The Social Aspects of Computing
Computer Crime Prevention
Brian Ge
CS495
Section 01
Group 1 – Speaker 7
I. Abstract
II. Introduction
III. Historical Perspective
IV. An Overview of Computer Crime...... 4
V. Types of Computer Crime...... 5
VI. Ethical Considerations...... 6
VII. What Industry is Doing to Combat Computer Crime...... 7
VIII. What the Government is Doing
IX. Difficulties Encountered...... 8
X. What We Can Do to Prevent Computer Crime
XI. The Future of Computer Crime and Prevention...... 9
XII. Conclusion
XIII. Bibliography
XIV. Biography...... 11
XV. Figures...... 12
I. Abstract
Computer related crime is becoming increasing prevalent in our networked world. When everybody is mere keystrokes away from anything they can imagine, the opportunities to defraud and otherwise disadvantage others for personal gain is ever increasing – with barriers preventing such crimes dropping at an increasing pace. Industry, which has traditionally preferred to cover up network intrusions rather than report them to authorities, is beginning to pull together to present a unified front to computer criminals through a variety of information and resource pooling initiatives. In conjunction with legislative reforms, law enforcement will be in a better position to combat computer crime.
Unfortunately, the solution is not so simple. With the internet being such a global entity, computer crimes inevitably has become a global entity with global implications. When a relatively high percentage of countries lacking completely in laws to deal with computer crime – weface a serious problem dealing with computer crime. When dealing with crimes that span multiple borders, each of which has a valid claim on jurisdiction, which country is right? This is one of several issues, which must be addressed by the international community to effectively combat computer crime.
The key to curbing computer crime outside the realm of legal recourse lies in education and opportunity reduction. When people, and especially ethically challenged youth, are fully made aware of the consequences of their actions on the computer, that will hopefully serve as sufficient deterrence. If not, then coupled with reduced opportunities to commit computer crimes and “get away with it,” committing such crimes will lose its appeal. If these goals can be realized, the world will ultimately be a safer place.
II. Introduction
Computer related crime is an ever-growing concern in the modern world. When access to funds, intellectual properties, and people,are always only a few keystrokes away, the opportunities to commit computer crimes are omnipresent. The rises in opportunity to commit computer crime, in conjunction with a lack of capable oversight are key factors to keep in mind when talking about crime prevention. Also like traditional crimes, we must also keep in mind the motivation of the perpetrators in order to best formulate strategies to prevent computer crime.
One of the principle ideals in traditional crime prevention is the reduction of opportunity[1], and this applies to computer crime as well. Beyond just the opportunity, the computer criminal also needs motivation. This can range anything from revenge to greed. Finally, when opportunity and motivation are present without any type of capable oversight, we have an ideal environment to commit computer crime.
Unfortunately, the solution to computer crime is not a simple one. The cooperation of industry, potential victims, government, and law enforcement are all equally necessary to curb computer crime. Just as with traditional crime, not all forms of computer crime can be caught (or successfully prosecuted), and as unsavory as that is, it is anunchangeable fact. However, when all parties work together, the incidence of computer crime can be greatly reduced. For example, a major problem regarding prosecution of reported computer crimes is the trans-national nature of a vast amount of the crimes. When considering the prohibitively high cost of extraditing a computer criminal from another country and the need for inter-jurisdictional cooperation, there is a high probability the international computer criminal will get away unpunished. This situation is all too common and makes the need for extradition treaties all the more vital.
III. Historical Perspective
Historically, the reporting of computer crimes has been an uncommon practice. Globally, the percent of computer crimes made known to law enforcement is estimated to be about 12%[2]. This low figure is in part due to the victim trying to save face (i.e. a victimized bank not wanting to admit fault or weakness to customers), or simply because the victim does not know they have been the victim of crime (i.e. a crafty hacker erasing any logs of their being present, and the victim isn’t the wiser.) In fact, the “ultimate hack” has always been touted as the hack where the victim does not know they have been victimized.
Laws until relatively recently in the United States, has been ineffective at preventing and prosecuting computer crimes. The majority of laws in existence dealing with traditional crime (including telecommunications crime) just don’t take into account the nature of computer crime and the new forms of crime unique to computers and more recently, the Internet. For example, the author of the “ILoveYou” virus could not be prosecuted by Filipino courts because the Philippines had no law on record to deal with virus creators.
