Computer crime consists of any criminal activity in which computer systems or networks are used as tools. Computer crime also includes crimes in which computer systems are targeted, or in which computers are the scene of the crime committed. That’s a pretty wide spectrum.
The real world, however, has difficulty dealing with computer crimes. Several reasons why computer crimes are hard to cope with include
- Lack of understanding: In general, legislators, judges, attorneys, law enforcement officials, and jurors don’t understand the many different technologies and issues involved in a computer crime.
- Inadequate laws: Laws are slow to change, and fail to keep pace with rapidly evolving new technology.
- Multiple roles of computers in crime: These roles include crimes committed against a computer (such as hacking into a system and stealing information) and crimes committed by using a computer (such as using a system to launch a Distributed Denial of Service attack). Computers may also support criminal enterprises, where criminals use computers for crime-related recordkeeping or communications.
Computer crimes are often difficult to prosecute for the reasons we just listed, and also because of the following issues:
- Lack of tangible assets: Traditional rules of property often don’t clearly apply in a computer crime case. However, property rules have been extended in many countries to include electronic information. Computing resources, bandwidth, and data (in the form of magnetic particles) are often the only assets at issue. These can be very difficult to quantify and assign a value to. The asset valuation process, which we discuss later in this chapter, can provide vital information for valuing electronic information.
- Rules of evidence: Often, original documents aren’t available in a computer crime case. Most evidence in such a case is considered hearsay evidence (which we discuss later in the upcoming section “Hearsay rule”) and must meet certain requirements to be admissible in court. Often, evidence is a computer itself, or data on its hard drive.
- Lack of evidence: Many crimes are difficult to prosecute because law enforcement agencies lack the skills or resources to even identify the perpetrator, much less gather sufficient evidence to bring charges and successfully prosecute. Frequently, skilled computer criminals use a long trail of compromised computers through different countries in order to make it as difficult as possible for even diligent law enforcement agencies to identify them.
- Definition of loss: A loss of confidentiality or integrity of data goes far beyond the normal definition of loss in a criminal or civil case.
- Location of perpetrators: Often, the people who commit computer crimes against specific organizations do so from locations outside of the victim’s country. Computer criminals do this, knowing that even if they make a mistake and create discoverable evidence that identifies them, the victim’s country law enforcement agencies will have difficulty apprehending the criminal.
- Criminal profiles: Computer criminals aren’t necessarily hardened criminals and may include the following:
- Juveniles: Juvenile laws in many countries aren’t taken seriously and are inadequate to deter crime. A busy prosecutor is unlikely to pursue a low-profile crime committed by a juvenile that results in a three-year probation sentence for the offender.
- Trusted individuals: Many computer criminals are individuals who hold a position of trust within a company and have no prior criminal record. Such an individual likely can afford a dream team for legal defense, and a judge may be inclined to levy a more lenient sentence for the first-time offender. However, recent corporate scandals in the U.S. have set a strong precedent for punishment at the highest levels.
Computer crimes are often classified under one of the following six major categories:
- Business attacks. Businesses are increasingly the targets of computer and Internet attacks. These attacks include competitive intelligence gathering, Denial of Service, and other computer-related attacks. Businesses can be inviting targets for an attacker due to
- Lack of expertise: Despite heightened security awareness, a shortage of qualified security professionals exists and is getting worse.
- Lack of resources: Businesses often lack the resources to prevent, or even detect, attacks against their systems.
- Lack of reporting or prosecution: Because of public relations concerns and the inability to prosecute computer criminals because of either a lack of evidence or a lack of properly handled evidence, the majority of business attacks still go unreported.
The cost to businesses can be significant, including loss of trade secrets or proprietary information, loss of revenue, and loss of reputation.
- Financial attacks. Banks, large corporations, and e-commerce sites are the targets of financial attacks, all of which are motivated by greed. Financial attacks may seek to steal or embezzle funds, gain access to online financial information, extort individuals or businesses, or obtain the personal credit card numbers of customers.
- “Fun” attacks. “Fun” attacks are perpetrated by thrill-seekers and script kiddies who are motivated by curiosity or excitement. Although these attackers may not intend to do any harm or use any of the information that they access, they’re still dangerous and their activities are still illegal.
These attacks can also be relatively easy to detect and prosecute. Because the perpetrators are often script kiddies (hackers who use scripts or programs written by other hackers because they don’t have programming skills themselves) or otherwise-inexperienced hackers, they may not know how to cover their tracks effectively.
Also, because no real harm is normally done nor intended against the system, it may be tempting (although ill-advised) for a business to prosecute the individual and put a positive public relations spin on the incident. You’ve seen the film at 11:00: “We quickly detected the attack, prevented any harm to our network, and prosecuted the responsible individual; our security is unbreakable!” Such action, however, will likely motivate others to launch a more serious and concerted grudge attack against the business.
Many computer criminals in this category only seek notoriety. Although it’s one thing to brag to a small circle of friends about defacing a public website, the wily hacker who appears on CNN reaches the next level of hacker celebrity-dom. These twisted individuals want to be caught to revel in their 15 minutes of fame.
- Grudge attacks. Grudge attacks are targeted at individuals or businesses, and the attacker is motivated by a desire to take revenge against a person or organization. A disgruntled employee, for example, may steal trade secrets, delete valuable data, or plant a logic bomb in a critical system or application.
Fortunately, these attacks (at least in the case of a disgruntled employee) can be easier to prevent or prosecute than many other types of attacks because:
- The attacker is often known to the victim.
- The attack has a visible impact that produces a viable evidence trail.
- Most businesses (already sensitive to the possibility of wrongful-termination suits) have well-established termination procedures.
- Specific laws (such as the U.S. Economic Espionage Act of 1996, which we discuss in the section “U.S. Economic Espionage Act of 1996,” later in this chapter) provide very severe penalties for such crimes.
- Ideological attacks. Ideological attacks — commonly known as “hacktivism” — have become increasingly common in recent years. Hacktivists typically target businesses or organizations to protest a controversial position that does not agree with their own ideology. These attacks typically take the form of Distributed Denial-of-Service (DDoS) attacks, but can also include data theft. For example, the U.S. Senate and many businesses — including the Sony PlayStation Network — were targeted in 2011 and early 2012 because of their support for the Stop Online Piracy Act (SOPA).
- Military and intelligence attacks. Military and intelligence attacks are perpetrated by criminals, traitors, or foreign intelligence agents seeking classified law enforcement or military information. Such attacks may also be carried out by governments during times of war and conflict.
- Terrorist attacks. Terrorism exists at many levels on the Internet. Following the terrorist attacks against the U.S. on September 11, 2001, the general public became painfully aware of the extent of terrorism on the Internet. Terrorist organizations and cells use online capabilities to coordinate attacks, transfer funds, harm international commerce, disrupt critical systems, disseminate propaganda, recruit new members, and gain useful information about developing techniques and instruments of terror, including nuclear, biological, and chemical weapons.
Important international computer crime and information security laws that the CISSP candidate should be familiar with include
- U.S. Computer Fraud and Abuse Act of 1986
- U.S. Electronic Communications Privacy Act of 1986
- U.S. Computer Security Act of 1987
- U.S. Federal Sentencing Guidelines of 1991 (not necessarily specific to computer crime, but certainly relevant)
- U.S. Economic Espionage Act of 1996
- U.S. Child Pornography Prevention Act of 1996
- USA PATRIOT Act of 2001
- U.S. Sarbanes-Oxley Act of 2002
- U.S. FISMA Act of 2002
- U.S. CAN-SPAM Act of 2003
- U.S. Identity Theft and Assumption Deterrence Act of 2003
- The Council of Europe’s Convention on Cybercrime of 2001
- The Computer Misuse Act of 1990 (U.K.)
- Privacy and Electronic Communications Regulations of 2003 (U.K.)
- Cybercrime Act of 2001 (Australia)