High Technology Crime Investigation Association Membership info and links to other security sites. Computer Crime & Investigations Center Links to papers on different types of computer crimes and security measures. Computer Crime and Intellectual Property Section Dept. of Justice site with documents related to computer crimes of all sorts. Beating back the hackers We looked at five tools that search for network security holes and found one that's World Class. Network World, 10/27/97. Anatomy of a friendly hack How to assess your enterprise security, correct vulnerabilities and thwart attacks. Network World, 2/2/98. A Web lesson learned A look at how the Dept. of Justice tightened security on its Web site. Network World, 7/28/97. Technology alone won't make you safe Tackle it as a management problem. Network world, 1/27/97.

By Susan Briedenbach
Network World, 2/16/98

Computer criminals are running rampant through cyberspace, picking corporate pockets from hideaways all over the planet. They operate on an electronic frontier that makes the Old Wild West look tame by comparison.

But there is no Matt Dillon or Wyatt Earp rounding up these outlaws. A legal system meant to deal with the physical world is having trouble coping with incorporeal crimes. There is little case law to fall back on and few statistics law enforcement agencies can use to make the case for bigger budgets to fight cybercriminals. On top of that, victims are reluctant to report security breaches, and the few criminals who do get caught often get the computer-related charges dropped when they plead guilty to other crimes.

All the while, the problem is getting worse. Whereas at one time most intruders were just curious youngsters in it for the thrill of the chase, an increasing number of intruders are engaged in industrial espionage for competitors and foreign governments. Because wealth is largely digital these days, computers are prime targets.

According to a recent study by WarRoom Research, a security consulting firm in Baltimore, in 1997 hackers successfully penetrated all of the surveyed Fortune 1000 companies. A whopping 56% of those companies said their systems were attacked 31 to 40 times. Law enforcement officials say industrial espionage accounts for much of the increase.

"Working undercover, I see a shift from the joy-ride hackers to the criminal hackers because there is money to be made,'' says Michael Menz, a Sacramento County detective and president of the Northern California chapter of the High Tech Crime Investigators Association (HTCIA). For example, hackers in St. Petersburg, Russia, were caught stealing some $12 billion from Citibank Corp.'s mainframes in New York.

To stem computer crimes, a couple of simple steps need to be taken. First, law enforcement agencies need to start maintaining statistics on security breaches in order to make a case that more resources are needed to combat them. And corporations need to come forward to report attacks and work with law enforcement to nab intruders.

A decade of blunders

"Legal systems are based on the physical universe,'' says Winn Schwartau, chief operating officer at The Security Experts, Inc., a global security consulting firm, in Seminole, Fla. "The concept of possession means something very distinct in the physical world. There are fundamental differences in cyberspace, where assets can be in more than one place at the same time.''

Congress started to address computer crimes as a special category in the mid-1980s and passed the Computer Fraud and Abuse Act (Title 18, Section 1030) in 1986.

But companies that reported computer crimes had trouble getting law enforcement officials to take an interest. Agencies passed the jurisdictional buck around, and victims had trouble quantifying damages.

In 1988, a 75-cent accounting shortfall alerted astrophysicist-turned-systems-administrator Clifford Stoll to the presence of a cracker who was using his Lawrence Berkeley Lab network as a jumping-off point for illicit excursions through one of the nation's military networks. The FBI wasn't interested because the lab couldn't demonstrate financial losses of at least $1 million.

Stoll didn't want the intruder to get away with this breach of the Internet community's trust and pursued the investigation at his employer's expense. Ten months and more than $100,000 later, Stoll's efforts (which he recounts in the book The Cuckoo's Egg) resulted in the exposure of a Soviet spy ring operating in West Germany.

"As we learned from that case, something that looks little might turn out to be very big, and vice versa,'' says Martha Stansell-Gamm, one of the principal attorneys in the Department of Justice's Computer Crime and Intellectual Property Section (CCIPS), in Washington, D.C. "There is no way to tell if an intruder is an international spy or a teenager collecting trophies.''

Law enforcement agencies blundered into the 1990s with a concerted crackdown that targeted bulletin boards allegedly functioning as hacker hangouts. But the first bulletin board system (BBS) seizure by federal agents - in Austin, Texas, on March 1, 1990 - was a mistake. The BBS actually was operated as a customer service by a legitimate business called Steve Jackson Games, which later sued the government and was awarded $51,000 in damages.

