Chapter 9. Computer Crime
At a Glance
We hope that you will never have to act on the information in this chapter. You may have studied this Handbook diligently and taken every reasonable step toward protecting your system, yet someone has still abused it. Perhaps an ex-employee has broken in through an old account and has deleted some records. Perhaps someone from outside continues to try to break into your system despite warnings that they should stop. What recourse do you have through the courts? Furthermore, what are some of the particular dangers you may face from the legal system during the normal operation of your computer system? What happens if you are the target of legal action? This chapter attempts to illuminate some of these issues. The material we present should be viewed as general advice, and not as legal opinion: for that, you should contact good legal counsel and have them advise you.
Your Legal Options After a Break-In
If you suffer a break-in or criminal damage to your system, you may have a variety of recourses under your legal system. This chapter cannot advise you on the many subtle aspects of the law. There are many differences in legal systems and laws from country to country, as well as different laws that apply to computer systems used for different purposes. Laws outside the United States vary considerably from jurisdiction to jurisdiction; we won’t attempt to explain anything beyond the U.S. system.63 However, we should note that the global reach of the Internet may bring laws to bear that have their origin outside the U.S.
Discuss your specific situation with a competent lawyer before pursuing any legal recourse. Because there are difficulties and dangers associated with legal approaches, you should be sure that you want to pursue this course of action before you go ahead.
In some cases, you may have no choice; you may be required to pursue legal action. For example:
• If you want to file a claim against your insurance policy to receive money for damages resulting from a break-in, you may be required by your insurance company to pursue criminal or civil actions against the perpetrators.
• If you are involved with classified data processing, you may be required by government regulations to report and investigate suspicious activity.
• If you are aware of criminal activity and you do not report it, you may be criminally liable as an accessory. This is especially true if your computer is being used for the illegal activity.
• If your computer is being used for certain forms of unlawful or inappropriate activity and you do not take definitive action, you may be named as a defendant in a civil lawsuit seeking punitive damages.
• If you are an executive of a public company and decide not to investigate and prosecute illegal activity, shareholders of your corporation can bring suit against you.
• If you are an executive of a private company, though you do not have shareholders, it may be possible for suppliers, partners, or customers to bring suit against you, depending on the laws on computer crime in your country.
If you are working in a company and believe that your system is at especially high risk for attack, you should probably speak with your organization’s legal counsel as part of your security incident preplanning before you have an incident. Organizations have different policies regarding when law enforcement should or should not be involved. By doing your homework, you increase the chances that these policies will actually be followed when they are needed.
63 A more extensive, although dated, discussion of legal issues in the United States can be found in Computer Crime: A Crimefighter’s Handbook (O’Reilly), and we suggest you start there if you need more explanation than we provide in this chapter. The book is out of print, but used copies are available.
To provide some starting points for discussion, this section gives an overview of a few issues you might want to consider.
Filing a Criminal Complaint
In the United States, you are free to contact law enforcement personnel any time you believe that someone has broken a criminal statute. You start the process by making a formal complaint to a law enforcement agency. A prosecutor may be asked to decide if the allegations should be investigated and what charges should be filed, if any.
In some cases—perhaps a majority of them—criminal investigation will not help your situation. If the perpetrators have left little trace of their activity and the activity is not likely to recur, or if the perpetrators are entering your system through a computer in a foreign country, you probably will not be able to trace or arrest the individuals involved. Many experienced computer intruders will leave little tracing evidence behind.64
If you do file a complaint, there is no guarantee that the agency will actually conduct a criminal investigation. The prosecutor involved (federal, state, or local) decides which, if any, laws have been broken, the seriousness of the crime, the availability of trained investigators, and the probability of a conviction. Remember that the criminal justice system is overloaded; new investigations are started only for severe violations of the law or for cases that warrant special treatment. A case in which $200,000 worth of data is destroyed is more likely to be investigated than a case in which someone is repeatedly scanning your home computer through your cable modem.
If an investigation is conducted, you may be involved with the investigators or you may be completely isolated from them. You may even be given erroneous information—that is, you may be told that no investigation is taking place, even though a full-scale investigation is in the works. Many investigations are conducted on a “need to know” basis, occasionally using classified techniques and informants. If you are told that there is no investigation and in fact there is one, the person who gives you this information may be deliberately misinforming you, or they themselves may simply not have the “need to know.”
Investigations can place you in an uncomfortable and possibly dangerous position. If unknown parties are continuing to break into your system by remote means, law enforcement authorities may ask you to leave your system open, thus allowing the investigators to trace the connection and gather evidence for an arrest. Unfortunately, if you leave your system open after discovering that it is being misused, and the perpetrator uses your system to break into or damage another system elsewhere, you may be the target of a third-party lawsuit. Cooperating with law enforcement agents is not a sufficient shield from such liability. Investigate the potential ramifications before putting yourself at risk in this way.
Contacting the Relevant Authorities
Depending on the criminal and legal systems in your country, there may be specific processes for contacting local or state authorities in the case of computer crime. The following are general suggestions, but it will be most effective if you follow the customs appropriate to your region.
