14 minute read

Computer Crime

Further Readings

The use of a computer to take or alter data, or to gain unlawful use of computers or services.

Because of the versatility of the computer, drawing lines between criminal and noncriminal behavior regarding its use can be difficult. Behavior that companies and governments regard as unwanted can range from simple pranks, such as making funny messages appear on a computer's screen, to financial or data manipulation producing millions of dollars in losses. Early prosecution of computer crime was infrequent and usually concerned EMBEZZLEMENT, a crime punishable under existing laws. The advent of more unique forms of abuse, such as computer worms and viruses and widespread computer hacking, has posed new challenges for government and the courts.

The first federal computer crime legislation was the Counterfeit Access Device and Computer Fraud and Abuse Act (18 U.S.C.A. § 1030), passed by Congress in 1984. The act safeguards certain classified government information and makes it a misdemeanor to obtain through a computer financial or credit information that federal laws protect. The act also criminalizes the use of computers to inflict damage to computer systems, including their hardware and software.

In the late 1980s, many states followed the federal government's lead in an effort to define and combat criminal computer activities. At least 20 states passed statutes with similar definitions of computer crimes. Some of those states might have been influenced by studies released in the late 1980s. One report, made available in 1987 by the accounting firm of Ernst and Whinney, estimated that computer abuse caused between $3 billion and $5 billion in losses in the United States annually. Moreover, some of those losses were attributable to newer, more complicated crimes that usually went unprosecuted.

The number of computer crimes continued to increase dramatically in the early 1990s. According to the Computer Emergency and Response Team at Carnegie-Mellon University, the number of computer intrusions in the United States increased 498 percent between 1991 and 1994. During the same time period, the number of network sites affected by computer crimes increased by 702 percent. In 1991, Congress created the National Computer Crime Squad within the FEDERAL BUREAU OF INVESTIGATION (FBI). Between 1991 and 1997, the Squad reportedly investigated more than 200 individual cases involving computer hackers.

Congress addressed the dramatic rise in computer crimes with the enactment of the National Information Infrastructure Act of 1996 as title II of the Economic Espionage Act of 1996, Pub. L. No. 104-294, 110 Stat. 3488. That Act strengthened and clarified provisions of the original Computer Fraud and Abuse Act, although lawmakers and commentators have suggested that as technology develops, new legislation might be necessary to address new methods for committing computer crimes. The new statute also expanded the application of the original statute, making it a crime to obtain unauthorized information from networks of government agencies and departments, as well as data relating to national defense or foreign relations.

Notwithstanding the new legislation and law enforcement's efforts to curb computer crime, statistics regarding these offenses remain stag-gering. According to a survey in 2002 conducted by the Computer Security Institute, in conjunction with the San Francisco office of the FBI, 90 percent of those surveyed (which included mostly large corporations and government agencies) reported that they had detected computer-security breaches. Eighty percent of those surveyed acknowledged that they had suffered financial loss due to computer crime. Moreover, the 223 companies and agencies in the survey that were willing to divulge information about financial losses reported total losses of $455 million in 2002 alone.

Concerns about TERRORISM have also included the possibility that terrorist organizations could perform hostile acts in the form of computer crimes. In 2001, Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT ACT), Pub. L. No. 107-56, 115 Stat. 277, to provide law enforcement with the necessary tools to combat terrorism. The Act includes provisions that allow law enforcement greater latitude in hunting down criminals who use computers and other communication networks. The Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 also directed the UNITED STATES SENTENCING COMMISSION to review, and possibly to amend, the sentencing provisions that relate to computer crimes under 18 U.S.C.A. § 1030.

The Department of Justice's Computer Crime and Intellectual Property Section prosecutes dozens of computer-crime cases each year. Many of those cases involve instances of computer hacking and other unauthorized intrusions, as well as software PIRACY and computer fraud.

One set of especially destructive crimes—internal computer crimes—includes acts in which one computer's program interferes with another computer, thus hindering its use, damaging data or programs, or causing the other computer to crash (i.e., to become temporarily inoperable). Two common types of such programs are known in programming circles as "worms" and "viruses." Both cause damage to computer systems through the commands written by their authors. Worms are independent programs that create temporary files and replicate themselves to the point where computers grow heavy with data, become sluggish, and then crash. Viruses are dependent programs that reproduce themselves through a computer code attached to another program, attaching additional copies of their program to legitimate files each time the computer system is started or when some other triggering event occurs.

The dangers of computer worms and viruses gained popular recognition with one of the first cases prosecuted under the Computer Fraud and Abuse Act. In United States v. Morris, 928 F.2d 504 (2d Cir. 1991), Cornell University student Robert T. Morris was convicted of violating a provision of the act that punishes anyone who, without authorization, intentionally accesses a "federal interest computer" and damages or prevents authorized use of information in such a computer, causing losses of $1,000 or more. Morris, a doctoral candidate in computer science, had decided to demonstrate the weakness of security measures of computers on the INTERNET, a network linking university, government, and military computers around the United States. His plan was to insert a worm into as many computers as he could gain access to, but to ensure that the worm replicated itself slowly enough that it would not cause the computers to slow down or crash. However, Morris miscalculated how quickly the worm would replicate. By the time he released a message on how to kill the worm, it was too late: Some 6,000 computers had crashed or become "catatonic" at numerous institutions, with estimated damages of $200 to $53,000 for each institution. Morris was sentenced to three years' PROBATION and 400 hours of community service, and was fined $10,500. The U.S. Supreme Court declined to review the case (Morris, cert. denied, 502 U.S. 817, 112 S. Ct. 72, 116 L. Ed. 2d 46 [1991]).

