,.. 3-... fimzs i. V5? .1. .033 1. mi» .. . a: It. .Q... .qu . r... a x. 3;» x wufsbwiu... t a: .... . :34...» . 3.; . v u i theta-z. L“. [H l.‘--iuv" I gufi3§2 3 u 5. 5n. . . .. : itfi .rn l. .I 3 r! .50.. . "NF! WM.“ ...:...........}..... = ,V . I‘ «.6: Hair : w . g . m5 , . 11 yr .33. 9 . 2 “Win... r . .U. 7 ‘ :vnflumv. ‘ re .Lna. . . .. XL. 1... . 1.2 fir... r) 5.; , u. . é. . any: ‘ , :Lm. .53.. 1 x. 14.53:”... .... 0.3.. a: fin... v.1! , .- ... . r... a. I . 3.. i). : J ‘ fi i3: 7”?! us. 0 r. 0- tr.“ . c1 :11 2. .4 £1.71. .vaiuuawll .. 9. r E m ll ml mum llfllllllllllllllll _, 3 1293 01420 2604 memo»: TATE umvsnsm I l l i This is to certify that the dissertation entitled COMPUTERS: THE CHNAGING FACE OF CRIMINALITY presented by ANDRA JAN KATZ has been accepted towards fulfillment of the requirements for Doctor of Philosophy degree in Criminal Justice and Criminology Major professor Date October 20, 1995 MSU is an Affirmative Action/Equal Opportunity Institution 0-12771 LIBRARY Michigan State Unlversity PLACE II RETURN BOX'to remove this chockoutfrom your "cord. TO AVOID FINES Mum on or baton dd. duo. DATE DUE DATE DUE DATE DUE @5358 m MAW-2993' s WU: MAMGS‘JZQOS MSUIIAnAM'Erat'V“ ' ’1 "fl ,2.........- COMPUTERS: THE CHANGING FACE OF CRIMINALITY by Andra Jan Katz A DISSERTATION Submitted to Michigan State University in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY School of Criminal Justice 1995 Copyright © by ANDRA JAN KATZ 1995 DEDICATION To my loving and supportive family. Most of all, to my mother and father whose unconditional love and support helped me realize that which is truly important in life. ACKNOWLEDGMENTS My sincerest thanks go to my mentor, Dr. David L. Carter, whose support, kindness, and overall generosity are unparalleled. I would also like to thank those who served on my dissertation committee; Dr. Jackie Lerner, Dr. Denny Payne, and Dr. Chris Vanderpool, for their insightful input. To the support staff of the School of Criminal Justice at Michigan State University, thank you for being so patient and friendly throughout. Lastly, thank you Todd Bosserdet for being so supportive. TABLE or CONTENTS LIST OF TABLES viii LIST OF FIGURES ix Chapter Page p—l I INTRODUCTION Background and Need 5 Statement of the Problem 5 Research Questions 6 Null Hypotheses 7 Delimitations 9 II LITERATURE REVIEW 10 A Historical Look 11 Technology and Society 12 Networks 15 Limited Literature 17 Computer Crime Defined 21 Typologies of Computer Crime 22 Nature of Computer Crime 27 CURRENT TRENDS 29 Networks and Computer Malfeasance 29 PERPETRATORS 32 Human Factors 32 General Comments 32 Theoretical Explanations 37 Types of Computer Criminals 40 Rationalizations 43 Computer Security and the Human Factor 46 LAW ENFORCEMENT AND COMPUTER CRIME 47 vi LEGISLATION AND COMPUTER CRIME Federal Laws State Laws Conflict Between State and Federal Laws On An International Level CONCLUSION III METHODOLOGY IV ANALYSIS OF DATA Explanation of Hypotheses Analysis of the Hypotheses Additional Significant Relationships V SUMMARY, CONCLUSIONS AND RECOMMENDATIONS Summary Conclusion Recommendations REFERENCES CITED AND SELECTED BIBLIOGRAPHY Books and Monographs Articles and Presentations Anecdotal References Interviews Appendices A Computer Crime Survey B Univariate Survey Results C Respondent Comments 50 59 66 67 70 71 78 87 93 95 98 98 101 102 1 08 109 1 1 2 113 118 Page 119 124 19 Table 2.1 4.1 4.2 4.3 LIST or TAB LES Summary of Computer Crime Typology Univariate Findings of Computer-Crime/ Abuse Perpetrators Computer Crime Counter Measures Statistics for Hypothesis Testing viii Page 27 87 LIST or FIGURES Figure Page 2.1 Lexis / Nexis Search of Computer Crime and Internet Crime Stories 27 Chapter I INTRODUCTION With the advent of technology oftentimes comes those who will take advantage of these advancements for illicit purposes. Computer technology is no exception. As is illustrated by the countless examples of ”creative criminality,” one could argue that computer technology has not come without a price. While many of the crimes perpetrated using this technology mirror traditional crimes, the speed and sophistication with which such activities are carried out are often difficult to comprehend. Terms such as ”cyberspace", ”T he Net", and the ”Worldwide Web” further enhance abstract images and concepts thereby creating even greater confusion. In addition, those who perpetrate such crimes are seemingly faceless and nameless unless, of course, they are caught. Such characteristics seem to be unique to computer-related crime, creating somewhat of a mystique. As with other types of crime, both violent and non-violent (i.e., white- collar), perpetrators oftentimes take advantage of that which they perceive as being vulnerable. In reported cases of computer-related crime, for example, it is believed that most perpetrators make a conscious decision to pursue a particularly vulnerable target or targets. However, in some cases, especially those which involve hackers, simply finding the vulnerabilities in a system 2 proves to be the most challenging and therefore the most exciting component of engaging in such crimes. The thrill of the chase and/ or challenge is not a characteristic unique to hackers. Parallels may be drawn to violent crime, as in the case of serial rapists. Interviews with convicted serial rapists reveal that it is not the actual rape, but rather the thrill of the chase (i.e., stalking) that is the most exciting component of the criminal act. Identifying a target (most often a ”vulnerable” female), stalking her, and perhaps even entering the premises several times prior to the rape is the greatest ”high” for these individuals. Some have even stated that the rape only took place because it seemed like the logical ”next step” in the progression of events. To some extent, computer-related crimes are merely traditional crimes that have reappeared in a new form. Disguised perhaps by the level of sophistication and anonymity, such crimes often go unpunished, or, in many cases, undetected. While many offenders revel in their cunning and oftentimes brilliant escapades, others view their activities as being innocuous. Rationalizing the criminal acts is common to both offender categories. Denial that one has committed a crime is a characteristic that usually crosses both offender categories. And, if forced to admit otherwise, both, most likely, will respond within a predictable range of justifications. Rarely, does an offender outright admit that his/ her actions where unjustified. 3 Failure to take an active role in researching computer-related crime in the past may, in essence, be partially to blame for the current explosion of it within the last five years. Aggressive measures specifically designed to apprehend offenders have, up to this point, been few in number. We as a society fear violence. As a result, violent crimes are viewed as being intolerable and unforgivable. If apprehended, offenders are often given a harsh sentence. They serve time in correctional facilities, many of which have environments riddled with violence and aggression. Prisoners spend much of their time learning how to survive on the ”inside". If released, there is a good chance that they will recidivate. More often than not, they will be convicted of crimes more violent than the one they committed as first time offenders. To society, they are undesirables and figuring out what to do with such individuals has been a never-ending process. Concentrating almost all our efforts on protecting ourselves from violent offenders has left us vulnerable and indecisive when it comes to other types of crime, namely white-collar crime. Somehow we have been reluctant to admit that white-collar crime may be even more harmful to society as a whole. The absence of the emotional component has handicapped us in such a way that we ourselves oftentimes rationalize for white-collar criminals who are apprehended. If harsh sentences are imposed (which is typically not the case), there is a tendency to ”feel sorry” for such individuals. 4 Another element which might explain our lack of anger and resentment toward white-collar criminals is the theory that we, as a society, can perhaps relate more closely to these individuals. While most of us cannot imagine committing a violent crime, this may not hold true for white-collar crimes. Seeing ourselves in the shoes of such an offender may not be so far-fetched. Rather, perhaps given the opportunity, we too might engage in such a crime. Therefore, if viewed in the same manner as we view a violent crime, then we too could reasonably be criminals given the opportunity. In an attempt to reduce the cognitive dissonance that may arise as a result of this uncomfortable thought, the ability to rationalize and justify another's criminal act helps explain the leniency and lessened anger toward such individuals. Regardless of the feelings and emotions that underlie society's lack of evenhandedness when it comes to criminal justice, failure to recognize the seriousness of computer-related crime has proven costly. The devastating effects of computer-related crime are in their infancy. If the proliferation of computer crime as it has occurred over the last five years is any indication of what is to be expected in the future, we as society might find ourselves under siege. The technology we have created, coddled, and mass-marketed may one day prove to be our worst enemy. Taking the initiative by first admitting that a serious problem exists and, second by creating policy and procedures to aggressively counteract and/ or inhibit such destructive activities may be our only savior. 5 Several factors can be examined with respect to computer crime and abuse. One issue which seems to emerge in light of the report by the A515 committee on Stealing Proprietary Information (SP1) is the number of times a company/ organization is victimized by full-time employees. Although full- time employees are considered to pose the greatest threat, according to a SPI presentation at the 1995 ASIS meeting, only a handful of preventive measures are regularly taken. Background and Need The proliferation of computer-related crime in recent times is cause for concern. As technology becomes increasingly sophisticated, the likelihood that abuses will increase as well has proven accurate. Factors such as the rapid decrease in the cost of technology which coincides with technological advances, the increased familiarity and use of technology which includes the maturation of the ”techno-generation", and the ”techno-fad” in which outdoing the neighbors takes high priority all contribute to this phenomenon. Statement of the Problem The purpose of this study is to determine the extent and characteristics of computer crime. At this point, there is little empirical evidence Which adequately describes the magnitude and scope of the problem. However, 6 anecdotal evidence indicates that computer crime is a problem which is growing and has a significant economic impact. The survey and interviews on which this study was based provided contemporary empirical research in area where there is a true void. In general, the study assessed (1) changes in the frequency of computer-related crime, (2) changes in the character of computer-related crime and (3) explored the correlation of evolving technology and computer-related crime. Research Questions This study focused on trends of computer-related crime over the last five years. In addition to the aforementioned hypotheses, the research questions addressed were as follows: 1. What is the extent of it? 2. What type of property is being stolen, tampered with and/ or sabotaged? every 3. Who are the offenders? 4. How have trends in computer-related crime changed over the last five years? 5. What types of technologies are used by the companies sampled? 6. What is the current trend with regards to number of victimizations? 7 7. What counter measures do businesses take to protect themselves from computer-related crime? Null Hypotheses In light of the framework discussed above, for purposes of hypothesis testing the relationship between two critical variables was examined. The first variable identified whether the perpetrator was a full-time employee, part-time or ”outsource” employed, or a computer hacker. In addition, it also specified the type of incident. The second variable was the number of times a company/ organization had been victimized by computer-related crime. Ho]: There is no significant relationship between full-time employees stealing or attempting to steal money through computer-related theft and the number of times a company/ organization has been victimized by computer- related crime. H02: There is no significant relationship between part-time or ”outsource” employees who have stolen or attempted to steal money via computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. H03: There is no significant relationship between computer hackers who have stolen or attempted to steal money through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. 8 H04: There is no significant relationship between full-time employees who have stolen or attempted to steal product information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. H05: There is no significant relationship between part-time or ”outsource” employees who have stolen or attempted to steal product information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. H06: There is no significant relationship between computer hackers who have stolen or attempted to steal product information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. H07: There is no significant relationship between full-time employees who have stolen or attempted to steal marketing information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. H08: There is no significant relationship between part-time employees who have stolen or attempted to steal marketing information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. H09: There is no significant relationship between computer hackers who have stolen or attempted to steal marketing information through 9 computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. Delimitations As a result of the methods required to collect data on computer crime, the research has the following delimitations. 1. Since the research is exploratory, many of the variables examined were intuitively derived based on a content analysis of anecdotal evidence from news stories and the experiences of security professionals. As a consequence, some critical variables could have been missed in the research. 2. After initial inquiries to security professionals, it became evident that specific data on such things as the numbers of computer crimes, losses from the crimes, and the numbers of perpetrators involved were virtually impossible to obtain. As a consequence, the research relied on less definitive nominal variables to gather data on perceptions and experiences rather than the more specific interval or ratio data. 3. Because of the somewhat peculiar nature of computer crime, external validity may be limited to large corporations and businesses as a result of the purposive sample (described in the methodology). Chapter II LITERATURE REVIEW Although identified as a serious threat by individuals from diverse backgrounds (i.e., security, law enforcement, university professors, etc.), computer crime has historically been viewed as a ”lesser” crime. Its relatively abstract nature coupled with society's emphasis on violent crime explains its subordinate position. Evident by the limited amount of literature and research, it has, in some cases, been outright ignored and/ or deemed less significant than other types of criminal activities. Unfortunately, growing concern about computer crime has come a little too late. Documented cases of such offenses have far surpassed the interest and attention that these criminal activities have received. And, as a result, the proliferation of computer crime has reached widespread and largely unknown proportions. Businesses, government agencies, and universities are all scrambling to recover from attacks and/ or are anticipating the next one. Law enforcement agencies are often not notified of such activities. Even if they are, such activities are given a low priority status. Legislation, not fully equipped to deal with such crimes, has also proven disappointing. In recent years computer crime has been viewed as a serious problem which has the ability to multiply geometrically—this problem is now a reality. 10 11 A Historical Look Computer crime and abuse is a relatively recent phenomenon. Although it has its roots in early predecessors (such as telecommunications fraud), such abuse is limited to the type of technology available at any given time. The rapid change in technological advancements society has witnessed of late is the precursor to the current state of malfeasance. Computer abuse dates back to the late 1940's with the emergence of computer technology. Although far from sophisticated by today's standards, such technology triggered what may be identified as the earliest form of technology crime. However, the first recorded case of computer abuse did not occur until 1958 (Parker, 1989:5). And, ”(t)he first federally prosecuted computer crime, identified as such, was the alteration of bank records by computer in Minneapolis in 1966” (Parker, NI], 19895). The sophistication of the types of abuse witnessed paralleled the technology available at the time, an observation that would re-occur several times throughout the years. Technology oftentimes acts as a host for abuse. As it proliferates, so does the parasitic nature of abuse. Computer technology is a prime example. ”As the number of people in the computer field began to increase, that fact of human nature that wants to harm society for personal gain took hold; the problem of abuse became especially acute as computer technology proliferated into sensitive areas of society, as military systems” (Parker, 1989z5). 12 The well-publicized case of computer theft described in "T he Cuckoo's Egg” is a clear illustration of this phenomenon (Stoll, 1990) . The perpetrator, a hacker out of Hanover Germany, was able to capitalize on the mistakes of administrators. Failure to use carefully guarded passwords, as well as the lack of monitoring audit trails proved to be a most damaging mistake. Throughout his reign, this ”super user” was able to break into US. computer systems and steal sensitive national security and military information. Eventually caught and tried as a spy, ”Hunter", taught society a very important lesson. With technology often comes abuse. Failure to acknowledge this fact has been very costly. Technology and Society Over the last 5-8 years, society has witnessed a rapid change in technology. According to Hoover (1995) such changes have been multiplied by the simultaneous integration of several distinct technologies. On separate fronts, rapid changes in technology and the resulting abuse may be attributed to a number of factors. Technology as whole has increased a great deal in terms of capacity. The growth of technology affects everyday life at a level which becomes seemingly more sophisticated from one year to the next. III fact, technology is permeating every aspect of society creating a more simplified yet exceedingly more complex lifestyle for its members. Examples of technology which have emerged in the recent past yet are foreign to perhaps only a small percentage of the population include: Automatic Teller 13 Machines (ATMs), Voice Mail, Cellular and Wireless Telecommunications, On-line Services, and the integration of telephone, cable television and computer technology. Clearly, social integration of technology has been relatively fast, but has been ”forced” on society by business and technology vendors. Trying to circumvent technological innovations is close to impossible, for they have penetrated every aspect of society. Avoiding it is not only difficult to do, but also warrants a great deal of ingenuity and expertise. Unlike social integration, social acceptance of technology has been slow due to the need to re-socialize the ”non-techno” generations. However, acceptance grows faster each progressive year. The increased familiarity and use of technology which includes the maturation of the ”techno-generation" is enabling the process to occur at an increasingly rapid rate. Another factor responsible for the rapid change witnessed is the cost of technology. The inverse relationship between the level of sophistication of technology and the cost of such technology is contributing factor to the widespread use and abuse experienced thus far. As the level of sophistication increases, the cost of technology decreases allowing ownership and therefore utilization of such technological advances. Decreased cost alone does not necessarily account for the sheer numbers of personal computers owned and operated by individuals. Inherent in the American culture is the desire to keep up with the 'Joneses' and to have a never-ending desire to remain upwardly mobile. Obtaining the 14 'biggest and best' is clearly an American trait which knows no boundaries and crosses all social classes. Material possessions are evaluated and cherished oftentimes more than personal attributes. Personal worth in the eyes of many in America is based on material possessions. Those items viewed as being in line with the newest fads are valued that much more. Securing ”desired” goods seemingly boosts one up the social ladder. Computers and related technology have not been immune to this ”fad” mentality. One unobtrusive measure that illustrates the current computer craze is demonstrated by the number of magazines devoted specifically to computer technology. Prior to 1986, there were no popular magazines of this nature. In less than a decade, approximately 123 computer magazines have appeared on the market, most assuredly the greatest number dedicated to one specific interest area. Like any tool, as it becomes increasingly available it will be increasingly abused. Society has witnessed an abundance of computer-related abuse already, only a small percentage of which has been reported. As predicted by computer specialists around the world, this is only the tip of the iceberg. Such predictions are based on research findings in criminology that approximately 85 percent of all known crime goes unreported. And, it is believed that even a higher percentage of computer-related crime goes unreported (Parker, 1976). Deliberate under-reporting of such crimes is commonplace. Some corporate executives believe that negative publicity received as a result of such a disclosure far outweighs the potential benefits. Not only is there a 15 potential for the business to be adversely affected, but also ”they often discover that they do not know how to correct a vulnerability" (Parker, 1976). A realization such as this may lead to ”administrative handling of cases in which the perpetrator receives little or no sanctions against him” (Parker, 1976:16). In fact, he or she may