Report on High-Tech Fraud
HOW MUCH HIGH-TECH FRAUD IS THERE?
This is a difficult question to answer for several reasons. At this point in time, there is no organization that keeps accurate statistics on computer fraud and/or high-tech crime. Our technological innovations have far outpaced our ability to record and track the amount of abuse that occurs through their use. Even the FBI, which maintains statistics on all types of crime, does not have a category to show all crimes that involve computer or telecommunications technologies. Secondly, there are many disincentives for organizations to report these types of fraud, including negative publicity, decreased stockholder loyalty, and diminished customer confidence.
A FEW STATISTICS
This being so, surveys have become the best resource for gauging the amount of computer fraud in this age. The following results were derived from the 1999 Computer Crime and Security Survey, conducted by the Computer Security Institute in conjunction with the FBI International Computer Crime Squad:
Losses due to computer security breaches totaled over $100,000,000 for the third consecutive year. Of the 51% of organizations who acknowledged financial loss, only 31% were able to put a figure to their loss.
HOW BAD IS IT REALLY?
Experts have some interesting things to say about computer crime. One book entitled Crimewarps: The Future of Crime in America, says: "Experts agree that computer crime will be the single greatest crime generator we face in the future." Another source calls the computer "the burglary tool of the future."
An additional analogy recalled that with the introduction of the automobile in the early 20th century, the number of crimes doubled. The projection for our future is that the computer might produce an impact for law and law enforcement greater than that created by the invention of the automobile.
The book Computers at Risk, published by the Computer Science and Telecommunications Board of the National Research Council at the request of the Defense Advanced Research Projects Agency (DARPA), states the following:
Naturally, a great deal of what is considered computer crime can be found on the Internet. Traditional frauds, such as pyramid schemes, chain letters, and investment swindles, have now found a home on the Internet, hawking the same old swindles under a new, high-tech guise. New applications, such as electronic commerce and digital cash, have also created greater opportunities for fraud.
Individuals, as well as organizations, jump onto the Internet bandwagon without adequately considering the security implications. Scams, which in the real world would most likely be laughed off by most of us, are somehow lent credence when encountered on the Net. Increased deployment of intranets, which use the Internet as a corporate network backbone, also raise new challenges for security, as well as new opportunities for fraud.
WHAT IS A HIGH-TECH CRIME?
The terms "computer crime" and "high-tech crime" conjure images of seedy computer hackers sitting in dark rooms hunched over their keyboards, attempting to crack into a system and wreak havoc on modern society. Hollywood fills the silver screens with computer super-villains who can tap into any system and instantly gain control of the national defense system or Wall Street. We have been conditioned to view computer crime as an attack on large organizations or governments, not private citizens or small businesses. Unfortunately, this is not generally the case.
Computer fraud and computer crime include violations ranging from unauthorized access to data to malicious destruction of an organizationís information resources by a disgruntled employee. Advanced technology is being used to either commit or further almost every conceivable type of criminal activity. The weapons needed to combat these crimes are education and constant awareness of new technology as it appears on the market.
Another myth in need of debunking is that only large corporations are victims of computer crimes. Large corporations often employ intricate safety features to protect their computer systems from outside, as well as inside, attack. More frequently, small businesses are victimized. Due to the structure of smaller organizations and local government entities, separating duties is more difficult. With fewer employees, small companies often do not have the resources required to implement control measures and maintain independence. Common among small businesses is the attitude of immunity from computer crime: company employees are trusted and reliable enough not to require control measures and the organization is too small to be a target of computer crime. This attitude can leave an organization completely vulnerable and unprotected to both inside and outside computer attack.
COMPUTERS AND CRIME
Understandably, computer crime is most often thought of as a crime that is committed with the aid of a computer. But according to Donn B. Parker, a cybercrime authority and author, the role of the computer in crime is fourfold. In Fighting Computer Crime, Mr. Parker describes how the computer serves as an object, a subject, a tool, and a symbol.
Computer as an object: Computers and network systems are themselves often objects or targets of crime, subject to physical sabotage, theft, or destruction of information.
Computer as a subject: According to Parker, computers are the direct subjects of crime "when they are the environment in which technologists commit crimes." This category includes virus attacks.
Computer as a tool: Obviously, computers are used as the means to commit crime, whether embezzlement, theft of proprietary information, or hacking.
Computer as a symbol: Computers lend fraudsters an air of credibility and are often used to deceive victims into investment and pyramid schemes.
Effectively detecting and deterring computer crime requires familiarity with its various incarnations. The most common offenses involving use of a computer include:
DEFINING COMPUTER FRAUD
One definition of computer fraud that has been commonly utilized in the past is "any defalcation or embezzlement accomplished by tampering with computer programs, data files, operations, equipment, or media, and resulting in losses sustained by the organization whose computer system was manipulated." This definition can be somewhat limiting, considering the types of high-tech crimes that are now occurring within organizations. In some situations, employees have used company computer resources to further criminal acts that would not necessarily fall within the standard legal definition of fraud. For example, employees could use their companyís computers to run an illegal gambling operation, or an employee could use the company computer to compose and send (via e-mail) death threats. These types of incidents, although they cause no direct financial loss to the company, could raise potential liability questions and should be addressed by the companyís computer use policy and security program.