Computer hackers often share Morris's goal of attempting to prove a point through the clever manipulation of other computers. Hackers, who, typically, are young, talented, amateur computer programmers, earn respect among their peers by gaining access to information through TELECOMMUNICATIONS systems. The information obtained ranges from other individuals' E-MAIL or credit histories to the Department of Defense's secrets.

A high-profile case in 1992 captured national headlines. In what federal investigators called a conspiracy, five young members of an underground New York City gang of hackers, the Masters of Deception (MOD), faced charges that they had illegally obtained computer passwords, possessed unauthorized access devices (long-distance calling-card numbers), and committed wire fraud in violation of the Computer Fraud and Abuse Act. Otto Obermaier, the U.S. attorney who prosecuted the youths, described their activities as "the crime of the future," and said that he intended to use the case to make a critical statement about computer crime. The indictment contained 11 counts, each punishable by at least five years in prison and individual fines of $250,000. Supporters of MOD's civil liberties questioned whether the gang members had done anything truly illegal.

MOD members Paul Stira and Eli Ladopoulos pleaded guilty to the charges against them. They confessed that they had broken the law but insisted that they had not done anything for personal profit. They were sentenced to six months in a federal penitentiary, followed by six months' home detention. John Lee and Julio Fernandez faced specific charges of illegally selling passwords for personal profit. Lee pleaded guilty and received a year behind bars, followed by 300 hours of community service. Fernandez bargained with prosecutors, offering them information on MOD activities, and thus received no jail time. Gang leader Mark Abene, who was notorious in computer circles by his handle Phiber Optik, pleaded guilty to charges of fraud. A U.S. District Court judge sentenced Abene to a year in federal prison, hoping to send a message to other hackers. However, by the time Abene was released from prison in 1995, his notoriety had grown beyond the hacker underground. Many in the computer world hailed him as a martyr in the modern web of computer technology and criminal prosecution. Abene subsequently found employment as a computer technician at a New York-based on-line service.

Computer crime can become an obsession. Such was the case for Kevin Mitnick, a man federal prosecutors described prior to his arrest as the most wanted computer hacker in the world. In the early 1980s, as a teenager, Mitnick proved his mettle as a hacker by gaining access to a North American Air Defense terminal, an event that inspired the 1983 movie War Games. Like the MOD gang, Mitnick gained access to computer networks through telecommunications systems. In violation of federal law, he accessed private credit information, obtaining some 20,000 credit numbers and histories. Other break-ins by Mitnick caused an estimated $4 million in damage to the computer operations of the Digital Equipment Corporation. The company also claimed that Mitnick had stolen more than one million dollars in software.

Mitnick was convicted, sentenced to one year in a minimum-security prison, and then released into a treatment program for compulsive-behavior disorders. Federal investigators tried to keep close track of him during his probation, but in November 1992, he disappeared. Authorities caught up with his trail when Mitnick broke into the system of computer-security expert Tsutomu Shimomura at the San Diego Supercomputer Center—a move that was clearly intended as a challenge to another programming wizard. Shimomura joined forces with the Federal Bureau of Investigation to pursue their elusive quarry in cyberspace. Using a program designed to record activity in a particular database that they were sure that Mitnick was accessing, while monitoring phone activity, Shimomura and authorities narrowed their search to Raleigh, North Carolina. A special device detecting cellular-phone use ultimately led them to Mitnick's apartment. Mitnick was arrested and was charged on 23 federal counts. He pleabargained with prosecutors, who agreed to drop 22 of the counts in exchange for Mitnick's guilty plea for illegally possessing phone numbers to gain access to a computer system. Mitnick was sentenced to eight months in jail.

Mitnick's case illustrates the difficulties that legislatures and courts face when defining and assigning penalties for computer crime. Using a computer to transfer funds illegally or to embezzle money is clearly a serious crime that merits serious punishment. Mitnick broke into numerous services and databases without permission and took sensitive information, in violation of federal laws; however, he never used that information for financial gain. This type of behavior typically has no counterpart outside of cyberspace—for example, people do not break into jewelry stores only to leave a note about weak security.

Some instances of computer crimes demonstrate the way in which small computer files that require relatively little effort on the part of the perpetrator can cause millions of dollars' worth of damage to computer networks. In March 1999, David L. Smith of New Jersey created a virus that lowered the security levels of certain word-processing programs and caused infected computers to send e-mail messages containing attachments with the virus to e-mail addresses contained in the infected computer's e-mail address book. The virus was activated on an infected computer when the user opened the word-processing program.

