According to a 2009 study conducted by the McAfee antivirus company and entitled “Unsecured Economies: Protecting Vital Information,” data theft and breaches from cybercrime likely cost businesses whose networks were hacked as much as $1 trillion globally. This huge cost included both losses in intellectual property rights as well as expenditures for losses in productivity and network damage repair. These cost projections were based on the survey responses of more than 800 chief information officers in the United States, Germany, the U.K., Japan, China, India, Dubai, and Brazil. Respondents said that the breaches amounted to about $4.6 billion in losses, and the repairs were estimated to be as high as $600 million (Mills 2009).
The respondents conjectured that the recent global economic recession had increased the security risks for business and government networks, given that over 40 percent of displaced or laid-off employees were the main threat to sensitive and proprietary information found on networks. When asked which countries posed the biggest threats as state cybercriminals, there were marked differences. Over 25 percent of the overall survey respondents said that they avoided storing data on networks in China because of their likelihood of being attacked, while about 47 percent of the Chinese respondents suggested that the United States poses the biggest threat to the security of their online data (Mills 2009).
I. Cybercrime and Hackers Defined
II. The Four Critical Elements of Traditional Crimes and Cybercrimes
III. The Changing Virtual Landscape and Presenting Challenges
IV. Measures Governments Worldwide Have Enacted to Curb Cybercrime
Cybercrime and Hackers Defined
The growth and spread of the Internet globally within the past 20 years has fostered the growth of a variety of online crimes as well as national cybersecurity strategies and laws aimed at curbing these unwanted behaviors. In fact, an interesting debate has developed concerning the definition of online crimes, one using the terms “cybercrime” (or “cyber crime”) and “computer crimes.” Typically, cybercrimes occur because an individual uses his or her special knowledge of cyberspace for personal or financial gain, and computer crimes typically involve a special knowledge of computer technology. Moreover, the interrelated nature of these behaviors further complicates the definition process; thus, many experts and the media seem to utilize these two terms interchangeably (Furnell 2002). The term “cybercrime” is used here to refer to any crime completed on or with a computer.
Broadly speaking, cybercrime includes such activities as electronic commerce, intellectual property rights (IPR) or copyright infringement, privacy rights infringement, and identity theft—a type of fraud. The domain of cybercrime also includes online child exploitation, credit card fraud, cyberstalking and cyberbullying, defaming or threatening other online users, gaining unauthorized access to computer networks (commonly known as “hacking”), and overriding encryption to make illegal copies of software or movies. Although the parameters constituting such unlawful acts, as well as the penalties associated with them, vary from one jurisdiction to another globally, this continually evolving list of common cybercrimes is relevant and globally applicable (Schell and Martin 2006).
Some experts further suggest that cybercrimes are not all that different from traditional crimes. Whereas cybercrimes occur in an online environment, traditional crimes occur terrestrially. One of the best known cybercrime typologies classifies behavior along lines similar to those found in traditional crime typologies (Wall 2001).
Cybercrimes tend to include two common criminal acts: trespassing (defined as entering unlawfully into an area to commit an offence) and theft (defined as taking or exercising illegal control over the property of another to deprive the owner of that asset) (Furnell 2002).
Individuals who break into networks to cause damage or to receive personal or financial gain are commonly referred to in the media as “hackers,” but many in the computer underground insist that the more appropriate term for the mal-inclined techies wreaking havoc on networks is “cracker” or “Black Hat.” Talented tech savvies paid by industry and governments to find vulnerabilities in software or networks are known in the computer underground as “White Hats” (Schell, Dodge, and Moutsatsos 2002).
As technologies evolve, so do the cybercriminal activities and labels. For example, the threat posed by a new form of cybercrime called “carding”—the illegal acquisition, sale, and exchange of sensitive online information—has increased in recent years (Holt and Lampke 2010). Those who engage in such activities are known simply as “carders.”
