The legal framework for battling cybercrime rests on surprisingly few federal laws.
While enforcement officials and other experts seem largely satisfied with these statutes, new laws are in the works to combat increasingly sophisticated criminals. Also, the distinction between pure cybercrime - defined as a computer-based attack on computers, networks and data - and traditional crime such as fraud and theft continues to blur, further complicating the legal challenges.
One critical part of the legal framework is only now starting to get more systematic attention: the procedural rules that regulate investigations and evidence gathering - and protect civil rights.
The main federal cybercrime laws traditionally have been the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act. They form the foundation of digital law enforcement by defining and criminalizing unauthorized access to computers and the interception of electronic communications.
But many prosecutions involve these cybercrime laws coupled with traditional laws, such as those against mail and wire fraud, or in the case of the Federal Trade Commission, unfair and deceptive practices under the FTC Act.
Consider a number of recent federal cases, which show the range of cybercrime actions and federal priorities:
• Six men were indicted in Los Angeles on charges based on the Computer Fraud and Abuse Act, as well as money laundering and conspiracy, for allegedly hacking into the online ordering system of Ingram Micro and fraudulently ordering more than $10 million worth of computer gear to be shipped to locations in Romania and the U.S.
• Capping a 4-year-old case, a federal judge ruled that two companies and their principals were guilty of unfair and deceptive practices under the FTC Act for billing people for accessing Internet pornography sites that in fact were never accessed at all. The defendants, both now at large, have been ordered to repay nearly $18 million in phone charges.
• Operation Web-Snare, a joint effort by the Department of Justice and investigators from federal, state and local agencies, involved more than 150 separate investigations into a range of crimes covered by various cybercrime laws, including criminal spam, phishing, spoofed or hijacked accounts, international re-shipping schemes, cyber extortion, auction fraud, credit card fraud, identity theft and hacking.
• A former employee of Varian Semiconductor was charged under the Computer Fraud and Abuse Act with one count of intentionally damaging a protected computer when he hacked into a Varian server from his Indiana home and deleted the source code for a major new e-commerce application.
• A Florida man was charged with illegal access to servers at Acxiom, which manages personal, financial and corporate data, and downloading an estimated 8.2G bytes from an FTP server between April 2002 and August 2003. The charges were based in part on the Computer Fraud and Abuse Act.
These cases show that the distinction between cybercrime and traditional crime is blurring.
Criminals "don't care about definitions, they just keep figuring out ways to make more money more surreptitiously," says Paul Luehr, vice president with Stroz Friedberg and a former federal attorney who oversaw cyber investigations for the U.S. Attorney's office in Minnesota for four years. Spammers who used to just pitch Viagra are now soliciting for names, addresses and credit card information to perpetrate fraud, and hacking into mail servers and Web servers to hide their tracks, Luehr says.
The federal response to spamming is a good example of how the legal code is adapting and being enforced. Before the 2003 passage of the CAN-SPAM Act, law enforcement agencies used a range of existing statutes, including provisions of the Computer Fraud and Abuse Act and the wire fraud statute, to prosecute spamming. But as Assistant FBI Director Jana Monroe testified in Congress earlier this year, existing statutes didn't directly address a range of specific spamming actions, such as using widely available "open proxies" to bounce e-mail traffic through intermediary computers with the intent to hide the true location of the sender.
"Because of this, many investigators and prosecutors viewed cases based primarily on the sending of spam as unlikely to result in successful investigations and prosecutions," she testified. But CAN-SPAM criminalizes a range of spamming activities so that spammers now face criminal penalties. That's especially important because spamming now is seen as a favored means to start or run a wide array of frauds.
One result is that the Internet Crime Complaint Center (IC3), a joint effort by the FBI and the National White Collar Crime Center, has revamped its SLAM-Spam program. The IC3 is refining its databases, sharing data, and educating and training federal and state agencies. This outreach program covers such topics as anti-spam techniques spammers used, tactics to investigate spam schemes and the tools available to them via CAN-SPAM.