CRIME ENTERS THE INFORMATION AGE

Susan M. Anstead, University of Maryland University College, Fall 1997 (sbell@polaris.umuc.edu OR ansteadsue@aol.com)

INTRODUCTION

In recent years, our world has experienced significant changes brought on by the Internet. Data can be transferred between individuals and companies on opposite sides of the globe in mere seconds. One can browse a catalog and order a variety of products without ever leaving their home. Resources for quality research can be obtained without ever setting foot in a library.

But the Internet has also brought problems, such as new categories of crime that did not exist in the pre-computer age. Hacking and spreading computer viruses are everyday issues with computer users, and many other crimes are now being committed through the use of a remote computer, rather than in person. A criminal need no longer set foot in a bank to commit robbery -- there have been several examples of electronic bank robberies, using electronic transfers. In addition, the computer has been used to supplement already criminal behavior, such as child pornography and pyramid schemes.

The purpose of this paper is to outline types of crimes that have surfaced in this, the Information Age and to discuss technologies and procedures to minimize problems. In addition, topics of prevention and legislation which address the issue of Internet crime will be covered.

PROBLEMS RELATING TO COMPUTER CRIME

Prior to the introduction of computer networking, crimes were usually committed within one jurisdiction, be it a city, county, state, or country. But through the international networks that comprise the Internet, criminals have found a new medium. Laws, criminal justice systems, and international cooperation have not kept pace with technological changes, and only a few countries have adequate laws to address the problem. No country has resolved all the legal, enforcement, and prevention problems associated with computer crime.

On the International level, numerous factors hamper the effective prosecution of many computer crimes. First, there is no global consensus on what constitutes computer crime. Several organizations, such as the United Nations and the Organization for Economic Cooperation and Development (OECD) have attempted to address this, but their influence is sometimes limited. Given that computer crime is a relatively new phenomenon, there exists a lack of expertise on the part of police, prosecutors, and the courts in this field. Many people consider that current legal powers are inadequate for accessing computer systems in order to gain evidence in computer crimes, and there is a lack of consensus between different national procedural laws relating to the investigation of computer related crime. As with all crime, there is also a lack of global consensus on the legal definition of criminal conduct, and problems exist with extradition and law enforcement mechanisms that would permit international cooperation.[1]

FREQUENCY

It is very difficult to determine the amount of computer crime that occurs since it is a crime that often goes undetected. A recent General Accounting Office report estimated that Department of Defense computers alone are attacked some 250,000 times yearly, with 160,000 successful entries.[2] A similar study in May 1996 by the Defense Information Systems Agency found that as many as 250,000 attempts were made to breach defense department computer systems, and of those, 65% were successful.[3]

It is estimated that computer fraud in the United States alone exceeds $3 billion each year. This is significant considering that less than 1% of all computer fraud cases are detected, and over 90% of computer crime goes unreported. A study of BYTE magazine readers found that 53% have suffered losses of data that cost an average of $14,000 per occurrence.[4]

At any time, there are more than 2,500 viruses circulating worldwide, with new ones being developed daily. A survey of over 600 companies and government agencies in the United States and Canada showed that 63% found at least one virus on their computers in the past year.[5]

TYPES OF COMPUTER-RELATED CRIME

Computer-related crime can be classified into two areas: computer crime and all crimes other than direct computer crime. Computer crime consists of acts defined as criminal by Federal or State computer crime statutes and involve the use of a computer or computer information. Other crimes are those where the computer is used in the planning and/or execution of a crime. For the purposes of this paper, we will refer to all computer-related crimes as computer crimes.[6]

It is difficult to classify all the different types of computer crime. The Department of Justice defines computer crimes as "any violations of the law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."[7] It may be a target or the object of a crime, it may be the physical site of the crime, or it may be the instrument used to commit the crime. Some of the most widely known include the following:

Computer network break-ins. By using tools installed on a remote computer, an individual breaks in to computer systems to steal data, plant viruses or "Trojan Horses," or to create problems of a less serious nature by changing user names or passwords.[8] Sometimes, network break-ins are facilitated by individuals within the organization. Kevin Poulson was so good at cracking government and military systems that the defense industry offered him a job as a security-cleared consultant, testing the integrity of Pentagon security systems. However, Poulson continued to hack his way into these systems at night, and in 1989, he was convicted on 19 counts of conspiracy, fraud, wiretapping, and money laundering. He conspired to steal classified military orders, cracked an Army computer, and snooped into an FBI investigation of former Philippine president Fernando Marcos. His indictment was later amended to include charges of espionage and possession of classified documents.[9]
Industrial espionage. The act of retrieving information about product development and marketing strategies.[10]
Copyright infringement. With the numerous number of documents available through the Internet, enforcing copyrights is becoming difficult. One of the most controversial cases of copyright infringement on the Internet involves the Church of Scientology. Dennis Erlich, a former member of the Church, loaded copies of stolen works of the Church of Scientology onto an Internet bulletin board. He was accused of violating trademarks. Erlich continued to post such materials, despite orders to cease and desist.[11]
Software piracy. Illegally copied and/or distributed software create serious financial problems for the originators of copyrighted software program. CYBERSTRIKE, an FBI investigation, recently collected evidence where individuals and groups had disseminated protected and/or restricted and copyrighted software through the use of computer bulletin boards systems, Internet FTP, and Internet IRC.[12] In addition there is a common problem with software licenses. According to the law, a license must exist for each copy of software installed on a computer. However, particularly in many office environments, programs are simply copied from one computer to another.
Child pornography. This is one of the few computer crimes that is illegal both on and off the Internet. It involves images of children in varying stages of dress and performing a variety of sexual acts. A recent child pornography case involving Bulletin Board Systems (BBS) extended beyond the online world. Gene Howland and Daniel Van Deusen ran a BBS containing graphic sex stories and images, including child pornography. Using this bulletin board, they lured two teenage boys to their home and sexually assaulted them. Both Howland and Van Deusen were indicted on charges of sexual assault, aggravated sexual assault, and indecency with a child.[13]
"Mail bombings" (assault). With the increase in the use of electronic mail has come the problem of individuals instructing a computer to repeatedly send electronic mail to a specified person's e-mail address, thus overwhelming the recipient's personal account and potentially shutting down the entire system. Many question if this is illegal, but it is certainly disruptive. An example of mail bombings involved Michelle Slatella and Josh Quittner. Someone jammed their mailboxes with thousands of unwanted pieces of e-mail, finally shutting down their Internet access. In addition, their telephone had been reprogrammed to forward calls to an out-of-state number, where callers heard lewd messages.[14]
Password sniffers. Programs have been developed that monitor and record the name and password of network users as they log in, jeopardizing security at a site. Security experts at Carnegie Mellon University estimated last year that more than a million passwords have already been stolen on the Internet.[15]
Spoofing. In order to gain access to a system that might otherwise be restricted, one computer can be disguised to "look" like another. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.[16]
Credit card fraud. The United States Secret Service believes that half a million dollars may be lost annually by consumers who have credit card and calling card numbers stolen from online databases.[17] MSN Australia sent all local customers a warning e-mail in April 1997, alerting users to a "rogue message." This message demanded that subscribers' forward their credit card numbers, bank name, address and other confidential details to a source claiming to be the "MSN Credit Department." The fraudulent e-mail claimed: "Due to a complicated problem with our system, we have lost the information that links your account's sign-on name and password with our billing record." Customers were requested to provide their normally confidential details immediately. For complying, users were promised a 50 per cent discount on their next monthly bill. MSN denied sending the original message.[18]
Viruses. A program that spreads by making copies of itself. It is generally spread by writing copies of themselves into other programs or into boot records of disks. Viruses can cause various types of problems, from making strange graphics appear on the screen to crashing an entire network.

Boot sector infector. A virus that hides in the boot sector of a disk or the partition of a hard disk and takes over control of the computer system when it is booted.[19]
Application program infector. Those viruses which attach to any executable file, usually COM or EXE files. It will infect every program run until the computer is shut off.[20]
Macro virus. A virus which attaches to a word-processing or spreadsheet file as a macro. Once the file is accessed, it replaces the standard macro with the virus which infects all subsequent documents.[21]
Trojan Horses. A program hidden in a downloaded file that does something that the programmer intended but that the user would not want if they knew about it in advance. It can programmed to delete files or damage the hard drive. It can read any file that the system has read-access to, and send it anywhere via electronic mail. It can alter files that the system has write-access to.[22]
Worms. A self-sufficient program that spreads by spawning copies of itself on other hosts in the network.[23]
Logic or time bomb. A program that is activated or triggered after or during a certain event, such as after a certain number of executions or on a certain day.[24]