Steve Jackson Games was still trying to get its computer equipment back on May 8, 1990, when 150 Secret Service agents, backed by local law enforcement agencies, executed 28 search warrants in 13 cities around the country. Dubbed Operation Sundevil, the carefully planned strike "was dramatic and fear-inspiring at the inception but ended up a fiasco by most accounts,'' says Lance Rose, a Montclair, N.J.-based attorney who specializes in online law and author of Netlaw: Your Rights in the Online World.

Operation Sundevil netted some 42 computers, 25 BBSes and 23,000 floppy disks but resulted in only four arrests, and one was on an illegal-weapons charge. Most of the people whose property was seized were never charged with any crime, which raised the hackles of civil libertarians focusing on cyberspace issues. They banded together and formed the Electronic Frontier Foundation (EFF), now a major lobbying force for electronic civil liberties.

Congress tried to clear up some of the legal confusion by making adjustments to the Computer Fraud and Abuse Act in 1994, but the changes had some unexpected consequences that actually made things worse.

While attempting to broaden the statute, lawmakers inadvertently removed federal protection from certain government and financial-institution computers, decriminalized hacking activities and inappropriately criminalized certain insider conduct. Before they would prosecute, lawmakers also required that break-ins resulted in "damage'' without clearly defining the term.

According to a 1996 report to Congress by the U.S. Sentencing Commission (USSC), only 174 computer criminals were convicted under the statute during its first decade on the books. The USSC compared these individuals to other federal defendants and found that computer criminals were much better educated and typically had no criminal history.

Sentencing statistics were mixed. On the one hand, computer criminals received enhanced sentences for "abuse of position'' much more frequently than other white-collar defendants. On the other hand, sentences imposed on computer criminals were generally light; the courts never imposed penalties stricter than sentencing guidelines recommended.

The USSC study also found that the convicted computer criminals had "only a pedestrian level'' of computer expertise and tended to be insiders who had authorized access to portions of the computer systems they penetrated. Until 1996, at least, the typical computer crime defendant was not a highly skilled computer hacker conducting raids from the far reaches of cyberspace.

Following the USSC report, legislators overhauled the Computer Fraud and Abuse Act and renamed it the National Information Infrastructure Protection Act of 1996. Signed into law in October 1996, the statute covers any computer connected to the Internet or telephone network.

Lawmakers eased, and in some cases eliminated, the requirement that victims must demonstrate a certain level of monetary loss. In fact, they made the very act of unauthorized access to information a crime. Computer intruders now are breaking the law just by reading the information online - they don't even have to download a copy.

The law also includes a careful distinction between public and private computers. Consequently, visitors can't construe the presence of a Web server on a private network as an invitation to prowl around in other areas of that network. A section of the law also addresses threats against computers, networks, programs and data.

In other changes to the statute, legislators broadened the definition of damage and eased the definition of recidivism. A criminal no longer needs to break the same part of the law twice to qualify as a repeat offender subject to stiffer penalties.

Quantifying the problem

Just how prevalent network intrusions are is a matter of conjecture. EFF members say government agencies are exaggerating the problem considerably to justify greater funding and an expansion of their powers. The EFF points out that there are no statistics showing that computer crime is increasing relative to the growth of the Internet and the number of people using it.

"You can't get the citizens of the United States to let you rip up the Bill of Rights without the specter of absolute doom,'' says Giles McNamee, senior vice president of technology research for investment banker First Albany, in Boston. "And with no facts to substantiate anybody's case, you can build as big a picture of doom as you want.''

The FBI still does not include computer crime as a category in its annual crime-statistics report. One problem is that many cases are resolved when perpetrators who have been charged with several crimes plead guilty to just one of them.

Because computer crime is still a new and rather uncertain area that lacks a big body of case law, it is the computer-related charges that tend to get dropped during the plea-bargaining process.

The lack of solid statistics is a sore point with some local law enforcement officials. "When you ask for the budget to equip and train special computer crime units, people say computer crime is not that much of an issue,'' says Gail Thackeray, a deputy county attorney for Maricopa County in Phoenix. "And you can't prove that it is because there aren't any statistics.

"If the FBI can track gang-related crime, they should be able to do the same for computer-related crime,'' she says.