Instead, we will use a somewhat simpler definition published in 1989 by the U.S. Department of Justice to define computer fraud as "any illegal act for which knowledge of computer technology is used to commit the offense."
Today, a great deal of what is considered computer fraud is essentially copyright violations, such as in software piracy cases. But it is important to note the limitations of the copyright infringement statutes. Copyright infringement requires the proof of a culpable mental state on the defendantís behalf, meaning that the prosecution must prove the defendantís devious intentions. Thus, many copyright prosecutions fail. Infringement must be performed knowingly and with a willful intent in order to be punished. Therefore, reckless or negligent behavior will not be sufficient for a conviction.
With the rapid advent of computer technology, both federal and state laws have been unable to keep pace. Realizing the predicament facing the United States, courts today have used analogy and other devices to punish criminal activity in one way or another.
BASIC ELEMENTS OF COMPUTER FRAUD
Most states have some sort of computer abuse law, but there is a significant amount of inconsistency in how these laws are written and the definitions used. However, there are several basic elements that are generally consistent throughout these different statutes. The basic elements are that the perpetrator must:
DEFINING COMPUTER CRIME
Although the terms computer fraud and computer crime are often used interchangeably, they actually have different legal connotations. Computer crime differs from computer fraud in two major ways. Employees who, as a part of their normal duties, have access to the computers are deemed to have authorized access and thus do not come under the laws against unauthorized access. Manipulation (alteration) or destruction of data (including computer software) is independent of fraudulent or other schemes. Such action does not fit into the normal vandalism crimes because the data is intangible.
It is sometimes said that most computer fraud is not "computer crime" but involves the use of computers instead of other means to break the law. In some cases these traditionally illegal acts can yield more loot by recourse to the high speed of the computer. These are in reality computer-assisted crimes, and the existing criminal statutes can be appropriately applied to those crimes. However, where detection and proof problems are exacerbated by the involvement of electronic media, computer fraud laws are invaluable for effective prosecution.
In some cases, the computer is an active weapon. These kinds of cases are termed information crimes; the crime would not be possible without computer technology. Examples of information crimes include the theft of computer time, software, and data.
BASIC ELEMENTS OF COMPUTER CRIME
Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, and mischief, all of which are generally subject everywhere to criminal sanctions. The computer has also created potentially new misuses or abuses that may, or should, be criminal as well.
If a computer is involved, often the prosecuting authority will seek prosecution under both the traditional statutes and the computer crime statutes. For example, while attempting to prosecute under 18 U.S.C. ß1030 (The Computer Fraud and Abuse Act), the prosecution will also charge the defendant with mail fraud or possibly racketeering. In this way, if one charge fails, there will be a second or third charge to ensure punishment of the criminal activity. For a computer crime, the government prosecutor will bring numerous charges against the accused, present a strong-looking case, and then offer to trade a reduction in the number of charges in exchange for the defendantís guilty plea.
LEGISLATIVE PROBLEMS WITH DEFINITION AND APPLICATION
Existing legislation written at both the federal and state level has been inconsistent with the definitions of computer crime used in the statutes or in the type of criminal behavior that is prohibited.
The dilemma is how to define the term "computer" specifically enough to pass muster as a legal definition. Florida was the first state to define a computer as "an internally-programmed, automatic device that performs data processing." This definition appears adequate at first glance, but closer inspection reveals that it is too broad, encompassing electric typewriters, pocket calculators, and even childrenís toys in addition to computers.
Many times, state agencies without adequate legislation have tried to make the crime fit existing laws - usually theft, larceny, or theft of service statutes. But, depending upon how a state law defines "property," the electronic and magnetic impulses that make up computer data may not be considered to be property and may not be subject to being "stolen," according to the law. For example, a fraudster copies a computer file containing proprietary information from a company. In reviewing individual state laws and the applicable definitions, has anything really been stolen? Many state laws require that "property" be tangible and be physically removed before it can be "stolen." Is an electronic impulse tangible? When investigating an offense involving computer technology, the majority of state laws (and even the federal laws in some cases) may not be adequate.
LACK OF INTERNATIONAL LAW
Another critical issue in high-tech fraud is the inconsistency in international laws that pertain to computer fraud. With a global communications network such as the Internet, the odds have dramatically increased that the fraud may have been perpetrated in a foreign nation, or that records related to a portion of the communications transmission may have passed through another country. This can cause tremendous complications for anyone attempting to investigate a computer crime.
For example, a gambling casino in the principality of Monaco might create a Web site on the Internet and allow anyone to register (with their credit card information) and gamble online. This type of gambling activity is not illegal there. However, if a gambler who is located in Austin, Texas accesses this Web site from his home, he has violated the State of Texas gambling laws. Will the government of Monaco have an incentive to require their casino to provide information in a criminal offense to investigators in the State of Texas? Obviously, the differences in international law and culture will be difficult to overcome in these types of situations. How will investigators for the State of Texas enforce this law?
As referenced in the opening paragraph, our technological innovations have far outpaced our ability to record and track the amount of abuse that occurs through their use not to mention methods to apprehend the exploitive criminal. Law enforcement and private sector investigators have to work together to uncover these crimes. They must be innovative and resourceful utilizing existing tools and laws to combat these crimes.To learn more, you may contact us by telephone (203.264.6802) or via E-Mail: GENERAL E-MAIL CONTACT FORM.
Close this Window to return to the Services Page.