Fraud. Illegal entrepreneurs and businesses on the Internet have appeared throughout the Internet, including pyramids and other supposed money-making schemes.[25] An example of recent online fraud involved Fortuna Alliance, an alleged pyramid scheme run over the World Wide Web. The Federal Trade Commission (FTC) officials estimate that this scheme pulled in more than $6 million by promising investors $5,250 monthly for an investment of no more than $250 each month.[26] Another recent situation involved consumers having their computer modems switched automatically to expensive international numbers when trying to download special software to view sexually explicit images for free. Without the users' knowledge, their modem was disconnected, and then redialed a 900-type number routed through the former Soviet Republic of Moldavia and terminated in Canada. This resulted in the users getting hefty phone bills, often totaling hundreds or thousands of dollars. On November 3, 1997, the FTC ruled that these consumers will get full credit for the calls, totally more than $2.74 million.[27]
Terrorism. Although this has not yet become a serious issue at this point, there is much concern that it will in the future. Some of the concerns include the possibility of individuals:

remotely accessing processing control systems of food manufacturers and changing the levels of supplements to toxic levels;
placing computerized bombs around a city, all simultaneously transmitting a unique numeric pattern, with each bomb receiving the other's patterns. If one bomb stops transmitting, all the bombs detonate;
disrupting banks, international financial transactions, and stock exchanges;
attacking air traffic control systems; and
remotely altering formulas of medications of pharmaceutical manufacturers.[28]

In 1986, the Organization for Economic Cooperation and Development (OECD) published the report Computer-Related Crime: Analysis of Legal Policy which surveyed the existing laws and proposals for reform in a number of Member States and recommended a list of abuses that countries should consider prohibiting and penalizing by criminal laws. These include:

"The input, alteration, erasure, and/or suppression of computer data and/or computer programs made willfully with the intent to commit an illegal transfer of funds or of another thing of value."
"The input, alteration, erasure, and/or suppression of computer data and/or computer programs, or other interference with computer systems, made willfully with the intent to hinder the functioning of a computer and/or telecommunication system."
"The input, alteration, erasure, and/or suppression of computer data and/or computer programs made willfully with the intent to commit forgery."
"The infringement of the exclusive right of the owner of a protected computer program with the intent to exploit commercially the program and put in on the market."
"The access to or the interception of a computer and/or telecommunication system made knowingly and without the authorization of the person responsible for the system, either by infringement of security measures or for other dishonest or harmful intentions."[29]

PREVENTION

At this point, it is impossible for networked computer users to guarantee they will be safe from computer crime. There are, however, many things they can do to lower their risk.

In order to keep access to the network limited to those with authorization, most networks now have firewalls. These hardware and software components are installed in the network and operate by checking and blocking selected incoming network traffic. Firewalls are still in their infancy, and are not foolproof.[30]

Another feature used to protect information traveling over networked systems is encryption. Through encryption, readable text is transformed into indecipherable text which can only be deciphered by the intended receiver. Currently, there is a great deal of controversy over encryption, specifically how advanced the encryption program can be, and whether legal authorities can or should have access to the encrypted data. Government agencies, particularly those involved in National Security, are concerned that the development of sophisticated encryption programs will hamper their efforts to intercept sensitive information. For example, such agencies are often involved in monitoring the activities of anti-government organizations through deciphering communications. If these organizations are permitted to use advanced encryption programs, government agencies are concerned that the result would be a national security threat.[31]

The biggest encryption controversy is over how tightly the government should regulate the technology. Law enforcement officials would like access, with a court order, to all systems. The Clinton administration has backed them and has supported tight controls on the export of encryption technology.

