At first glance, it seems obvious that crime extends well beyond the boundaries of technology and computers.
However, a closer analysis illuminates some related issues. These include questions concerning what cybercrimes consist of, how serious a threat they are to organizations, and who can handle an incident without causing even more complications.
Advances in technology have allowed criminals to create whole new categories of offenses such as cracking and performing unlawful network intrusions. Also, the use of technology to facilitate more 'traditional' crimes, such as fraud, is becoming more common due to the relative ease with which a moderately proficient criminal can remain anonymous while perpetrating a 'cybercrime.' This approach is subtle, and a basic understanding of computer crime is necessary in order to plan sufficient protection for your personal or organizational assets.
Although specific offenses may vary widely between jurisdictions, here cybercrime is broken into three general and frequently overlapping categories:
1. A computer can be the target.
2. A computer can be used as the means of a crime.
3. A computer holds the evidence of a crime.
The first category includes offenses such as theft of intellectual property and sensitive or proprietary information. This is generally considered to be information that has potential monetary value to the company. However, there may be another complication. According to the U.S. Uniform Trade Secrets Act, if a company has not taken formal steps adequate to ensure the safety of this information, then it probably wouldn't be considered a trade secret in court. This raises the question: if a cracker can get the information, was it really a trade secret?
This category also includes corporate espionage and the violation of privacy (concerning anything from financial records to family medical history, which has become more complicated in the United States with the new regulations contained within HIPAA). This type of activity may or may not leave lasting damage to the computer and/or data.
The second type includes credit card fraud, stalking, extortion, forgery, ATM fraud, identity theft and telecommunications fraud. Other crimes in this category actually require the existence of technology in order for a crime to occur at all. This area includes software piracy, hardware and software theft, copyright, patent and trademark violations of Internet material (here think Amazon.com vs. BarnesAndNoble.com as well as Napster), web site defacement, the spreading of computer viruses and worms, and denial-of-service attacks.
In the final category, the crime may not directly require the use of the computer, but is ancillary to it. Examples for this category may include anything on storage media that may relate to a crime or be used as evidence. Information concerning drug selling, malfeasance, bookmaking and money laundering usually falls in this category.
The categories above show that cybercrime has already encompassed most of the traditional areas of crime, and the continued growth of computer use in all areas of life lends support to the idea that at some point, category number three will contain a majority of those remaining.
In 2000 the International Data Corporation (IDG) reported that the U.S. Secret Service had started to seriously expand its electronic crimes special agent program in order to be prepared for what they called "the crime of the future." The statistics provide support for this action. The 2002 FBI/CSI Computer Crime and Security Survey results emphasize just how seriously cybercrime has affected business. This survey shows an increase in incidents coupled with a decrease in reporting those incidents to law enforcement. This may indicate a significant increase in the number of organizations that are handling incidents internally and may be developing their own digital forensic capabilities.
In both January and March of this year IDG reported increases in firms that are either sending employees to get trained in forensic techniques or calling in experts to perform investigations for them. These are excellent options in that it is vital to have fully trained forensic examiners handle any incident. However, those companies that are turning neither to law enforcement nor to their own trained internal personnel to take care of incidents should proceed carefully when 'outsourcing' this type of activity. It is vital that they have a full understanding of the local regulations relevant to performance of an investigation.
For example, in Virginia, USA, some of the actions involved when a non-law enforcement or non-government individual performs a forensic investigation (with the intention of obtaining information concerning injuries to persons or property that will be submitted to a court, officer or investigative committee) require that the person conducting the investigation be registered as a private investigator and be employed by a licensed private security services business (VAC Title 9.1-138). In other words, they can't be a friend who has a day job as a network administrator somewhere else. Violation of this code is punishable as a class 1 misdemeanor (VAC Title 9.1-149). Thus, trying to investigate a cybercrime without the properly trained and licensed personnel may also become a crime.
This example illustrates how our attempts to consider age-old concepts of crime and consequences within a new context require that we also recognize the changes that must occur in that context as a result. Although there have been great strides made in 'cyberlegislation,' many of the laws currently being applied to cybercrime were created for 'traditional' crime and fit poorly within the context of technology-enabled crime.
It is in this new context, where power is measured by the control of information, that the question of whether all crimes are becoming cybercrimes is finally answered. Crime, by its very nature, is an action intended to gain power, either by destruction or acquisition of something that belongs to someone else. If power is in information, and information lives in cyberspace, then to some degree, all crimes truly are becoming cybercrimes.
Thresa Lang is a security and training consultant who also teaches information systems protection at the George Washington University. She is a Cisco certified network associate (CCNA), a systems analyst and a CISSP instructor.