instead be promoted and transferred to avoid any embarrassment to the company and/ or retaliation by the alleged offender. This attitude which essentially enables the perpetrator to bully and threaten their employer(s) is counterproductive. It not only allows criminal and\or destructive acts to go unpunished, but perpetuates the next cycle of abuse. In fact, in some instances, perpetrators with no affiliation to the company against which certain criminal acts were committed rewarded them by giving them a job with the company. The reasoning behind such an unusual twist of events may be attributed to the fear and vulnerability felt by such companies. Rather than pursing and punishing the perpetrator, having him/ her ”on board” seems to be more advantageous for obvious reasons. Networks Unlike early computer technology which emerged in the 1940’s, the Internet is a comparatively recent addition. The Internet first began as a Department of Defense project designed with the intention of linking all military computers through a network. It was believed that, like the interstate highway system developed in the mid-1950's, such a development would lead to better, more efficient communication between the bases (Stoll, I , .y 16 1990). Such a network would enable a great deal of information to be dispersed in a matter of a short period of time and would essentially eliminate much of the unnecessary, time consuming constraints commonplace in such a bureaucracy. The earliest ancestor of what is now referred to as the Internet was the ARPAnet, developed in 1969 (Smith, Gibbs and McFedries, 1995). The ARPAnet was ”designed to allow messages traveling from one computer to another to be handled in a flexible and robust way” (Smith, Gibbs, and McFedries, 1995). Since it was created for use in a military environment, reliability was a major factor. Understanding and learning about networks that could withstand the loss of connections was the underlying reason for ARPAnet's development from day one (Smith, Gibbs and McFedries, 1995). The idea of connecting computers together through the use of networks was initially welcomed, then almost abandoned. Seen as falling short of the goal for which the technology was originally developed, ARPAnet became a mainstay of universities and laboratories at the same time it was virtually ignored by its creator, the military (Stoll, 1990:64). Attracted by its simplicity and reliability, others began to enjoy the benefits of the ARPAnet. Since 1985, the numbers of institutions, agencies, businesses, and individuals using the NET has skyrocketed. With the realization that this experiment had become extremely successful with both civilians and military personnel, steps were taken to create a separate network for military personnel while retaining the original 17 ARPAnet for everyone else. The Milnet became the offshoot specifically reserved for military use (Stoll, 1990:64). Although designated as a separate network, access to Milnet through the ARPAnet and vice versa was open and therefore did not require any special passwords or invitations. Gateways allowed information to flow freely between the two. Eventually, ARPAnet, Milnet and hundreds of other networks merged together and created what is now commonly referred to as the Internet (Stoll, 1990:64). Limited Literature Research on computer crime has been very limited in both nature and scope. Since the emergence of this technology some fifty years ago, abuse of computer technology has been largely disregarded. According to Parker (1989), the lack of attention historically paid to computer crime is no accident. He states that the ”(p)ursuit of the study of computer crime and computer abuse has been controversial". ”In 1970, a number of researchers concluded that the problem was merely a small part of the effort of technology on society and not worthy of specific explicit research” (pp. 5). However, ”(t)he increase in substantial losses associated with intentional acts involving computers proved the fallacy of this view” (Parker, 1989; pp 5). Another setback for research in computer crime and abuse came in the mid-1970's. Researchers believed that the ”involvement of computers 18 should be subordinate to the study of each specific type of crime, both manual and automated". To further convince themselves, the researchers pointed out the fact that ”(t)he uniqueness of characteristics of computer crime across all the different types of crime was not considered sufficient to warrant explicit research” (Parker, 19895). Consequently, focusing on the ”real” crimes while treating the computer aspect as secondary has been the general theme which has undermined and subsequently inhibited much of the research in this area. Essentially, the potential impact of computer crime was not envisioned. Much to the dismay of the many people and businesses currently faced with computer crime and abuse issues, the lack of such research has left a void and many unanswered questions. While it is difficult to deny that such issues are no longer trivial, government agencies that fund research on a large scale have other agendas. Fueled by the fear of crime so evident in our country, in conjunction with the seemingly impersonal nature of computer crime, resources are poured into areas of a ”pressing” nature. Areas related directly to violent crime, are given priority. Limited attention given to computer-related crime by law enforcement officials may be blamed on its seemingly ”distant and complex” nature. Preliminary research has shown that ”many public law enforcement officials do not envision computer-related crime as a problem that affects them” (Carter, Bramshill 19952). The emotional impact of finding a body or 19 investigating a violent crime is understandably much greater than responding to a computer-related crime. Interestingly enough, computers are not used solely as a tool by white collar criminals. They have been used in the commission of crimes against persons as well. An illustration of this is the abductions of youth from on- line contacts. If the past is predictive of the future, it is safe to assume that this is not merely an anomaly. Linking computers to violent crime may increasingly stir up interest and attention in this much needed direction. Coupled with their ”impersonal" nature, computer crimes are often technical in nature. These crimes ”are sufficiently distinct from the types of crimes that criminal justice officials are accustomed to dealing with that they do not understand their character and impact” (Carter, Bramshill, 1995:2). Additionally, ”(t)he technical nature of computer-related crime is somewhat intimidating-or at least confusing-to those with limited computer-related experience, thus the potential criminality related to those technologies is avoided” (Carter, Bramshill, 1995:2). Another factor that has contributed to the lack of research and inquiry into the area of computer-related crime is that the belief held by many that it is ”unidimensional” (Carter, Bramshill, 1995:2). Viewing it as such does no justice to the real scope and extent of the problem, but rather has proven to be a hindrance. Failure to envision the wide array and ever-expanding nature 'of computer-related offenses has negatively affected not only the views of public 20 law enforcement officials and the public, but also the resources that, as of yet, have not been allocated to the pursuance of active research in this area. Keeping abreast of the technological changes is challenging, to say the least (Carter, Bramshill, 1995:2). However, such changes coupled with the innovative and creative nature of computer criminals makes it difficult to anticipate potential attacks. The information systems 'flashpoint', identified by Hoover (1995), offers an explanation as to why technology and technological changes of late seem much more complex than in the past. The flashpoint refers to the merger of several technologies simultaneously, which, in turn has a synergistic affect, whereby the sum is much greater than the parts. Hoover (1995) explains that up until recently, several technological advances were being made concurrently yet with different goals. Advances in computer processing development, optical science, communication technology and software technology were becoming much more sophisticated than society could have ever foreseen. It is the merger of such technologies that has led to the recent explosion of technological advances and the level of sophistication society is currently experiencing in computer-related communications and processing. Creation of the national information infrastructure (NSI) that has resulted from the integration of technology is both beneficial and detrimental to society. Unfortunately, the benefits acquired have been offset and tainted by the abuse that has thus far grown out of the newest technology. As is g» 21 evident by the current trends in computer malfeasance, the rapid evolution has shown indisputably that there is a greater probability of abuse of the technology with few controls. Computer Crime Defined Defining computer crime in and of itself has been somewhat challenging. Unlike other types of crimes which are usually more concrete in nature, these crimes are abstract. It is difficult to comprehend the idea of crimes being committed in cyberspace. Clearly, this complexity has been a major factor in determining the criteria for what constitutes a computer crime. Locating and identifying definitions of what constitutes computer crime has been difficult. Most of the resources located simply fail to define it. Therefore, reliance on only a few sources will have to suffice. Computer crime is defined as ”any intentional act associated in any way with computers where a victim suffered, or could have suffered, a loss, and a perpetrator made, or could have made, a gain” (Parker, 1983:17). Further, they are ”any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution” (Computer Crime. Criminal Justice Resource Manual, 1989:2). Implied, though not explicitly stated, computer crime by definition includes any crime whether white-collar or violent, that utilizes computer technology for its commission. In fact, the ”use of computers has proliferated not only in 22 traditional crimes of theft such as embezzlement and fraud; increasingly, drug rings, child pomographers and pedaphiles have turned to computers to facilitate their illicit operations just as legitimate businesses do” (Parker, 1989: ii). Another aspect of computer crime is that it ”may involve computers not only actively but also passively when usable evidence of the acts resides in computer stored form” (Computer Crime. Criminal Justice Resource Manual, 19892). In such cases, the computer is used solely as a tool for data storage. By labeling these crimes as computer crimes the classification of what is defined as such becomes greatly expanded. Although this is determined by law enforcement to be a legitimate addition to the category identified as computer-related crime, such crimes are most often categorized under another, ”more serious” heading. This notably and deceptively reduces the reported cases of computer crime. Typologies of Computer Crime For purposes of simplification and classification, computer crime has been broken down into typologies (Carter, 1995; Manzi, 1992; McEwen, Fester, and Nugent, 1989; Parker, 1976; Parker, 1983; Parker, CCRS, 1989). It is important to note that oftentimes computer crimes do not fit neatly into one category. Most often they spill over and blend with another or other categories. 23 Crimes where the computer is the target is the first typology often identified (Carter, 1995; Manzi, 1992; McEwen, Fester, and Nugent, 1989; Parker, 1976; Parker, 1983; Parker, 1989, CCRS). These object cases "include destruction of computers or of data or programs contained in them or supportive facilities and resources such as air-conditioning equipment and electrical power that allows them to function” (Parker, CCRM, 1989z2). Offenders that are intent on destroying or sabotaging files ”gain access through the utilization of a 'trap door' which permits access to the systems should some types of problems- human or technological- arise” (Carter, FBI Bulletin, 1995:22). Although designed with the best intentions, the 'trap door' has, unfortunately, compromised the safety and security of the operating systems. 'Super-users' (the more sophisticated intruders) oftentimes take advantage of this one weak spot in the system and, masquerading as the system manager gain access to virtually every file in the system (Carter, FBI Bulletin, 1995:22). Cases where the role of the computer in the commission of a crime is that of a target may take many forms. Manzi (1992) identifies some examples which show the diverse nature of this typology. The following represent a fairly broad, although not exhaustive, cross-section of these crimes: Theft of intellectual property; Computer extortion, sabotage, and terrorism; Unlawful access; Unauthorized use; Tampering with or altering data; Malicious software (Viruses, etc.); and Theft of computer or components (Manzi, 1992). A 24 While some activities like techno-trespass whereby an individual ”walks” through the system for purposes of looking around seem innocuous, others are outright malicious and destructive. Regardless of the outward appearance, all are criminal. The second category, whereby the computer is the instrumentality of crime, describes crimes in which the processes of the computer are a necessary or helpful tool in the commission of the crime (Carter, FBI, 1995; Manzi, 1992; McEwen, Fester and Nugent, 1989; Parker, 1976; Parker, 1983). It is not the contents of the computer files in which the criminal is interested, but rather what the computer can do. These types of crimes are often too complex to carry out without the use of a computer, therefore making it an essential part of the act. Some examples of the role of the computer as an instrument in the commission of a crime are as follows: fraud from use of Automated Teller Machines (ATMs), theft of money from accrual, conversion or transfer accounts, credit card fraud, fraud from transactions in the computer, and telecommunications fraud (Carter, 1995, FBI Bulletin). Manzi (1992) adds to this list other criminal activities which include, but are not limited to, computer assisted electronic fraud, rounding theft, desktop publishing fraud/ counterfeiting, long distance toll fraud, PBX fraud, voice mail fraud, and cellular fraud. Reviewing the exhaustive list helps clarify this category. Prior to the emergence of computer technology most of these criminal acts were non-existent. 25 In the third typology, the computer is incidental to other crimes (Carter, 1995; Manzi, 1992; McEwen, Fester and Nugent, 1989; Parker, 1976). Reliance on the computer is beneficial, but not essential for the crime to occur. The benefits secured by using technology are extremely valuable to a criminal. According to Carter, ”computerization helps the crime to occur faster, permits processing of greater amounts of information, and makes the crime more difficult to identify and trace” (Carter, FBI, 1995; pp. 23). Such advantages make it much more desirable to commit offenses. Several examples of this type of abuse are as follows: money laundering and offshore banking, illegal bulletin board services, records keeping for criminal enterprises, bookmaking, embezzlement, blackmail, murder, pornography, and ”secure” communications for criminal purposes (i.e., encryption) (Carter, 1995; Manzi, 1992). While it is apparent that the majority of the crimes listed have been occurring throughout history, the method and ease with which they are now committed is almost incomprehensible. The fourth category of computer crime discussed is that which is associated with the prevalence of computers (Carter, 1995; Manzi, 1992; McEwen, Fester and Nugent, 1989; Parker, 1976; Parker, 1989). Crimes classified under this typology are merely new versions of traditional crimes. The main distinction between these crimes and the old versions are the new crime targets. According to Parker (1976:19), the ”use of computers has not led to new kinds of abusive acts, at least in name” for ”(t)he names of the acts are 26 still the same: fraud, theft, larceny, embezzlement, vandalism, malicious mischief, extortion, sabotage, and espionage”. The criminal acts which fall under this typology by definition range from seemingly innocuous to an obvious violation of the law. On one end of the spectrum are crimes which appear to be harmless and, in fact, are committed by a large percentage of the population. Software piracy and copyright violations are easily overlooked as being criminal in nature. The innocence with which many, if not most, individuals commit these acts makes it difficult to prosecute out of guilt and an unwillingness to get ”law- abiding” citizens in trouble with the law. However, due to the astronomical financial losses faced by software companies this attitude is starting to change rapidly. "Computer Unique" crimes that appear at the other end of the spectrum are most like traditional crimes (Manzi, 1992). Counterfeit equipment, components and software; black market hardware and softWare; illegal foreign smuggling and technological equipment as theft targets are all examples of criminal activities clearly defined and much less ”forgivable". If caught, measures taken against individuals who indulge in such activities are more punitive. The fifth and final typology defined in the literature is less clear and therefore not as easily explainable. Parker (1976, 1983, 1989) does not identify this category by a specific name, but rather describes it. He states that the ”computer can be used symbolically to intimidate, deceive or defraud 27 victims” (pp. 21). For purposes of clarification, this type of computer crime will be referred to as ”technological coercion". Despite the lack of literature on the network ( Internet), the researcher believes it is necessary to add a sixth typology specifically designed to include all crimes committed with its utilization. A review of anecdotal information illustrates the importance of looking at Internet-related crimes rather than just collapsing them into the other categories. Despite the fact that crimes committed using the Internet often overlap with other typologies, they have their own unique characteristics which set them apart. Table 2.1 SUMMARY OF COMPUTER CRIME TYPOLOGY 1. Computer as the Target—The computer is the object of the criminal act. 2. Computer as the Instrument—The processes of the computer are a necessary or helpful tool in the commission of crime. 3. Computer as Incidental—Reliance on the computer is beneficial, but not essential for the crime to occur. 4. Prevalence of Computers—Computers are new targets of crime, by virtue of their presence and accessibility. 5. Technological Coercion—Using the computer for purposes of intimidation, deception, and fraud. 6. Networking Malfeasance—Offenses committed via the Internet. Nature of Computer Crime By nature, computer crimes differ from traditional crimes. With the relatively recent emergence of computer technology, the methods of 28 committing some types of crime have changed drastically. No longer does theft from a bank automatically conjure of an image of a outlaw masked with a bandanna carrying a gun demanding cash. Rather, images of an individual typing away furiously at the computer keyboard breaking into ”secure” systems are slowly replacing the gun-toting intruder. In some cases, the targets of computer crime are different as well. For example, theft committed by breaking into the SWIFT banking system is no longer an impossibility. Targeting tellers in a bank to steal money seems almost worthless and insignificant in comparison. The SWIFT system is the main artery in the global banking system by which monetary transfers are made between financial institutions. Due to the different time zones, money that is transferred from one banking institution to another may become stationary for a designated period of time in this cyberspace. The amount of money awaiting transfer is incomprehensible. It has been suggested that the possibility for a hacker to break into this system, to ”borrow” some money, return it, and to remain completely elusive and undetectable may be more of a probability than originally thought (Carter, 1995). Commission of the ”perfect” crime in the computer age has become more of a reality than ever. "Traditionally, the time of criminal acts is measured in minutes, hours, days, weeks, months and years" ...... whereas ”automated crime must be considered in terms of a computer time scale "of milliseconds, microseconds, and nanoseconds because of the execution of instructions in computers" (Parker, CCRS, 1989:1). 29 One last characteristic which sets computer crime apart from other types of crime is the fact that ”geographic constraints do not inhibit perpetration of this crime" (Parker, CCRS, 1989:1). One can commit crimes on the other side of the world using the on-line computer system. Distance is therefore no longer a safe haven from potential criminals. The vulnerability of computer systems to threats is multiplied given the interaction of a number of factors (Commission on Crime and Criminal Justice, 1995). The most significant of these threats are: 1) ”density of information; 2) system accessibility; 3) complexity; 4) electronic vulnerability; 5) vulnerability of electronic data-processing media and; 6) human factors” (Commission on Crime and Criminal Justice, 1995:11-13). CURRENT TRENDS Networks and Computer Malfeasance Over the last few years, the public has been bombarded by the media with stories and accounts of incidents which have taken place on the Internet (See Figure 2.1). Although a relatively recent technological breakthrough, it has been used extensively as a tool by thieves, con men, pedaphiles, right— wing activists, and others of a similar caliber to further their escapades as well as by thousands of ”law-abiding” citizens. The Internet has become such a part of daily life that it is hard for many to imagine what life was like prior to its arrival only a few short years 30 ago. Reliance on its many characteristic features has lead to a nation whose dependency on it may one day equal that of the automobile. Figure 2.1 LEXIS/NEXIS SEARCH OF COMPUTER CRIME AND INTERNET CRIME STORIES a Computer 3 8 S N Internet '- o: 9’ o: In '- v- 0) 0’ v- Q a) ‘— 1- o: 3 < 3 h 2 I- Unfortunately, the Internet is a mixed blessing. The access and capabilities afforded its users have been exploited by those who view it as a means to ply their trade. In fact, ”(v)irtually every white-collar crime has a computer or telecommunications link" (Sussman, 1995:55). 