On the other side are most U.S. software companies. They maintain that export regulations make it difficult to compete with international companies that do not have to meet the same requirements. Also on this side are privacy advocates, who aim to keep the government from monitoring private conversations.[32]

Currently, there are two bills in Congress regarding encryption. The first is the Security And Freedom Through Encryption (SAFE) Act of 1997 sponsored by Rep. Robert Goodlatte (R-Va.), and is backed by software companies.[33] The following are specific points in the bill:

Gives all Americans the freedom to use any type of encryption anywhere in the world, and allows the sale of any type of encryption domestically;
Prohibits the government from creating a back door into peoples' computer systems (mandatory key escrow);
Creates criminal penalties for the unlawful use of encryption in furtherance of a crime -- up to 5 years imprisonment for a first offense, and up to 10 years for each subsequent offense; and
Modernizes U.S. export controls to permit the export of generally available software, and other types of software and hardware under a license if a product with comparable security is commercially available from foreign suppliers (creates a level playing field).[34]

The second bill, sponsored by Sen. John McCain (R-Ariz) and Sen. Robert Kerrey (D-Neb.) is the Secure Public Networks Act (SPNA), which has the support of the Senate Commerce, Science, and Transportation Committee. According to the sponsors, this legislation relies on market incentives rather than strict mandates to enhance security on public networks, and punishes those who violate privacy laws. It creates a basis for using security measures necessary for network commerce and communications without compromising the government's ability to fight crime and terrorism.[35]

The bill includes the following provisions:

creates strong privacy protections for network users;
preserves the rights of private citizens to use encryption;
creates market-based incentives for the development and deployment of encryption systems that use key recovery technology;
limits government access to decoding keys;
penalizes those who would abuse their authority to violate privacy;
provides for immediate liberalization of the rules for the export of encryption products without a license; and
requires continuous review of encryption export policies to assure that only a national security finding by the President can block the free export of encryption products generally available in foreign markets.[36]

The bill also provides for speedy processing of individual licenses that permit the sale of controlled encryption products to foreign customers. The SPNA makes it easier to export encryption software than current law.[37]

The legislation is tough on those who would use encryption technology to commit crime or use their position to violate privacy and property rights. The bill also includes a voluntary system of federal registration for key recovery agents and certificate authorities. These service providers would be required to meet minimum standards that would give users confidence that their security is being protected when using a registered agent or authority.[38]

Another form of protecting networked data is through the use of an authentication program. These programs run checks to prove that the user or system is actually who or what it claims to be.[39] The process of identifying an individual is usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.[40]

Companies can reduce their risk by avoiding dial-in connections, or they should have trace-back protocols on the network so the network can ensure all access is authorized.[41] Businesses operating networked computer systems should consider instituting some or all of the following components to assist in preventing computer crime:

Placing a login banner to ensure that unauthorized users are warned that they be subject to monitoring;
Turning on audit trails;
Using keystroke level monitoring if the warning banner is displayed;
Requesting trap and tracing from the local telephone company; and
Using Caller Identification.[42]

Those companies who provide Internet access should consider the following additional measures:

Provide protocols and software that encrypt the user name, password, and IP address combinations at the source;
Provide protocols and software that prevent access to files of encrypted passwords;
Deliver systems to customers in a secure state;
Develop protocols and programs with reasonable protections against denial- of-service attacks; and
Accelerate development of protocols and programs that provide reasonable privacy for such user programs as e-mail.[43]

Although much of the responsibility for preventing computer crime falls on businesses, individuals connected to networks should also undertake steps to protect themselves. These include:

Backing up important files;
Using a good password for network access controls;
Ensuring permissions are set properly on files that can be accessed by others;
Encrypting, or storing offline, files that are particularly sensitive;
Not sending user identification items, such as social security numbers, addresses, phone numbers, personal data, or credit card numbers across the Internet unless it is encrypted at the source; and
Using an encryption program if you want e-mail to be private.[44]

LAWS

The first comprehensive Federal computer crime statute was the Computer Fraud and Abuse Act of 1986.[45] This Act amended Title 18 of the United States Code Section 1030 to increase penalties for six types of computer activities:

the unauthorized access of a computer to obtain information of national security with the intent to injure the United States or give advantage to a foreign nation;
the unauthorized access of a computer to obtain protected financial or credit information;
the unauthorized access into a computer system used by the federal government;
the unauthorized interstate or foreign access of a computer system with an intent to defraud;
the unauthorized interstate or foreign access of computer systems that results in at least $1,000 damage; and
the fraudulent trafficking in computer passwords affecting interstate commerce.[46]

Violations of this Act can result in result in fines and up to 20 years in prison.[47]

