COMPUTER CRIME

COMPUTER CRIME

The use of a computer to take or alter data, or to gain unlawful use of computers or services.

Because of the versatility of the computer, drawing lines between criminal and noncriminal behavior regarding its use can be difficult. Behavior that companies and governments regard as unwanted can range from simple pranks, such as making funny messages appear on a computer’s screen, to financial or data manipulation producing millions of dollars in losses. Early prosecution of computer crime was infrequent and usually concerned EMBEZZLEMENT, a crime punishable under existing laws. The advent of more unique forms of abuse, such as computer worms and viruses and widespread computer hacking, has posed new challenges for government and the courts.

The first federal computer crime legislation was the Counterfeit Access Device and Computer Fraud and Abuse Act (18 U.S.C.A. § 1030), passed by Congress in 1984. The act safeguards certain classified government information and makes it a misdemeanor to obtain through a computer financial or credit information that federal laws protect. The act also criminalizes the use of computers to inflict damage to computer systems, including their hardware and software.

In the late 1980s, many states followed the federal government’s lead in an effort to define and combat criminal computer activities. At least 20 states passed statutes with similar definitions of computer crimes. Some of those states might have been influenced by studies released in the late 1980s. One report, made available in 1987 by the accounting firm of Ernst and Whinney, estimated that computer abuse caused between $3 billion and $5 billion in losses in the United States annually. Moreover, some of those losses were attributable to newer, more complicated crimes that usually went unprosecuted.

The number of computer crimes continued to increase dramatically in the early 1990s. According to the Computer Emergency and Response Team at Carnegie-Mellon University, the number of computer intrusions in the United States increased 498 percent between 1991 and 1994. During the same time period, the number of network sites affected by computer crimes increased by 702 percent. In 1991, Congress created the National Computer Crime Squad within the FEDERAL BUREAU OF INVESTIGATION (FBI). Between 1991 and 1997, the Squad reportedly investigated more than 200
individual cases involving computer hackers.

Congress addressed the dramatic rise in
computer crimes with the enactment of the
National Information Infrastructure Act of 1996
as title II of the Economic Espionage Act of
1996, Pub. L. No. 104-294, 110 Stat. 3488. That
Act strengthened and clarified provisions of the
original Computer Fraud and Abuse Act,
although lawmakers and commentators have
suggested that as technology develops, new leg-
islation might be necessary to address new
methods for committing computer crimes. The
new statute also expanded the application of the
original statute, making it a crime to obtain
unauthorized information from networks of
government agencies and departments, as well
as data relating to national defense or foreign
relations.

Notwithstanding the new legislation and law
enforcement’s efforts to curb computer crime,
statistics regarding these offenses remain stag-
gering. According to a survey in 2002 conducted
by the Computer Security Institute, in conjunc-
tion with the San Francisco office of the FBI, 90
percent of those surveyed (which included
mostly large corporations and government
agencies) reported that they had detected com-
puter-security breaches. Eighty percent of those
surveyed acknowledged that they had suffered
financial loss due to computer crime.Moreover,
the 223 companies and agencies in the survey
that were willing to divulge information about
financial losses reported total losses of $455 mil-
lion in 2002 alone.

Concerns about TERRORISM have also
included the possibility that terrorist organiza-
tions could perform hostile acts in the form of
computer crimes. In 2001, Congress enacted the
Uniting and Strengthening America by Provid-
ing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act (USA PATRIOT ACT),
Pub. L. No. 107-56, 115 Stat. 277, to provide law
enforcement with the necessary tools to combat
terrorism. The Act includes provisions that
allow law enforcement greater latitude in hunt-
ing down criminals who use computers and
other communication networks. The Homeland
Security Act of 2002, Pub. L. No. 107-296, 116
Stat. 2135 also directed the UNITED STATES SEN-
TENCING COMMISSION to review, and possibly
to amend, the sentencing provisions that relate
to computer crimes under 18 U.S.C.A. § 1030.
The Department of Justice’s Computer
Crime and Intellectual Property Section prose-
cutes dozens of computer-crime cases each year.
Many of those cases involve instances of com-
puter hacking and other unauthorized intru-
sions, as well as software PIRACY and computer
fraud.
One set of especially destructive crimes—
internal computer crimes—includes acts in
which one computer’s program interferes with
another computer, thus hindering its use, dam-
aging data or programs, or causing the other
computer to crash (i.e., to become temporarily
inoperable). Two common types of such pro-
grams are known in programming circles as
“worms” and “viruses.” Both cause damage to
computer systems through the commands writ-
ten by their authors. Worms are independent
programs that create temporary files and repli-
cate themselves to the point where computers
grow heavy with data, become sluggish, and
then crash.Viruses are dependent programs that
reproduce themselves through a computer code
attached to another program, attaching addi-
tional copies of their program to legitimate files
each time the computer system is started or
when some other triggering event occurs.
The dangers of computer worms and viruses
gained popular recognition with one of the first
cases prosecuted under the Computer Fraud
and Abuse Act. In United States v. Morris, 928
F.2d 504 (2d Cir. 1991), Cornell University stu-
dent Robert T.Morris was convicted of violating
a provision of the act that punishes anyone who,
without authorization, intentionally accesses a
“federal interest computer” and damages or pre-
vents authorized use of information in such a
computer, causing losses of $1,000 or more.
Morris, a doctoral candidate in computer sci-
ence, had decided to demonstrate the weakness
of security measures of computers on the INTER-
NET, a network linking university, government,
and military computers around the United
States. His plan was to insert a worm into as
many computers as he could gain access to, but to ensure that the worm replicated itself slowly enough that it would not cause the computers to
slow down or crash. However, Morris miscalculated
how quickly the worm would replicate. By
the time he released a message on how to kill the
worm, it was too late: Some 6,000 computers
had crashed or become “catatonic” at numerous
institutions, with estimated damages of $200 to
$53,000 for each institution. Morris was sentenced
to three years’ PROBATION and 400 hours
of community service, and was fined $10,500.
The U.S. Supreme Court declined to review the
case (Morris, cert. denied, 502 U.S. 817, 112 S. Ct.
72, 116 L. Ed. 2d 46 [1991]).
Computer hackers often share Morris’s goal
of attempting to prove a point through the
clever manipulation of other computers. Hackers,
who, typically, are young, talented, amateur
computer programmers, earn respect among
their peers by gaining access to information
through TELECOMMUNICATIONS systems. The
information obtained ranges from other individuals’
E-MAIL or credit histories to the Department
of Defense’s secrets.
A high-profile case in 1992 captured
national headlines. In what federal investigators
called a conspiracy, five young members of an
underground New York City gang of hackers,
the Masters of Deception (MOD), faced charges
that they had illegally obtained computer passwords,
possessed unauthorized access devices
(long-distance calling-card numbers), and committed
wire fraud in violation of the Computer
Fraud and Abuse Act. Otto Obermaier, the U.S.
attorney who prosecuted the youths, described
their activities as “the crime of the future,” and
said that he intended to use the case to make a
critical statement about computer crime. The
indictment contained 11 counts, each punishable
by at least five years in prison and individual
fines of $250,000. Supporters of MOD’s civil
liberties questioned whether the gang members
had done anything truly illegal.
MOD members Paul Stira and Eli Ladopoulos
pleaded guilty to the charges against them.
They confessed that they had broken the law but
insisted that they had not done anything for personal
profit. They were sentenced to six months
in a federal penitentiary, followed by six months’
home detention. John Lee and Julio Fernandez
faced specific charges of illegally selling passwords
for personal profit. Lee pleaded guilty and
received a year behind bars, followed by 300
hours of community service. Fernandez bargained
with prosecutors, offering them information
on MOD activities, and thus received no jail
time. Gang leader Mark Abene, who was notorious
in computer circles by his handle Phiber
Optik, pleaded guilty to charges of fraud. A U.S.
District Court judge sentenced Abene to a year
in federal prison, hoping to send a message to
other hackers. However, by the time Abene was
released from prison in 1995, his notoriety had
grown beyond the hacker underground. Many
in the computer world hailed him as a martyr in
the modern web of computer technology and
criminal prosecution. Abene subsequently
found employment as a computer technician at
a New York-based on-line service.
Computer crime can become an obsession.
Such was the case for Kevin Mitnick, a man federal
prosecutors described prior to his arrest as
the most wanted computer hacker in the world.
In the early 1980s, as a teenager,Mitnick proved
his mettle as a hacker by gaining access to a
North American Air Defense terminal, an event
that inspired the 1983 movie War Games. Like
the MOD gang, Mitnick gained access to computer
networks through telecommunications
systems. In violation of federal law, he accessed
private credit information, obtaining some
20,000 credit numbers and histories. Other
break-ins by Mitnick caused an estimated $4
million in damage to the computer operations
of the Digital Equipment Corporation. The
company also claimed that Mitnick had stolen
more than one million dollars in software.
Mitnick was convicted, sentenced to one
year in a minimum-security prison, and then
released into a treatment program for compulsive-
behavior disorders. Federal investigators
tried to keep close track of him during his probation,
but in November 1992, he disappeared.
Authorities caught up with his trail when Mitnick
broke into the system of computer-security
expert Tsutomu Shimomura at the San Diego
Supercomputer Center—a move that was clearly
intended as a challenge to another programming
wizard. Shimomura joined forces with the
Federal Bureau of Investigation to pursue their
elusive quarry in cyberspace. Using a program
designed to record activity in a particular database
that they were sure that Mitnick was
accessing, while monitoring phone activity, Shimomura
and authorities narrowed their search
to Raleigh, North Carolina. A special device
detecting cellular-phone use ultimately led them
to Mitnick’s apartment. Mitnick was arrested
and was charged on 23 federal counts. He plea-bargained with prosecutors, who agreed to drop
22 of the counts in exchange for Mitnick’s guilty
plea for illegally possessing phone numbers to
gain access to a computer system. Mitnick was
sentenced to eight months in jail.
Mitnick’s case illustrates the difficulties that
legislatures and courts face when defining and
assigning penalties for computer crime. Using a
computer to transfer funds illegally or to embezzle
money is clearly a serious crime that merits
serious punishment.Mitnick broke into numerous
services and databases without permission
and took sensitive information, in violation of
federal laws; however, he never used that information
for financial gain. This type of behavior
typically has no counterpart outside of cyberspace—
for example, people do not break into
jewelry stores only to leave a note about weak
security.
Some instances of computer crimes demonstrate
the way in which small computer files that
require relatively little effort on the part of the
perpetrator can cause millions of dollars’ worth
of damage to computer networks. In March
1999, David L. Smith of New Jersey created a
virus that lowered the security levels of certain
word-processing programs and caused infected
computers to send e-mail messages containing
attachments with the virus to e-mail addresses
contained in the infected computer’s e-mail
address book. The virus was activated on an
infected computer when the user opened the
word-processing program.
Smith posted a message on March 26, 1999,
to an Internet newsgroup called “Alt.Sex.” The
message claimed that if a user opened an attachment,
it would provide a list of passcodes to
pornographic websites. The attachment contained
the virus, which became known as the
“Melissa” virus. Smith was arrested by New Jersey
authorities on April 1, 1999, but not before
the virus had infected an estimated 1.2 million
computers and affected one-fifth of the country’s
largest businesses.
The total amount of damages was $80 million.
Smith pleaded guilty in December 1999 to
state and federal charges. He faced 20 months in
a federal prison and a fine of approximately
$5,000 for his crime.He faced additional time in
state prison. According to U.S. Attorney Robert
J. Cleary, “There is a segment in society that
views the unleashing of computer viruses as a
challenge, a game. Far from it; it is a serious
crime. The penalties Mr. Smith faces—including
potentially five years in a federal prison—are no
game, and others should heed his example.”
Others have continued to commit such
crimes. In February 2000, a computer hacker
stunned the world by paralyzing the Internet’s
leading U.S. web sites. Three days of concentrated
assaults upon major sites crippled businesses
like Yahoo, eBay, and CNN for hours,
leaving engineers virtually helpless to respond.
When the dust had settled, serious doubts were
raised about the safety of Internet commerce.
An international hunt ensued, and web sites
claimed losses in the hundreds of millions of
dollars. After pursuing several false leads, investigators
ultimately charged a Canadian teenager
in March 2000 in one of the attacks.
On February 7, engineers at Yahoo, the popular
portal web site, noticed traffic slowing to a
crawl. Initially, suspecting faulty equipment that
facilitates the thousands of connections to the
site daily, they were surprised to discover that it
was receiving many times the normal number of
hits. Buckling under exorbitant demand, the
servers—the computers that receive and transmit
its Internet traffic—had to be shut down for
several hours. Engineers then isolated the problem:
Remote computers had been instructed to
bombard Yahoo’s servers with automated requests for service. Over the next two days, several
other major web sites suffered the same
fate. Hackers hit the auction site eBay, the bookseller
Amazon.com, the computer journalism
site ZDnet, stock brokerages E*Trade and
Datek, the computer store Buy.com, the web
portal Excite at Home, and the flagship site for
news giant CNN.As each site ground to a halt or
went offline, engineers tried in vain to determine
where the digital bombardment had originated.
Experts expressed amazement at the attacks’
simplicity as well as at the inherent vulnerabilities
that they exposed in the Internet’s architecture.
Hackers had launched what quickly came
to be known as a distributed Denial-of-Service
(DOS) attack—essentially a remote-controlled
strike using multiple computers. First, weeks or
months in advance, they had surreptitiously
installed commonly available hacking programs
called “scripts” on 50 or more remote computers,
including university systems chosen for their
high-speed connections to the Internet. Later,
they activated these scripts, turning the remote
computers into virtual zombies that were
ordered to send unfathomably large amounts of
data—up to one gigabyte per second—continuously
to their victims. These data asked the target
web sites to respond, just as every legitimate
connection to a web site does. The sheer multitudes
of requests and responses overwhelmed
the victim sites. To escape detection, the “zombies”
forged their digital addresses.
Federal investigators were initially stymied.
They had legal authority to act under 18
U.S.C.A. § 1030, which criminalizes “knowingly
transmit(ting) a program information code or
command” that “intentionally causes damage.”
Sleuthing was difficult, however. Not only had
the hackers covered the trail well, but also the
FBI had suffered numerous personnel losses to
private industry. The bureau had to hire consultants
and had to develop special software to
assist in its manhunt. Moreover, as FBI official
Ron Dick told reporters, the proliferation of
common hacking tools meant that even a
teenager could have orchestrated the crime.
In early March 2000, authorities arrested 17-
year-old New Hampshire resident Dennis
Moran, allegedly known online as “Coolio.” The
lead proved false. In mid-April, claiming to have
found “Mafiaboy,” Royal Canadian Mounted
Police arrested a 15-year-old Montreal hacker.
The youth, whose real name was not divulged,
allegedly had boasted of his exploits online
while trying to recruit helpers. Officials charged
him with a misdemeanor for launching the
attack upon CNN’s website.
Although the DEPARTMENT OF JUSTICE continued
its hunt, this denial-of-service attack was
never completely resolved. Analysts have noted
that DOS attacks have occurred for several years,
although not to the extent as that of February
2000. In May 2001, for instance, the White
House’s web page was hit with a DOS attack that
blocked access to the site for about two hours.
Based upon the sheer number of cases
involving computer crime, commentators
remain puzzled as to what is necessary to curb
this type of activity. Clearly, technology for law
enforcement needs to stay ahead of the technology
used by the hackers, but this is not an easy
task. A number of conferences have been held to
address these issues, often attracting large corporations
such as Microsoft and Visa International,
but the general consensus is that the
hackers still hold the upper hand, with solutions
still elusive.
FURTHER READINGS
Cadoree, Michelle. 1994. Computer Crime and Security.
Washington, D.C.: LC Science Tracer Bullet.
Gemignani, Michael C. 1993. Computer Law. New York:
Clark Boardman Callaghan.
Irwin, Richard D. 1990. Spectacular Computer Crimes.
Homewood, Ill.: Dow Jones–Irwin.
Mungo, Paul. 1992. Approaching Zero. New York: Random
House.
Nugent, Hugh. 1991. State Computer Crime Statutes. Justice
Department. National Institute of Justice.
Slatalla, Michelle, and Joshua Quittner. 1995. Masters of
Deception. New York: HarperCollins.
Soma, John T. 1994. Computer Technology and the Law. Colorado
Springs: Shepard’s/McGraw-Hill.
CROSS-REFERENCES
E-Mail.