Meanwhile, "nobody has a good empirical measure of the nature and scope of computer crime,'' Justice Department attorney Stansell-Gamm says. People have to rely instead on numbers derived from studies by industry groups in the private sector.

The Computer Security Institute's (CSI) 1997 Computer Crime and Security Survey of U.S. corporations, government agencies and universities found that 47% of the respondents had suffered at least one attack from the outside in the previous 12 months. Security breaches cost the 249 organizations that had been attacked more than $100 million, or an average of $400,000 each.

Experts are quick to point out that these numbers are quite conservative because they represent only the attacks the victims noticed.

The Defense Information Systems Agency's Automated Systems Security Incident Support Team has performed penetration testing in which standard hacking techniques were used to attack systems in the Defense Information Infrastructure community. In the most recent test, 88% of the attacks were successful. Systems administrators only noticed 5% of these penetrations and subsequently reported only 5% of the detected incidents.

"So for every reported incident, there are something like 400 intrusions that go undetected,'' Stansell-Gamm says. Experts use the results of this controlled study to estimate the levels of nondetection and underreporting on corporate networks.

The cost of silence

Law enforcement efforts are stymied because victims generally don't report network and computer intrusions. Companies don't want customers, investors and competitors to know when security has been breached, so many of them have steadfastly remained silent about cracker attacks.

"The problem is corporate cowardice,'' says Thom Stark, president of Stark Realities, a network consultancy, in El Cerrito, Calif. "Is it stupid and counterproductive? Of course it is. Why do you think Dilbert is so popular?''

In the CSI study, less than 18% of the intrusions the victims noticed were reported to the authorities. Two-thirds of the companies that decided not to report incidents said fear of bad publicity kept them from coming forward.

Companies also are concerned about the cost and inconvenience of cooperating with law enforcement investigations and legal proceedings.

"If you're a medium-size company, they can drown you in discovery,'' says Robert Gezelter, a security consultant in Flushing, N.Y., who has served as an expert witness in computer crime cases. "That has a chilling effect. It's not like a conventional crime where police come in and bag the evidence and that's the last you hear about it until the trial.''

The situation is frustrating for police and prosecutors. "We have victims who weren't very bright about securing their systems in the first place, and then they don't want to cooperate with law enforcement when there is a break-in,'' Thackeray says.

Law enforcement officials insist they are more sensitive to cost issues these days and don't expect to be able to freeze up network systems for weeks on end while they investigate. It is heart surgery, not car repair, and it has to be done while the patient is breathing.

Reporting must pick up if law enforcement agencies are going to expand their computer-crime-fighting capabilities. The agencies already have their hands full with the cases being reported, but they need a backlog.

"Without this excess demand, it will be very difficult for us to get the resources we need,'' says Jim Christy, an Air Force special agent and the Department of Defense representative on the Infrastructure Protection Task Force, in Washington, D.C. "We are always going to be one step behind the bad guys, and we can't catch all of them. But if we hear about them, we will at least find out what they did and learn about their tradecraft, and that can help us to take appropriate countermeasures.''

Law enforcement improves

Tsutomu Shimomura's bestseller Take-Down, which recounts the pursuit and capture of computer outlaw Kevin Mitnick three years ago, paints a pretty sorry picture of law enforcement. However, three years is an ice age in cyberspace, and experts say big strides have been made since then.

"We're a lot better than we used to be, even three years ago,'' Stansell-Gamm says. "You might be surprised at the quality of our investigators and ready-assistance prosecutors, and at the networks we've built internationally.''

A federal training center in Georgia started offering computer-crime training in the early '90s. Since then, thousands of federal and local law enforcement officers have gone through the two-week course.

Each of the country's 94 federal judicial districts now has a designated computer and telecommunications coordinator. These specialized prosecutors get additional training at least once a year.

"The change is somewhat erratic across various jurisdictions, but there are cells of police in different areas that are getting more and more involved," says Abigail Abraham, an assistant state attorney in the Cook County State's Attorney's Office, in Chicago. Also, the young recruits out of high school and college these days have had more exposure to computers.''

A number of states - including California, Florida, Georgia, Illinois and New York - have been focusing extensive efforts on combating computer crime. Some have been giving the feds a lesson or two.

By 1993, New York had two trained computer-crime investigators in each of the state police's 10 troops. And in 1996, Nassau and Suffolk counties and New York City launched their own computer crime units.