One of the most famous cases involving this statute was United States v. Morris (Second Circuit, 1991).[48] This case regarded the 1989 prosecution of Robert Tappan Morris, a Cornell University graduate student who released a computer "worm" across the Internet as an experiment to demonstrate the inadequacies of existing computer security networks. However, the worm replicated itself and re- infested computers at a much faster rate than Morris had anticipated, causing computers across the country to come to a halt. Morris was convicted of preventing the authorized use of a "federal interest computer". However, through this case, it was determined that the Computer Fraud and Abuse Act omitted references to what is called malicious code -- computer viruses that can alter, damage or destroy computerized information.[49]

As a result, the Computer Crime and Abuse Act was amended in 1992 to include the following acts:

those who, without the knowledge and authorization of the persons or entities who own or are responsible for a computer, bring about the transmission of a program, information, code, or command to a computer or computer system with the intent to cause damage to the computer or information in the computer or prevent the use of the system;
those who act with reckless disregard or with a substantial and unjustifiable risk of damage or loss, and would create a civil cause of disregard or a substantial and unjustifiable risk of damage or loss, and would create a civil cause of action to obtain compensatory damages or injunctive relief for any person who suffers damage or loss by reason of a violation of this section; and
those who destroy e-mail messages or access them without authorization.[50]

In another attempt to legislate computer crimes, Congress amended the federal wiretap law in 1986, passing the Electronic Communications Privacy Act (ECPA) to expand federal jurisdiction and to criminalize the unauthorized interception of stored and transmitted electronic communications.[51] Specific provisions of the ECPA include the following acts:

the interception of electronic communications sent over wire, radio, or optical facilities (Interception includes listening in on these communications.);
intentionally disclosing (or attempting to disclose) to another person the contents of any electronic communication where the contents were obtained through the illegal interception of an electronic communication;
intentionally using (or trying to use) the contents of an illegally intercepted electronic communication; and
accessing facilities through which electronic communications are provided if the individual making access did not have authorization to do so, and they obtained access to any communication stored on that facility, altered any communication stored on that facility, or prevented authorized access to communications stored there.[52]

Depending on which provision of the ECPA is violated, penalties can include fines up to $250,000 and/or up to one year in prison.[53]

One noteworthy case involving the ECPA is United States v. Riggs (11th Circuit, 1992).[54] Riggs was a hacker who accessed a telephone company's system without authorization to download a text file detailing the operation of the company's 911 system. He then transferred the file to another computer through an interstate computer network. He was convicted, based on the ECPA, citing his use of fraudulent means to access the telephone company's system and his attempts to disguise his authorized access.[55]

GROUPS

In recent years, numerous organizations have been formed to study and combat computer crime. In February of 1992, the Federal Bureau of Investigation (FBI) instituted the National Computer Crime Squad (NCCS), whose purpose is to investigate violations of the Computer Fraud and Abuse Act.[56] Violations of the Computer Fraud and Abuse Act include intrusions into government, financial, most medical, and "Federal interest" computers. Federal interest computers are defined by law as two or more computers which involved in the criminal offense and are located in different states. Therefore, a commercial computer which is the victim of an intrusion coming from another state is a "Federal interest" computer.[57]

The National Computer Crime Squad investigates the following types of crimes:

intrusions of the Public Switched Network (telephone networks);
major computer network intrusions;
network integrity violations;
privacy violation;
industrial espionage;
pirated computer software; and
other crimes where the computer is a major factor in committing the criminal offense.[58]

New and evolving computer and information technologies present law enforcement with the challenge of protecting the nation's critical infrastructures and electronic networks from criminal and terrorist computer attacks. As a result, the FBI has established the Computer Investigations and Infrastructure Threat Assessment Center (CITAC) to coordinate the criminal, counterterrorism and counterintelligence responsibilities of the FBI relating to computer intrusions and threats.[59] Its creation allows the FBI to view cases from both law enforcement and counterintelligence perspectives. CITAC and the components under CITAC will provide support for law enforcement at all levels, and every Special Agent in Charge of an FBI field office has a working group of local officials identifying critical infrastructure vulnerabilities, as well as planning and preparing for foreseeable contingencies.[60]