Smith posted a message on March 26, 1999, to an Internet newsgroup called "Alt.Sex." The message claimed that if a user opened an attachment, it would provide a list of passcodes to pornographic websites. The attachment contained the virus, which became known as the "Melissa" virus. Smith was arrested by New Jersey authorities on April 1, 1999, but not before the virus had infected an estimated 1.2 million computers and affected one-fifth of the country's largest businesses.

The total amount of damages was $80 million. Smith pleaded guilty in December 1999 to state and federal charges. He faced 20 months in a federal prison and a fine of approximately $5,000 for his crime. He faced additional time in state prison. According to U.S. Attorney Robert J. Cleary, "There is a segment in society that views the unleashing of computer viruses as a challenge, a game. Far from it; it is a serious crime. The penalties Mr. Smith faces—including

David L. Smith was arrested in April 1999 for creating and disseminating the "Melissa" virus, which infected an estimated 1.2 million computers and affected one-fifth of the country's largest businesses.

potentially five years in a federal prison—are no game, and others should heed his example."

Others have continued to commit such crimes. In February 2000, a computer hacker stunned the world by paralyzing the Internet's leading U.S. web sites. Three days of concentrated assaults upon major sites crippled businesses like Yahoo, eBay, and CNN for hours, leaving engineers virtually helpless to respond. When the dust had settled, serious doubts were raised about the safety of Internet commerce. An international hunt ensued, and web sites claimed losses in the hundreds of millions of dollars. After pursuing several false leads, investigators ultimately charged a Canadian teenager in March 2000 in one of the attacks.

On February 7, engineers at Yahoo, the popular portal web site, noticed traffic slowing to a crawl. Initially, suspecting faulty equipment that facilitates the thousands of connections to the site daily, they were surprised to discover that it was receiving many times the normal number of hits. Buckling under exorbitant demand, the servers—the computers that receive and transmit its Internet traffic—had to be shut down for several hours. Engineers then isolated the problem: Remote computers had been instructed to bombard Yahoo's servers with automated requests for service. Over the next two days, several other major web sites suffered the same fate. Hackers hit the auction site eBay, the bookseller Amazon.com, the computer journalism site ZDnet, stock brokerages E*Trade and Datek, the computer store Buy.com, the web portal Excite at Home, and the flagship site for news giant CNN. As each site ground to a halt or went offline, engineers tried in vain to determine where the digital bombardment had originated.

Experts expressed amazement at the attacks' simplicity as well as at the inherent vulnerabilities that they exposed in the Internet's architecture. Hackers had launched what quickly came to be known as a distributed Denial-of-Service (DOS) attack—essentially a remote-controlled strike using multiple computers. First, weeks or months in advance, they had surreptitiously installed commonly available hacking programs called "scripts" on 50 or more remote computers, including university systems chosen for their high-speed connections to the Internet. Later, they activated these scripts, turning the remote computers into virtual zombies that were ordered to send unfathomably large amounts of data—up to one gigabyte per second—continuously to their victims. These data asked the target web sites to respond, just as every legitimate connection to a web site does. The sheer multitudes of requests and responses overwhelmed the victim sites. To escape detection, the "zombies" forged their digital addresses.

Federal investigators were initially stymied. They had legal authority to act under 18 U.S.C.A. § 1030, which criminalizes "knowingly transmit(ting) a program information code or command" that "intentionally causes damage." Sleuthing was difficult, however. Not only had the hackers covered the trail well, but also the FBI had suffered numerous personnel losses to private industry. The bureau had to hire consultants and had to develop special software to assist in its manhunt. Moreover, as FBI official Ron Dick told reporters, the proliferation of common hacking tools meant that even a teenager could have orchestrated the crime.

In early March 2000, authorities arrested 17-year-old New Hampshire resident Dennis Moran, allegedly known online as "Coolio." The lead proved false. In mid-April, claiming to have found "Mafia boy," Royal Canadian Mounted Police arrested a 15-year-old Montreal hacker. The youth, whose real name was not divulged, allegedly had boasted of his exploits online while trying to recruit helpers. Officials charged him with a misdemeanor for launching the attack upon CNN's website.

Although the DEPARTMENT OF JUSTICE continued its hunt, this denial-of-service attack was never completely resolved. Analysts have noted that DOS attacks have occurred for several years, although not to the extent as that of February 2000. In May 2001, for instance, the White House's web page was hit with a DOS attack that blocked access to the site for about two hours.

Based upon the sheer number of cases involving computer crime, commentators remain puzzled as to what is necessary to curb this type of activity. Clearly, technology for law enforcement needs to stay ahead of the technology used by the hackers, but this is not an easy task. A number of conferences have been held to address these issues, often attracting large corporations such as Microsoft and Visa International, but the general consensus is that the hackers still hold the upper hand, with solutions still elusive.



Additional topics

Law Library - American Law and Legal InformationFree Legal Encyclopedia: Companies House to Constituency