Today, the major types of cybertrespassing and cybertheft include but are not limited to these categories (Schell and Martin 2004):
- Flooding: a form of cyberspace vandalism resulting in denial of service (DoS) to authorized users of a Web site or computer system
- Infringing intellectual property rights (IPR) and copyright: a form of cyberspace theft involving the copying of a target’s copyright-protected software, movie, or other creative work without getting the owner’s consent to do so
- Phreaking: a form of cyberspace theft or fraud conducted by using technology to make free telephone calls
- Spoofing: the cyberspace appropriation of an authentic user’s identity by nonauthentic users, causing fraud or attempted fraud and commonly called “identity theft”
- Virus and worm production and release: a form of cyberspace vandalism causing corruption and maybe even the erasing of data
The Four Critical Elements of Traditional Crimes and Cybercrimes
According to legal expert Susan Brenner (2001), both traditional land-based crimes and cybercrimes cause harm—to property, to persons, or to both. Furthermore, as in the real world, in the virtual world there are politically motivated crimes, controversial crimes, and technical nonoffenses. In U.S. jurisdictions and elsewhere, traditional and cybercrimes involve four key elements:
- Actus reus (the prohibited act or failing to act when one is supposed to be under duty to do so)
- Mens rea (a culpable mental state)
- Attendant circumstances (the presence of certain necessary conditions)
- Harm (to persons, property, or both)
Perhaps an example or two will illustrate more clearly these critical elements. One of the best-known cyberstalking-in-the-making cases reported in the popular media of late involved a young man named Eric Burns (also known by his online moniker Zyklon). Burns’s claim to criminal fame was that he attacked the Web pages of about 80 businesses and government offices whose pages were hosted by Laser.Net in Fairfax, Virginia.
An obviously creative individual, Burns designed a program called “Web bandit” to identify computers on the Internet that were vulnerable to attack. He then used the vulnerable systems to advertise his love for a high school classmate named Crystal. Through his computer exploits, Burns was able to advertise worldwide his unrelenting love for Crystal in the hope that if he could get her attention, he could have her longer-term. Unfortunately, the case did not end on a happy note for Burns. After he was caught and convicted by U.S. authorities, the 19-year-old pleaded guilty to defacing Web pages for NATO and Vice President Al Gore. In November 1999, the judge hearing the case ruled that Burns should serve 15 months in U.S. federal prison for his illegal exploits, pay more than $36,000 in restitution, and not be allowed to touch a computer for 3 years after his supervised prison release. Ironically, Crystal attended the same high school as Burns but hardly knew him. In the end, she helped the authorities capture him (U.S. Department of Justice 1999).
Citing the four elements of cybercrimes, cyberperpetrator Burns gained entry into computers and unlawfully took control of the property—the Web pages owned by NATO and Vice President Al Gore. Burns entered with the intent of depriving the lawful owner of error-free Web pages (mens rea). By society’s norms, Burns had no legal right to alter the Web pages by advertising his love for Crystal; he was not authorized to do so by the rightful owners (attendant circumstances). Consequently, Burns was liable for his unlawful acts, for he illegally entered the computer networks (i.e., criminal trespass) to commit an offense once access was gained (i.e., data alteration). As the targeted users realized that harm was caused to their property, the judge hearing the evidence ruled that Burns should be sent to prison for his criminal actions as well as pay restitution.
In recent times, there have also been some alleged cybercrimes involving harm or death to Internet-connected persons. For example, in late May 2010, a U.S. judge ordered a former Minnesota nurse facing charges in the suicides of two individuals to keep off the Internet until the cybercriminal case is heard and resolved. William Melchert-Dinkel, aged 47, appeared in a Minnesota court on “assisted suicide” charges. The father of two children is accused of coaxing Nadia Kajouji, an 18-year-old Canadian student, and Mark Dryborough, a 32-year-old British man, to commit suicide. Police allege that Melchert-Dinkel met both in online suicide chat rooms. According to court documents, this alleged cybercriminal had made online suicide pacts with about 10 or 11 individuals all over the world—indicating that, unlike most land crimes, the Internet has no geographical boundaries. Apparently Melchert-Dinkel would go into chat rooms using the monikers “carni,” “Li Dao,” or “falcon.girl,” introducing himself as a female nurse. He seemed to use his medical knowledge to offer advice on suicide methods to online users seeking such. The charges are believed to represent the first time that assisted suicide laws—commonly used in mercy killing cases—have been applied to the virtual world. The teenaged victim in this bizarre case was studying at a university when she drowned herself two years ago, apparently on the advice of Melchert-Dinkel (Doolittle 2010).