In 1992, the Federal Bureau of Investigation established one of the most effective groups in handling computer crime, the Computer Analysis and Response Team (CART).[61] CART is specialized group of forensic examiners with the technical expertise and resources to examine computers, networks, storage media and computer-related materials in support of FBI investigations. The Computer Analysis and Response Team (CART) assists FBI field offices in the search and seizure of computer evidence and provides technical support for the investigation and prosecution of cases involving such evidence. CART includes a state-of-the-art forensic Laboratory comprised of computer specialists located at FBI Headquarters and a network of trained and equipped special agents assigned to both selected FBI field offices and the FBI Western Regional Computer Support Center in Pocatello, Idaho. CART conducts examinations in which information is extracted from magnetic, optical, and similar storage media and converted into a form which is usable to investigators or prosecutors.[62]

Groups have also been formed in the private sector to combat computer crime. The CERT Coordination Center is an organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs identified during the Internet worm incident. CERT also works with the Internet community to facilitate its response to computer security events involving Internet hosts, takes proactive steps to raise the community's awareness of computer security issues, and conducts research targeted at improving the security of existing systems.[63]

CERT provides a number of services, including 24-hour technical assistance for responding to computer security incidents, product vulnerability assistance, technical documents, and seminars. In addition, the team maintains a mailing list for CERT advisories, and provides a web site, and an anonymous FTP server where security-related documents, CERT advisories, and tools are available.[64]

In order to increase the ability of law enforcement officials to handle computer crimes, the Federal Law Enforcement Training Center near Brunswick, Georgia now trains police officers in "cyber-sleuthing".[65] Some of the courses offered in this program include:

Computer Evidence Analysis Training Program;
Criminal Investigations in an Automated Environment Training Program;
International Financial Fraud Training Program;
Microcomputers for Investigators Training Program;
Seized Computer and Evidence Recovery Specialist;
Telecommunications Fraud Training Program;
White Collar Crime Training Program; and
Windows Applications for Investigators Training Program.[66]

Even the White House has become involved in the study of computer crime. On July 15, 1996, President Clinton signed Executive Order 13010 establishing the President's Commission on Critical Infrastructure Protection.[67] The Commission was chartered to conduct a comprehensive review and recommend a national policy for protecting critical infrastructures and assuring their continued operation. A large part of the Commission's studies involve computer threats.

The Commission, in a report released in October 1997, concluded that the "development of the computer and its astonishingly rapid improvements have ushered in the Information Age that affects almost all aspects of American commerce and society".[68] A personal computer and a telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm. However, the Commission acknowledges that it has "not discovered an imminent attack or a credible threat sufficient to warrant a sense of immediate national crisis."[69] Yet, according to MSNBC Online, the Commission warned President Clinton that "some kind of sneak attack -- domestic or foreign -- is inevitable."[70]

The full text of the report is not available to the public for security reasons; therefore specific recommendations of the Commission are not available. We do know, however, that they have recommended a sector-by-sector cooperation and information sharing strategy, involving cooperation between owners and operators and appropriate government agencies, particular the National Institutes of Standards and Technology (NIST) and the National Security Agency (NSA).[71] The Commission also recommends creating a national warning center, with companies reporting all attempts at computer break-ins. However many believe that this will not materialize, as many businesses are reluctant to reveal exactly how vulnerable they are to computer sabotage.[72]

According to MSNBC Online, the Commission has also recommended that the government increase current spending to prevent hackers from using computer networks to sabotage U.S. infrastructure to $1 billion by 2004.[73] As a result of numerous attempts to break into the White House electronically (daily attempts according to some sources), a $10 million contract was recently awarded to improve and protects the computers there.[74]

CONCLUSION

It is clear that the proliferation of computers throughout the world poses numerous threats to personal, business, and national safety. Through the use of computer networks, we in the Information Age are witnessing a world without boundaries. These open communications provide citizens of the world unheard of opportunities to obtain information that would previously been unavailable. But in any society, there are individuals and factions that make use of beneficial resources for criminal means, and in this new global arena, we are faced with problems not encountered with earlier types of crime. Most laws and means of enforcement do not extend beyond governmental boundaries, making enforcement of computer crimes more difficult. Many agencies (both public and private) are working to find solutions to these problems, and progress is being made. At the same time, many governments are now cooperating when dealing with cross-national crimes.