The need for laws governing computer crime is obvious. Asides from digitized forms of traditional crimes, there is a spectrum of crimes which are unique to computers. One such example is software piracy. It was not until the software industry, in the form of the Business Software Alliance (BSA), lobbied for and saw to fruition the Digital Millennium Copyright Act (DMCA) that the public was even made aware of the scope of the software piracy problem. Even at that point, nobody really cared about the problem, since enforcement of laws was almost non-existent. That all changed when the BSA began suing large groups of people and businesses for large sums of cash (and in some cases, pressing criminal charges). Suddenly, people began to care; businesses began checking their software licenses, large-scale software pirates went underground to avoid prosecution, and so on. The point: the public became aware of the growing problem we are facing with computer crime. As enforcement efforts were expanded and widely publicized, people who would ordinarily never commit a crime in real life were made aware that their “not-quite-legal-but-its-only-the-computer” actions could implicate them in real life criminal activity.
It is unclear yet whether this new breed of laws has been effective in an ever-changing criminal environment.
IV. An Overview of Computer Crime
It is an inescapable fact that the numbers of crimes that could be committed with the aid of a computer are limited only by the human imagination. Keeping this in mind, law enforcement and policy makers have been able to classify several types of prevalent computer crime. These are “theft of services, communications in furtherance ofcriminal conspiracies, information piracy and forgery, the dissemination ofoffensive materials (including extortion threats), electronic money laundering, electronic vandalism and terrorism, telemarketing fraud, illegal interception, andelectronic funds transfer fraud.”[3]
Many of these categories of computer crime have direct financial implications (i.e. the multiple types of fraud, money laundering, theft of services, etc.) Why one may wonder, are half the categories related to financially related computer crimes? The reason being, money makes the world go around. If we think about it logically, when do the majority of people report a crime? Usually when they have been defrauded or in some other way, financially exploited. This general principle carries over into computer crimes too. As a result, the overwhelming majority of reported computer crimes involve money, and with incomplete data being used to find trends in criminal activity, a large amount of attention was given to financially motivated computer crimes.
The point of all that was not that financially motivated computer crimes deserve any less attention than it receives, because it does deserve all the attention it receives (what other type of non-violent crime will leave as lasting an impression on the victim than when the victim has been financially exploited?) The point was to accentuate the lack of information about all the other computer crimes being committed. What is the motivation of a computer criminal who is not motivated by money? The computer criminal who is not motivated by money generally falls into two categories: the dangerous type, and the curious type. The dangerous types are the people who desire to inflict harm to others, the ones where there is strong desire for revenge. The type of real life criminal one tries their hardest to avoid, and the type of computer criminal where one typically brushes away and dismisses as any kind of threat in real life (i.e. the once integral employee which is now disgruntled after being fired, or the amateur political terrorist.) The other type of computer criminal is motivated by curiosity and/or power and they too are dangerous, but in a much different way. These criminals unlike the financially motivated or revenge driven criminals do not feel as if they are breaking the law. That is, they choose to believe that what they are doing (accessing complex computer systems searching for information unavailable to the public) is morally defensible. These computer criminals live for the thrill of hacking complex computer systems, and for the more insecure persons, bragging of their “conquests” to the hacker community in search of respect (which typically is how they are caught).
As one can quickly see, the range of criminal activity is quite diverse, and costs to industry totaling millions each year (excluding software piracy). At quick glance at figure 1.1 shows the costs of computer crime in Australia, luckily still a country with arelatively low incidence rate of computer crimes. The perpetrators of the crimes themselves can fit into any spectrum of categories. The good news is that, the basic tenets of criminology, that is, the theory behind crime, criminal behavior, and corrections apply to this breed of criminal just as they apply to every other criminal on the planet. That information allows policy makers and law enforcement to develop strategies thatsomeday may drastically curb the incidence of computer crime.[4]
V. Types of Computer Crime
As previously mentioned, computer crime can fall into several categories that separate into financially motivated crimes, power/revenge motivated crimes, and curiosity motivated crimes. We should also at this time keep in mind the fact that relatively few incidents of computer crime are reported as we explore these crimes further.
When a person contemplates committing a crime for financial profit, there are two things on their minds: money and not being caught. In the traditional sense, such crimes carry an especially high risk of incarceration due to all the complex supervision systems in place to protect the assets the would-be criminal wish to make their own. This can encompass anything from robbing a bank, to stealing from the church collection box. Generally, the thought of all the dangers involved and the likelihood of being caught serves as sufficient deterrent not to commit the crime. However, when one thinks about doing such things with a computer, where there are no immediate physical dangers (i.e. being shot at by police, evading capture) or even physical contact with the object of desire, suddenly the crime seems that much more appealing.