The Changing Virtual Landscape and Presenting Challenges
There is little question that the virtual landscape has changed considerably just in the last 10 years, for in North America and globally, more people have become connected to the Internet, largely because of increasing affordability. Using Canada as one case in point, according to Statistics Canada, in 2009, some 80 percent of Canadians aged 16 and over used the Internet for personal reasons—a figure that shows an increase in usage by 7 percent since 2007 (the last time the survey was conducted). In short, almost 22 million Canadians aged 16 or over are active in the virtual world. Affordability, however, remains a key factor. Although there is a 94 percent Internet usage in Canadian households when income levels exceed $85,000 a year, there is only a 56 percent Internet usage in households where the income is less than $30,000 a year. Developing economies as well as developed economies see the economic sustainability importance of having citizens Internet-connected. According to a 2009 Internet World Stats study, China is, in fact, the number 1 most online-connected location worldwide (El Akkad 2010).
In fact, the virtual world is becoming so crowded on a nationwide basis that the Internet as we know it today seems to be reaching its limits. Some experts have estimated that quite soon—and likely before 2012—the number of new devices able to connect to the World Wide Web will plummet as the world exhausts its IP addresses—unique codes providing access to the Internet. Part of the problem is that the Internet was built around the Internet Protocol Addressing Scheme version 4 (IPv4), having about 4 billion addresses and now running low. Back in the 1970s, when the Internet was just becoming popular, 4 billion addresses probably seemed like plenty. Internet Protocol Addressing Scheme version 6 (IPv6) is on its way in, having trillions more addresses available and ready for the taking. The problem, say the experts, is that businesses and governments are slow in adapting their technology to IPv6. Thus there is the fear that there could be a major online crunch before 2012 (Kesterton 2010).
As more and more citizens become Internet-connected, new opportunities for communicating and exchanging information with others online come into existence, such as the development and growth of popular social networks like Facebook. However, accompanying the positive evolution of Internet usages is the dark side, whereby tech-savvy criminals continually search for new ways to cause harm to property and to persons in the virtual world.
Faced with stricter Internet security measures worldwide, some mal-inclined spammers, for example—marketers conning online users to buy their products or services after deriving mailing lists from many online sources, including scanning Usenet discussion groups—have now begun to borrow pages from corporate America’s economic sustainability rule books: They, too, are outsourcing. Sophisticated spammers are now paying tech-savvy folks in India, Bangladesh, China, and other developing nations to overcome tests known as “captchas,” which ask Internet users to type in a string of somewhat obscured characters to prove that they are human beings and not spam-generating robots. (“Captchas,” pioneered by Luis von Ahn, a computer science professor at Carnegie Mellon, is an acronym for “completely automated public Turing test to tell computers and humans apart.”)
The current charge-out rate for the borrowed talent ranges from about 80 cents to $1.20 for each 1,000 deciphered boxes, based on estimates provided by online exchanges like Freelancer.com, where many such projects are bid on weekly. Where jobs are scarce, becoming involved in such a money-making proposition provides a way for some hungry online citizens to avoid starving to death. Professor von Ahn says that the cost of hiring people, even as cheaply as it may appear, should limit the extent of such operations, since only profitable spammers who have already determined various ways to make money through devious online techniques can afford such operations. Some of these outsourced operations appear to be fairly sophisticated, involving brokers and middlemen. Large enterprises, such as Google, that utilize captcha technology argue that paying people to solve captchas proves that the tool is working, at least in part, as an effective anticybercrime measure (Bajaj 2010).
There is little question that, globally, cybercrime in recent years has become more “organized,” often involving underground gangs and Mafia-like hierarchies hiring needed talent to get the cybercrime job done and keep the coffers flush with cash. Since 2002, botnets, in particular, are recognized as a growing problem. A “bot,” short form for “robot,” is a remote-controlled software program acting as an agent for a user (Schell and Martin 2006). The reason that botnets are anxiety-producing to organizations and governments alike is that mal-inclined bots can download malicious binary codes intended to compromise the host machine by turning it into a “zombie.” A collection of zombies is called a “botnet.” Although botnets have been used for spamming and other nefarious online activities, the present-day threat is that if several botnets form a gang, they could threaten—if not cripple—the networked critical infrastructures of most countries with a series of coordinated distributed denial of service (DDoS) attacks, bringing nations’ economies to a standstill (Sockel and Falk 2009).