The potential threat to individuals, businesses, and governments is substantial. Individuals could lose entire systems as a result of viruses. Businesses may be jeopardized if a competitor accesses their network and steals trade secrets. Government security could be threatened if critical systems, such as those controlling weapon systems, are illegally accessed. But the greatest threat could come as a result of attacks on critical infrastructures, such as pharmaceutical and food companies, utilities, and transportation systems.

It is vital that the nations of the world continue to work towards protecting computer networks and individual systems by enacting laws and punishments to deter potential computer criminals. They must agree on a minimum standard of what will be considered criminal so that enforcement can occur. At the same time, the computer industry must continue to develop ways to keep networks safe. This will occur through enhancing current security systems and working with the government to find an acceptable means of encryption.

However, I believe it is important for general computer users to keep the level of concern over computer crime to realistic levels. Yes, there are threats. When airlines began transporting people worldwide, there were few controls to ensure that passengers would not be subjected to terrorist acts, or that passengers would transport illegal items internationally. But over the years, we have developed safety and security measures to ensure that any risk is minimized. Yes, incomprehensible acts still occur, but those who travel realize that their risk of being involved in such a situation is slim. Our world will never be completely safe, and we should expect no more of computer networks than we do other forms of worldwide infrastructure.

The Internet is in its infancy. We are still in a learning stage. Through laws and technology, the networked computer world will continue to prosper and threats to computer security will be minimized.

@1997, Susan Marie Anstead Bell, University of Maryland University College. (sbell@polaris.umuc.edu OR ansteadsue@aol.com)