31 Cyberspace in its current unregulated state has created a breeding ground for a variety of criminal enterprises. Crimes and incidents of malfeasance ranging from theft, stolen services, smuggling, terrorism, child abuse and pornography, sexual harassment, stalking, and the spread of hate messages by Neo-nazis, have and continue to be committed at astronomical rates. Ingenuity on the part of criminals coupled with easy access has led to a new generation of perpetrators. Restrictions once hindering and inhibiting the commission of some crimes have been dismantled. Cases which at one time were unimaginable have been turning up in large numbers. For example, one case involves a rapist in Orlando who used an on-line service to lure a victim, a fifteen year old girl from Western Maryland (The Washington Times, August 30, 1995). In another, it is believed that two teenagers, in unrelated cases, were lured via Internet by someone they had met through their computers (Peyser, Murr, and French, 1995). In a further twist in the case, America On-line is unable to release information on the alleged perpetrator without a court order (Peyser, Murr and French, 1995). While such cases only represent a few out of an unspeakable number, one thing is clear. The ability to perpetrate such crimes and perhaps others that have not yet come to the forefront is easier than ever. Not only does cyberspace provide a seemingly unlimited supply of information, but also an unlimited supply of victims. The ability to avoid detection, at least as long as 32 there is a void in enforcement on the lntemet, only contributes to the already dangerous nature of cyberspace. PERPETRATORS The Human Factor The notion that ”the computer becomes a near-perfect scapegoat for those providing its services and those receiving them", has a tendency to overshadow the human factor (Parker, 1976:2). Regardless of the seemingly impersonal nature of computer crime, one thing remains the same. Behind the mechanical workings and processes of computers is the human element. It is the human being that commits the crimes and, as with any other type of criminal act, gaining insight into why individuals engage in illegal behavior may prove to be helpful in understanding the true nature of computer crime. General Comments According to Parker (1989:36), there are four basic sources of potential perpetrators of computer-related crime. The first type identified are those ”people with physical access to assets and the capabilities to perform physical acts”. Being in an environment which enables an individual to have close physical contact with computers and their contents poses a potential threat to an employer. It is important to note that simply being in an environment and having access is not enough to prompt an individual into illegal 33 activities. Other factors, often personal characteristics or impromptu ideas, must co-exist with the ripe environment. The second type identified by Parker (1989) are those ”people with any kind of access and operational capabilities” (pp. 36). The key is access, however, physical contact with the computers is not necessary. Knowing how the computers operate and finding a hole in the operating program(s) will enable an individual, whose intentions are to perhaps steal or seize assets, to commit criminal acts. "People with any kind of access and programming capabilities” make up the third category (Parker, 1989:36). Individuals meeting the criteria of being able to actual create and manipulate programs are at a great advantage in such instances where access is also available. The combination of factors will allow someone who has criminal intent to be very successful in carrying out their business. The fourth and last category comprises those individuals ”with any kind of access and electronic engineering capabilities” (Parker, 1989:36). Consistent with the above mentioned categories, access is a common and necessary factor for a potential offender to commit computer crime. The vulnerability of a system is also reliant on the capabilities of an individual. Therefore, a dependency on one's skills and knowledge cannot be overlooked. While access plays a key role, it, in and of itself, is not sufficient to create system vulnerabilities. One's level and malleability of skills must be congruent to the system he/ she construes as being a ”good” target. 34 The pool of potential perpetrators is not necessarily limited to ”insiders” (i.e., employees). In fact, anyone who has the capabilities, skills, etc., may pose a threat to computer security. Determining whether a crime is the job of an employee or an ”outsider” is often difficult to do. However, certain clues and red flags may emerge. One obvious example is that of companies whose reliance on LAN (local area network) systems dominates operating systems. The fact that there is only limited or, in some cases, no access either incoming or outgoing from the company makes it virtually impossible for ”outsiders” to penetrate the system. Although obviously a safeguard, unfortunately, doing business in society today oftentimes does not make it financially possible for businesses to essentially ”cut themselves off” from the outside world. Businesses that are ”well-connected" are able to far surpass those who remain isolated and secluded. While ”outsiders” may pose a serious threat, computer crimes have a tendency to be ”inside” jobs. According to Van Duyn (1985z4), ”insiders pose a far greater threat to the organization's computer security than outside 'electronic invaders' possibly could”. The reason being that "(i)nsiders are familiar with their employers' data processing (DP) operations and the type of data each system and application is storing and processing” and therefore know exactly where to look for data (112111.). AS Van Duyn (1985) clearly notes, vulnerability from within is the most dangerous and poses the most serious threat. A number of studies support this conclusion. In fact, ”(o)ne study estimated that 90% of economic 35 computer crimes were committed by employees of the victimized companies” (United Nations Manual on the prevention and control of computer-related crimes, 1995). A more recent study conducted in North America and Europe found that 73% of the risk to computer security was from internal sources while only 23% was attributable to external sources (United Nations Manual on the prevention and control of computer-related crimes, 1995). Unlike ”outsiders” attempting to break into a system, ”insiders” are oftentimes able to circumvent potential glitches and therefore are able to reduce their chances of being detected. "Insiders” have a distinct advantage, for not only do they often know immediately where to look for the data, but, if in doubt, ”they can reference the systems documentation which usually includes programming specifications, file and record layouts, a data element dictionary, and so on” (Van Duyn, 1985:4). ”But, most significantly, insiders have or can somehow get the password to access stored crucial information such as financial, marketing, manufacturing, technological, or research data unless proper prevention and detection measures are in effect" (Van Duyn, 1985:4). Consistent with evidence that ”insiders” pose the greatest threat to computer security, Parker (1989) cites several factors which alone or in conjunction with others help to create an atmosphere conducive to computer crime within organizations. The first factor identified by Parker (1989) is that perpetrators are often young. He notes that is not youth, in and of itself, which translates into a generation of computer criminals. However, 36 ”(y)ounger people in data processing occupations tend to have received their education in universities and colleges where attacking computer systems has become common and is sometimes condoned as an educational activity” (Parker, 1989:39). Another vulnerability in an organization comes from workers who are overqualified for the work they were hired to do (Parker, 1989). As a result, these individuals have a tendency to get bored. In an attempt to overcome this boredom, seeking stimulation through other activities seems to be the perfect solution. Given the fact that in most cases perpetrators commit acts while they are at work, it is no wonder that using the computer as a source of stimulation oftentimes leads to the commission of illegal activities. The workplace environment is also susceptible to the emergence of perpetrators due to the ability to create ”workgroups” for purposes of collusion. Parker (1989:39) states that ”(c)ollusion seems to occur regularly primarily because computer crime requires more knowledge and access than one individual usually possess”. It (collusion) ”tends to involve a technical person who can perpetrate the act and another person who is in a position to translate the act into some form of gain” (Parker, 1978:51). Differential association as defined by Sutherland may also help explain vulnerabilities which expose organizations to computer crime. Modifying differential association syndrome to a workplace environment, Parker (1989:39) states that it ”is the white-collar criminals’ tendency to deviate in only small ways from the accepted practices of their associates”. The 37 vulnerability erupts from ”groups of people working together and mutually encouraging and stimulating one another to engage in unauthorized acts that escalate into serious crimes” (Parker, 1989:39). The potential for one- upmanship becomes magnified as the acts escalate in risk and sophistication. Theoretical Explanations Although specific theories explaining why individuals may perpetrate computer crime are non-existent, those used to explain white-collar crime in general may be useful. The first theory is referred to as corporate culture theory. According to Siege] (1992:374), and consistent with the corporate culture view, is the notion that ”some business enterprises cause crime by placing excessive demands on employees while at the same time maintaining a business climate tolerant of employee deviance”. The aspect of differential association comes into play as newer associates informally ”learn” about the deviant techniques and attitudes of their corporate peers. The perpetuation of such acts continues throughout the generational process, whereby as older employees retire, they are quickly replaced by others who soon take on the roles left vacant. Survival and success in a given corporation may depend therefore on deviant acts and attitudes which are passed on through a socialization process. Applying corporate culture theory to certain types of computer crimes requires little or no modification in its underlying premise. Such a view best helps explain crimes or illegal activities that occur in an organization where 38 deviance is encouraged for the sake of the company. One theorist further explains this theory by stating that ”business organizations will encourage employee criminality if they encounter serious difficulties in attaining their goals, especially making profits” (Siegel, 1992:374). Clearly, struggling companies and organizations may turn to illegal activities for a number of reasons, profits of which is just one. Using computers as a tool in such activities may be the easiest way to access valuable information (i.e. marketing, plans, innovations and the like) from more profitable, and perhaps more reputable companies in the business. Gaining a ”heads-up” on a competitor may mean the difference between being in the black or staying in the red. Another theory originally designed to help explain crime in general, yet applied with some modification (namely the environment) to the white- collar world is the self-control view. Devised by Hirshi and Gottfredson, it states that criminals lack self-control and, instead, are overcome by their impulses without consideration for the long-term consequences of such acts. Translation of this theory to the white-collar environment is, simply stated, done with little difficulty. Rather than stating that the corporate world breeds deviance, blame is placed on the individual offender. The inability to control one's impulses is the major factor separating the law-abiding from the law-breakers. For, in spite of the fact that most would like to get ahead and perhaps even have passing thoughts about how to best do so, it is self-control which oftentimes is the final determinant as to one's actions. 39 Adapting the self-control view to help explain criminality of those who perpetrate computer crime seems appropriate. Once again, although almost everyone wants to get ahead there are those who lack the control to stop their impulses to do so even if getting ahead essentially means committing illegal acts. Granted, the self-control view may be reserved for only a percentage of computer criminals but on the same note it helps others gain insight into the world of computer criminals, if only a glance. The notion of ”just desserts” may also be an underlying motivation for an individual to engage in criminal acts. According to an article published in The Washington Times, there seems to be, at the least, a correlation between the number of virus ”attacks” and the rise in layoffs. It is believed that one reason for this observed increase ”could be related to the massive terminations and layoffs afflicting the corporate landscape” (Burdick and Mitchell, December 3, 1991z6). Feeling betrayed by a company after years of loyalty may lead a disgruntled employee to perpetrate such an attack. Seeking revenge and essentially giving their former employer what it deserves, may provide a fairly insightful understanding of this phenomenon. Although perhaps limited in scope in the ever-increasing world of computer criminals, such theories may offer explanations for why some engage in such crimes. Reliance on understanding rationalizations of such individuals may prove promising as well. Insight into why those who perpetrate such crimes do so may be extremely valuable given the maturation of the ”techno-generation". Perhaps heading off some of the problems by 40 identifying them early on will be most beneficial in a society already besieged by crime and violence. Types of Computer Criminals Although often referred in general terms, computer criminals represent an array of diverse, individuals with different intentions, motivations, etc. Parker (1983) identifies seven types of computer criminals. The first type, identified as amateur computer criminals, represents the largest category. It includes ”ordinary people in positions of power or trust with special computer-related skills, knowledge, and resources who have never been arrested for work-related activities” (Parker, 1983:107). Their behavior may be traced to their need to attain certain personal or professional goals. At the other end of the spectrum are deranged persons. These individuals are often irrational, violent, psychotic and dangerous. They generally do not have the capability nor the self-control to attack programs, software, or files. Instead, their destructive acts are directed towards equipment and people. Their numbers are limited and therefore, they often are not viewed as being a real threat. Organized crime, groups of all types, are utilizing computers as well. Parker (1983), points out three reasons why criminal organizations need computer capabilities. Like any other business, gaining access to information on a large-scale is a must in today's business world. Therefore, using 41 legitimate businesses as a front, they are able to gain computer access without raising suspicions. The second reason organized crime groups are depending more and more on computer technology is the fact that computers enable them to commit crimes against other organizations that rely on computers. The computer age has created an environment, especially in the business world, where a lack of technology puts a company at a great disadvantage. Unfortunately, it also puts a company in a vulnerable position whereby they may be preyed upon by others. And, lastly, organized crime groups need such technology to outsmart or inhibit law enforcement efforts to track their activities. The realization that computer technology can be both advantageous and a hindrance to their operations makes it mandatory that they have powerful enough tools to attack those used by law enforcement agencies. "Career criminals” is another group identified by Parker (1983). At this point, this category seems to be fairly small comparatively speaking. Parker (1983) suggests that what we are witnessing may be a lag rather than an established phenomenon. He states that the reason ”few career criminals have been identified in computer crime” may be that ”they have not yet had the opportunity or motivation or been forced to learn the technology for their livelihood” (Parker, 1983:111). This is not to say one way or the other whether society will see an increase in this typology. At this point, there is no way of knowing. 42 The most elite of the typologies is the con artist. Computers are particularly suited to these individuals. As Parker (1983:120) states emphatically, ”(c)omputers now add to the lustrous image of con artists, and they will flourish as never before, with computers as their new and powerful instruments and symbols of success”. Preying upon victims via computers will only add to their successful exploits. Another typology identified by Parker (1983) is that of extreme advocates or ideologues. These individuals may be best characterized as being zealots for a given cause. They have a tendency to overlook their own self- interests in a fanatical dedication to a particular cause. Often blinded by their fanaticism they will go to any length to accomplish their goals. To get their point across, they may engage in criminal activities, harming anyone or anything in their way with little or no thought. The last typology identified by Parker (1983) is that of the system hacker. Two major developments are to blame for the emergence of hackers in the early 1980's: 1) the ”proliferation of inexpensive personal computers” and 2) the ”dramatic growth in computer literacy, especially among the younger generation” (Bequai, 1987:31). Perhaps the most publicized and glorified of all the typologies, this category is second only to the amateur computer criminals in number. Hackers willfully, and deliberately access data files as unauthorized users. The fact that they ”want recognition for purely technological achievement” may eventually lead to their demise (Parker, 1983:131). Simply 43 enjoying their escapades alone without bragging about them appears to be, for some, the breaking point. Telling others about what they have done and/ or seen is most revealing both to those the tell and perhaps law enforcement as well, if caught. According to Parker (1983:132), ”(i)t is difficult for hackers to develop relationships with people, when their adversary, partner, friend, adviser, and witness is only the computer”. As Stoll (1989) observed, ”(t)he computer is the hacker's best friend". Any crimes committed using the computer are easily rationalized for this group. There is no observable, concrete victim to confront, only an inanimate object to interact with. A few unique characteristics of computer criminals, as a general crime category, are identifiable (Parker, 1976:44,45). First, computer crime appears to be a male-dominated phenomenon, at least at this point. To date, few women have been identified among perpetrators across all typologies. Second, most perpetrators are young, ranging in age from approximately eighteen to thirty. And third, ”(p)erpetrators are usually bright, eager, highly motivated, courageous, adventuresome, and qualified people willing to accept a technical challenge” (Parker, 1976:45). Rationalizations The ability to identify and understand rationalizations of computer criminals may enable those on the outside to better comprehend the nature of these illegal acts. Although rationalizations will differ both on an individual 44 basis and perhaps may also depend on the type of crime committed, discussing each, in turn, will give a somewhat insightful look into the underlying belief systems of such perpetrators. Parker (1983:180) states that a ”common rationalization among hackers, and other computer criminals as well, is that no harm is done or losses sustained by using idle services where incremental use of such services does not require expenditure of additional sources”. According to this rationalization, existing services should be used by anyone who feels they want to take advantage of them without the proper permission and/ or compensation. An illustration of this is the fact that every year, an astronomical amount of money is lost by long distance carriers due to stolen card numbers, and illegal access to fiber optic phone lines. Those involved in illegal acts of this sort believe that the long distance phone lines are ”laying in wait” for people to use them whenever they want, under any circumstances. Although a falsehood, such distorted thinking has led directly to the charges imposed on paying customers to help make up for these abuses. Another example of this type of rationalization is the practice of ”game playing". ”The vulnerability of game playing is based on the concept that some computer technologists and users believe that using an idle computer does no harm and that they have a right to use it for personal purposes for challenging intellectual exercise” (Parker, 1989:39). Once again, it is apparent that such individuals, like the ones described above, see their activities as innocuous and rightfully deserving of them. 45 The Robin Hood Syndrome, identified by Parker (1989), is another rationalization used by some computer criminals. Essentially, the idea of ”stealing” (harming) from the ”rich” (corporations), and ”giving” (taking) to the ”poor” (themselves). They ”differentiate strongly between harming people, which is highly immoral within their standards, and harming organizations, which they condone” (Parker, 1989:39). Others go a step further in their so-called ”morals” and rationalize that merely harming an inanimate object and its contents is perfectly acceptable. They fail to realize that their misdeeds directly affect corporations and, therefore, peOple. Computer crime may also be rationalized on the basis that ”many computer criminals do achieve folk hero status, at least for a short period of time” (Parker, 1983:182). They are portrayed as heroes in the news media and their ”escapades are described in the most glowing and positive terms”. Not only is there the potential to ”make" the news in such a positive light, but securing a well-paid, high status job with a reputable company is not out of the question. The notion of ”if we can't beat him, let's join him” practiced by some companies essentially overshadows the criminal element of his/ her acts. Therefore, the chances of gaining recognition and being rewarded for committing crimes may be at the forefront of an individual's thought process when he/ she actively breaks the law in such a manner. Certainly, at this point, there appears to be little in the way of deterrence for such criminals. In such cases, the benefits definitely outweigh the costs. 