Cybercrime as Little as Ten

Cybercrime

As little as ten years ago, few people could have conceived of the Internet and its capabilities, let alone know how to illegally take advantage of this new communication vehicle. Yet today millions of people use the Web, and online crime is increasing at breakneck speed. Although much discussion has occurred about cybercrime worldwide, much more is needed to take a proactive stance. People at all levels -- consumers, company owners, state officials, judicial systems, and government representatives must be better trained on ways to implement and employ anti-cybercrime methods. In addition, both nationally and internationally, there has to be more consistent plans to deal with cyber-terrorist acts.

According to an article on ZDNet, startling figures from the National Hi-tech Crime Unit (NHTCU) in the United Kingdom were reported at an E-Crime Congress in London at the beginning of this April. Last year, electronic crime cost companies in the UK alone an estimated £2.45bn. Out of 200 companies surveyed, 178 experienced some form of high-tech crime. Of these latter firms, 90% reported their systems were intruded and 89% said data was stolen. Virus attacks hit 97% of survey respondents, which cost them a total of more than £70m. Nine percent had suffered financial fraud, at a cost of £68m.

The situation in the United States does not fare any better. According to the National White Collar Crime Center (2004) study, the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), reported that From January 1, 2004 to December 31, 2004, the IC3 website received 207,449 complaint submissions. This was a 66.6% increase over 2003 when 124,509 complaints were received. These filings consisted of fraudulent and non-fraudulent complaints primarily related to the Internet. From these submissions, IC3 referred 103,959 complaints of fraud, the majority of which were committed over the Internet or a similar online service. This was a 64.2% rise over 2003 with 63,316 complaints referred. The total dollar loss from all referred cases of fraud was $68.14 million. In addition, the report noted that Internet auction fraud was by far the most reported offense, with 71.2% of referred complaints. Most experts believe that common forms of computer- related crime are significantly underreported because victims may not realize that they have been involved in a crime, or may decide not to complain for reasons of embarrassment or corporate credibility.

The term "cybercrime" or "cyber fraud" is defined in various ways. When analyzing statistics and reports on this topic, therefore, it is important to keep in mind that variables exist. For example, Tavani in "Defining the Boundaries of Computer Crime," (2001), "cybercrime" defined "cybercrime" as "a special category of criminal acts that can only be executed through the utilization of computer and network technologies. In his view, cybercrime consists of three basic categories: software piracy, electronic break-ins and computer sabotage.

Software piracy involves the unauthorized duplication of proprietary software and the distribution or making available of these copies over the electronic network. The unauthorized copying and distribution of MP3 files, for instance, would fall under this category. Electronic break-ins consist of gaining unauthorized access to a computer system or to a private, password-protected Internet site. The third category, computer sabotage, involves the use of viruses, worms and DoS attacks that interfere with electronics and disturb flow of information (Tavani). When cybercrime is done on a large scale, it is instead called "cyberterror."

It did not take people long after the development of the Internet to determine ways to legally and illegally gain from this new communication system. However, cybercrime did not occur "overnight," according to a 2002 report by Syngress. In the earlier days of computing and networking, criminals did not have the technical ability or hardware to break into the mainframe systems. Cybercrime instead developed along with the technological advances that made computing so easy and accessible that even kindergarten children could use the Internet for fun and information.

In the 1960s, the term "hacker" had a far less negative connotation than it does today. It had more to do with the ability of allowing a system to handle more than it was previously capable of, rather than illegal actions. Not surprising, the first hacker group developed out of the "computer university," Massachusetts Institute of Technology, in 1961. By the 1970s, however, "hacking" was being used by the "yippies" and other more radical underground groups as part of their antiestablishment efforts. In the 1980s, the FBI started arresting some of the more prominent hackers such as Kevin Mitnik (Syngress). In movies such as the Hackers in the 1990s, these individuals still remained in a semi- romantic light.

In the background, however, other things were happening that did not bode well for the hackers' positive reputation. In the morning of November 3, 1988, also known as "Black Thursday," system administrators nationwide found that their computer networks were moving very slowly, if at all. If they could log in and generate a system status listing, they saw scores of "shell," or command interpreter, processes. If they tried to kill these processes, new ones appeared even faster. Rebooting the computer had no positive effect.

These systems had been invaded by a "worm," or a program that duplicates itself across a network and uses resources on one machine to attack another. A worm is not quite the same as a "virus," which is a program fragment that inserts itself into other programs. The worm had taken advantage of lapses in security on systems that allowed it to connect to machines across a network, bypass their login authentication, copy itself, and then proceed to attack still more machines. The massive system load was generated by multitudes of worms trying to propagate the epidemic (Seeley). After this event, the hacker was no longer a "nice guy "in most people's eyes, especially those who had lost information or whose systems had been shut down by the worm.

By 1990, increasing numbers of e-mail users recognized that their communications could be intercepted. Phillip Zimmerman developed an encryption program called Pretty Good Privacy (PGP) that could be used to protect private messages. However, PGP was also being used by individuals to hide their crimes (Syngress). The first cyberBank called First Virtual went online in 1994, and hackers had all new horizons to conquer. In addition Internet Protocol security started becoming an issue of concern. In 1995, the U.S. Secret Service and Drug Enforcement Agency (USDEA) obtained an Internet wiretap to help develop a case against individuals who were accused of producing and selling illegal cell phone equipment. A year later, another electronic concern came into the forefront for both private and governmental groups -- Internet pornography. Congress passed the Communication Decency Act, which was later deemed unconstitutional.

