The U.S. Department of Justice (DOJ), in its manual on computer crime, defines such crime as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." Being very broad, the definition, dating to 1989, remains valid. In its elaborations on the subject, DOJ divides computer crime into three categories: 1) crimes in which computer hardware, peripherals, and software are the target of a crime; the criminal is obtaining these objects illegally; 2) crimes in which the computer is the immediate "subject" or "victim" of a crime, i.e., the crime consists of attacks on a computer or a system, destruction or disrupting of which is the damage caused; and 3) crimes in which computers and related systems are the means or "instrument" by which ordinary crimes are committed, such as theft of identities, data, or money or the distribution of child pornography.
Computer Crime: Broad Focus
The first category is part of computer crime no doubt because computers are still surrounded by a halo of novelty. In the course of time, the theft of computers or software will no more be remarked upon than the theft of groceries or horses (e.g., "grocery crime" or "horse crime.") In the third category the computer is the principal means of obtaining other things and is thus analogous to "armed" robbery—where a weapon is the means of achieving the criminal end. The rapid spread of computers and computer systems, interconnected by wired or wireless means, has opened a new field in which criminals could operate. But all the crimes covered by the third category existed before computers.
Computer Crime: Narrow Focus
The second of DOJ's categories is the one most people associate with computer crime and also with "computer annoyance" in the form of "spam." These disruptions began innocently enough. The first virus, known as Elk Clone, was written by Rich Skrenta as a boy in the 9th grade around 1982. The virus resided on an Apple II disk and, on the 50th booting of the computer with that disk, displayed a little poem, entitled "Elk Cloner: the program with a personality," which said in part: It will get on all your disks / It will infiltrate your chips / Yes it's Cloner! Rich Skrenta has, since, gone on to become the co-founder and CEO of Topix.net, an Internet news service. Viruses have differentiated into other categories. Major forms and definitions are listed below as outlined by Ryan P. Wallace and associates writing in American Criminal Law Review:
- Viruses. These are programs that modify other computer programs so that they carry out functions intended by the creator of the virus. The Melissa Virus, for example (March 1999), disrupted e-mail service around the world.
- Worms. Worms have the functionality of viruses but spread by human action by way of the Internet hitch-hiking on mail.
- Trojan horses. As their name implies, these intruders pretend to be innocent programs. Users are persuaded to install something innocent-seeming on their computer. The Trojan horse then activates a more destructive program embedded in the innocent code.
- Logic bombs. Are destructive programs activated by some event or a specific date or time. Elk Cloner fit this category because it activated its message on the 50th booting of a disk. The same concept is used legally by companies that distribute time-limited samples of their software. The software disables itself after the passage, say, of 30 or 60 days.
- Sniffers. These are legitimate programs used to monitor and analyze networks. They can be deployed in a criminal fashion to steal passwords, credit card information, identities, or to spy on network activity.
- Distributed denial of service attacks. Such attacks are directed at Web sites by illegitimately causing multiple computers to send barrages of connection requests to the target site, thus causing it to crash.
The term "hacker" came to be applied to computer hobbyists who spent their spare time creating video games and other basic computer programs. The term acquired negative connotations in the 1980s when computer experts illegally accessed several high-profile databanks. Databases at the Los Alamos National Laboratory (a center of nuclear weapons research) and the Sloan-Kettering Cancer Center in New York City were among their targets. Access to systems by telephone linkage from any computer increased such attacks. Over time, the "hacker" label came to be applied to programmers and disseminators of viruses. The public perception of hackers continues to be that of a lone expert with a taste for mischief. But "hacking" has come to encompass a wide range of computer crimes motivated by financial gain. Indeed, the vital information kept in computers has made them a target for corporate espionage, fraud, and embezzlement efforts. With the growing sophistication in computer security programs and law-enforcement efforts has come the insight that many apparent "hacker" attacks come from well-informed insiders intent on spoil or, occasionally, on vengeance.
Since the spread of the Internet, "spam" has acquired the meaning of "unsolicited e-mail." Spam came under relatively mild regulation with the passage of the Controlling the Assault of Non-Solicited Pornography and Marketing Act, also officially called the CAN-SPAM Act of 2003 (Public Law 108-197). It became effective in December of 2003 and took effect on January 1, 2004. The Act requires that senders of unsolicited commercial e-mail label their messages, but Congress did not require a standard labeling language. Such messages are required to carry instructions on how to opt-out of receiving such mail; the sender must also provide its actual physical address. Misleading headers and titles are prohibited. Congress authorized the Federal Trade Commission to establish a "do-not-mail" registry but did not require that FTC do so. CAN-SPAM also prevents states from outlawing commercial e-mail or to require their own labeling. Since 2003 other bills have been proposed but have not been enacted.
In effect, based on the provisions of CAN-SPAM, spam is not a computer crime unless, according to U.S. Code, Title 18, No. 1037, violation is committed "in furtherance of any felony under the laws of the United States or of any State." Despite its legal status, spam is both a major annoyance and extracts a cost. According to Ryan P. Wallace et. al., "Estimates put the total cost of spam to American businesses in 2003 at more than $10 million in lost productivity and anti-spam measures."
INCIDENCE AND COSTS
The FBI Survey
As reported by the Federal Bureau of Investigation in its 2005 FBI Computer Crime Survey, 64.1 percent of 2,066 companies surveyed reported some kind of computer crime incident in 2005 resulting in financial loss; all told, 5,389 incidents were reported. Small businesses were well-represented in the survey: more than half of the respondents (51.2 percent) had a range of 10 to 99 employees. Responding organizations experienced 2.75 incidents on average. Half of the respondents had 1 to 4 incidents, 19 percent had 20 or more incidents, the rest fell in between. Large organizations tended to have the most incidents.
The total cost of incidents reported by this group of companies was $31.7 million. The largest losses, amounting to $12 million, were associated with viruses, worms, and Trojan horses. The next four categories, in order, were thefts of laptops, desktops, and personal digital assistants ($3.5 million), financial fraud ($3.2 million), and network intrusion ($2.6 million). The smallest category, with a cost of $52,500, was Web-site defacement.
As already stated, slightly over 64 percent experienced financial losses. The FBI extrapolated this result to the nation as a whole but intentionally made its assumptions conservative. The agency assumed that only 20 percent of a total population of 13 million companies would have experienced losses rather than 64 percent, as in its sample. The downward shift was in part based on the likelihood that respondents to the FBI survey may have done so because they were more aware of problems through experience. But the FBI also recognized that actual victimization rate may have been much higher than the 20 percent assumed. In any case, the conservative assumption used produced a total loss for the nation of $67.2 billion in 2005.
The CSI/FBI Survey
The Computer Security Institute (CSI) describes itself as "the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional." With FBI cooperation, CSI has been conducting the CSI/FBI Computer Crime and Security Survey every year for a decade; its 2005 survey was the tenth. It is both a smaller and a larger survey than the FBI survey summarized above in that it looks at fewer but larger organizations. In 2005 CSI surveyed 699 organizations; these included governmental entities and universities as well as businesses; only 20 percent of survey respondents were organizations in the 1 to 99 employee category. Ninety-one percent of respondents reported financial losses; these amounted to $130.1 million (over against $31.7 million by 2006 organizations in FBI's 2005 survey). CSI made no attempt to extrapolate its loss figure to the nation as a whole.
The pattern of losses reported in the CSI/FBI survey shows up some interesting differences. The top loss category was also from viruses ($42.8 million); second ranked was unauthorized access ($31.2 million); third was theft of proprietary information ($30.9 million). These three categories accounted for 80.6 percent of all damages.
Only 20 percent of respondents reported incidents to law-enforcement agencies, an all-time low level already reached in 2004. The principal reasons given for not reporting incidents was that such information, reaching the public, would hurt stock price or aid competitors. Based on the survey results, "inside jobs" are as frequent as attacks by hackers or criminals from the outside.
INTERNAL AND EXTERNAL THREATS
Andrew Harbinson, an expert in computer crime working for Ernst & Young in Ireland wrote recently in Accountancy Ireland that for every external attack there are 3 or 4 attacks on the inside. "This is for obvious enough reasons," wrote Harbinson. "To carry out a crime you need knowledge, motive and opportunity. An outsider may have a lot of motive and a degree of knowledge (depending on the internal security of the network) but an insider is likely to have all three." Harbinson also finds it notable that "in some surveys in the last couple of years the proportion of internal to external frauds has miraculously 'flipped,' with external frauds now stated as being more common." The most likely reason for this, in Harbinson's view, is a new regulatory climate produced by scandals like those involving Enron and Worldcom. "Companies are much more reluctant to admit to fraud, as to do so might have regulatory consequences. It is a matter of some concern that, instead of dealing with such issues, most companies appear to want to sweep them under the carpet." The CSI/FBI survey discussed above appears to substantiate this view by showing a decline in the reporting of such incidents in order to protect the stock price.
Computer security is concerned with preventing information stored in or used by computers from being altered, stolen, or used to commit crimes. The field includes the protection of electronic funds transfers, proprietary information (product designs, client lists, etc.), computer programs, and other communications, as well as the prevention of computer viruses. It can be difficult to place a dollar value on these assets, especially when such factors as potential loss of reputation or liability issues are considered. In some cases (e.g., military and hospital applications) there is a potential for loss of life due to misplaced or destroyed data; this cannot be adequately conveyed by risk analysis formulas.
The question most companies face is not whether to practice computer security measures but how much time and effort to invest. Fortunately, companies looking to protect themselves from computer crime can choose from a broad range of security options. Some of these measures are specifically designed to counter internal threats, while others are shaped to stop outside dangers. Some are relatively inexpensive to put in place, while others require significant outlays of money. But many security experts believe that the single greatest defense that any business can bring to bear is simply a mindset in which issues of security are of paramount concern.
Protection from Internal Threats
Whereas big corporations typically have entire departments devoted to computer system management, small businesses often do not have such a luxury. But common-sense measures that can be taken by managers and/or system administrators to minimize the danger of internal tampering with computer systems include the following:
- Notify employees that their use of the company's personal computers, computer networks, and Internet connections will be monitored. Then do it.
- Physical access to computers can be limited in various ways, including imposition of passwords; magnetic card readers; and biometrics, which verify the user's identity through matching patterns in hand geometry, signature or keystroke dynamics, neural networks (the pattern of nerves in the face), DNA fingerprinting, retinal imaging, or voice recognition. More traditional site control methods such as sign-in logs and security badges can also be useful.
- Classify information based on its importance, assigning security clearances to employees as needed.
- Eliminate nonessential modems that could be used to transmit information.
- Monitor activities of employees who keep non-traditional hours at the office.
- Make certain that the company's hiring process includes extensive background checks, especially in cases where the employee would be handling sensitive information.
- Stress the importance of confidential passwords to employees.
Protection from External Threats
Small businesses also need to protect their systems against outside attack. Firewalls may be expensive but may be worth the cost. The single greatest scourge from the outside are viruses of one kind or another. Business owners can do much to minimize this threat by heeding the following basic steps:
- Install and use anti-virus software programs that scan PCs, computer networks, CD-ROMs, tape drives, diskettes, and Internet material, and destroy viruses when found.
- Update anti-virus programs on a regular basis.
- Ensure that all individual computers are equipped with anti-virus programs.
- Forbid employees from putting programs on their office computers without company approval.
- Make sure that the company has a regular policy of backing up (copying) important files and storing them in a safe place, so that the impact of corrupted files is minimized. Having a source of clean (i.e., uninfected by viruses) backup copies for data files and programs is as important as it is elementary.
A variety of sources exist to assist small business owners with virus protection and Internet security measures. For example, several Web sites provide free virus warnings and downloadable antivirus patches for Web browsers, including www.symantec.com/avcenter and www.ciac.org. The Computer Security Institute provides annual surveys on security breaches at www.gocsi.com. Another useful resource is the National Computer Security Association (www.ncsa.com), which provides tips on Internet security for business owners and supplies definitions of high-tech terms.
Small businesses seeking to establish Internet security policies and procedures might begin by contacting CERT. This U.S. government organization, formed in 1988, works with the Internet community to raise awareness of security issues and organize the response to security threats. The CERT web site (www.cert.org) posts the latest security alerts and also provides security-related documents, tools, and training seminars. Finally, CERT offers 24-hour technical assistance in the event of Internet security breaches. Small business owners who contact CERT about a security problem will be asked to provide their company's Internet address, the computer models affected, the types of operating systems and software used, and the security measures that were in place.
Although computer viruses and theft of information pose the greatest financial threats to large organizations, loss of hardware by simple thievery is the second-ranking loss category for small business. Common-sense measures such as supervising entrances and locking up easily transported equipment at night are obvious enough. Many laptops are lost to thieves-of-opportunity who, standing in an unattended lobby, see a laptop on a desk while distantly laughter sounds from an office birthday party.
Business travelers, of course, must keep a close eye on their notebook and laptop computers. The allure of portables is so great that thieves sometimes work in teams to get their hands on them. Airports and hotels are favorite haunts of thieves. Security experts counsel travelers to be especially vigilant in high-traffic areas, to carry computer serial numbers separately from the hardware, and to consider installing locks, alarms, or tracking software.
Federal Bureau of Investigation. 2005 FBI Computer Crime Survey. Available fromwww.fbi.gov/publications/ccc2005.pdf. Retrieved on 28 January 2006.
Gordon, Lawrence A., Martin P. Loeb, William Lucyshyn, and Robert Richardson. 2005 CSI/FBI Computer Crime and Security Survey. Computer Security Institute. Available from www.gocsi.com. Retrieved on 29 January 2006.
Gibson, Stan. "Hacking: It's a Mad, Mad, Mad New World." eWeek. 1 January 2001.
Harbinson, Andrew. "Understanding Computer Crime: A Beginner's Guide." Accountancy Ireland. August 2005.
Karp, Josh. "Small Businesses Often Target of Cybercrime; Lack of IT Expertise Leads to Vulnerability." Crain's Chicago Business. 19 February 2001.
Morgan, Lisa. "Be Afraid '¦ Be Very Afraid—Malicious Attacks Are on the Rise, and Trends Are Harder to Predict." Internet Week. 8 January 2001.
Rich Skrenta Home Page Available from http://www.skrenta.com/. Retrieved on 28 January 2006.
Wallace, Ryan P., Adam M. Lusthaus, and Jong Hwan Kim. "Computer Crimes." American Criminal Law Review. Spring 2005.
U.S. Department of Justice. National Institute of Justice. Computer Crime: Criminal Justice Resource Manual. 1989.