46 Others rationalize their acts by denying that they are criminal at all. Resigned to the falsehood that only street crimes actually constitute crime, they believe that their actions are perfectly acceptable and within the law. In fact, computer crime usually is an act (or series of acts) which involves one person (or more persons) and a machine in a ”sterile, seemingly amoral environment” (Parker, 1983:133). There are ”no ”admonitions or other reactions from anyone else” and ”no victim to react with a physical attack or anguish; no tears and no scowls” (Parker, 1983:133). Denial of a victim or victims is easy to do since no interpersonal contact is ever made with him/ her or them. The impersonal nature of these types of crime makes it psychologically possible to commit them with little regret or remorse. Diffusion of guilt, by saying that everyone else is doing it, provides another rationalization for computer criminals. An example of this to which many can perhaps relate is the pirating of software. Simply ”borrowing” another’ s program for the purposes of installing it on one's own computer is illegal. However, the notion that ”everyone's doing it” somehow is sufficient to convince otherwise law-abiding citizens that it is acceptable to do so. Computer Security and the Human Factor In order to ”appreciate the extent to which the human factor plays a part in computer crime, we have to be aware of its role in crime deterrence, prevention, detection, and risk assessment on the physical, hardware, software, and personnel security levels” (Van Duyn, 1985:3). As Van Duyn 47 (1985) reiterates throughout his book, failure to focus efforts on the human factor may be blamed for the ever-increasing incidents of computer crime. Acknowledging that the majority of computer crime is committed within the confines of an organization or business by ”insiders", he states that ”without effective personnel security, meaning a security program that is designed to foster the most effective deterrent against computer crime; job satisfaction, the most sophisticated hardware and software security systems are worthless” (Van Duyn, 1985:3). The point being the human factor must be taken into account in every aspect of computer security. Unhappy, disgruntled employees pose the greatest threat to computer security. Feeling that they have somehow been betrayed or treated unfairly 1y the company, figuring out ways to seek revenge becomes a quest. Physically attacking those perhaps responsible for one's anger is not an attractive, nor a reasonable option. Rather, going after company secrets and/ or destroying programs or files may seem to be the most damaging and vengeful act one individual can perpetrate against the company as a whole. And, perhaps, the most satisfying. LAw ENFORCEMENT AND COMPUTER CRIME According to Bequai (1987:11 1), ”computer-assisted fraud appears to be the fastest growing category of white-collar crime, with an estimated cost of $200 billion annually”. Despite the fact that this is an alarming statistic, law enforcement is ill-equipped to deal with such crimes (McEwen, Fester, and 48 Nugent, 1989). Training and resources for law enforcement have been less than adequate, factors partially to blame for this blatant inconsistency. The fact that high-tech crime ”pays” makes it an ideal alternative to other types of crimes. The statistics are bleak. Evading prosecution is almost a given, since ”only 12 percent of all computer heists are ever reported to the police and only 18 percent of these result in convictions” (Bequai, 1987:111). And, ”..while America's police are trying to catch up on the basic levels of technological advancement, computer thieves are rapidly becoming more sophisticated” (Bequai, 1987:111). Law enforcement is at an even greater disadvantage Since they oftentimes lack public support for their efforts in fighting ”techno-crimes". The average citizen does not understand nor grasp the seriousness of these crimes. As noted previously, computer crimes are viewed as invisible crimes by the public, since not only are they complex in nature but also they do not fit the profile of a traditional crime. As matter of fact, society is ”entertained” by and at the same time extremely fearful of violent crime as a result of media portrayals. Abstract crimes simply do not invoke the same emotions as do concrete acts of violence. Therefore, they are easily ignored and disregarded by the public at large. Other difficulties arise which also prevent law enforcement from efficiently handling such cases. Victims often do not realize that they have been ”taken” until much later. This, in addition to the fact that such cases are 49 difficult to detect, investigate and prosecute, creates a sense of frustration and helplessness by police personnel and victims alike. Time is not the only inhibition discouraging police from becoming actively involved in ”techno-crimes". The reluctance of victimized companies to come forward and report such crimes is extremely common (Schjolberg, 1983). For one thing, adverse publicity endangers a company's reputation (Bequai, 1987; McEwen, Fester, and Nugent, 1989). Admitting that it was unable to protect assets in their guardianship, is essentially what they are doing by going to the police. Unfortunately, oftentimes secrets of this sort have a tendency to be exposed to public scrutiny by the media. A lawsuit may also be an unintended consequence of reporting such cases to the police. In a seemingly strange twist of events, the company may be victimized twice. As if the original crime was not devastating enough, a lawsuit filed by investors or other interested parties blaming the victimized company for not securing its computer systems is not out of the question. Victimized companies do not feel the risks involved with reporting computer crimes outweigh the benefits. Already there is little confidence in the American justice system, a viewed shared by the public and victims of computer crime alike. Even when caught and convicted, only meager sanctions are imposed on offenders (Bequai, 1987; McEwen, Fester, and Nugent, 1989). As a result, there is no real incentive for victims to come forward given the current state of influx and confusion stirred up by ”techno- crimes". 50 In the mind of the public, violent crimes are the only ”real” crimes. Demands on police are high, as are expectations by the public. As long as violent crime occupies the public's mind to the extent that it does so currently, there is essentially ”no room” to recognize and fear any other types of criminal activity. As Bequai (1987:114) states, ”(u)ntil the public's perception of computer crime changes, and until adequate training and resources are provided for law enforcement officials, victims will continue to stay quiet- making policing even more difficult”. Although it appears as if law enforcement is losing the battle against computer-related crimes, some agencies are making a serious effort to change this ominous outlook. Essentially ”fighting fire with fire", some officers are being trained extensively in technological investigations (Lansing State Journal, February 5, 199553). The fact that a great deal of evidence is stored on computers is the initiative behind this recent emphasis by law enforcement. However positive such initiatives sound, law enforcement must have the support of legislation. For, regardless of the determination on the part of such agencies, a lack of consistent and strong support by lawmakers and the criminal justice system as a whole may undermine and destroy such efforts. LEGISLATION AND COMPUTER CRIME As is reflected in the literature on legislation and computer crime, three schools of thought, each representing a different viewpoint of laws 51 pertaining to computer-related crimes, have emerged On the one hand, there are those who believe that traditional laws are relevant and, therefore, applicable (perhaps with slight modifications) to cases involving computer crime (Computer Crime: Criminal Justice Resource Manual, 1979; Diamond Interview, 1995). Individuals who adhere to this particular viewpoint, believe that creating new laws for ”old” offenses is an unnecessary burden for the already overworked, criminal justice system. Reliance on existing laws is perfectly legitimate and acceptable. For example, theft of software programs can be prosecuted under the Federal Copyright Act. In fact, as early as 1964, the copyright office has recognized such programs as ”books", thereby giving them the same protection from unauthorized use (Criminal Justice Resource Manual: Computer Crime, 1979). Concrete examples in which software companies have successfully prosecuted corporations for such violations is a tribute to the usefulness of such laws. Another school of thought emerging from the literature consists of those who readily admit that, at one time (in the early days of computer technology), traditional laws wefe perhaps sufficient. However, given the current state of computer technology, such laws are far from adequate ( Bequai, 1976; Bequai, 1987; Jurkat, 1986; Meyer, 1995; Schjolberg, 1983; Whiteside, 1978). The lack of adequate laws leads to few cases being referred to prosecutors, and even less resulting in convictions. Those that have, are often plea bargained down to the point where, instead of being charged with a 52 felony and getting a stiff sentence, the offender is charged with a misdemeanor (Bequai, 1987). The reason for the lack of success in the prosecution and conviction of computer-related offenses is twofold. Understanding the complex nature of computer technology, the terms associated with it, and the level of sophistication at which most computer criminals operate presents a problem in itself. Police, prosecutors, witnesses, and even judges may grapple with such issues from the start. Therefore, it is not uncommon for such cases to be difficult to follow through with from beginning to end. Inherently, they present a challenge to almost everyone involved, except perhaps the defendant and a computer expert who may provide some testimony. The second reason that a computer-related offenses often do not receive a punishment that reflects the seriousness of a given case is due, once again to the inadequacy of existing laws. According to Bequai (1987:115), ”as Federal law now stands, authorities would find it difficult to prosecute anyone who disrupts an electronic mail system, carries out an unauthorized search of computer files, alters or manipulates data, or attempts blackmail by computer”. For purposes of prosecution, he explains that computer-related offenses fall into one of two categories: ”those in which the computer is used as a tool to embezzle or defraud, and those in which it is used to copy or alter data stored in interlocking computer systems” (Bequai, 1987:116). Early computer crimes fell into the former category and, although ”(p)rosecution 53 was certainly not easy, ...some courts were willing to apply traditional criminal laws to these high-tech thefts” (Bequai, 1987:116). Less clear cut are computer-related offenses that fall into the later category. Those involving ”the copying or altering of data have proven difficult to handle because existing criminal laws don't apply to intangible property, and computer data are considered intangible” (Bequai, 1987:116). Additionally, the ”best evidence rule” has proven problematic when it comes to computer- related litigation (Bequai, 1978). The admission of documents other that the original for evidentiary purposes is often not acceptable in a court of law. However, some changes have occurred recently which take into account the unique nature of computer crimes. Allowing copies of documents to take the place of originals, is a growing trend ”which appears to bring the rule in harmony with the needs of the computer age” (Bequai, 1978:140). Schjolberg (1983:42) takes the argument one step farther, by stating that ”(a)n essential task in penal legislation is to prevent crime”. Giving potential perpetrators, regardless of the crime, a warning that a specific act will not be tolerated, and following up with a conviction for the crime explicitly done, will act as a deterrent both to the individual convicting and to those contemplating such acts in the future (Schjolberg, 1983:42). The basic concept is that of Beccaria, an 18th century philosopher, whose emphasis on certainty, celerity and severity was the foundation for the Classical School of Criminology. The idea of ”free will” was a concept that 54 overshadowed this era of criminology. Clearly, Schjolberg (1983) relies heavily on this interpretation of what should be done with criminals. He believes that computer legislation is a must if society is going to overcome the uncertainty of potential threat and inconvenience that will most certainly result from computer-related crime if allowed to continue in the way in which is has been progressing thus far. The inclusion of penal legislation specifically designed to combat and punish those who commit such crimes will send a message to potential perpetrators. Alleviation of the gray area by creating such legislation will make it possible to convict perpetrators ”for their explicit acts and not by existing statutes stretched in interpretation for the purpose, or by statutes covering only incidental or peripheral acts in the case” (Schjolberg, 1983:42). Occupying a position somewhere in the middle are those who believe that traditional laws are, for the most part, adequate and useful in cases of computer crime, but that additional laws specifically created for computer- related offenses may be helpful (McEwen, Fester, and N ugent, 1989). In the words of McEwen, Fester, and Nugent (1989:60), strong proponents of this position, ”(v)irtually every computer crime violates laws other than computer crime laws themselves, and prosecutors have successfully prosecuted cases for embezzlement, larceny, fraud, and, in federal courts, for wire fraud and mail fraud”. Admittedly, ”there have been some problems applying older forms to newer offenses and specifically designed computer 55 crime statutes should alleviate these problems” (McEwen, Fester, and Nugent, 1989:60). The Internet has been viewed as posing a variety of new problems currently not dealt with in existing legislation. It remains unclear as to whether it truly has the capacity to enable offenses previously not seen or regulated to be committed, or if it merely provides a disguise behind which many traditional crimes mask themselves. One such case involves a student from the University of Michigan (Lansing State Journal, February, 26, 1995; Lansing State Journal, February 17, 1995; della Cava, USA Today, March 7, 1995; Davis, R., USA Today, March 6,1995; Lansing State Journal, February 11, 1995; Davis, R., USA Today, February 10, 1995:3A; The State News, February 17, 1995z6). Using the Internet, he ”posted a violent story of a fellow student's rape and torture” (Lansing State Journal, February 26, 1995). Described as a sex fantasy, the accused's story not only included a graphic description of how and where the ”crime” would take place but also named the intended victim. Touted as a ”cyber-threat", his story landed him in jail charged with the federal crime of interstate transmission of a threat (Lansing State Journal, February 26, 1995). In the words of his defense attorney, the transmission of the story via Internet constituted ”nothing more than words floating in cyberspace” (Lansing State Journal, February 26, 1995). Thereby reducing it to perhaps a harmless mistake, let alone a crime. 56 Although eventually found not guilty, Jake Baker's actions and the resulting action by the prosecutors and the court have had far-reaching repercussions. Not only was this case highly publicized, but it called into question existing statutes and their applicability to the technological advances, such as the Internet, that have recently become much more sophisticated and widely used. As stated by Meyer (February 6, 1995236), ”(t)he trouble is that there are few cops on the net” and, ”(Dam that bite here often lack teeth there”. One individual has even gone so far as to refer to the Internet as the ”Wild West” since ”(n)o one owns it” and ”(i)t has no rules” (anonymous source as quoted in Meyer, February 6, 1995:36). Terms such as ”cybercops” and the notion of ”policing cyberspace” have been used to describe a scene perhaps in the near future. Given the fact that the Internet is unregulated (a point belabored by the media), images of officers ”policing” a lawless society in space has proven to be a strange and perhaps, even amusing concept. However ridiculous such images and portrayals have been, it is a point that is currently at the center of a controversy. Fear of infringing on an individual's constitutional rights (freedom of speech and the right to privacy), as well as a fear that the government may become too intrusive and invasive represents the viewpoint of those who either do not want the Internet to be regulated at all or who feel that a great deal of caution should be taken to insure that such violations do not occur. 57 Representing the other viewpoint regarding regulation of the Internet are those who strongly believe that perhaps sacrificing some liberties at the cost of preventing crimes and criminal acts is worth the trade-off. Interestingly enough, the newest technology has set off an age old debate. The Internet, in conjunction with a number of other technological advancements in computerization, has undoubtedly contributed to the changing face of criminality. Ushering in the computer age with their brilliance and sophistication, such advancements have, in some ways, created a society gleaming with hope and wonderment and, in others, a society destined to collapse as a result of its failure to have foresight. Not surprisingly, society has not learned from past mistakes. Hindsight has been visited on numerous occasions, yet the ability to head-off some very predictable factors by acting in a proactive rather than a reactive component seems unlikely. Although perhaps a bit too idealistic with regards to at least some of the computer technology, especially that which seemed to emerge overnight, other measures could be taken. Something implied, yet not explicitly stated in the literature, is the fact that legislation in response to the growth of computer-related offenses has, according to some, been slow and inconsistent (Carroll and Schrader, 1995). Perhaps partially to blame for the lack of enthusiasm on the part of legislators to create laws which specifically addressed computer-related offenses were the mixed reactions expressed both by government officials and members of the public. 58 According to Bequai (1987:117), there was and still is ”philosophical opposition from within and without the government to extending the powers of law enforcement”. Controversy over issues related to the invasion of privacy and guaranteed protections afforded all United States citizens has created a rift between those who occupy positions on either end of the spectrum. This lack of agreement has become a focal point of the battling factions to such an extent that it has clearly interfered with the development of such legislation. Interestingly enough, the business community has also responded with ambivalence towards such legislation (Bequai, 1987). Some believe that computer crime is not a serious threat. They insist that there is an overreaction to it and deny its destructive nature. Others see ”legislation as a first step toward government regulation” and are therefore opposed to the creation of such laws. This is changing, however. At the 1995 conference of the American Society of Industrial Security (ASIS), presentations focused on securing proprietary information, including that which is electronic. Despite the aforementioned resistance, laws at the federal and state levels have been passed and others are awaiting a similar fate. The criminalization of computer crime and the resulting legislation is attributed to the media (Hollinger and Lanza-Kaduce, 1988). As noted by Hollinger and Lanze-Kaduce (1988:113), ”(p)ublic opinion neither called for nor opposed the criminalization of computer abuse”. ”There was very little direct pressure on 59 legislators from any interest group” ”(n)or were there any 'moral entrepreneurs' zealously seeking to legislate morality”. Instead, ”(b)oth the experts and legislators relied heavily on the media in their efforts to advance criminalization”. Extensive media coverage was not only a contributing factor, but it was the major factor underlying the campaign by legislators to enact such laws. As Hollinger and Lanza-Kaduce (1988:113), point out the media indirectly influenced the criminalization process. They did not act as advocates, but were just doing their job by reporting it (Hollinger and Lanza-Kaduce, 1988). Federal Laws At the federal level, computer-related offenses have been addressed as a distinct category only since 1984 (Carroll and Schrader, 1995). The Counterfeit Access Device and Computer Fraud and Abuse Law of 1984 has been characterized as being helpful, but only to a limited extent (Carroll and Schrader, 1995; Jurkat, 1986). Although the 1984 Act was designed to protect against computer-related offenses, it was far from adequate (Carroll and Schrader, 1995). In response to the realization that it was ”too ambiguous and narrow in scope", it was amended in 1986 by Congress with the Computer Fraud and Abuse Act (Carroll and Schrader, 1995). Despite the fact that this amendment eliminated some of the ambiguities and widened the scope, it has its shortcomings. The Act of 1986 60 was designed to specifically protect the interests of the federal government. It fails to protect private businesses or private systems from computer crime. And, even though there is a provision which states that ”(p)unishment for an attempt to commit an offense is identical to punishment for commission of the offense itself", there is no inclusion of criminal sanctions in this statute (Carroll and Schrader, 1995; Bequai, 1987). In response to criticisms of the 1986 Act, ”Congress passed the Computer Abuse Amendments Act of 1994 to broaden the scope of liability for computer crimes and to expressly provide civil remedies for the victims of computer crimes” (Carroll and Schrader, 1995:188-189). The 1994 Act includes some rather substantial changes to the earlier statutes thereby moving one step closer to accommodating and recognizing the scope and depth of computer crime. The changes are as follows: 1) ”the 1994 Act changes coverage from acts committed on federal interest computers used in interstate commerce or communications and affecting any computer", 2) ”the threshold requirement has been removed", thereby no longer providing immunity for those who are authorized users and engage in criminal acts, and 3) it ”criminalizes certain types of reckless conduct in addition to intentional acts” thus enabling prosecution hackers whose actions are considered reckless, yet not necessarily intentional (Carroll and Schrader, 1995:189). Punishment of computer criminals is also clarified under the amended statute. ”Intentional computer crimes committed on interstate computers are felonies, while reckless acts on interstate computers are misdemeanors” 61 (Carroll and Schrader, 1995:189). The 1994 Act also ”provides an incentive for victims to report computer-related crimes by allowing civil remedies for victims of intentional computer crimes” and, changes the term ”adversely” before ”'affects the use of the Government's operation of a computer', implying that a trespasser might affect the computer benignly and escaped prosecution” (Carroll and Schrader, 1995:190). Alternatives to the Computer Fraud and Abuse Act allow for the prosecution of criminal acts that do not readily fall under its provisions. Such statutes broaden the scope of legislation to even a greater extent, closing gaps that enable perpetrators to escape prosecution. Although there are approximately 40 different federal statutes under which computer crimes can be prosecuted, the most commonly utilized are: 1) the Copyright Act, 2) the National Stolen Property Act, 3) Mail and Wire Fraud statutes, and 4) the Electronic Communications Privacy Act (Carroll and Schrader, 1995; Starkman, 1986). The Copyright Act has been expanded to include the illegal copying and distribution of computer software (Carroll and Schrader, 1995; Criminal Justice Resource Manual: Computer Crime, 1979). An individual who infringes on the copyright of such products may be punished by law in accordance with this Act. This statue has three elements: 1) ”infringement of a copyright, 2) ”done willfully", and 3) ”for commercial advantage or private financial gain” all of which must be met before .an individual can be held liable (Carroll and Schrader, 1995:190). 