ENDNOTES

[1] International Review of Criminal Policy -- United Nations Manual on the Prevention and Control of Computer Related Crime. (1997, September 23). [Online]. Available at http://www.IFS.univie.ac.at/~npr2gq1/rev4344.html.
[2] Rodger, Will. Cybercops Face Net Crime Wave. (1996, June 17). [Online]. Available at http://www.zdnet.com/intweek/print/960617/politics/doc1.html.
[3] Flick, Anthony R.. Crime and the Internet. (1997, October 3). [Online]. Available at http://www.rwc.uc.edu/bezemek/PaperW97/Flick.htm.
[4] Is There a Security Problem in Computing?. (1997, September 23). [Online]. Available at http://jaring/nmbu.edu/notes/security.htm.
[5] IBID
[6] Rose, Lance (1995). NetLaw. Berkeley, California: Osborne McGrall-Hill. pp. 201-202.
[7] A Crime By Any Other Name. Church of Scientology International. (1995). [Online]. Available at http://www.theta.com/goodman/crime.htm.
[8] IBID
[9] IBID
[10] IBID
[11] IBID
[12] Owens, Charles L.. Computer Crimes and Computer Related or Facilitated Crimes, Statement Before the Subcommittee on Technology, Terrorism, and Governmental Information, Committee on the Judiciary, United States Senate. (1997, March 19). [Online]. Available at http://www.fbi.gov/congress/compcrm/compcrm.htm.
[13] A Crime By Any Other Name
[14] Elmer-Dewitt, Philip. Terror on the Internet, TIME Domestic. (1994, December 12). [Online]. Available at http://www.pathfinder.com/@@mtzwqQQA*x06kbeS/time/magazine/domestic/1994/941212/941212.technology.html.
[15] University of Michigan Information Technology Policies and Guidelines. (1997, October 14). [Online]. Available at http://www.skyinet.net/noc/pw-security.html.
[16] Web Spoofing: An Internet Con Game. (1997, October 14). [Online]. Available at http://www.cs.princeton.edu/sip/pub/spoofing.html.
[17] Voss, Natalie D.. Crime on the Internet, Jones Telecommunications and Multimedia Encyclopedia. (1997, September 23). [Online]. Available at http://www.digitalcentury.com/encyclo/update/crime.html.
[18] MSN (Microsoft Network) Users Hit By Credit Card Fraud. (1997, October 14). [Online]. Available at http://www.creditnet.com/cgi-bin/netforum/scams-ripoffs/a/3--1.
[19] Is There a Security Problem In Computing?
[20] IBID
[21] IBID
[22] Chess, David. Things That Go Bump In the Net. (1997, September 23). [Online]. Available at http://www.research.ibm.com/xw-D953.bump.
[23] IBID
[24] IBID
[25] Aguilar, Rose. Pyramid Cases at Peak of Online Fraud. C/Net. (1996, June 4). [Online]. Available at http://www.news.com/news/item/0,4,1480,00.html.
[26] Rodger, Will.
[27] ABC News Online. Feds Clamp Down on Internet Fraud. (1997, November 4). [Online]. Available at http://www.abcnews.com/sections/scitech/internetfraud1104/index.html.
[28] Collin, Barry. The Future of CyberTerrorism: Where the Physical and Virtual Worlds Converge. (1997, September 23). [Online]. Available at http://www.acsp.uic.edu/OICJ/CONFS/terror02.htm.
[29] International Review of Criminal Policy.
[30] Flick, Anthony R.
[31] IBID
[32] Digital Security: Who Holds the Keys?. Washington Post Online. (1997, September 25). [Online]. Available at http://www.washingtonpost.com/wp-srv/tech/analysis/encryption/encrypt.htm
[33] SUMMARY OF THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT OF 1997. (1997, October 30). [Online]. Available at http://www.house.gov/goodlatte/enc_sum.htm.
[34] IBID
[35] Kerrey, Bob (Senator). Private, Market-Based Key Recovery System Will Protect National Security and Personal Privacy. (1997, October 30). [Online]. Available at http://www.senate.gov/~kerrey/encrypt/rollcall.html
[36] IBID
[37] IBID
[38] IBID
[39] Flick, Anthony R.
[40] PC Webopaedia. (1997, October 30). [Online]. Available at http://www.pcwebopaedia.com/authentication.htm [41] Federal Bureau of Investigation National Computer Crime Squad. (1997, October 5). [Online]. Available at http://www.fbi.gov/programs/nccs/compcrim.htm.
[42] IBID
[43] Howard, John D.. An Analysis of Security Incidents On the Internet, Chapter 16, Conclusions and Recommendations. Carnegie Mellon University. (1997, April 7). [Online]. Available at http://www.cert.org:80/research/JHThesis/Chapter16.html.
[44] IBID
[45] Flick, Anthony R.
[46] IBID
[47] IBID
[48] Biros, Mark J. and Urban, Thomas F.. New Computer Crime Statutes Close Loopholes. National Law Journal. (1997, September 23). Available at http://www.ljx.com/securitynet/articles/0325nlj.htm.
[49] IBID
[50] Rasch, Mark D.. Computer Security: Legal Lessons in the Computer Age, Security Management. (1996, April). [Online]. Available at http://www-swiss.ai.mit.edu/6.805/articles/rasch-comp-law-html.
[51] Sandberg, Chris. Computer Crime and the Law, InfoNation. (1997, September 23). [Online]. Available at http://www.info-nation.com/comcrime.html.
[52] IBID
[53] IBID
[54] Biros, Mark J. and Urban, Thomas F.
[55] IBID
[56] Federal Bureau of Investigation National Computer Crime Squad
[57] IBID
[58] IBID
[59] Freeh, Louis J.. Statement Before the United States Senate Committee on the Judiciary and the United States House of Representatives Committee on the Judiciary, Subcommittee on Crime. (1997, June 4). [Online]. Available at http://www.fbi.gov/congress/oversight/clear.htm]
[60] IBID
[61] IBID
[62] Investigative Operations and Support Section, Federal Bureau of Invetigation. (1997, October 14). [Online]. Available at http://www.fbi.gov/lab/report/compana.htm
[63] The CERT Coordination Center FAQ. (1997, August 12). [Online]. Available at http://www.cert.org/cert.faqintro.html.
[64] IBID
[65] A Crime By Any Other Name.
[66] Federal Law Enforcement Training Center Catalog of Training Programs. (1997, October 14). [Online]. Available at http://www.ustreas.gov/treasury/bureaus/fletc/97fedcat.asc
[67] Report Summary: The President's Commission on Critical Infrastructure Protection. (1997, October). [Online]. Available at http://www.pccip.gov/summary.html.
[68] IBID
[69] IBID
[70] MSNBC Online. Report: Essential Computers at Risk. (1997, October). [Online]. Available at http://www.msnbc.com/news/117803.asp.
[71] Report Summary: The President's Commission on Critical Infrastructure Protection.
[72] MSNBC Online.
[73] IBID
[74] IBID

This page hosted by Get your ownFree Home Page