Botnets have been crafted by individuals not intentionally out to cause harm to property or persons but who are later co-opted into gangs with alternative motives. Sometimes the creators of the botnets are later blamed for the damages caused.
For example, in a New Zealand hearing held on July 15, 2008, Justice Judith Potter discharged without conviction Owen Walker, a teenage hacker involved in an international hacking group known as “the A-Team” (Farrell 2007). Walker was alleged to have been engaged in some of the most sophisticated botnet cybercrime ever seen in New Zealand. Even though Walker pleaded guilty to six charges during his trial—including accessing a computer for dishonest purposes and damaging or interfering with a computer system—he walked away from the courthouse without going to jail. Walker was part of an international ring of 21 hackers, and his exploits apparently cost the local New Zealand economy about $20.4 million in U.S. dollars. Had he been convicted, the teen could have spent up to seven years in prison.
In his defense, Walker said that he was motivated to create bots not by maliciousness but by his intense interest in computers and his need to stretch their capabilities—the line often cited by White Hat hackers as justification for their exploits (Gleeson 2008). The judge ordered Walker to pay $11,000 in costs and damages, although the botnet creator said that he did not receive any of the approximately $32,000 “stolen” in the course of the cybercrime in question (Humphries 2008).
Measures Governments Worldwide Have Enacted to Curb Cybercrime
Clearly, the continually evolving nature of cybercrime has caused considerable consternation for governments globally. It is tough for governments and their authorities to stay ahead of the cybercriminal curve because the curve keeps changing. Moreover, there is a widespread belief that if cybercriminals are to be stopped in their tracks and dealt with by the global justice system, countries must work together to stop this online “problem,” which knows no boundaries. Simply stated, as the nature of cybercrime has evolved from single-person exploits to international cybergangs and Mafia-like structures, the need for more effective legal structures to effectively prosecute and punish those engaged in such costly behaviors has also increased exponentially.
In the United States in particular, most newsworthy cybercrime cases have been prosecuted under the computer crime statute 18 U.S.C. section 1030. This primary U.S. federal statute criminalizing cracking was originally called the Computer Fraud and Abuse Act (CFAA), modified in 1996 by the National Information Infrastructure Protection Act and codified at 18 U.S.C. section 1030, Fraud and Related Activity in Connection with Computers. If caught in the United States, crackers are often charged with intentionally causing damage without authorization to a protected computer. A first offender typically faces up to five years in prison and fines up to $250,000 per count, or twice the loss suffered by the targets. The U.S. federal sentencing guidelines for cracking have been expanded in recent years to provide longer sentences if exploits lead to the injury or death of online citizens—such as the recent case involving allegations against American William Melchert-Dinkel. In the United States, targets of cybercrimes can also seek civil penalties (Evans and McKenna 2000).
After the September 11, 2001, terrorist attacks on the World Trade Center and the Pentagon, the U.S. government became increasingly concerned about terrorist attacks of various natures and increased homeland security protections. To this end, the U.S. Congress passed a series of laws aimed at halting computer criminals, including the 2002 Homeland Security Act, with section 225 known as the Cyber Security Enhancement Act of 2002. In 2003, the Prosecutorial Remedies and Tools against the Exploitation of Children Today Act (PROTECT Act) was passed to assist law enforcement in their efforts to track and identify cybercriminals using the Internet for child exploitation purposes. Also in 2003, the CAN-SPAM Act was passed, aimed at decreasing the harm issues raised by online spammers.
President Barack Obama has identified cybersecurity as one of the most serious economic and national security challenges facing the United States today—a challenge that he affirmed the United States was not adequately prepared to counter effectively. Shortly after taking office, Obama ordered a complete review of federal efforts to defend the U.S. information and communication online infrastructure and the development of a more comprehensive approach for securing the information highway.
In May 2009, Obama accepted the recommendations of the Cyberspace Policy Review to select an executive branch cybersecurity coordinator who would have regular access to the president and to invest hugely into cutting-edge research-and-development efforts to meet the present-day digital challenges. The president also wanted to build on the Comprehensive National Cyber Security Initiative (CNCI) launched by President George W. Bush in the National Security Presidential Directive of January 2008. President Obama has also called on other nations to develop similar comprehensive national cybersecurity policies and action plans as a means of securing cyberspace for online citizens worldwide (U.S. National Security Council 2010).