62 The National Stolen Property Act ”prohibits the transportation in interstate commerce of 'any goods, wares, securities or money' valued at $5,000 or more and known to be stolen or fraudulently obtained” (Carroll and Schrader, 1995:191; Criminal Justice Resource Manual, 1979). While this statue has a great deal of merit with regards to certain types of interstate criminal acts (i.e., fraudulent computerized transfers of funds), it does not protect software if it is completely in intangible form (Carroll and Schrader, 1995:191). In such cases, prosecution under this statute can only occur ”when software is stolen in conjunction with the theft of tangible hardware” (Carroll and Schrader, 1995:191). The federal mail and wire fraud statutes ”prohibit the use of interstate wire communications and mails to further a fraudulent scheme to obtain money or property” (Carroll and Schrader, 1995:191; Computer Crime Resource Manual, 1979). This statue may pertain to ”any computer-aided theft involving the use of interstate wire, the mails or a federally insured bank” as well as ”any attempt to obtain an unauthorized copy of a computer program in an intangible form” (Carroll and Schrader, 1995:191 notes 61, 62). Unlike the other three, the Electronic Communications Privacy Act of 1986 is the result of an updated version of an already existing statute (Carroll and Schrader, 1995). Rather than relying on the power of interpretation, this statute clearly was developed out the realization that offenses unique to the computer age are occurring with little deterrence. In addition to prohibiting the ”unauthorized interception of computer communications", it created a 63 new offense of ”obtaining, altering, or preventing authorized access to data stored electronically in a facility through intentional, unauthorized access of the facility” (Carroll and Schrader, 1995:192). The main objective of the Electronic Communications Privacy Act of 1986 is to ”prevent hackers from intercepting computer communications by: (1) expanding the protection of individuals' privacy, and (2) expanding the number of crimes that can be investigated through electronic surveillance methods” (Carroll and Schrader, 1995:192). It is hoped that this statute will retain the broad interpretation used to prosecute other related offenses for computer crimes. To date, it is uncertain whether this will occur since it has not yet been utilized in cases of computer crime (Carroll and Schrader, 1995). Despite recent statutes both created and expanded at the federal level to combat computer crime, the general trend thus far has been unanticipated. Very few cases have been prosecuted under the 1984 and 1986 Acts (Carroll and Schrader, 1995). Reasons for the observed scarcity in the utilization of such Acts are only speculative. However, they appear to offer a reasonable explanation for this inconsistency. The first reason, as stated by Carroll and Schrader (1995) is that given the fact that these Acts pertain specifically to federal ”interest” computers, only crimes which affect this particular subgroup may be prosecuted under this statute. Additionally, ”owners of large federal interest computers may prefer to handle security problems themselves to avoid the embarrassment of 64 a public trial focusing on the vulnerability of their computers” (Carroll and Schrader, 1995:193). The second reason, as suggested by Carroll and Schrader (1995), is that computer'crimes which fall under a federal statute may instead be prosecuted under state computer crime laws. Most computer crimes are prosecuted at the state level. One reason for this is that many computer crimes have loss amounts which are not easily definable. As a result, federal agencies will frequently not take the case. Additionally, most computer crimes investigated and prosecuted thus far have been thefts, which are state law violations. State Laws Armed with the knowledge that pre-existing statutes at the federal level had proven unsuccessful and that computer crime poses a very real threat, states did not hesitate to enact legislation specifically ”drafted for the emerging computer technologies” (Carroll and Schrader, 1995:200; Postell, 1989). The first state to enact such legislation was Florida in 1978 (Carroll and Schrader, 1995). And, since then, every state except Vermont has followed suit (Carroll and Schrader, 1995). In general, such statutes have been more precise and therefore much more useful for prosecutorial purposes than those at the federal level. Although there is some variation from state to state, some commonalties 65 exist. As summarized in Carroll and Schrader (1995:202-204 at note 129), the following ten areas are addressed by state compute crime statutes: 1. "Expansion of the traditional concept of property. These statutes attack computer-related crimes by the expanding the traditional notion of 'property to include electronic and computer technologies”. 2. "Destruction. Many states criminalize acts which 'alter, damage, delete or destroy computer program or files'". 3. "Aiding and abetting. Some statutes prohibit use of a computer to facilitate the commission of a crime such as embezzlement or fraud." 4. "Crimes against intellectual property. This type of statute defines new offenses in terms that are analogous to trespassing (unauthorized computer access), vandalism (maliciously altering or deleting data), and theft (copying programs or data). N 0 actual damage is required to prosecute under such a statute." 5. "Knowing unauthorized use. These statutes prohibit the act of 'accessing' or 'using' computer systems beyond the consent of the owner." 6. "Unauthorized copying. This unusual approach appears to be a close cousin of federal criminal copyright infringement. Few states have defined copying programs and data as a distinct state offense." 7. "Prevention of authorized use. This approach, taken by approximately one-fourth of the states, outlaws any activity which impairs the ability of authorized users to obtain the full utility of their computer systems. Unauthorized execution of programs which slow down the computer's ability to process information falls under such statutes." 8. "Unlawful insertion or contamination. These statutes criminalize the highly-publicized 'viruses', 'worms', and 'logic bombs' which may be planted on computers or transmitted over telephone lines or on floppy disks. Unlawful insertion provisions do not require actual 'access' of a computer by the offender because the offending programs may be communicated indirectly over networks or on floppy disks by offenders who never use the affected computer." 9. "Computer voyeurism. Computers contain a wide range of confidential personal information. To protect the public's right to privacy in this information, several states have enacted laws criminalizing unauthorized access to a 66 computer system even if only to examine its contents and not make any changes or extract any data." 10. "'Taking Possession'. These provisions prohibit the act of assuming control over a computer system and its contents without authorization." Conflict Between State and Federal Laws The fact that a number of state laws overlap with federal statutes creates somewhat of a conflict between the two entities. Although the objective of both is the same, namely to alleviate or at least deter computer criminals, it may be reduced to a question not of who can accomplish the goals most efficiently and effectively, but rather who is the more powerful of the two. As a general rule, the federal government is clearly the more powerful. Despite the states' intentions to actively prosecute computer criminals, the federal government has interpreted their attempt to do so as an infringement on federal statutes. Rather than applauding the efforts by states, the federal government has reacted with resentment and retaliation, quickly re-affirming ownership of particular statutes (Carroll and Schrader, 1995). Siding with the federal government, one such case involving copyright laws was decided in favor of the federal government to the detriment of the state (Carroll and Schrader, 1995). Although there have been few cases which have challenged the authenticity of state laws, which may be viewed. as conflicting or overlapping with federal laws, such a ruling is undoubtedly not 67 just an anomaly. If others of a similar standing are challenged in the future there is little doubt that they will be overruled. If such cases and the resulting rulings continue along this path, it will most certainly be a setback for the prosecution of computer crime. The two most noteworthy factors that will contribute to this reversion are: 1) ”the volume and economic harm caused by computer crime" as it grows will overburden state and federal law enforcement agencies, and 2) ”by foreclosing any state prosecution of-conduct involving computer software, would put the burden increasingly on a federal legal system which has not actively prosecuted in this area” (Carroll and Schrader, 1995:205). If egos continue to get in the way, battling computer crime could prove to become an inordinately difficult task. On An International Level The realization that computer crime occurs on a global scale with interconnecting networks allowing for many computer systems around the world to be ”easily and surreptitiously accessed” has lead to development of provisions on an international front (Carroll and Schrader, 1995:207). Several industrialized countries who have acknowledged the vulnerability of their institutions (mainly financial) have taken measures to help deter such criminal acts. Most, if not all, are responding to what they interpret as being a serious and very real threat to computer security. Additionally, many have 68 been victimized before and believe that it is necessary to react with aggressive measures. The four needs with regards to legislation on computer crime that have been identified and included in the laws and statutes of most industrialized countries are: ”1) protection of property, 2) prosecution of economic crimes, 3) protection of intellectual property, 4) and procedural provisions to aid in the prosecution of computer crimes” (Carroll and Schrader, 1995:207). Somewhat reminiscent of the path taken in the United States, three approaches in criminalizing computer offenses have been utilized by these countries. The first approach, referred to as the ”evolutionary” approach, ”incorporates computer offenses into existing statutes” (Carroll and Schrader, 1995:208). Second, ”computer-specific offenses may be defined in terms of existing crimes” (Carroll and Schrader, 1995:208). And third, ”computer-specific statutes define entirely new crimes” (Carroll and Schrader, 1995:208 note 156). As Carroll and Schrader (1995:209) note, ”(u)ltimately, the global interconnection of vulnerable computer systems may require a uniform legal framework for dealing with multi-national computer-related crimes”. Basing this statement on the lack of uniformity and coordinative efforts between nations, they recognize that it will take an all-out effort by interested nations to help combat this criminal element. Providing guidelines to help prevent and combat computer-related 1 crimes, the International Congress of the United Nations has recognized that 69 such crimes present a global threat. Initiatives suggested as a result are as follows: 1. ”Modernization of national criminal laws and procedures; 2. Improvement of computer security and prevention measures; 3. Adoption of measures to sensitize the public, the judiciary and law enforcement agencies to the problem and the importance of preventing computer-related crimes; 4. Adoption of adequate training measures for judges, officials and agencies responsible for the prevention, investigation, prosecution and adjudication of economic and computer- related crimes; 5. Elaboration, in collaboration with interested organizations, of rules of ethics in the use of computers and the teaching of these rules to as part of the curriculum and training in informatics; 6. Adoption of policies for the victims of computer-related crimes that are consistent with the United Nations Declaration of Principles of Justice for Victims of Crime and Abuse of Power” (Commission on Criminal Justice, United Nations, 1995z6). At the present time, both international and private corporations are working to combat computer-related crimes (Carroll and Schrader, 1995). However, they are not necessarily working in unison. In fact, ”(w)here nations do not agree to jointly pursue computer criminals, non- governmental agencies are already beginning to fill the void, especially in the area of computer software” (Carroll and Schrader, 1995:20). It is important to note that there was no attempt by the researcher to look at case law. There is comparatively little case law with regards to such offenses. More importantly, is the fact that it goes beyond the scope of this 70 dissertation. Instead, the intent behind the researcher's inclusion of the legal discussion is to provide a perspective on statutory law. CONCLUSION Gaining perspective on the currently unknown extent of computer- related offenses is challenging. However, one thing is certain. Known variables and aspects of such offenses clearly reveal that they have penetrated all aspects of society. There exists a fear that computer malfeasance will one day reach epidemic proportions if proper controls and mechanisms are not immediately put into place. Despite this growmg concern, relatively little has been done thus far to ensure that this does not occur. The literature, most of which is dated, shows that while admittedly a problem, few serious steps have been taken to curb the malfeasance. However, the most recent literature and research represents a changing viewpoint. Essentially ”cracking down” on computer-related offenses by various agencies is sound evidence that for the first time, it is being seen a serious threat requiring action. Fighting the war against computer crime will require a serious initiative by society. Chapter III METHODOLOGY One of the difficulties in conducting exploratory research is to properly define and frame the variables to be assessed. Intuitively, one knows the issues at hand and the broad goal to be accomplished. In the current research, the research parameters were more strongly directed by anecdotal information about computer-related abuses than previous research. For one reason, as noted in the literature review, there is a significant paucity of research on the topic. Complicating the matter is that the environment and character of computer-related crime as well as the technology has changed significantly over the past five years. As a consequence, what little past research does exist has limited applicability. This project is an exploratory national study of trends in computer- related crime. It was intended to give greater definition to important variables which have emerged in the literature and experience of professionals. Specific concerns are corporate experiences of this emerging crime and, secondarily, methods used to cope with the problem. There has been no national research to date documenting the characteristics of this criminal pathology, only anecdotal descriptions of victimizations. The problem is aggravated due to the fast evolution of technology and adaptation of those technologies for business and personal applications. 71 72 Prior to the development of the survey, the researcher discussed relevant issues with a member of the faculty whose expertise is in the area of security. Following an in-depth discussion, the researcher came to the logical conclusion that the data to be collected was of a sensitive nature. Therefore, the researcher took precautionary steps to ensure honesty and openness on the part of participants. Such steps included, but were not limited to, (1) designing the survey in such a way that it did not appear to be threatening in any way, and (2) inclusion of a cover letter which clearly stated that completion of the survey was strictly on a voluntary basis as well as anonymous. They were assured that there was no identifying information on either the survey itself or the return envelope. It was hoped that these steps will lead to accurate, honest, and insightful information regarding the current state of computer-related crime as it affects the business world. The development of the survey instrument was based upon desired research goals and the project's conceptual framework. As stated earlier, this project was exploratory in nature. It was guided by the need (as stated by a number of individuals in upper-level security positions, i.e., directors) to collect and analyze baseline data which identified and characterized current trends in computer-related crime over the last five years. Based on literature searches and interviews with professionals in the field, this appears to be the first research of its kind. After four iterations of instrument development, the survey was pre- tested among a small selected group of criminal justice professionals who 73 reviewed the instrument for clarity, terminology, issues, and structure. Those asked to review the survey had at least some level of expertise in the area of computer crime and/ or security. Feedback was generally positive despite a few constructive criticisms. Modifications were made based on the comments received. The next step was refinement of the survey to the final form. The survey was then submitted for review by the University Committee on Research Involving Human Subjects (UCRIHS). It was approved on approximately June 22, 1995. The final survey was mailed under the letterhead of the MSU School of Criminal Justice and in the name of Professor David Carter to help enhance the response rate and to give recipients a contact point in case they had questions. Additionally, the School had approved use of the toll-free number for recipients to call for questions. (These steps had been approved.) Given the nature of the study, it was determined that the best resource was private security. The sampling frame was the membership of the American Society of Industrial Security (ASIS) which has some 12,000 worldwide members who hold a wide range of positions. In narrowing down the sample, it was first decided to survey only United States residents both for reduced mailing costs and the time involved in the mailout and return processes. Next, it was decided that a purposive sample would be selected to ensure security professionals were included which had the greatest likelihood 74 of knowledge about computer-related crime. As defined by Kerlinger (19732129), purposive sampling is a nonprobability sample which is ”characterized by the use of judgment and a deliberate effort to obtain representative samples by including presumably typical areas or groups in the sample”. Many ASIS members work for organizations that provide uniformed guards, conduct private investigations, provide alarm services, -and/ or are companies which would have minimal, if any, experience in computer- related crime. Those kept in the sampling frame were corporate security directors with corporations and businesses ranging from retailers to banks to defense contractors. A random selection from the purposive sample identified and targeted 600 individuals. An effort was made to ensure that replication of businesses selected to receive the survey did not occur. A decision was reached regarding this sample size based on the desire to have a response rate that will meet the assumptions needed for statistical testing and to increase external validity. The sample members received a survey package which contained a letter of introduction, the survey, and a self-addressed return envelope. Those who wished to receive the final results of the research project had the option of either enclosing a business card with their returned survey or calling the toll-free number. A final report was sent to them if they desired. To retain anonymity, when business cards were enclosed with the sample 75 members returned surveys they were immediately separated from the survey. No attempt was made to identify the recipient of the survey. Due to budget constraints, there was only one mailout of the survey. Two weeks after the survey was sent, a reminder post card was mailed to all sample members. Two weeks following the postcard reminder was the closing date. Later surveys were included in the results only if they were received prior to the beginning of the actual data analysis. At the time of closure, whereby data analysis began, the response rate was 182. The usable response rate which reflected the number of surveys actually returned was 150. At first glance, the number of respondents may appear low. The small response rate may be attributed to confidentiality policies by some companies, an inability to make complete assessments of problems, or to the lack of applicability of the survey instrument to a potential respondent's company. As one respondent noted, ”(u)nderstandably, companies that have experienced some of the {computer crime victimization} are reluctant to disclose their experiences". And, ”(c)onsequently, it is extremely difficult to convince management to dedicate the resources necessary to prevent and/ or detect computer crime” ( the same of which is true with regards to responding to the researcher's questions). Overall, given