February 03, 1997
__________
Law enforcement agencies must respond to the world-wide growth in computer-related crime.
__________
Dr. Carter is a professor in the School of Criminal Justice at Michigan State
University, East Lansing, Michigan.
Dr. Katz is a professor in the Administration of Justice Department at Wichita State
University, Wichita, Kansas.
Law enforcement has withstood many challenges over the years. Prohibition, organized
crime, riots, drug trafficking, and violent crime exemplify some of the complex problems
the police have faced. Now law enforcement confronts another problem that is somewhat
unusual--computer-related crime.
Several factors make this type of criminality difficult to address. Lawbreakers have
integrated highly technical methods with traditional crimes and developed creative new
types of crime, as well. They use computers to cross state and national boundaries
electronically, thus complicating investigations. Moreover, the evidence of these crimes
is neither physical nor human but, if it exists, is little more than electronic impulses
and programming codes.
Regrettably, the police have fallen behind in the computer age and must overcome a
steep learning curve. To make matters worse, computer crime is sometimes difficult for
police officials to comprehend and to accept as a major problem with a local impact,
regardless of the size or location of their communities.
Futurist Alvin Toffler identified information as the commodity of greatest value as the
new millennium approaches.1 Indeed, the Securing Proprietary Information Committee of the
American Society of Industrial Security observed that the value of a company's future lies
not in its tangible assets, but in the "intellectual capital" of the business.2
In most businesses today, intellectual property is kept in computers. As a consequence,
the computer has become the target--and sometimes the instrument--of crimes.
We conducted a national study of corporate security directors to explore the
environment of computer crime and identify some critical issues facing policy makers in
the future. The creation of computer crime units in the Secret Service, Air Force Office
of Special Investigations, FBI, and a small number of state and local agencies shows that
law enforcement agencies are beginning to recognize the significance of computer crime.
The growth of such groups as the Florida Association of Computer Crime Investigators and
the High Tech Crime Investigators Association, as well as the proliferation of computer
crime specialists in such agencies as the Royal Canadian Mounted Police, Royal Thai
Police, and London Metropolitan Police Department, confirms the rising worldwide awareness
of computer crime. Still, as one respondent to this study observed:
I feel the weakest link is the lack of education in [public] law enforcement relating
to computer-technology crimes. The law enforcement community has devoted [itself] to the
high priority violent crimes, lumping computer crimes into a low priority status, yet the
losses to computer crime could fund a small country.
RESEARCH FINDINGS
While many crimes using computer technology mirror traditional offenses--such as theft
or fraud--the technical complexity, speed, and creative avenues by which these crimes
occur pose particular problems for detection, prosecution, and prevention. If the trend of
computer crime over the last 5 years provides any indication of the future, law
enforcement's problems have just begun.
Victimization
The extent of computer crimes appears to be expanding rapidly. A study conducted by the
American Bar Association (ABA) in 1987 found that of the 300 corporations and government
agencies questioned, 72 (24 percent) claimed to have been the victim of a computer-related
crime in the 12 months prior to the survey.3 The combined estimated losses from these
crimes ranged from $145 million to $730 million over the 1-year period.
This broad range illustrates the problem in estimating losses. Not only is it difficult
to identify and document these crimes, it is even more difficult to place a monetary value
on the loss of intellectual property for which the actual value may not be known for
months or even years.
Two years later, in 1989, the Florida Department of Law Enforcement (FDLE) surveyed 898
public and private sector organizations that conducted business by computer. Of the 403
respondents, 25 percent reported they had been victimized by computer criminals.4 The
Florida study found embezzlement of funds by employees to be a major source of the crimes.
No attempt to estimate losses was made because, according to one of the researchers
interviewed, "losses would have been nothing more than a guess."
In perhaps one of the most comprehensive studies, a component of the United Nations
Commission on Crime and Criminal Justice surveyed 3,000 Virtual Address Extension (VAX)
sites in Canada, Europe, and the United States in 1991 to assess computer security threats
and crimes. The results show that 72 percent of the respondents reported a security
incident within the previous 12 months, with 43 percent reporting the incident was
criminal in nature.5 By far, the greatest security threats came from employees or other
people with access to the computers; however, respondents reported a number of external
breaches from crackers6 telephoning into the systems or accessing via networks.
The ABA and FDLE studies barely mentioned this external threat and gave little
attention to it as a growing problem. This is not surprising, however, because
predominantly only the military, academics, and researchers used networking in the late
1980s. Access was comparatively limited, and networking technology cost more than it does
today. The 1991 United Nations study, however, identified external threats via remote
access as a problem that would grow in the years to come.7 Despite this concern, past
research suggests that threats of computer crime generally come from employees, like much
of the theft that occurs in retail businesses.
Our study found a trend of victimization that increased significantly over previous
studies, with 98.5 percent of the respondents reporting they had been victimized, and 43.3
percent admitting to being victimized more than 25 times. While these numbers seem
dramatic, security professionals who reviewed the data expressed surprise at the frequency
of admitted victimization, not actual victimization.
Consistent with previous studies, employees committed most of the reported crimes. The
primary threat came from full-time employees, followed by part-time and contract
employees, with computer crackers a close third. The researchers expected this finding
because of the correlation between theft and access to computers.8 However, the important
dynamic to recognize is that access is changing dramatically as networking becomes more
widespread. As the probability of these crimes increases, so will the public's expectation
that state and local law enforcement agencies will be able to respond to and investigate
these offenses.
Theft
Not surprisingly, the fastest growing computer-related crime was theft. However, an
interesting facet of this crime supports Toffler's forecast--the most commonly stolen
commodity was information. Respondents reported that thieves most frequently targeted
intellectual property, which includes such things as new product plans, new product
descriptions, research, marketing plans, prospective customer lists, and similar
information. To illustrate one method of information theft, an information security
specialist tried an experiment. A major corporate research laboratory used the Internet to
search for information on new product plans. In a test of the system, a security
specialist illegally accessed the Internet communications of two researchers and recorded
their search inquiries and the Internet Uniform Resource Locator (URL) addresses they
visited. The specialist then gave the key word search inquiries and URLs to an independent
researcher in the same field, who immediately hypothesized the type of product the company
was working on and the new dimension of the product under development. When informed of
the results, the laboratory researchers confirmed the hypotheses. While this was a
security experiment, it illustrates how computer crime can occur.
Our study found a significant relationship between personal use of company computers
and increases in intellectual property theft. Personal use of computers ranged from simple
word processing to use of spread sheets for personal finances to accessing the Internet.
In many cases, employers either permitted or, more typically, overlooked these uses.
Perhaps when employees have workstations where they perform personal activities, they
begin to view the space as being their own. Consequently, the theft--particularly of
intellectual property that has no tangible value--is not as readily perceived as being
wrong, thereby making it psychologically easier to commit. In general, victims discovered
thefts either by an audit trail showing access to information for which the user had no
legitimate need, by an informant who told the business of the theft, or by external
information, such as the actions or products of a competitor, that indicated theft.
A wide body of research shows the value of stolen trade secrets and intellectual
property.9 Historically, thieves obtained such property by compromising employees,
photocopying documents, committing burglary, or conducting surveillance of company
personnel and practices. Increasingly, however, thieves prefer stealing from computers
because it provides more extensive access to more usable information, is easier and more
reliable than other methods, and presents less risk of detection and capture. Our research
also revealed a significant relationship between personal use of company computers and
employees stealing or attempting to steal money. In most cases, businesses identified
employees who tried to steal money before sustaining a loss. It was easier to account for
monetary losses, which required some type of electronic transaction, than for intellectual
property losses, which simply required copying files. Moreover, businesses placed more
security controls on monetary files and monitored them more closely than information
files. In addition, businesses generally had fewer monetary files than information files,
making cash accounting easier to monitor.
Despite these safeguards, monetary thefts have occurred. In Detroit, Michigan, a
small-time computer cracker penetrated a bank's computer system, opened a new account, and
methodically transferred small amounts of money into it from existing accounts. The small
thefts totaled about $50,000 before being noticed.10 One of our survey respondents
summarized the issue succinctly, "Losses are sometimes very large. We just lost $1
million."
Unauthorized Access to Files
The term "browsing" refers to the practice of obtaining unauthorized access
to files just to see what they contain, somewhat akin to a criminal trespass. It is
sometimes difficult to ascertain whether a law was broken, a company policy violated, an
ethical standard breached, or the behavior simply stemmed from poor judgment. Browsing
truly can cover this continuum, depending largely on security controls, customary
practices within an organization, and corporate policy governing access to information.
One security professional indicated that most cases of browsing in his company were
simply curiosity or "cybervoyeurism" with no malicious intent. He even believed
that most hackers were interested in the challenge of breaking into a computer system
rather than in committing a theft. Despite the experiences of this individual, our
research indicated otherwise.
There were significant relationships between browsing by full- and part-time employees
and their attempts to steal both intellectual property and money. While not as strong
overall, a significant relationship between browsing and the theft of intellectual
property, but not money, also existed. With the growth of networking, a similar analysis
in the next two years or so might find different results.
In the case of stealing intellectual property, browsing apparently served as a means to
identify the nature of available information, its potential value, and the ability to
steal the data. In the case of money, browsers most likely sought to learn the computer
system's file structure, determine transaction protocols, locate accounts most susceptible
to theft with a lower probability of discovery, and test security for access control and
authentication roadblocks. Clearly in both cases, browsing was a significant precursor to
criminality.
Traditional wisdom suggests that browsers are more of a nuisance than a threat.
However, the data suggest that browsing is an exploratory activity that leads to theft or
attempted theft in a significant number of instances. Organizational policy, employee
supervision, and security measures should be reviewed to detect and resolve browsing
activities.
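One way to review an audit trail for the browsing pattern described above, as an added example that is not part of the original article. The log format, the user names, and the need-to-know policy are constructed assumptions; the check flags users who read files in several areas outside their assigned one.

```python
from collections import defaultdict

# Constructed audit-trail sample: timestamp, user, action, path.
AUDIT_LOG = """\
1997-01-06T09:12:04 akim READ /finance/payroll/q4.xls
1997-01-06T09:15:40 akim WRITE /finance/payroll/q4.xls
1997-01-06T10:02:11 bross READ /research/widget/specs.doc
1997-01-06T10:03:57 bross READ /finance/payroll/q4.xls
1997-01-06T10:04:20 bross READ /finance/accounts/wire_limits.txt
1997-01-06T10:05:02 bross READ /marketing/plans/1998_launch.doc
1997-01-06T11:30:00 cdiaz READ /marketing/plans/1998_launch.doc
1997-01-06T11:31:00 cdiaz READ /research/widget/specs.doc
this line is malformed
"""

# Hypothetical need-to-know policy: user -> path prefixes the job requires.
NEED_TO_KNOW = {
    "akim": ["/finance/"],
    "bross": ["/research/"],
    "cdiaz": ["/marketing/"],
}


def parse_audit(text):
    """Turn audit-trail text into records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[3].startswith("/"):
            continue
        stamp, user, action, path = parts
        records.append({"time": stamp, "user": user,
                        "action": action, "path": path})
    return records


def area_of(path):
    """Top-level area of a path: '/finance/payroll/q4.xls' -> '/finance/'."""
    return "/" + path.strip("/").split("/")[0] + "/"


def out_of_scope_reads(records, policy):
    """Map user -> area -> set of files read outside the user's need-to-know.

    A user with no policy entry has no legitimate need recorded, so every
    read by that user counts as out of scope.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["action"] != "READ":
            continue
        allowed = policy.get(rec["user"], [])
        if any(rec["path"].startswith(prefix) for prefix in allowed):
            continue
        hits[rec["user"]][area_of(rec["path"])].add(rec["path"])
    return hits


def browsing_report(records, policy, min_areas=2):
    """List (user, areas, files) for users reading in >= min_areas foreign areas.

    Breadth across unrelated areas is what separates exploratory browsing
    from a single mistaken or one-off access.
    """
    report = []
    for user, areas in out_of_scope_reads(records, policy).items():
        if len(areas) >= min_areas:
            files = sorted(p for paths in areas.values() for p in paths)
            report.append((user, sorted(areas), files))
    return sorted(report)


if __name__ == "__main__":
    for user, areas, files in browsing_report(parse_audit(AUDIT_LOG), NEED_TO_KNOW):
        print(user, "read outside need-to-know in", areas)
        for path in files:
            print("   ", path)
```

Lowering `min_areas` to 1 also lists single out-of-scope reads, which suits a supervisor's follow-up queue rather than an alert.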
Virus Introduction
Computer viruses, created for a variety of reasons, can have many different effects,
depending on the creator's intent. To illustrate, several new insidious viruses have been
found.
> "Gingrich" randomly converts word processing files into legalese often
found in contracts. Victims can combat this virus by typing their names at the bottom of
infected files, thereby signing them, as if signing a contract.
> "Clipper" scrambles all the data on a hard drive, rendering it useless.
> "Lecture" deliberately formats the hard drive, destroying all data, then
scolds the user for not catching it.
> "Clinton" is designed to infect programs, but it eradicates itself when
it cannot decide which program to infect.
> "SPA" examines programs on the hard disk to determine whether they are
properly licensed. If the virus detects illegally copied software, it seizes the
computer's modem, automatically dials 911, and asks for help.
For those malcontent computer users who seek ready-made viruses, a bulletin board
service in France, accessible via the Internet, has a large collection of diverse viruses
that can be downloaded and then introduced into a targeted computer. Certainly, the
capacity to infect a computer is available, and infections are occurring on an increasing,
although not epidemic, basis.
Sixty-six percent of the responding businesses reported viruses had been introduced
into their computers over the past 5 years. When tested, the data show significant
relationships between virus introduction by crackers who stole (or attempted to steal)
both intellectual property and money.
Anecdotal evidence supports this finding, suggesting that crackers would try to destroy
any evidence of their presence and their crime and make it harder to detect and
investigate a theft or intrusion by introducing a virus. Essentially, the criminals intend
the virus to provide a smoke screen for their invasion of the computer.
These findings strongly suggest that in a significant number of cases where computer
thefts occur, viruses are introduced. The caveat to investigators is to look for evidence
of thefts whenever a virus is introduced via network or modem access. In addition,
part-time employees often covered their theft or attempted theft by introducing a virus
into the targeted computer, following the same rationale as for crackers. Interestingly,
there was no significant relationship between virus introduction and any behavior by
full-time employees, although anecdotal evidence suggests that employees have placed
viruses in computer systems for a number of reasons.
According to the National Computer Security Association, the massive terminations and
layoffs afflicting the corporate landscape provide an important explanation for the
increase in computer viruses. A growing number of employees, believing they have been
coldly dismissed after years of loyalty, see inserting a virus into the corporate computer
system as a way of striking back.
Notably, to fend off the threat posed by viruses, nearly 83 percent of the respondents
reported that anti-virus software had been loaded on company computers. Given that this
software is easy to use and relatively inexpensive in comparison with the damage a virus
could cause, it is somewhat surprising that all companies do not use virus protection.
While not directly comparable, it appears that the portion of respondents who do not
have anti-viral software approximately equals the number who have no Internet connections
or external modem access. Presumably, security personnel in these companies have concluded
that a virus threat does not exist because the computer has no external connectivity. If
so, the researchers emphasize that full-time employees also pose computer security risks.
They obviously could--and have--introduced viruses. Employees might introduce viruses for
a variety of reasons, including harassing other employees, seeking retribution, playing
with the system (gamesmanship), impeding commerce, and hiding evidence of thefts. While
our study did not measure reasons empirically, interviews and anecdotes shed light on
these motivations.
Harassment of other employees, particularly with respect to "company
politics," serves as one reason for viruses. If a fellow employee can cause problems
to others, particularly in a company where one's success is measured competitively against
other employees, then a virus can be a good tool to gain an advantage. In other cases,
employees seek retribution. Those who believe they have been treated unfairly, terminated
without just reason, or unappreciated might seek revenge. Introducing a computer virus
might fulfill the need for revenge because it can cause significant damage to the company
with little chance of the perpetrator's getting caught.
Some employees could be motivated to infect a computer with a virus simply for purposes
of gamesmanship. In these cases, the employees typically introduce a virus to play with
the system without intending to cause permanent damage, as in the case of the
"Clinton" virus. Despite this lack of malice, these employees still inflict some
financial loss on the targeted businesses due to lower productivity while the virus is
present and the cost of eradicating the problem. Moreover, there could be accidental
damage caused by the virus itself or by attempts to remove it. Another reason for
infecting a computer is to impede the commerce of a business. Whether introduced by a
cracker working at the behest of a competitor or an employee who has "sold out,"
a virus intended to impede commerce typically will cause major damage, such as erasing
files, mixing information so that it makes no sense, or locking up hardware so that the
system's software must be reloaded. In addition to the effects of the virus on the
computer system, businesses sustain significant losses from secondary effects: the costs
of virus eradication and system repair, operational slowdowns--or even stoppages--while
the problem is being resolved, and undetermined losses of market share that might occur as
a result of the problem.
A final reason for employees to infect computers is to hide evidence of thefts. If a
virus erases information, disrupts audit trails, or jumbles information, then losses--even
if detected--might be attributed to the virus, not a theft.
As shown, computer viruses can be obtained readily and introduced by employees and
crackers alike. Policy makers should take the logical security precautions, anticipating
the possibility of viral infection of computer systems. As network connections among
computer systems proliferate, the potential for problems will only increase.
Security Countermeasures
In light of these computer crime threats, we asked the respondents about their
practices and experiences with a variety of security countermeasures. These included
encryption, operations security, cash accounts security, employee training, and firewalls.
Encryption
The analysis shows a significant relationship between file or data encryption and
reduced theft of intellectual property. Encryption, therefore, should be considered an
important tool for protecting confidential information.
However, encryption tools should be reviewed and changed periodically. Breaches of such
systems not only have occurred but also have become somewhat of a game. For example,
RSA-129 is a 129-digit number created in 1977 by the developers of an encryption system
said to be "provably secure." The creators of the code estimated that it would
take 40 quadrillion years to factor the number using the methods available in the late
1970s. The code's creators recognized that rapidly evolving technology would increase
analytic capacities dramatically over the coming years and, in light of this, predicted
that the code would remain secure well into the next century. In 1994, a mere 17 years
later, a group of 600 Internet volunteers cracked the code.11 Evidently, technology is
challenging traditional assumptions, including the assumption of long-term security via
encryption.
Operations Security
Our study also found that increased operations security led to decreased theft of
intellectual property. Operations security includes such measures as monitoring users,
creating audit trails of system users, and conducting physical surveillance of users and
systems. Physical surveillance, in particular, brought down the incidence of intellectual
property theft; however, it also caused an operational problem.
Anecdotal evidence suggests that when security surveillance of computer users
increases, employee morale deteriorates, job satisfaction lessens, and employee
productivity decreases. It might be difficult to balance the need to use surveillance to
reduce intellectual property theft against the potential negative effects of such
heightened scrutiny. In all likelihood, the decision will have to be made on a
case-by-case basis following an evaluation of the organizational culture and a
risk/benefit analysis.
Protecting money, according to the respondents, poses different problems. While the
value of intellectual property is difficult to assess, it can be protected more easily
through encryption. However, encryption has unique limitations, and computerized cash
accounts require different types of operations security.
Cash Accounts Security
The threat of monetary loss is real. In 1994, a Russian cracker unlawfully accessed
Citicorp's computers, transferred approximately $40 million, and withdrew some $400,000.12
Our study found a number of measures required to secure cash accounts, including changing
passwords regularly, using numerical access control systems, upgrading authentication
software, monitoring employees, maintaining audit trails, and regularly reviewing cash
accounts for small losses.
On this last point, we learned that small account balance errors in computer files
serve as good indicators that someone has tampered with the accounts. In a rush to commit
the crime, the perpetrator is more likely to make small--rather than large--errors and miss
them.
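The review of cash accounts for small losses described above, together with the pattern from the Detroit case (a new account fed by small transfers from existing accounts), can be sketched as follows. This is an added example, not part of the original article; the account numbers, dates, amounts, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal as D

# Constructed account master: open date, opening balance, balance on file.
ACCOUNTS = {
    "1001": {"opened": date(1990, 3, 1), "opening": D("5200.00"), "recorded": D("5690.25")},
    "1002": {"opened": date(1988, 7, 9), "opening": D("830.00"), "recorded": D("817.60")},
    "1003": {"opened": date(1992, 1, 20), "opening": D("12000.00"), "recorded": D("11491.90")},
    "9001": {"opened": date(1995, 1, 10), "opening": D("0.00"), "recorded": D("30.30")},
}

# Constructed transfer journal: (date, from account, to account, amount).
JOURNAL = [
    (date(1995, 1, 12), "1001", "9001", D("9.75")),
    (date(1995, 1, 13), "1002", "9001", D("12.40")),
    (date(1995, 1, 15), "1003", "9001", D("8.15")),
    (date(1995, 1, 20), "1003", "1001", D("500.00")),
]


def reconcile(accounts, journal):
    """Return {account: recorded - expected} for every balance that is off.

    Expected balance is the opening balance plus journal credits minus
    journal debits. Any nonzero difference, however small, means the balance
    on file was changed outside the journal. Journal sides that name an
    account missing from the master are ignored here.
    """
    expected = {acct: info["opening"] for acct, info in accounts.items()}
    for _day, src, dst, amount in journal:
        if src in expected:
            expected[src] -= amount
        if dst in expected:
            expected[dst] += amount
    return {acct: accounts[acct]["recorded"] - bal
            for acct, bal in expected.items()
            if accounts[acct]["recorded"] != bal}


def funnel_accounts(accounts, journal, window_days=30,
                    small=D("25.00"), min_sources=3):
    """Find newly opened accounts fed by small credits from many accounts.

    Returns sorted (account, distinct source count, total received) tuples
    for accounts that, within window_days of opening, received credits of at
    most `small` from at least `min_sources` different accounts.
    """
    sources = defaultdict(set)
    totals = defaultdict(D)  # Decimal() is zero
    for day, src, dst, amount in journal:
        info = accounts.get(dst)
        if info is None or amount > small:
            continue
        age = day - info["opened"]
        if timedelta(0) <= age <= timedelta(days=window_days):
            sources[dst].add(src)
            totals[dst] += amount
    return sorted((dst, len(srcs), totals[dst])
                  for dst, srcs in sources.items()
                  if len(srcs) >= min_sources)


if __name__ == "__main__":
    for acct, diff in reconcile(ACCOUNTS, JOURNAL).items():
        print(f"account {acct}: balance on file differs by {diff}")
    for acct, count, total in funnel_accounts(ACCOUNTS, JOURNAL):
        print(f"account {acct}: {total} received from {count} accounts soon after opening")
```

Amounts are held as `Decimal` so that a five-cent discrepancy is an exact result rather than floating-point noise.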
Employee Training
Across the board, increased employee training consistently helped minimize theft.
Respondents reported that employee training diminished crimes and computer abuse, such as
harassment via e-mail and personal use of business computer systems.
Firewalls
Finally, we tested the use of firewalls as a countermeasure. While different approaches
exist, as a rule, firewalls are software controls that permit system access only to users
specifically registered with a computer. As users attempt to gain access to the system,
they are challenged to ensure they have an authentic password. Typically, users encounter
several challenges, known as layers, for added protection.
Although respondents reported widespread use of firewalls, the data showed no
significant relationship between this countermeasure and protection of information.
Indeed, several respondents' comments suggested that crackers had penetrated their
firewalls. A number of security professionals have reported discovering "Password
Sniffer" and "Password Breaker" programs downloaded from the Internet by
crackers to breach security. Our study did not examine the sophistication or level of
security provided by these firewalls, thus the finding of no significance could be a
function of security practice rather than actual effectiveness of the countermeasure.
Typically, firewalls are developed to defend against known incursion methods. However,
computer criminals are creative and clearly have demonstrated their ability to penetrate
many firewall systems. Moreover, when security professionals develop new barriers,
crackers approach them like a puzzle, rather than an obstacle.
Essentially, a firewall acts as a sophisticated electronic dam. Unfortunately, once an
intruder finds a passage around this barrier, access to critical information becomes much
easier. Some evidence suggests that when systems have firewalls to protect against
external intruders, system operators place less emphasis on internal security control,
thus exposing the system to abuse by insiders and, once the firewalls have been breached,
outsiders alike. To provide effective information system security requires a more
holistic, proactive vision supported by the underlying assumption that any countermeasure
can be compromised.
CONCLUSION AND RECOMMENDATIONS
As the research shows, computer crime poses a real threat. Those who believe otherwise
simply have not been awakened by the massive losses and setbacks experienced by companies
worldwide. Money and intellectual property have been stolen, corporate operations impeded,
and jobs lost as a result of computer crime. Similarly, information systems in government
and business alike have been compromised, and only luck has prevented more damage from
occurring.
The economic impact of computer crime is staggering. British Banking Association
representatives estimate the global loss to computer fraud alone as approximately $8
billion each year. To add other losses as previously described brings the total economic
effects of computer crime to a level beyond comprehension. As new technologies emerge and
another generation of people becomes not only computer literate but also network literate,
the problems will multiply.
Researchers must explore the problems in greater detail to learn the origins, methods,
and motivations of this growing criminal group. Decision makers in business, government,
and law enforcement must react to this emerging body of knowledge. They must develop
policies, methods, and regulations to detect incursions, investigate and prosecute the
perpetrators, and prevent future crimes. Institutions already have fallen behind the
criminals; at this point, the question is not whether they can catch up but whether they
can keep the gap from widening. Just as law enforcement agencies have developed
specialized criminal investigative units and prevention programs for crimes of violence
and drug abuse, they must initiate similar programs for computer crime. In addition,
police departments immediately should take steps to protect their own information systems
from intrusions.
Computer crime is a multi-billion dollar problem. Technological changes will enable
more perpetrators to ply their trade from remote locations. Police managers must plan for
this reality and devote resources to deal with the computer crime problem. Computers have
ushered in a new age filled with the potential for good. Unfortunately, the computer age
also has ushered in new types of crime for the police to address. Law enforcement must
seek ways to keep the drawbacks from overshadowing the great promise of the computer age.
Endnotes
1 A. Toffler, PowerShift (New York: Bantam Books, 1990).
2 R. Heffernan, Securing Proprietary Information Committee of the American Society of
Industrial Security, Committee Presentation at the ASIS Annual Meeting, New Orleans, LA,
September 12, 1995.
3 U.N. Commission on Crime and Criminal Justice, United Nations Manual on the
Prevention and Control of Computer-related Crime (New York: United Nations, 1995).
4 Florida Department of Law Enforcement, Computer Crime in Florida, unpublished report,
Tallahassee, Florida, 1989.
5 Supra note 3.
6 This term, which refers to people who break into computer systems without
authorization, is preferred to "hackers," which signifies people skilled in
writing and manipulating computer code.
7 Supra note 3.
8 Supra note 2.
9 See, for example, supra note 2; B. Tripp, Survey of the Counterintelligence Needs of
Private Industry (Washington, DC: National Counterintelligence Center and the U.S.
Department of State Overseas Security Advisory Council, 1995); and U.S. Congress, Annual
Report to Congress on Foreign Economic Collection and Industrial Espionage (Washington,
DC: U.S. Government Printing Office, 1995).
10 "Computer Used to Steal Cash," Lansing State Journal, February 5, 1995,
4B.
11 J. Rosener, CyberLaw (America Online), April, 1994.
12 J. Rosener, CyberLaw (America Online), October, 1995.