Investigation National Computer Crime Squad
 Freeh, Louis J.. Statement Before the United States Senate Committee on the Judiciary and the United States House of Representatives Committee on the Judiciary, Subcommittee on Crime. (1997, June 4). [Online]. Available at http://www.fbi.gov/congress/oversight/clear.htm]
 Investigative Operations and Support Section, Federal Bureau of Invetigation. (1997, October 14). [Online]. Available at http://www.fbi.gov/lab/report/compana.htm
 The CERT Coordination Center FAQ. (1997, August 12). [Online]. Available at http://www.cert.org/cert.faqintro.html.
 A Crime By Any Other Name.
 Federal Law Enforcement Training Center Catalog of Training Programs. (1997, October 14). [Online]. Available at http://www.ustreas.gov/treasury/bureaus/fletc/97fedcat.asc
 Report Summary: The President's Commission on Critical Infrastructure Protection. (1997, October). [Online]. Available at http://www.pccip.gov/summary.html.
 MSNBC Online. Report: Essential Computers at Risk. (1997, October). [Online]. Available at http://www.msnbc.com/news/117803.asp.
 Report Summary: The President's Commission on Critical Infrastructure Protection.
 MSNBC Online.