the Specific nature of the research population and the nature of information being sought, the researcher feels the response rate was good. 76 Due the comparatively small response rate, questions regarding external validity may arise. The overall external validity of a purposive sample is not as broad as it is with a true random sample. However, external validity to the purposive sample can be achieved with a smaller response rate than one would typically find in general survey research. Babbie (1992) states that a response rate of 50% in general survey research is adequate. For a purposive population, hence sample, a response rate of 25% to 30% is adequate (Kish, 1965). As determined by the design of the survey, the data collected was nominal level data. As a result, the statistics are not as robust as those which are used with interval and ratio level data. To balance that reduced robusticity, the author used multiple tests which are designed for nominal level data. As a starting point for the data analysis, the researcher used univariate statistics. Given the fact that this research project was exploratory in nature, it seemed logical to ”eyeball” the data with descriptive statistics prior to determining which bivariate statistics would prove most applicable. The primary test for bivariate analysis was the Chi-Square (X ) test of independence and was used to determine if there was a Significant relationship between the variables. If such a relationship existed, Phi was examined to determine the strength of correlation (covariance) Finally, Cramer's V was examined as a gauge of the overall strength of the association. A weakness in this last analytical tool is that many of the 77 variable scales are narrow and, as a consequence, the ability to discriminate the variance is reduced. Despite this limitation, when all three statistics are viewed collectively, they provide reliable indicators for conclusions to be drawn. Chapter IV ANALYSIS OF DATA To deny the instrumentality of the media in alerting society to the problem of computer crime would be ludicrous. However, reliance solely on anecdotal accounts for an accurate picture of the true nature and extent of computer crime is, at best, risky. One researcher whose data on computer crime was gathered strictly from media reports was rather quickly discounted. In addition to other problems with the data set (i.e. classification), the major criticism dealt specifically with the source of data collection. As noted by Hollinger and Lanza-Kaduce (1988:106), the researcher's ”heavy reliance on newspaper accounts without independent verification has allowed his data set to become contaminated with a number of apocryphal events”. An example of such contamination is the well-known fact that, in an attempt to gain the attention of the reader, journalists may embellish or exaggerate. Therefore, ”guesstimates” by researchers regarding such things as the number of incidents of computer-related crime may be reported as fact. This exploratory study relied on the independent verification absent from the aforementioned study. It depended on anecdotal evidence as a peripheral indicator rather than as the basic support structure. In fact, such evidence invoked the initial interest and curiosity of the researcher to such an extent that it provided the impetus for the study at hand. 78 79 Unlike its predecessors, which had a tendency to rely on outdated figures or ”guesstimates”, the results reported in this study were collected directly from businesses and agencies via a survey. One of the most significant findings was that 98% of the reporting businesses said they had been victims of computer crime- 43% of these had been computer crime victims 25 or more times. This is aggravated even further by the fact that many computer crime victimizations go undiscovered, while many others go unreported. For purposes of comparison, a study conducted by the American Bar Association in 1987 found that of the 300 corporations and government agencies surveyed, 72 claimed to have been the victim of a computer-related crime in the 12 months prior to the survey (United Nations Manual on the prevention and control of computer-related crimes). It was estimated that the losses sustained ranged from $145 million to $730 million (United Nations Manual on the prevention and control of computer-related crime, 1995). A study by the Florida Department of Law Enforcement in 1989 found that 25% percent of companies had been victimized by computer criminals. The significantly higher level reported by respondents in 1995 may be indicative of a staggering increase in the level of computer crime victimization compared to just five years ago. Another study useful for comparison purposes was conducted in 1991. The recipients were surveyed at 3,000 Virtual Address Extension (VAX) sites in Canada, Europe, and the United States (United Nations Manual on the 80 prevention and control of computer-related crime, 1995). The results of the survey are as follows: 72% said that a security incident had occurred within the previous 12 months; 43% said that the incident was criminal in nature; and, 8% did not know if they had had a security incident (United Nations Manual on the prevention and control of computer-related crime, 1995). The most common computer-related abuses reported by respondents were credit card fraud (96.6%), telecommunications fraud (96.6%), employee use of computer equipment for personal reasons (96.0%), unauthorized access to computer files for purposes of ”snooping” (95.1%), cellular phone fraud (94.5%) and unlawful copying of copyrighted/ licensed software (91.2%). There were also substantial increases in the introduction of computer viruses into company machines and harassment of employees through computer network communications. It is important to note that these statistics are the result of responses to questions which explicitly focused on computer and technology related problems. Thus, for example, it is not just 96.6% agree that credit card fraud has increased over the last five years, but that such fraud is being perpetrated through technological means. Similarly, telecommunications fraud is not just stealing telephone credit card numbers, it is a technological breech. In all cases, at least half of the respondents agreed that there has been a substantial increase in computer and technology related problems in the last five years. 81 Increasing most dramatically over the last five years according to respondents was unauthorized access to computerized confidential business information (84.4%), theft or attempted theft of client or customer information (81.0%), theft or attempted theft of trade secrets (77.6%), theft or attempted theft of new product plans (76.7%), theft or attempted theft of product descriptions (75.5%), unauthorized computer access to confidential employee information (74.5%), unauthorized computer access to confidential business information (74.4%), theft or attempted theft of money (72.2%), theft or attempted theft of product pricing data (71.8%). Taking a closer look at specific variables provided interesting insights. For example, the statement which relates to theft or attempted theft of client or customer information is particularly of interest. In fact, 24% percent of the 80% who agreed that this in fact a serious problem, replied that they strongly agreed. One might intuitively find this surprising drinking that money is the most sought after target. This finding shows that intellectual property, even in its most fundamental form, is valuable. One implication is that security directors must be cognizant of potential targets which may not be as apparent. Focusing on targets that are more appealing are often the thrust of security directives. The same may be said of the results gleaned from the statement pertaining to unauthorized access to computerized confidential business information. Of the 84.4% that agreed, 26.2% responded that they strongly agreed. This strongly supports the finding described above. 82 Given the growth in just the past year of computerized personnel data files and organizations such as ”Autotrack", one can reasonably assume that unauthorized access to computerized confidential employee information will grow significantly, perhaps even exponentially. Such speculation is based on the already substantial number of incidents reported by respondents. According to the results of the survey, of the 74.5% that agreed, 24.1% strongly agreed. The percentage of respondents who agreed with the statement that theft or attempted theft of company financial status has increased over the last five years was 59.2%. In comparison, this may seem low. One reason this may be low is that a significant proportion of the sample represents large corporations whose financial status is generally a matter of public record. Interestingly enough, if this is in fact the case, nearly 60% represents a substantial problem when there is an increase in the theft of information which can largely be gained from public sources. One may speculate that it is perhaps a ”mentality” or ”culture” of the computer criminal to resort to this unlawful approach. Some counterintuitive results surfaced as well. The statement concerning theft or attempted theft of litigation or legal records yielded a percentage of only 44.1% of respondents who agreed. This may indicate a lack of interest or a lack of these records being placed in a computer accessible format. 83 Percentages of respondents who agreed with the statements pertaining to the destruction or attempted destruction of data files (59.5%) and the destruction or attempted destruction of operating programs (48.3%) seemed lower than anticipated, especially in relation to the other categories. A reasonable explanation for this apparent inconsistency may be that ”cyber-criminals” are not interested in destruction but in the theft of information. Collectively, all of the findings thus far support this conclusion. In addition, these percentages don't just represent victims but an increase in victimization over the past five years. Consequently, the problems are indeed significant. It is difficult to put a monetary value on many of the thefts because they represent ”intellectual property", such as client lists, pricing information, confidential business information, and new product plans. The realization that intangible assets can possess economic value accounts for the perpetration of these types of crimes. According to the United Nations Manual on the prevention and control of computer-related crimes (1995:10), ”(t)he replacement cost of a piece of computer equipment may represent only a small portion of the economic loss caused by the theft of, or damage to, that equipment”. ”Of much greater significance is the value of the information lost or made inaccessible by the misappropriation or damage” (United Nations Manual on the prevention and control of computer-related crimes, 1995:10). Independent research also provides some insights. For example, the British Banking Association has 84 estimated that computer fraud is costing businesses $8 billion a year which translates into $29.2 million a day (Carter, 1995). With regards to people who improperly access computers, respondents inferred through their responses that there have been substantial increases in all categories. Full-time employees (as noted in Table 4.1) represent the largest problem. This is consistent with the finding of the 1995 Securing Proprietary Information (SP1) survey conducted by ASIS as well as related literature. What is surprising is that there has been such a substantial increase over the last five years. While it is less surprising that the number of computer hackers has increased, the proportions are rather substantial. The author believes that the notable increase in hackers will undoubtedly grow in a fashion that parallels the increased numbers of computers, more networking, and wider computer literacy. Making generalizations is somewhat difficult- the people committing computer crimes vary somewhat depending on the type of crime committed. Table 4.1 provides more detail on this issue. Another problem faced by a number of companies is theft of physical property. In fact, this study revealed that of all the items listed, only fax machines (39.6%) were below 50% in terms of incidents of theft as rated by respondents. The most significant findings revealed that theft of software programs and microcomputers/PCS, 77.9% and 75.2% respectively, rated the highest. Not surprising is the fact that these percentages are fairly close given 85 the interrelationship of the two. It is not clear whether respondents defined the two as separate entities or if they varied together due to the fact that most computers contain software. Table 4.1 UNIVARIATE FINDINGS or COMPUTER-CRIME/ABUSE PERPETRATORS STRONGL STRONGLY DISAGREE full-time employees have stolen or attempted to 19 70 40 8 steal money. (13.9%) (51.1%) (29.2%) (5.8%) ...part-time or ”outsource" employees have stolen or 20 65 42 7 attempted to steal money. (14.9%) (48.9%) (31.1%) (5.2%) ...computer hackers have stolen or attempted to 19 50 50 7 steal money. (15.1%) (39.7%) (39.7%) (5.6%) ...full-time employees have stolen or attempted to 11 67 50 6 steal product information (8.2%) (50.0%) (37.3%) (4.5%) ...part-time or ”outsource" employees have stolen or 17 55 55 6 attempted to steal product information (12.8%) (41.4%) (41.4%) (4.5%) ...computer hackers have stolen or attempted to 14 58 46 11 steal product information (10.9%) (45.0%) (35.7%) (8.5%) ...full—time employees have stolen or attempted to 15 59 50 7 steal marketing information. (11.5%) (45.0%) (38.2%) (5.3%) ...part-time or ”outsource” employees have stolen or 14 56 53 6 attempted to steal marketing information (10.9%) (43.4%) (41.4%) (4.7%) ...computer hackers have stolen or attempted to 14 59 48 11 steal marketing information. (10.6%) (44.7%) (36.4%) (8.3%) In descending order according to percentages, theft of floppy disks (67.1%), theft of computer monitors (66.4%) and theft of printers (60.4%) occupy the middle range. Theft of modems (56.4%) and theft of cellular phones (53.7%) are also indicative of substantial problems. Although not listed on the survey, yet reported in respondent comments, is theft ‘of computer subcomponents like memory and/ or boards. Given the lack of statistics on this particular type of computer-technology related property, at 86 this point it is difficult to determine the actual extent of it. However, the researcher speculates that such theft poses a serious threat to many companies and agencies. It is somewhat surprising that the size of certain technology-related property does not appear to be especially significant in terms of theft. Intuitively, it would seem that easily concealed items would be the greatest target of theft, though perhaps not the most profitable nor the most lucrative. Given the nature and extent of technology-related crimes, controlling it should, if it is not already, be a priority. The survey results offered some insights into the counter measures utilized by respondents in the last five years. The most common security activity was to train employees who used computers about their responsibilities and security related issues (83.2%). This is a logical response since earlier reported findings show that employees are the greatest offending group with respect to computer abuse. Installing anti-virus software was also a common security response (82.6%). Given the relative ease and inexpense of this precaution it is not surprising to see it so frequently used. Perhaps what is surprising is that there was not a higher usage of such software. Controlling access to computers was used by 80.5% of respondents. This is both a logical approach as well as a traditional security activity. It would seem difficult, however, to control access to a broad extent when computerization of all corporate activities are being increased and such things as E-mail and networking are becoming commonplace. Perhaps what was 87 meant by respondents was that selected computers had greater access controls given the sensitivity of the information they contain. This is, however, speculation at this point because the survey instrument did not gather this information. A similar approach for access control which was widely used was a changing password system for computer users (77.2%). Table 4.2 provides a summary of the security measures reported by the respondents. Table 4.2 COMPUTER CRIME COUNTER MEASURES VARIABLE FREQUENCY PERCENT Hired more security personnel 29 19.5% Retained computer security consultants 38 25.5% Trained employees (computer users) on computer security 124 83.2% Controlled access to computers 120 80.5% Eliminated modem access to computers 16 10.7% Eliminated computer networking outside of the company 1 1 7.4% Eliminated internal computer networks 2 1.3% Developed changing password access system 115 77.2% Encrypted data 70 47.0% Established computer system access log/ audit trail 97 65.1% Increased computer system operations security 93 62.4% Installed anti-virus software 123 82.6% Increased physical surveillance of computer operations 52 34.9% Increased surveillance of computer users 26 17.4% Established physical security checks of personnel 64 43.0% Other 15 10.1% Explanation of Hypotheses Reliance on hypotheses for purposes of prediction constitutes an educated guess. Oftentimes relying on literature in conjunction with other sources are guiding principles. In the social sciences, especially, there is no 88 guarantee that such principles will lead to the development of hypotheses that accurately depict a given problem. Hence, the practice of hypothesis testing enables the researcher to make logical assumptions which may later be either supported or rejected contingent on the analysis of a data set. In accordance with this traditional academic practice, the researcher first identified and stated hypotheses taking into account information extracted from the literature and other resources. Following an analysis of the data and the statistical evidence yielded from it, the researcher either accepted or rejected the null hypotheses. Each hypothesis was evaluated individually, the decision being made only after the appropriate statistics were located and analyzed. Below, the hypotheses are stated once again. Each is followed by a discussion section. In order to expedite a discussion, the statistics which were used to make decisions about the null hypotheses are in Table 4.3. Table 4.3 STATISTICS FOR HYPOTHESIS TESTING HO: CHI-SQUARE df SIGNIFICANCE PHI CRAMBR’S V H01 29.165 12 p<.005 .485 .280 H02 23.038 12 p<.05 .433 .250 H03 18.492 12 n.s. n.s. n.s. H04 19.704 12 n.s. n.s. n.s. H05 17.487 12 n.s. n.s. n.s. Ho6 14.249 12 n.s. n.s. n.s. Ho7 23.765 12 p<.05 .449 .259 Ho8 24.167 12 p<.01 .454 262 H09 12.760 12 n.s. n.s. n.s. 89 H01: There is no Significant relationship between full-time employees stealing or attempting to steal money through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. The null hypothesis is rejected. The significant relationship between the two variables was expected because of the literature. In fact, it clearly shows that full-time employees who actually steal or attempt to steal money through computer-related theft are responsible for a substantial number of victimizations experienced by a corporation. H02: There is no significant relationship between part-time or ”outsource” employees who have stolen or attempted to steal money via computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. The null hypothesis is rejected. Reliance on the literature and other resources were unclear how this outcome would occur. While there is more confidence in predictions about full-time employees, the significance of this hypothesized relationship should not necessarily be unexpected. Part-time or ”outsource” employees oftentimes do not have the amount of access or time 90 inherent in full-time employment. Also, these individuals may not be as knowledgeable about contents of the computers. H03: There is no significant relationship between computer hackers who have stolen or attempted to steal money through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. The data fail to Show a significant relationship. While this may be somewhat surprising, reference to the literature would be less likely to predict a significant relationship given the fact that such individuals are ”outsiders". However, this may be changing. In the last few years, hackers are gaining momentum. The author predicts that hackers may one day overcome part- time or ”outsource” employees in terms of theft from a company/ organization and the number of times a company is victimized. H04: There is no significant relationship between full-time employees who have stolen or attempted to steal product information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. Although nearly significant, the failure to reject the null hypothesis is reflective of the statistical analysis. Despite the fact that a statistically significant relationship does not exist, the fact that it is almost Significant 91 enables the research to cautiously conclude that there is at least some relationship worthy of noting. Further research Should explore this. Hos: There is no significant relationship between part-time or ”outsource" employees who have stolen or attempted to steal product information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. The data fail to reject the hypothesis. Therefore, there is no significant relationship between the two variables. This is not surprising given the relatively weak relationship between full-time employees who have stolen product information and the number of times a company/ organization has been victimized. In relative terms, this outcome is fairly predictable. H06: There is no significant relationship between computer hackers who have stolen or attempted to steal product information through computer-related theft and the number Of times a company/ organization has been victimized by computer-related crime. According to the data there is no significant relationship between the two variables. The data fail to reject the null hypothesis. Although both are not significant, the category of computer hackers clearly is even less likely than part-time or ”outsource” employees to exhibit a relationship between the two variables. Therefore, this result is directly in line with predicted results for this particular case. 92 HO ' There is no significant relationship between full-time 7. employees who have stolen or attempted to steal marketing information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. A significant relationship exists between full-time employees who have stolen or attempted to steal marketing information through computer- related theft and the number of times a company/ organization has been victimized by computer-related crime. Therefore, the null hypothesis is rejected. Hos: There is no significant relationship between part-time employees who have stolen or attempted to steal marketing information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. According to the data, the null hypothesis is rejected. Part-time or ”outsource” employees who have stolen or have attempted to steal marketing information through compute-related theft do in fact contribute to the number of times a company/ organization is victimized by computer- related crime. A surprising outcome emerges when comparing the statistics for part-time or ”outsource” employees to those of full-time employees. Although both show significant relationships with the other variable, a more significant relationship is found with part-time or ”outsource" employees. 