Also in 1995, a hacker shut down the Public Access Networks Corporation in New York (Goldstein, 1989, pd). A "cancelbot" that wormed its way through Usenet decimated 25,000 messages. In addition, the Central Intelligence Agency, Federal Bureau of Investigation and U.S. Air Force computer systems were hacked.

Such events proved to be just the beginning (Denning, 2000). Over the next couple of years, numerous agencies and private organizations were invaded by hackers. In addition, there have been a few "cyberterroist" activities. In 1998, Spanish protestors bombarded the Institute for Global Communications (IGC) with thousands of bogus e-mail messages. E-mail was undeliverable to ISP's users, and support lines were tied up with people who could not receive their mail. The protestors also spammed IGC staff and member accounts and clogged their Web page with fraudulent credit card orders. In the same year, a 12-year-old boy successfully hacked into the controls for the Roosevelt Dam in Arizona. He could have released floodwaters and endangered at least one million people.

Although no one is prepared for massive cyberterroist actions, there has been some headway made in combining efforts on the national and international levels. Chawki, researcher at the School of Law, University of Lyon III, France, recently wrote a paper on the cybercrime regulation -- looking at how the issue is being addressed at national and international levels and reviewing the state of the existing legislative and regulatory framework and its efficiency in combating this form of cross-border organized crime. He uses the he European Union as a positive example of how countries can work together.

In 2003, the European Union European telecommunications and communications ministers gave final approval to the creation of a European Network and Information Security Agency. The main role of ENISA is to support the internal European Union market by facilitating and promoting increased cooperation and information exchange on issues of network and information security. Actions are also being taken by the Council of Europe, which consists of 44 member states, including all of the members of the European Union. The Council was established in 1949 primarily as a forum to uphold and strengthen human rights as well as promote democracy and the rule of law in Europe. Since the late 1980s, the Council has addressed the growing international concern over computer-related crimes. In 1997, it established a Committee of Experts on Crime in Cyberspace (PC-CY) to begin drafting a binding Convention to facilitate international cooperation in the investigation and prosecution of computer crimes. The United States actively participated in both the drafting and plenary sessions (Chawki).

The Convention stipulates actions targeted at national and inter-governmental levels, directed to prevent unlawful infringement of computer system functions. It divides cybercrime into: hacking of computer systems, fraud, forbidden content (racist websites and child porn content) and breaking copyright laws. The Convention has been signed by 32 European and non-European States and ratified by nine. However, the Convention on Cybercrime is, so far, the only internationally binding legal basis for strengthened cooperation worldwide.

At the Eleventh United Nations Congress on Crime Prevention and Criminal Justice in Bangkok on April 26, 2005, it was stressed that further internationally binding and effective prescriptive instruments must be in place to achieve uniformity in national crime codes and procedures and effective international cooperation in the application of measures. "We need a universal framework of penal law," said Ambassador Henning Wegener of the World Federation of Scientists. The international nature of cybercrime creates the need for an international solution that should cover substantive, procedures and international cooperation rules (I-Newswire).

Meanwhile, on the national level, countries are developing legislation that deals with specific forms of cybercrimes. In response to the new cases of "hacking," many nations have devised new statutes protecting a "formal sphere of secrecy" for computer data by criminalizing the illegal access to or use of a third person's computer or related data. Similarly, most countries have explicitly provided copyright protection for computer programs by legislative amendments since the 1980s. As a consequence, the courts now recognise copyright protection of computer programs.

Some issues, however, are not as clear cut. Over recent years, offenses related to the production, possession and distribution of "child pornography" have assumed significant standing. One problem is terminology disagreements. In some jurisdictions, pornography is linked to sexualized behaviour. This can impact how any given example of child pornography is regarded. Thus, it is quite possible for a picture to be recognized under laws that emphasize sexual qualities as child pornography, but to fail in jurisdictions where obscenity or public morality definitions prevail. Another major difficulty relates to what, in the context of adult images, might be regarded as erotica. Pictures of this kind would generally be regarded as child pornography where reference is made to sexual qualities, but might not if obscenity or indecency criteria are used.

Another problem in writing, enforcing, prosecuting, and interpreting cybercrime laws is the lack of technical knowledge of legislators and experts charged with these regulatory duties. Legislators, in most cases, do not have a real understanding of the technical issues and what is or is not desirable -- or even possible -- to legislate. Police investigators are becoming more technically savvy, but in many small jurisdictions, no one knows how to recover critical digital evidence. Judges, too, often lack technical expertise, which makes it difficult for them interpret the laws. The fact that many computer crime laws use vague language worsens the problem. The answer to all these dilemmas is education and awareness programs, which must be aimed at everyone involved in the fight against cybercrime, including: legislators and other politicians, criminal justice professionals and it professionals and the community at large -- the cyberspace community in particular.