"More than 90% of the complaints we receive result in arrests,'' says Don Delaney, a senior investigator and veteran computer crime specialist in the New York State Police's major case squad, in Farmingdale, N.Y. "And there's no minimum damage amount that victims have to demonstrate.''

In 1995, four counties in the Sacramento, Calif., area assembled a high-tech crimes task force that is now viewed as the national model and is feared by criminals. "Hackers tell each other, 'Don't mess around in Sacramento because they've got computer cops,'" Sacramento County Detective Menz says.

Well-trained investigators are the key, and the task force put more than 1,000 officers through special courses in 1997. The California State Assembly's Public Safety Committee is looking to expand these efforts in 1998 through legislation that would make computer law enforcement training mandatory for all officers who have field or investigative duties - a step other states should consider.

Fixing the problem

Any effort to keep cyberspace safe for business must start with the victims. Delaney says most of the cases the New York State Police have investigated could have been prevented with good security practices. (For more information, see Network World's special section on securing the Web, Feb. 2, page 35.)

When the best security is breached from time to time, be ready to respond by preserving evidence and contacting the right authorities immediately.

"Make it a point to find out who handles computer crime in the local white-collar crime unit - police or FBI or whatever - and get to know them,'' advises Jim Patterson, vice president of security and telecommunications at Oppenheimer Funds, in Denver. He suggests that network administrators familiarize themselves with computer crime laws and rules of evidence so they know what kinds of records to keep.

Law enforcement agencies need to foster relationships with businesses through outreach efforts. For example, local chapters of the HTCIA provide a forum for law enforcement officials to meet regularly with local businesses. This can foster a sense of community that makes companies more likely to come forward when they are victimized.

Jurisdictional complexities have been the computer criminal's best friend, and they need to be addressed by some type of centralization. Investigative jurisdiction has always been based on geography, which is the wrong paradigm for cyberspace. Hackers hop across multiple jurisdictions in seconds as they commit their crimes.

"It's a procedural problem,'' Thackeray says. "Can I get subpoenas honored by 43 different carriers in different jurisdictions fast enough to do some good?''

Suggestions for centralization include a na-tional task force that incorporates state and local jurisdictions and serves as a mechanism for sending cases to one particular court. "Maybe we need a new type of cyber court,'' special agent Christy says.

Centralization would provide some consistency of crime categorization and case management in this emerging area of the law and help law enforcement agencies share information in a more systematic way. These are prerequisites to coming up with better computer-crime statistics - something law enforcement desperately needs to do.

Pooling resources also would help agencies make better use of the few prosecutors who are computer savvy.

"There aren't a lot of lawyers out there who are part computer scientist and part prosecutor, and the few who exist can make a lot more money outside of government,'' says Andrew Grosso, a former U.S. attorney who has master's degrees in computer science and physics. Grosso is now in private practice in Washington, D.C.

Centralization also could help law enforcement to choose the right cases to prosecute.

Even a little bit of prosecution might have a big deterrent effect if it's applied carefully, says Eugene Volokh, a professor at UCLA Law School. "We're dealing with people who are not professional criminals, and they may be scared off by the possibility of arrest and incarceration. They aren't like professional criminals who factor these things in as part of the cost of doing business,'' he says.

The next generation

Last but not least, parents, teachers and industry leaders need to do a much better job educating children about the proper use of computers.

"The adult world is unanimous in its condemnation of certain things, like stealing physical objects and peeping in windows,'' Stansell-Gamm says. "Before we give kids the keys tothe car, we make sure they understand that society expects them to respect some limits or suffer the consequences and lose the privilege. In the computer world, teachers aren't teaching these ethical limits because they don't know they have to.''

Technology leaders need to speak out, too, because what they say resonates with the types of kids who be-come hackers. These youths will listen to a Bill Gates or Mitch Kapor in ways they will never listen to parents, teachers and law enforcement officials.

If kids are reached early enough, the effort can probably prevent crime and subsequent law enforcement later on.

"In the long run, the best overall defense is to reduce the number of individuals who are so alienated from the social fabric that they engage in such destructive or otherwise illegal acts,'' says David Johnson, legal counsel for the EFF, in Washington, D.C.

Breidenbach is a consultant and freelance writer in San Mateo, Calif. She can be reached at sbreidebach@usa.net.