Other countries have followed the U.S. lead and cries for virtual world interventions. For example, on May 28, 2010, the Canadian government announced its National Strategy and Action Plan to Strengthen the Protection of Critical Infrastructure (Public Safety Canada 2010). Other countries have also enacted anti-intrusion legislation similar to the crime statute 18 U.S.C. section 1030 enacted in the United States. For example, section 342.1 of the Canadian Criminal Code is aimed at a number of potential harms, including theft of computer services, invasion of online users’ privacy, trading in computer passwords, and cracking encryption systems. Moreover, breaking the digital encryption on a movie DVD—even if copying it for personal use—would in the near future make individual Canadians liable for legal damages up to $5,000 if a tougher copyright law proposed by the present Canadian federal government is enacted in 2010 (Chase 2010).
Finally, it must be emphasized that although the battle to keep cybercriminals at bay is a problem that will continue into the future, countries worldwide are committed to putting sizable resources into meeting the challenge. The Global Cyber Law Survey of 50 countries recently found that 70 percent of these had legislation against unauthorized computer access as well as against data tampering, sabotage, malware or malicious software usage, and fraud.
Bernadette H. Schell
- Bajaj, Vikas, “Spammers Pay Others to Answer Security Tests.” New York Times (April 25, 2010).
- Brenner, Susan W., Cybercrime: Criminal Threats from Cyberspace. Santa Barbara, CA: Praeger, 2010.
- Chase, S., “New Bill Cracks Down On Copyright Pirates.” Globe and Mail (June 3, 2010): A4.
- Doolittle, R., “Internet Ban for Man Accused in Teen Suicide.” Toronto Star (May 26, 2010): GT2.
- El Akkad, O., “Communications: Canadian Internet Usage Grows.” Globe and Mail (May 11, 2010): B9.
- Evans, M., and B. McKenna, “Dragnet Targets Internet Vandals.” Globe and Mail (February 10, 2000): A1, A10.
- Farrell, N., “Hacker Mastermind Has Asperger Syndrome.” New Zealand Herald (December 3, 2007). http://www.theinquirer.net/inquirer/news/1038901/hacker-mastermind-asperger-syndrome
- Furnell, S., Cybercrime: Vandalizing the Information Society. Boston, MA: Addison Wesley, 2002.
- Gleeson, Sheenagh, “Freed Hacker Could Work for Police.” New Zealand Herald (July 16, 2008). http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10521796
- Holt, T. J., and E. Lampke, “Exploring Stolen Data Markets On-Line: Products and Market Forces.” Criminal Justice Studies 33, no. 2 (2010).
- Humphries, M., “Teen Hacker Owen Walker Won’t Be Convicted.” July 17, 2008. http://www.geek.com/news/teen-hacker-owen-walker-wont-be-convicted-576604/
- Kesterton, M., “Social Studies: A Daily Miscellany of Information.” Globe and Mail (May 31, 2010): L6.
- McQuade, Samuel C., III, ed., Encyclopedia of Cybercrime. Westport, CT: Greenwood Press, 2009.
- Mills, Elinor, “Study: Cybercrime Cost Firms $1 Trillion Globally.” January 28, 2009. http://news.cnet.com/8301-1009_3-10152246-83.html
- Public Safety Canada, “Ministers Announce National Strategy and Action Plan to Strengthen the Protection of Critical Infrastructure.” May 28, 2010. http://www.publicsafety.gc.ca/cnt/nws/nws-rlss/2010/20100528-eng.aspx
- Schell, B. H., J. L. Dodge, and S. S. Moutsatsos, The Hacking of America: Who’s Doing It, Why, and How. Westport, CT: Quorum Books, 2002.
- Schell, B. H., and C. Martin, Webster’s New World Hacker Dictionary. Indianapolis, IN: Wiley, 2006.
- Schell, B. H., and C. Martin, Cybercrime. Santa Barbara, CA: ABC-CLIO, 2004.
- Sockel, H., and L. K. Falk, “Online Privacy, Vulnerabilities, and Threats: A Manager’s Perspective.” In Online Consumer Protection: Theories of Human Relativism, ed. K. Chen and A. Fadlalla. Hershey, PA: Information Science Reference, 2009.
- U.S. National Security Council, The Comprehensive National Cyber Security Initiative. 2010. http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative