Types of Computer Crime
By the 1990s computer-assisted crime had become a major element of white-collar crime. Like corporate crime, computer crime often goes unrecorded. The National Institute of Justice defines three different types of computer crimes:
- Computer abuse is a broad range of intentional acts that may or may not be specifically prohibited by criminal statutes. Any intentional act involving knowledge of computer use or technology�if one or more perpetrators made or could have made gain and/or one or more victims suffered or could have suffered loss.
- Computer fraud is any crime in which a person uses the computer either directly or as a vehicle for deliberate misrepresentation or deception, usually to cover up embezzlement or theft of money, goods, services, or information.
- Computer crime is any violation of a computer crime law.
Computer crime is faceless and bloodless, and the financial gain can be huge. A common computer crime involves tampering with accounting and banking records, especially through electronic funds transfers. These electronic funds transfers, or wire transfers, are cash management systems that allow the customer electronic access to an account, automatic teller machines, and internal banking procedures, including on-line teller terminals and computerized check processing.
Computers and their technology (printers, modems, computer bulletin boards, e-mail) are used for credit card fraud, counterfeiting, bank embezzlement, theft of secret documents, vandalism, and other illegal activities. Experts place the annual value of computer crime at anywhere from $550 million to $5 billion a year. Even the larger figure may be underestimated, because many victims try to hide the crime. Few companies want to admit their computer security has been breached and their confidential files or accounts are vulnerable. No centralized databank exists for computer crime statistics. Computer crimes are often counted under other categories such as fraud and embezzlement.
The first state computer crime law took effect in Florida in 1978. An Arizona law took effect two months later. Other states soon followed, and by 2000, Vermont was the only state without a specific computer crime provision.
In 1986 Congress passed the Computer Fraud and Abuse Act (PL 99-474) that makes it illegal to perpetrate fraud on a computer. The Computer Abuse Amendments of 1994 (PL 103-322) make it a federal crime "through means of a computer used in interstate commerce of communication�[to] damage, or cause damage to, a computer, computer system, network, information, data, or program�with reckless disregard" for the consequences of those actions to the computer owner. This law refers to someone who maliciously destroys or changes computer records or knowingly distributes a virus that shuts down a computer system. A virus program is one that resides inside another program, activated by some predetermined code to create havoc in the host computer. Virus programs can be transmitted either through the sharing of disks and programs or through electronic mail.
Computer giant Microsoft teamed with the FBI, Secret Service, and Interpol in November 2003 to announce the Anti-Virus Reward Program. Under the program, Microsoft will pay the monetary rewards for information leading to the arrest and conviction of anyone responsible for launching malicious viruses and worms on the Internet. The first two rewards were for information leading to the arrest and conviction of those responsible for the MSBlast. A worm and the Sobig virus.
CORPORATIONS AND COMPUTER CRIME.
The Computer Security Institute in San Francisco, California, conducted "The 2003 Computer Crime and Security Survey" with the participation of the FBI's San Francisco Computer Intrusion Squad. The study found that of 530 computer security practitioners from major U.S. corporations, government agencies, financial and medical institutions, and universities, some 56 percent had detected computer security breaches within the last 12 months. Three-quarters of respondents stated that their institution had suffered financial losses due to computer breaches. Financial losses of $201 million were reported by nearly half of the respondents due to breaches in their computer security.
According to the survey, the most serious financial losses resulted from the theft of proprietary information, with respondents reporting total losses of over $70 million. Denial of service, resulting in a total loss of $65 million, was the next most expensive security breach. Still, despite these significant financial losses, only 30 percent of respondents reported the computer intrusions to law enforcement. In part, this low level of reporting of computer crime to law enforcement may have to do with an unwillingness to reveal the proprietary nature of the information breached.
Survey respondents reported various types of attacks on or unauthorized uses of their computer systems. Eighty percent of respondents stated they had detected employee abuse of Internet access privileges, such as downloading pornography or pirating software. Eighty-two percent reported the detection of computer viruses, while 15 percent reported financial fraud, up from only 3 percent in 2000.
HOLDING A COMPANY HOSTAGE.
For a company, the most feared type of computer crime involves the sabotage or threatened sabotage of the company's computer system. It is almost impossible to determine how often this happens since very few companies ever report the incidents.
Most American companies of any size have become totally dependent on their computers. Management is generally unaware of how computers work and are fully
dependent on their systems administrator or the person responsible for keeping the computers running. In fact, in many companies, the systems administrator might be considered the most powerful person in the company, although his or her salary and title might not indicate it. While the computer system might have a sophisticated security system, these are often only a hindrance to an experienced systems analyst.
In the computer age, several new scenarios of employee threats have generated increasing concern. A disgruntled employee might want to take revenge on the company. A systems administrator responsible for the running of the company computer system might feel unappreciated. A discontented employee might create a "logic bomb" that explodes a month after he or she has left and destroys most of the company records, bringing the company's operations to a complete halt. An unhappy or overly ambitious systems administrator might walk into the company president's office and inform her that he wants a huge bonus or the computer system will cease to exist the next morning. The company cannot fire him or her for fear he or she will carry out the threat. They cannot hurriedly bring in a replacement because, by the time he or she could understand what had been done, the system could be destroyed.
Experts recommend that to avoid such potential disasters, a company should make sure no one person has complete knowledge and responsibility for a computer system. While this strategy would provide no guarantee against catastrophe, at least such incidents would be somewhat less likely. Many companies planning to fire a systems analyst often contact computer security firms beforehand to see what they can do. Although it appears cold, callous, and humiliating (and it often is), many companies now escort laid off or fired employees to their desks, helping them collect their possessions, and then accompany them to the door. They hope this harsh procedure will eliminate any opportunity for the former employee to do harm to the company's computer system. While it may be necessary, this tactic is particularly hard on honest workers who have worked many years for the company and see this severe treatment as their reward.
Although infrequent, charges have at times been brought against those who destroy a company's computer system. In February of 1998 the U.S. Department of Justice brought charges against a former chief computer network program designer of Omega, a high-tech company that did work for NASA and the U.S. Navy. The designer had worked for the company for 11 years. After he was terminated, it was alleged that in retaliation he "intentionally caused irreparable damage to Omega's computer system by activating a 'bomb' that permanently deleted all of the company's sophisticated software programs." The loss cost the company at least $10 million in sales and contracts.
Juvenile Computer Hacking Is No Joke
Illegal accessing of a computer, known as hacking, is a crime committed frequently by juveniles. When it is followed by manipulation of the information of private, corporate, or government databases and networks, it can be quite costly. Another means of computer hacking involves creation of a "virus" program.
Cases of juvenile hacking have been going on for at least two decades and have included: six teens gaining access into more than 60 computer networks, including Memorial Sloan-Kettering Cancer Center and Los Alamos National Laboratory in 1983; several juvenile hackers accessing AT&T's computer network in 1987; and teens hacking into computer networks and Web sites for NASA, the Korean Atomic Research Institute, America Online, the U.S. Senate, the White House, the U.S. Army, and the U.S. Department of Justice in the 1990s.
In 1998 the U.S. Secret Service filed the first criminal case against a juvenile for a computer crime. The computer hacking of the unnamed perpetrator shut down the Worcester, Massachusetts, airport in 1997 for six hours. The airport is integrated into the Federal Aviation Administrative traffic system by telephone lines. The accused got into the communication system and disabled it by sending a series of computer commands that changed the data carried on the system. As a result, the airport could not function. (No accidents occurred during that time.) According to the Department of Justice, the juvenile pled guilty in return for two years' probation, a fine, and community service.
United States Attorney Donald K. Stern, lead attorney on the case against the juvenile observed that:
Computer and telephone networks are at the heart of vital services provided by the government and private industry, and our critical infrastructure. They are not toys for the entertainment of teenagers. Hacking a computer or telephone network can create a tremendous risk to the public and we will prosecute juvenile hackers in appropriate cases.�
On December 6, 2000, 18-year-old Robert Russell Sanford pled guilty to six felony charges of breach of computer security and one felony charge of aggravated theft in connection with cyber attacks on U.S. Postal Service computers. Sanford, a Canadian, was placed on five years probation, although he could have been sentenced to up to 20 years in prison. Sanford was also ordered to pay over $45,000 in restitution fines for the cyber attacks.
On September 21, 2000, a 16-year-old from Miami entered a guilty plea and was sentenced to six months detention for illegally intercepting electronic communications on military computer networks. The juvenile admitted that he was responsible for computer intrusions in August and October of 1999 into a military computer network used by the Defense Threat Reduction Agency
(DTRA), an arm of the Department of Defense. The DTRA is responsible for reducing the threat against the United States from nuclear, biological, chemical, conventional and special weapons.
Vulnerability of the Defense Department
Investigators from the U.S. General Accounting Office (GAO), in a report prepared for two Congressional committees, observed that the Pentagon experienced as many as 250,000 "attacks" on its computers in 1995, probably by computer hackers cruising the Internet. The Pentagon figures imply that in 65 percent of the attempts, hackers were able to gain entry into a computer network. The investigators warned, "The potential for catastrophic damage is great, especially if terrorists or enemy governments break into the Pentagon's systems." The report stated that the military's current security program was "dated, inconsistent and incomplete."
Even after this warning, in 1998, hackers broke into unclassified Pentagon networks and altered personnel and payroll data, in what Deputy Defense Secretary John Hamre called "the most organized and systematic attack the Pentagon has seen to date." In 1999 there were a reported 22,124 cyber attacks against the Department of Defense alone, costing the government an estimated $25 billion to bolster computer security procedures in order to ward off future attacks.
The Internet is no different than any other form of potential commerce. While most businesses are honest, potential frauds abound. The Internet Fraud Complaint Center (IFCC) was founded on May 8, 2000, by the National White Collar Crime Center and the FBI to monitor the problem of Internet fraud. According to the IFCC 2002 Internet Fraud Report (National White Collar Crime Center, 2003), in 2002 the IFCC received 75,063 complaints, an increase of 445 percent from 16,838 complaints in 2000. Internet auction fraud was the most common complaint (46.1 percent), followed by nondelivery of ordered merchandise (31.3 percent), and credit and debit card fraud (11.6 percent). The FTC reports that in 2003 victims of Internet fraud lost nearly $200 million, with a median loss of $195. Some 55 percent of all fraud reported to the FTC in 2003 involved the Internet, an increase from 45 percent in 2002. Investigation and prosecution of Internet fraud is difficult because the perpetrator and victim of the crime are often hundreds or even thousands of miles away from each other. But the IFCC recommends several steps consumers can take to minimize the risk that they will be victims of fraud.
- Before using an online auction service, learn as much as possible about how it works, what is expected from you, and what is expected from the seller.
- Learn as much as possible about the seller of any merchandise you are buying. Be cautious if the mailing address is a post office box. Call the seller's phone number to see if it is correct and working.
- Be aware that sellers in foreign countries operate under different laws that may be to your disadvantage if there is a later problem.
- Never give out your social security number or driver's license number to a seller. There is no need for this information and such actions may lead to identity theft.
- Use a credit card, which gives you the option to dispute charges later. Always make sure that the Web page is secure before giving out your credit card numbers.