Here are some examples taken from a paper by Lloyd Doney:
- The manager of a diocesan pension office is suspected of embezzling over $1.1 million over several years.
- The resident handyman of a church stole $61,238 from the church over a 10-year period. No one could believe it. The handyman had been a fixture at the church and was known never to have uttered even a mild profanity.
- A grandmother is caught stealing over $500,000 from her employer.
As we have seen, people who would not typically be classified as the stereotype “bank robber,” “people who would not dream of stealing…people’s property in real life have no qualms or second thoughts in relation to the opportunities and challenges presented by the Internet.”[5] The fact is, with the help of computers, the perpetrator can easily steal or reallocate large sums and hide evidence of their theft for longer periods of time (thus stealing more.) Worst of all, almost all employers (including non-profits) are susceptible to this risk.
The second broad category of computer crimes is motivated by revenge. The revenge-driven computer criminal is most often a disgruntled or former employee taking advantage of weak security protocols employed by their former employer[6]. They can then proceed to disrupt the internal computer network, steal sensitive information, steal intellectual property, re-allocate funds, etc. Attacks by a former employee tend to have larger amounts of damage due to the attacker’s intimate knowledge of the system he/she is attacking.
The third category comprises of computer crimes motivated by power and/or curiosity. Those motivated by power or curiosity commit computer crimes for purpose of challenging themselves in cracking a complex computer system and consequently, see private information not intended for the public. The skilled hacker at that point would erase any evidence of their unauthorized access and move on. At this crucial stage is where the power element comes into play. The hacker, armed with the knowledge they just accomplished quite the technical feat, is confident and feels powerful. If they never tell anyone about the hack, and if they covered their tracks properly, the chances they will be caught are negligible at best. However, where is the fun in that? The entire point of cracking the system was to accomplish a task others could not, and if one did not share knowledge of one’s conquest, how can one make a name for themselves? While on the post-hack power trip, the insecure hacker would go brag of his conquest and earn “respect” from fellow hackers, and if the hack was “righteous” enough, perhaps be dubbed “l33t” by the community. This bragging is typically how law enforcement track down and catch the insecure hackers and the script kiddies that score big.
In addition to the above-mentioned forms of computer crime, there are also crimes committed against intellectual properties. On a large scale, this could mean patent infringement by a large company, but more often than not, such intellectual property crimes are in the manifest in the form of software piracy. Software piracy encompasses everything from acquisition of content to distribute, to actual distribution with many layers of “middle-men.” Software and the intellectual property theft cost the software industry US$29 billion in 2003 and represents approximately 37% of the world’s software.[7] This type of computer crime has obvious consequences to the software industry, and represents one of the most prevalent forms of computer crimes on earth (from selling of pirated material, to using pirated software consciously/unconsciously.)
There are many forms of computer crimes, with a wide range of motivations, and for the large part, those criminals are not caught. Of the 10% that are caught, 15% are turned into authorities, of which less than 50% are sentences to jail.[8] These statistics are disturbing at best, and is most likely a better indicator of industry trend than not. The solution to computer crimes lies not exclusively with government, but with industry, and potential victim alike.
VI. Ethical Considerations
While it should be obvious to everyone, that to commit afinancially motivated, or revenge-driven computer crime is both illegal, and unethical. The computer criminal who commits crimes malicious in nature for the motive of promoting one’s own self-image is equally guilty of breaking the law, and acting unethically, and for the most part, those three types of criminals will acknowledge that they acted unethically or immorally. Then we come across the curiosity-motivated computer criminal. These hackers justify their actions with excuses ranging from their desire to defend democracy, to promoting the welfare of society by disseminating information, to following the hacker ethic.[9]
This type of defense or justification to computer crimes is invalid in and of itself. Typically, if one truly believes (the usage of truly does not include borderline) what they are doing is morally correct, and ethical, they have little need to justify their actions. So if the computer criminal truly believes what they are doing is not wrong, then why the need for justification of their actions? Justification is defined as “something (such as a fact or circumstance) that shows an action to be reasonable or necessary”; truly moral and ethical decisions generally do not need to be shown why they are moral or ethical. If the hacker truly believes they are correct, they should be content in that fact without need to constantly prove why they are “correct.”