93 Such a result may be explained away as a coincidence, or perhaps as revealing something not yet discovered. At this point, it is diffith to accurately assess the situation. Perhaps future research will help explain this apparent inconsistency. H09: There is no significant relationship between computer hackers who have stolen or attempted to steal marketing information through computer-related theft and the number of times a company/ organization has been victimized by computer-related crime. There is no significant relationship between the two variables. The data fail to reject the null hypothesis. At least in terms of this particular data set, it appears as if hackers who have stolen or attempted to steal marketing information through computer-related theft do not account for a significant percentage of the number of times a company/ organization has been victimized by computer-related crime. Analysis of the Hypotheses On the whole, the data generally supports the findings discussed in the literature. Consistent with earlier research, full-time employees are in fact responsible for the majority of incidents of victimization experienced by companies/ organizations. Even in instances where there was no statistically Significant relationship between the given variables, full-time employees still maintained the hypothesized position. Second to full-time employees, part- 94 time and ”outsource” employees ranked second, followed by computer hackers. There was one exception to this rule. In the case of stolen marketing information and the number of times a particular company/ organization was victimized, the category of part-time or ”outsource” employees was more statistically significant than full-time employees. Such a result may just be a coincidence or may reveal something not yet discovered. Perhaps future research will help explain this apparent inconsistency. Clearly, full-time employees are the most knowledgeable about the contents of the computers as well as operating systems. Part-time or ”outsource” employees would most likely be less aware of such things. Given the nature of computer hacking, it is interesting to speculate as to why they do not appear to account for a statistically significant number of victimizations experienced by companies/ organization in any of the categories. Perhaps they, like the part-time or ”outsource" employees, would be less inclined to know about contents of computers. However, this does not seem to explain away the discrepancy. Another explanation would be that hackers target other types of information, hence their lack of a presence is attributed to their intrusions elsewhere. The literature and other resources paints a very dim picture of the future of computer hackers and their ability to gain access . to company/ organization computers via the Internet. While it appears that they have not posed significant problems as of yet, with increased 95 networking, it is likely that this will change, perhaps dramatically, in the next few years. Ominous statements by some survey recipients reiterate this prediction. As one respondent stated, ”Breaking into systems for excitement, nourishing egos, etc. has increased. Hackers will try anything as a challenge". It is important to note that the researcher acknowledges the fact that there is an identifiable weakness with the survey. Part-time employee and ”outsource” employees were collapsed into one category. However, they should have been separate variables given inherent differences in their positions. Unlike part-time employees who are regular permanent employees of the company, ”outsource” employees are hired as contract professionals, and therefore are usually designated as temporary employees. Given this fact, ”outsource" employees could be considered to be ”outsiders” and may, as result, have less allegiance to a company/ organization. Given these distinctions, some of the results may have been slightly different. Additional Significant Relationships Support for the main premise is found not only in the case of the hypothesized relationships, but throughout the data set. While inherently some do not seem to represent traditional dependent-independent variable relationships, others clearly fit this mold. Nevertheless, in both instances, the pattern infers widespread abuse of computer technology by full-time employees, followed by part-time or ”outsource” employees, and lastly by 96 computer hackers. In addition, there are those with results that may be interpreted as being spurious given the variables involved. A pattern consistent with the one hypothesized emerges at least twice with the variable ”unauthorized access to computer files for 'snooping' (as opposed to theft)". The variable relationship between ”snooping” and ”stealing or attempting to steal money” is statistically significant for both full- time and part-time employees. It is not statistically significant for computer hackers. The variable relationship between ”snooping” and ”stealing or attempted to steal marketing information” is clearly consistent with the pattern. For full-time employees, there was a particularly statistically significant relationship between the two variables. The relationship between the variables was less statistically significant for part-time or ”outsource” employees. And, lastly, statistical significance was even less for computer hackers. The variable ”employee use of company computer equipment or resources for personal reasons” and its relationship to other variables further supports the premise that full-time employees pose the greatest threat. Inherently it should eliminate computer hackers given the fact that they are not employees and therefore would not have access to company computer equipment. This assumption is supported in at least two variable relationships involving the aforementioned variable (stealing or attempting 97 to steal money and stealing or attempting to steal marketing information), both of which have findings consistent with the literature. Although less intuitive, the variable relationship between ”stealing or attempting to steal product information” and the ”improper copying of software in violation of copyrights” further reinforces the idea that full-time employees are the most likely perpetrators of computer-related crime. Part- time or ”outsource” employees ranked second, while computer hackers predictably were responsible for the fewest number of incidents. Generally, the data supports the literature and information gathered from other sources. However, the researcher acknowledges that the findings are not ”foolproof". Part of the problem in defining the pattern of abuse comes from the limitations of the survey instruments. Another part of the problem is the lack of clear information or an understanding by respondents. Chapter V SUMMARY, CONCLUSIONS, AND RECOMMENDATIONS Summary Over the last decade, the proliferation of computer-related technology has brought to the forefront yet another realization about crime. The Changing face of criminality acts as a disguise, if even momentarily. A disguise that may one day reveal a much more dangerous face than ever anticipated. Computer crime is one such example because of the devastating losses which can be suffered in time so Short that it is measured by nanoseconds and by criminals who perform their acts in anonymity, moving across international borders at the speed of light using technological avenues which are virtually untraceable. Originally developed for the betterment of society, computer-related technology has been used as a tool by those who exploit its wide-ranging capabilities. The emergence of new crimes co-exist with the perfection of traditional ones as a result such exploits. Additionally, the literature and related sources imply, but do not explicitly state, that computers have, in a sense, widened the net of criminals. They lure traditionally law-abiding citizens into committing malfeasance by their seemingly innocuous nature. The low risk of detection and apprehension is clearly part of the draw. Unlawful duplication of copyrighted software is one simple example of this. 98 99 Computer crime has historically been viewed as being a ”lesser” offense. Given a low priority, such crimes have virtually been ignored by public law enforcement agencies until the documented losses reach staggering amounts. The repercussions of underestimating the severity of computer crimes has been felt far and wide. In fact, the consequences have proven disastrous. The British Banking Association has estimated that computer fraud is responsible for financial loses upwards of $8 billion dollars a year—or $64 million a day (Carter, 1995). In addition to crimes of a monetary nature, technological advances, such as the Internet, have made crimes of a more personal and violent nature easier to perpetrate as well. Capitalizing on the utility of electronic bulletin boards, child pornographers, con artists, neo—nazis and others of this ilk have very effectively and efficiently plied their trade. Commercial on-line services have even been blamed for incidents which resulted in kidnapping, and/ or rape. Such devastation was never anticipated nor expected. However, in retrospect, society is just beginning to acknowledge some of damage which is a direct result of this a lack of foresight. Despite a slowly growing awareness, such crimes continue, oftentimes undetected and/ or unpunished. The delayed response to computer-related crime is attributed to a number of related factors. First, the public is extremely fearful of violent crime. As a result of this very real fear, violent crime is given top priority by criminal justice decision makers. Clearly, the amount of time and energy 100 devoted to violent crime by these agencies reduces their ability to focus efforts elsewhere. A lack of education relating to computer technology crimes on the part of criminal justice officials further enhances this observably slow response. Simply understanding the terminology and the basics of such technology is far from sufficient. Keeping up with the latest advances both physically and intellectually is close to impossible. Most budgets do not allow for the purchasing of the newest and best equipment and when funding is available the typically bureaucratic purchasing process of government makes technology dated by the time it is in the hands of the end-user. As a consequence, law enforcement officials are working with dated equipment and at the same time are expected to be ahead of the game. Knowing the ”ins and outs” of the latest technology on an intellectual level is also a difficult, if not impossible task. Technology is evolving at such an incredible rate that keeping abreast of upgrades is a job unto itself. Devoting the necessary time and resources to training is a challenge. Moreover, it is diffith to get police administrators interested in computer crime when they are besieged with 911 calls just as it is difficult to pique the interests of prosecutors who have caseloads which are already unmanageable. Serious efforts to change this stagnant Situation are just becoming apparent. The realization that computer-related crime is something to be contended with has provided the stimulus for an exploration of the problem. 101 It is not clear at this point the true extent and scope of computer-related malfeasance. However, one thing is certain: Cooperative efforts on the part of citizens and the criminal justice system is a must. In addition, given the fact that this is a problem of a global nature, working together requires universal commitment and support from around the world. Conclusion While occupied with violent crime, society has essentially missed the birth of computer crime. No longer in its infancy, computer crime has flourished, broadening its impact and leaving many disbelieves reeling from the shock. At one time thought to be limited to isolated incidents which affected only a select group of ”well-deserving” companies and organizations (in the eyes of the public), computer crime has clearly been shown to touch most people in a modern society. Reactions to computer-related crime as whole have been mixed. While there is little denial that computer crime is upon us, disagreement as to how to deal with it most effectively prevails. It seems that despite its significant economic impact, it fails to emotionally appeal to either the public or law enforcement. Concentrating on violent crime has inadvertently obscured the emergence of computer crime as a social threat. Victimization surveys, inclusive of the current study, have revealed a substantial social trend. The number of reported incidents are growing exponentially. Those computer systems thought to be impervious to such 102 malfeasance have not been spared. Potentially, anyone, anywhere can become a statistic of computer crime. Interestingly enough, these ominous words also ring true with regard to violence. Suffice it to say, computer related crime may not remain a seemingly impersonal crime. At this point, it knows no boundaries and is on an apparent increasing trend. As stated recently in an Associated Press story which describes a theft of $10 million from Citibank, ”...this crime is a taste of things to come” (Associated Press, September 26, 1995). Recommendations Despite feelings of helplessness experienced by many of those who have been victimized, the researcher believes it is necessary to provide some genuine reassurance in the form of recommendations. Computer crime is really not the ”perfect” crime although it sometimes may appear as such. As with any other crime, it has its strengths which at times may seem impenetrable. It similarly has weaknesses which make it especially vulnerable to control. Acknowledging the fact that computer crime poses a very real threat is first and foremost. Mistakes of the recent past, where it was ignored or deemed unworthy of attention, must not continue. As one survey respondent notes, there is a ”rapid increase in the sophistication of computer criminals—they are better organized/ more knowledgeable". 103 Accumulating knowledge through research is a another tool that may be used successfully to help combat computer crime. Parker (1976) identifies three purposes of performing computer abuse research. One purpose is that ”....it forms an empirical or practical approach to computer security research” (Parker, 1976:16). He states that ”(t)hreat models can be developed from practical experience to play against models of secure computer systems” (Parker, 1976:16). Dissemination of the results of such research ”is an aid to potential victims of computer abuse, informing them of the nature of the problem, alerting them, and making them more sensitive to possibilities of losses through their data processing organizations” (Parker, 1976:16). Many organizations/ companies are simply unaware that they are prime targets. Oftentimes, they may simply be unaware of the victimization. A comment by one survey respondent captures this truth impeccably. He or she states that ”we (security personnel at the company/ organization) are concerned that we do not have the controls and resources to identify attempts by unauthorized users-both inside and outside the company- to access sensitive company files, networks, systems". Research findings should also be disseminated to law enforcement agencies. Attention to investigation of computer crime should become at least the equivalent as robbery and burglary investigation. At present, there are few computer crime experts to be found in public law enforcement. 104 The final purpose of research on computer abuse, identified by Parker (1976:16), is the fact that ”....it is important that consultants, helping their clients make safer use of computers, have as much background and experience as possible with real victims and real perpetrators in order to gain necessary insight”. Parker (1983) recommends another approach. Although he readily admits that ”system hackers will never be eradicated", he states that ”(t)here will always at least be pranks, but the goal is to make even pranksters understand that their antics are unacceptable, that compromise is too much work, that there is the likelihood of being caught, and that the levels of punishment are high” (Parker, 1983:188). In essence, notifying hackers and others who engage in such malfeasance that their behavior will not be tolerated in the least should act as somewhat of a deterrent. This recommendation for prevention addresses the human factor, something inherently missing in much of the security literature. Educating future generations about computer ethics should parallel the training they receive on computer technology. Throughout the education process, reinforcement that unethical behaviors are unacceptable will inhibit the majority of those growing up in the ”techno-generations” from engaging in such acts. Such ethical training will be in sharp contrast to the current state of education. As described on a number of occasions in the literature, . not only are such ethics absent from training, but it is not uncorrunon for teachers to actually encourage students to be ”creative". 105 Relying on practical and sensible security counter measures to protect a company/organization's computers from abuse is also a helpful, if not necessary tactic. Some suggestions for enhancing computer security are... 1. Strong physical access control measures; 2. Strong emphasis on denying external software from being brought in; 3. A good resident anti-viral program managed and configured and access protected by computer security; 4. A limit on external connected machines or system portals to isolated machines; 5. A comprehensive, thought out systems approach and threat awareness education provided to users” (anonymous respondent's comments). Most companies not only fail to put in necessary safeguards, but also rush to join in on the latest technological advances with little thought often to their detriment. In the words of one survey respondent... ”Most companies have rushed to join the Internet without safeguarding their computers from intrusion by those on the net. Many continue to have proprietary information (i.e., financial personnel, contracts, pricing, etc. on the same computer system that is accessible via modem to the Internet. Without proper firewalls and other gateways, their company information has been stolen, tampered with, manipulated, read by 106 unauthorized individuals. Company plans, research, products, etc. have been lost this way creating financial losses and job losses. Also, there is considerable liability to losing personnel information Of their employees. With the information superhighway there is even greater opportunity for information warfare". As revealed in the literature and supported by the survey results, full- time employees are responsible for the majority of the victimization experienced by companies/ organizations. One interesting point noted in some literature, is that companies/ organizations often fail to fire or even admonish the most ”creative and innovative” employees who steal for fear of reprisal or embarrassment. Unfortunately, this only acts to further condone their behavior since, in a number of cases, such employees have actually been ”rewarded” through job promotions and pay raises. Clearly, this sounds somewhat illogical and irrational. However, many companies are, at this point, fearful of the potential of such individuals and are essentially held hostage by them. Admittedly, this is a difficult problem to solve. Getting tough with employees though seems to be a necessary tool. As with any other type of crime, victims need to speak up (given they are fully supported by the major players of the criminal justice system) and refuse to be taken advantage of. Although stated over a decade ago, the following quote by Parker (1983:27) foreshadows incidents in the very recent past and the present. He 107 states, ”(l)et us get back to the job of protecting business and government from computer abuse based on the fact that it is occurring and has changed the nature of business crime, that losses can be very large, and that reasonable scenarios of potential loss demonstrate the existence of serious vulnerabilities”. In 1983 such warnings fell on deaf ears, in 1995 such warnings are already late. REFERENCES CITED AND SELECTED BIBLIOGRAPHY 1m REFERENCES CITED AND SELECTED BIBLIOGRAPHY Books and Monographs Babbie, E. (1992). The Practice of Social Research (6th edition). Bilmont, California: Wadsworth Publishing Co. Bartlett, E. (n.d.). Computer Crime: Computer Security Techniques. (Grant No. 80-BJ-CX-0015). Washington, DC: US. Department of Justice (Bureau of Justice Statistics). Bequai, A. (1978). Computer Crime. Lexington, Massachusetts: D.C. Heath and Company. Bequai, A. (1987). Technocrimes. Lexington, Massachusetts: D.C. Heath and Company. Colton, K. W., Tien, J. M., Tvedt Davis, 5., Dunn, B., and Barnett, A. 1. (July, 1982). Computer Crime: Electronic Fund Transfer Systems and Crime. (BJS Grant N o. 80—BJ-CX 0026). Cambridge, MA: Public Systems Evaluation, Inc. Commission on Crime and Criminal Justice. (1995). United Nations Manual on the Prevention and Control of Computer-related Crime. New York: United Nations. Farr, R. (1975). The Electronic Criminals. New York: McGraw-Hill Book Company. Kerlinger, F. N. (1973). Foundations of Behavioral Research (2nd edition). New York: Holt, Rinehart, and Winston, Inc. 109 110 Kish, L. (1965). Survey Sampling. New York: John Wiley and Sons. McEwen, J. T., Fester, D., and Nugent, H. (1989). Dedicated Computer Crime Units. (Contract No. OJP-85-Co006). Washington, DC: National Institute of Justice. McKnight, G. (1973). Computer Crime. London: Michael Joseph. Parker, D. B. (1976). Crime by Computer. New York: Charles Scribner's Sons. Parker, D. B. (1983). Fighting Computer Crime. New York: Charles Scribner's Sons. Parker, D.B., Webb, D., Wood, C. C., Connor, W., Nycum, 5., and Bartlett, E. (n.d.). Computer Crime: Computer Security Techniques. (Grant N o. 80-BJ-CX-0015). Washington, DC: US. Department of Justice. Schjolberg, S. (1983). Computers and Penal Legislation. Oslo: Universitetsforlaget. Siegel, L. J. (1992). Criminology. (Fourth Edition). St. Paul: West Publishing Company. Smith, R.J., Gibbs, M., and McFedries, P. (1995). Navigating the Internet: Third Edition. Indianapolis, IN: Sams.net Publishing. Stoll, C., (1990). The Cuckoo ’5 Egg. New York: Simon and Schuster Inc. Todd, M. A. and Guitian, C. (November 1989). Computer Security Training Guidelines. (NIST Special Publication 500-172). Gaithersburg, MD: . US. Department of Commerce. 111 US. Congress, Office of Technology Assessment. (May 1988). Criminal Justice: New Technologies and the Constitution. (OTA-CIT-366). Washington, DC: US. Government Printing Office. US. Congress, Office of Technology Assessment. (September 1987). Science Technology and the Constitution-Background Paper. (OTA-BP-CIT-43). Washington, DC: US. Government Printing Office. US. Congress, Office of Technology Assessment. (January 1988). Science Technology and the First Amendment. (OTA-CIT-369). Washington, DC: US. Government Printing Office. US. Department of Justice. (1979). Computer Crime: Criminal Justice Resource Manual. (BJA Grant No. 78-SS-AX-0031). Washington, DC: US. Government Printing Office. Van Duyn, J. (1985). The Human Factor in Computer Crime. Princeton, NJ: Petrocelli Books, Inc. Wack, J. P. and Carnahan, L. J. (December 1994). Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls. (NTIS Special Publication 800-10). Gaithersburg, MD: US. Department of Commerce. Whiteside, T. (1978). Computer Capers. New York: Thomas Y. Crowell Company. Wold, G. H. and Shriver, R. F. (1989). Computer Crime: Techniques Prevention. Rolling Meadows, Illinois: Bankers Publishing Company. 112 Articles and Presentations Bequai, A. (October, 1976). ”Computer Crime: A Growing and Serious Problem". Police Law Quarterly. (6) pp. 22-30. Carroll, M. W. and Schrader, R. (1995). ”Computer—Related Crimes". American Criminal Law Review. Vol. 32:183:183-211. Carter, D. L. (1995). Computer-Related Crime and the Misappropriation of Intellectual Property. Paper presented at the Second International Conference on Organized Crime, Bramshill, England. Carter, D. L. (1995). Technological Trends and Developments: A Look to the Future. Texas Law Enforcement Management Institute Executive Seminars. Carter, D. L. Only 1995). Computer Crime Categories: How Techno-criminals Operate. FBI Law Enforcement Bulletin. Washington, DC: US. Department of Justice. Festinger, L. (1957). A Theory of Cognitive Dissonance. California: Stanford University Press. Florida Department of Law Enforcement. (1991) Computer Crime in Florida. Survey. Tallahassee, FL: Florida Department of Law Enforcement. Hollinger, R. C. and Lanza-Kaduce, L. (1988). ”The Process of Criminalization: The Case of Computer Crime Laws". Criminology. volume 26(1):101-126. Hoover, Larry (1995). ”Police Agencies as Information Processing Organizations". Executive Issues Seminar Series: Merging Law 113 Enforcement onto the Information Superhighway. Huntsville, TX: Law Enforcement Management Institute. Jurkat, M. A. (June 1986). ”Computer Crime Legislation: Survey and Analysis". Annual Survey of American Law. pp. 511-544. Manzi, M. (1992). Introduction to Computer Related Crime: Computer Crime Definitions and Overview. Paper presented at the Annual Meeting of the Society of Police Futurists International. McEwen, J.T., Fester, D., and Nugent, H. (June, 1989). Dedicated Computer Crime Units. Washington DC: National Institute of Justice. Postell, C. (1989). ”State Enacts Legislation to Target Computer Crime". Trial. v. 25 pp. 119-120. Starkman, R. D. (March, 1986). ”Computer Crime: The Federal vs. State Approach to Solving the Problem". Michigan Bar Journal. v.6 5 pp. 314-317. Anecdotal References Baig, E. C. (1994, November 14). ”Shielding the Net From Cyber-Scoundrels.” Business Week. Bergstein, B. (September 16, 1995). ”Resort owner seeks ID of online user.” Lansing State Journal. Billings, L. (1995, February 24-26). ”23 million kids go to the North Pole”. USA Weekend. pp. 16. Boeck S. and McLean, E. A. (1995). ”US. homes getting wired”. USA Today. 114 Burdick, T. and Mitchell, C. (December 3, 1991). ”'Attacks' of computer viruses rise with layoffs.” The Washington Times. Chandrasekaran, R. (1995, June 15). ”On-Line and Out of Bounds.” The Washington Post. pp. A1, A27. Cook, W. J. (1994, October 17). ”Serving Up A New Era In Computing.” U .5. News and World Report. pp. 62-72. ”Cops fight computer crimes.” (1995, February 5). Lansing State Journal pp. 5B. Corcoran, E. (1995, January 24). ”Of Interlopers on Internet”. The Washington Post. Davis, R. (1995, February 10). ”Graphic 'cyber-threats' land student in court.” USA Today. Davis, R. (1995, March 6). ”Crime finding a lane into info highway." USA Today. DeBarros, A. (1995, March 16). ”Which Way to the Highway?” Lansing State Journal. della Cava, M. R. (1995, March 7). ”Users abuzz over Internet obscenity bill”. USA Today. Dill, S. (1995, February 17). ”Alleged hacker is off- line.” Lansing State Journal. Eisler, P. (1995, September 5). ”Alert Center keeps Prodigy users in line”. USA Today. pp. 1A, 2A. 115 Elmer-Dewitt, P. (1994, November 21). ”Censoring Cyberspace”. Time pp. 102-104. ”Hackers Entered Pentagon Computers”. (1991, November 21). Washington Post. ”Hacker to accept plea bargain”. (1995, July 2). lansing State Journal. ”Internet suspect now a story victim”. (1995, February 17). Lansing State Journal. Kantrowitz, B., King, P. and Rosenberg, D. (1994, April 18). Newsweek pp. 40. Levy, S. (1995, February 27). ”TechnoMania”. Newsweek. pp.24-29. Levy, S. (1995, February 6). The Case for Hackers. Newsweek pp. 39. Lynch, D. J. (1995, February 19). ”Hacker scares on-line shoppers”. USA Today pp. 2B. Maney, K. (1995, January 25). ”New users, new uses: A chain reaction”. USA Today pp. 1B, 1C. Markoff, J. (1995, February 16). ”A Most-Wanted Cyberthief Is Caught in His Own Web”. New York Times. Marshall, S. (1995, January 24). ”High-tech crooks crack Internet security”. USA Today. McEwen, J. T. (1991, January/February). Computer Ethics. National Institute of Justice Reports. pp. 8-11. Meyer, M., and Glick, D. (1994, March 14). ”Keeping the Cybercops Out of Cyberspace”. Newsweek. pp. 38-39. 116 Meyer, M., Underwood, A., King, R, Rhodes, 5., and Rosenberg, D. (1995, February 6). ”Stop! Cyberthief!” Newsweek. pp. 36- 38. Meyer, M. and Underwood, A. (1994, November 14). ”Crimes of the 'Net'”. Newsweek pp. 46-47. Miner, B. J. (1995, April 10). ”Fraud out of control”. Lansing State Journal. Mokrzycki, M. (1995, January 24). ”Hackers attacking on Internet”. Lansing State Journal. ”Most Wanted”. (1994, November 15). USA Today. ”Neo-Nazis build electronic shield”. (1995, June 27). Lansing State Journal. ”Online Runaway Safe”. (1995, June 12). USA Today. Pearl, D. (1995, Feb. 8). ”Government Tackles a Surge of Smit on the Internet”. Wall Street Journal. Peyser, M., Murr, A. and French, R (1995, June 19). ”Don't 'Chat' to Strangers”. Newsweek pp. 42. Price, W. T. (1993, August 6). ”Low-tech problem hits PC networks”. USA Today pp. 2A, 2B. ”Prosecutors say U-M student should stay in jail”. (1995, February 26). Lansing State Journal. Quittner, J. (1995, January 23). ”Hacker Homecoming”. Time pp. 61. ”Rapist used on-line service to lure victim, lawmen say”. (1995, August 30). The Washington Times. pp. C3. Raven, G. (1994, N ovember-December). ”Computers Spread Hate Messages”. C] Europe pp. 9. 117 Sandberg, J. (1994, December 6). ”Hackers take revenge on, author”. Lansing State Journal pp. 7A. Schwartz, B. (1994, November 15). ”Tips protect kids who go on-line”. USA Today. Snider, M. (1995, January 23). ”FBI probes on-line child pornography”. USA Today. ”Stalking law may be tested in e-mail case”. (1995, January 24). Lansing State JournaL ”Student jailed in Internet sex fantasy”. (1995, February 11). Lansing State Journal. Sussman, V. (1995, January 23). ”Policing Cyberspace”. US. News and World Report. pp. 55-60. ”Teach your children well”. (1995, January 23). US. News and World Report pp. 60. Tompkins, W. (1995, June 26). ”Scam artists at home in cyberspace”. Lansing State Journal. Tompkins, W. (1995, July 19). ”Survey: Computers hold bigger chunk of our lives”. Lansing State Journal pp. SB. Waller, D. (1994, April 18). ”Techno-Smuggling”. Newsweek. pp. 36-37. Woller, B. (1995, June 16). ”Reengineering rules for the cyber-road”. USA Today. pp. 48. ”Writer seeks retaliation for posted Internet threat”. (1995, February 12). The State News. 118 Interviews Diamond, Drew. Associate Director, Police Executive Research Forum. Personal interview in East Lansing, Michigan, March, 1995. Appendix A COMPUTER CRIME SURVEY 119 g MICHIGAN STATE UNIVERSITY SCHOOL OF CRIMINAL JUSTICE NATIONAL SURVEY ON Comm-RELATED/I‘ECHNOLOGY CRIME (PHASE II) The purpose of this study is to measure the role and seriousness Of computer-related/ technology crime in the US. today. All of your responses are completely anonymous. If you have questions, please call Dr. David L. Carter toll free at (800) 892-9051. If you would like a copy Of the survey findings either call the toll free number above or include a business card in the survey return envelope. (Please do not write your name or address on the survey.) INSTRUCTIONS. Fer each of the questions check the box which most accurately indicates your perception or experience Please check only one response per question unless otherwise indicated. If you do not have an War for a question, leave it blank and go to the next Feel free to write comments at an time. SBCHON A: Please respond to the following statements about trends in computer-related crime in a manner which best represents your perception. 1 . With respect to business/office computers, over the past five (5) years. . . or has increased. or has increased. or money has increased. or data or or customer computer access to confidential employee access to computerized confidential business has increased. or secrets has increased. records increased. data has of 121 2. With respect to people who improperly access computers, we would like your perceptions and experiences. Over the past five (5) years... ......... ...... ............ a. ...firll-time employees have stolen or attempted to steal money through computer-related theft. 0 D D D b. ...part-time/ or ”outsource” employees have stolen or attempted to steal money via computer-related theft. 0 U 0 Cl c. ...computer hackers have stolen or attempted b steal money through computer-related theft. 0 D D D d. .. .full—time employees have stolen or attempted b steal product infimnation through computer- D D D D related theft e. ...part-time or ”outsource” employees have stolen or attempted to steal product information through computer-related theft. f.. ...computer hackers have stolen or attempted b steal product information through computer- Cl related theft g. ...fltll-iime employees have stolen or attempted b steal marketing injbrmation through computer- Cl related theft. h. ...part-time or ”outsource" employees have stolen or attempted to steal marketing injbrmation through computer-related theft. i. ...computer hackers have stolen or attempted b steal marketing information through computer- related theft. 3. We are interested in your perceptions of computer and technology-related problems in a variety of areas. In the last five (5) years, have there been increases in.. . a. .. .telecommunications fraud b. ...CIeditcardfraud c. .. .cellular phone fraud (1 .. .employee use of company computer equipment or resources for mortal reasons e. ...improper copying of software in Violation (f COPyfightB f. ...unauthorized access to computer files for ”snooping" (as Opposed to theft) g. ...intentional introduction of a “Virus" into computers h. . . .harassment of employees through computer network communications D 0 D U D I: D D D U U 122 SECTION B: Please respond to the following questions concerning the computer environment and security in your organization. 1 . Which of the following technologies are used by your company / organization? (Check All That Apply) DDDDDDDDDDD 0000 Bulletin Board System (BBS) Accessed by the Company Bulletin Board System (BBS) Operated by the Company Cellular Phone(s) (Company Owned) Company Subscription to a Commercial On-Line Service (e. g., CompuServe, America On-Line, Prodigy, eWorld, etc.) File Server Internet Access Internet Home Page (for the company) Local Area Network (LAN) Mainframe Computer Micro Computer/ Desktop / PC / Macintosh Mini Computer Modem Access In to the Company’ 8 Computers Modem Access Outward from the Company’ 3 Computers Super Computer Wide Area Network How many times would you estimate that your company/ organization has been Victimized by computer-related crime? (Check Only One) D D D 0 Only Once 2-10 Times 11-25 Times More Than 25 Times What types Of computer/ technology-related property have you had stolen from your company / organization? (Check All That Apply) UDDUDDDD Cellular Phones Computer Monitors Fax Machines Floppy Disks Microcomputer / PC Modems Printers Software Programs GENERAL COMMENTS: 123 4. What computer security counter measures have you taken over the past five years? (Check All That Apply). Hired more security personnel Retained computer security consultants Trained employees (computer users) on computer security Controlled access to computers Eliminated modem access to computers Eliminated computer networking outside Of the company Eliminated internal computer networks Developed changing password access system Encrypted data Established computer system access log/ audit trail Increased computer system operations security Installed anti-virus software Increased physical surveillance of computer Operations Increased surveillance of computer users Established physical security checks of personnel Other (Specify) PLEASECOWENTONANYASPKTOFm-WRMTEDmm-EREYW FEELCOI‘CERNSNEED'IDBEADWESSEDORS‘IUDIED. DDDUUDUDDUDDDDDD THANK YOU FOR YOUR PARTICIPATION! REMEMBER: IPYOUWDULDLucEACOPYOPmERESULTs, EITHERINCLUDEA \______....-——-. f BIJSNESSCARDN'I‘HEREIURNENVEIOPEORCALLUS(8M) 892-9051. h, Appendix B SUMMARY OF RESULTS 124 SUMMARY FINDINGS NATIONAL SURVEY ON COMPUTER-RELATED/TECHNOLOGY CRIME The purpose of this study was to measure the role and seriousness of computer- related/ technology crime in the US. today. There were a total of 182 respondents out of the 600 people surveyed, producing a response rate of 30.2%. Some responses were late or improperly completed resulting with 149 usable responses and a usable response rate of 248%. Given the sample size and an examination of the findings, the results appear to be representative of the population surveyed. The data in the following tables are the ”raw” univariate or descriptive results from the survey. The researchers are preparing detailed analyses which will be available in forthcoming publications. SECTION A: The following statements were directed toward trends in computer-related crime based on the respondents' experiences and perceptions. 1 . With respect to business/office computers, over the past five (5) years. .. ...theft or attempted theft of new product plans 27 62 25 2 has increased. (23.3%) (53.4%) (21.6%) (1.7%) ...theft or attempted theft of product 17 70 26 2 descriptions has increased. (14.8%) (60.9%) (22.6%) (1.7%) ...theft or attempted theft of money has 33 63 35 4 increased. (24.8%) (47.4%) (26.3%) (3.6%) ...theft or attempted theft of product pricing 20 59 27 4 data has increased. (18.2%) (53.6%) (24.5%) (3.6%) ...theft or attempted theft of client or customer 31 75 23 2 infirmation has increased. (23.7%) (57.3%) (17.6%) (1.5%) ...unauthorized computer access to confidential 33 69 30 5 employee information has increased. (24.1%) (50.4%) (21.9%) (3.6%) ...unauthorized computer access to confidential 37 82 18 4 business information has increased. (26.2%) (58.2%) (12.8%) (2.8%) ...theft or attempted theft of trade secrets has 31 66 26 2 increased. (24.8%) (52.8%) (20.8%) (1.6%0 ...theft or attempted theft of company 13 58 46 3 financial status has increased. (10.8%) (48.3%) (38.3%) (2.5%) ...theft or attempted theft of litigation or 7 38 53 4 legal records has increased. (6.9%) (37.3%) (52.0%) (3.9%) ...destruction or attempted destruction of data 15 60 46 5 files has increased. (11.9%) (47.6%) (36.5%) (4.0%) . . .destruction or attempted destruction of 9 49 55 7 operating programs has increased. (7.5%) (40.8%) (45.8%) (5.8%) 125 126 2. The following are the respondents experiences and perceptions with respect to people who improperly access computers. Over the past five (5) years, using computer-related theft. . . ...full-time employees have stolen or attempt ed to steal money. (13.9%) (51.1%) (29.2%) (5.8%) ...part-time or ”outsource" employees have stolen 20 65 42 7 or attempted to steal money. (14.9%) (48.9%) (31.1%) (5.2%) ...computer hackers have stolen or attempted to 19 50 50 7 steal money. (15.1%) (39.7%) (39.7%) (5.6%) ...full-time employees have stolen or attempted 11 67 50 6 to steal product information (8.2%) (50.0%) (37.3%) (4.5%) ...part-time or ”outsource" employees have stolen 17 55 55 6 or attempted to steal product information (12.8%) (41.4%) (41.4%) (4.5%) ...computer hackers have stolen or attempted to 14 58 46 11 steal product iry‘ormation (10.9%) (45.0%) (35.7%) (8.5%) ...full-time employees have stolen or attempted 15 59 50 7 to steal marketing iry‘ormation. (11.5%) (45.0%) (38.2%) (5.3%) ...part—time or ”outsource” employees have stolen 14 56 53 6 or attempted to steal marketing information (10.9%) (43.4%) (41.4%) (4.7%) ...computer hackers have stolen or attempted to 14 59 48 11 steal marketing information. (10.6%) (44.7%) (36.4%) (8.3%) 3. These variables explored the respondents experiences and perceptions of computer and technology-related problems in a variety of areas. In the last five (5) years, have there been increases in. .. . ..telecommunications fraud (57.8%) (38.8%) (3.4%) (0.0%) 90 50 4 1 .. .credit card fraud (62.1 %) (34.5%) (2.8%) (0.7%) 91 47 8 0 ...cellular phone fraud (62.3%) (32.2%) (5.5%) (0.0%) . . .employee use of company computer equipment or 86 57 6 0 resources for personal reasons (57.7%) (38.3%) (4.0%) (0.0%) ...improper copying of software in violation of 78 56 13 0 copyrights (53.3%) (38.1%) (8.8%) (0.0%) . ..unauthorized access to computer files for 58 78 7 0 ”snooping” (as opposed to theft) (40.6%) (54.5%) (4.9%) (0.0%) . . .intentional introduction of a ”virus” into 27 63 45 3 computers (19.6%) (46.7%) (32.6%) (2.2%) . . .employee harassment through computer 25 54 55 4 network communications (18.1%) (39.1 %) (39.9%) (2.9%) 127 SECTION B: These variables explored the computer environment and security in the respondents’ organizations. 1. Which of the following technologies are used by your company/ organization? 2. How many times would you estimate that your company/ organization has been victimized by computer-related crime? > 25 Times 11-25 Times I 2-10 Times . 5 (amtinuai...) 128 3. What types of computer/technology-related property have you had stolen from your company/ organization? Cellular Phones 80 53.7% Computer Monitors 99 66.4% Fax Machines 59 39.6% Floppy Disks 100 67.1% Microcomputer/ PC 112 75.2% Modems 84 56.4% Printers 90 60.4% Software Programs 116 77.9% 4. The following explore the computer security counter measures the respondents’ organizations have taken over the past five years? Hired more security personnel . VARIABLE " 29 19.5% Retained computer security consultants 38 25.5% Trained employees (computer users) on computer security 124 83.2% Controlled access to computers 120 80.5% Eliminated modem access to computers 16 10.7% Eliminated computer networking outside of the company 11 7.4% Eliminated internal computer networks 2 1 .3% Developed changing password access system 115 77.2% Encrypted data 70 47.0% Established computer system access log/ audit trail 97 65.1 % Increased computer system operations security 93 62.4% Installed anti-virus software 123 82.6% Increased Jhysical surveillance of computer operations 52 34.9% Increased surveillance of commter users 26 17.4% Established physical security checks of personnel 64 43.0% Other 15 10.1% Appendix C REPRESENTATIVE RESPONDENT COMMENTS 129 RESPONDENT COMMENTS Over one half of the respondents to the survey Offered some types Of comment about computer-related crime. Based on both experiences and perceptions, the comments generally proved insightful. The following are a representative selection of those comments. ”Breaking into systems for excitement, nourishing egos, etc. has increased. Hackers will try anything as a challenge.” ”There are growing concerns about [security professionals] ability to preserve security with increasing pressure for LAN 8 [Local Area Networks], WANS [Wide Area Networks], and the WWW [World Wide Web].” ”With the information superhighway there is even greater Opportunity for information warfare.” ”Although gateways are designed so that upgrades can be added easily [thereby increasing security], those in the know can get around them easily.” ”RE: Network security, firewalls just don’t seem to cut it and encryption is expense. User precautions are the key to protection.” ”Outside individual hacking into our computer is a problem Of a potential threat. Its hard to stop with jeopardizing business communications and networking.” ”Most companies have rushed to join the Internet without safeguarding their computers from intrusion by those on the net. Many continue to have proprietary information (i.e., financial, personnel, contracts, pricing, etc.) on the same computer system that is accessible via modem on the Internet. Without proper firewalls and other gateways, their company information has been stolen, tampered with, manipulated, read by unauthorized individuals. Company plans, research, products, etc. have been lost this way creating financial losses and lob losses. Also there is considerable liability to losing personnel information Of their employees.” 130 131 ”I feel the weakest link is the lack Of education in law enforcement relating to computer-technology crimes. The law enforcement community has devoted [itself] to the high priority violent crimes lumping computer crimes into a low priority status yet the losses to computer crime could fund a small country.” ”Software piracy is by far the greatest theft in numbers. Who knows how much money and how many jobs have been lost to this alone.” ”Random harassment has increased over the Internet, especially in the wake Of the Oklahoma City bombing incident.” ”We have seen a large increase in the transmission of Offensive or harassing statements and the sending, storing, creating or displaying Of computer files of a sexual nature.” ”Since we are connected to the Internet or WWW we have been asked how to deal with or manage personnel issues related to Offensive or inappropriate material brought into the workplace via net access." ”All I can answer about is known incidents—who knows what else has happened here.” ”You have to be careful Of people in payroll and personnel; they change vacation and pay records.” ”There is a rapid increase in the sophistication of computer criminals. They are better organized/ more knowledgeable.” DO we know the national or even local scope Of the computer crime threat? Probably not. Centralized data is not available.” ”Losses are sometimes very large. We just loss $1 million.” "‘tutti"tit