• You might approach local or state authorities first, if possible. If your local law enforcement personnel believe that the crime is more appropriately investigated by the Federal government, they will suggest that you contact them. Unfortunately, some local law enforcement agencies may be reluctant to seek outside help or to bring in Federal agents. This may keep your particular case from being investigated properly.
• Local authorities may be more responsive because you are not as likely to be competing with a large number of other cases (as frequently occurs in the United States at the federal level). Local authorities may be more likely to be interested in your problem, no matter how small the problem may be.
• At the same time, although some local authorities are tremendously well-versed in computers and computer crime, even in the U.S., local authorities generally have less expertise than state and federal authorities and may be reluctant to take on high-tech investigations. Many federal agencies have expertise that can be brought in quickly to help deal with a problem.
• In the U.S., state authorities may be more interested than federal authorities in investigating and prosecuting juveniles. If you know that you are being attacked by a juvenile who is in your state, you may be better off dealing with local authorities. In some cases, you may find that it is better to bypass the legal system entirely and speak with the juvenile’s parents or teachers (or have an attorney or imposing police officer speak to them).
64 Although few computer intruders are as clever as they believe themselves to be.
Hazards of Criminal Prosecution
There are many potential problems in dealing with law enforcement agencies, not the least of which is their experience with computers, networking, and criminal-related investigations. Computer-illiterate agents may sometimes seek your assistance to try to understand the subtleties of the case. Other times, they may ignore your advice—perhaps to hide their own ignorance, and often to the detriment of the case and the reputation of the law enforcement community. Note that there is always the possibility that the “victim” in a crime is also involved in criminal activity. In general, it is poor practice for an investigator to accept advice from the victim without some level of suspicion, and this is no different in the case of cybercrime.
If you or your personnel are asked to assist in the execution of a search warrant to help identify material to be searched, be sure that the court order directs such “expert” involvement. Otherwise, you might find yourself complicating the case by appearing to be an overzealous victim. You may benefit by recommending an impartial third party to assist the law enforcement agents.
The attitude and behavior of the law enforcement officers can sometimes cause major problems. Your equipment might be seized as evidence or held for an unreasonable length of time for examination—even if you are the victim of the crime. If you are the victim and are reporting the case, the authorities will usually make every attempt to coordinate their examinations with you, to cause you the least amount of inconvenience. However, if the perpetrators are your own employees, or if regulated information is involved (bank, military, etc.), you might have no control over the manner or duration of the examination of your systems and media. This problem becomes more severe if you are dealing with agents who need to seek expertise outside their local offices to examine the material. Be sure to keep track of downtime during an investigation as it may be included as part of the damages during prosecution and any subsequent civil suit—suits that may be waged against either your attacker or, in some cases, against the law enforcement agency itself.
Your site’s backups can be extremely valuable in an investigation. You might even make use of your disaster-recovery plan and use a standby or spare site while your regular system is being examined.
Heavy-handed or inept investigative efforts may also place you in an uncomfortable position with respect to the computer community. Many computer users harbor negative attitudes toward law enforcement officers—these feelings can easily be redirected toward you if you are responsible for bringing the “outsiders” in. Such attitudes can place you in a worse light than you deserve, and hinder cooperation not only with the current investigation but with other professional activities. Furthermore, they may make you a target for electronic attack or other forms of abuse after the investigation concludes.
These attitudes are unfortunate, because there are some very good investigators, and careful investigation and prosecution may be needed to stop malicious or persistent intruders. We can report that this situation seems to have gotten better in recent years, so this is less of a concern than it was a decade ago. As time goes on, and as more people realize the damage done by intruders, even those without malicious intent, we expect to see the antipathy towards law enforcement fade even more.
We do encourage you to carefully consider the decision to involve law enforcement agencies with any security problem pertaining to your system. In most cases, we suggest that you carefully consider whether you want to involve the criminal justice system at all unless a real loss has occurred, or unless you are unable to control the situation on your own. In some instances, the publicity involved in a case may be more harmful than the loss you have sustained.
Once you decide to involve law enforcement, avoid publicizing this fact. In some cases the involvement of law enforcement will act as a deterrent to the attackers, but in other cases it may make you the subject of more attacks. Also be aware that the problem you spot may be part of a much larger problem that is ongoing or beginning to develop. You may be risking further damage to your systems and the systems of others if you decide to ignore the situation.
We wish to stress the positive. Law enforcement agencies are generally aware of the need to improve how they investigate computer crime cases, and they are working to develop in-service training, forensic analysis facilities, and other tools to help them conduct effective investigations. In many jurisdictions (especially in high-tech areas of the country), investigators and prosecutors have gained considerable experience and have worked to convey that information to their peers. The result is a significant improvement in law enforcement effectiveness over the last few years, with many successful investigations and prosecutions. You should very definitely think about the positive aspects of reporting a computer crime—not only for yourself, but for the community as a whole. Successful prosecutions may help prevent further misuse of your system and of others’ systems.
The Responsibility to Report Crime
Finally, keep in mind that criminal investigation and prosecution can only occur if you report the crime. If you fail to report the crime, there is no chance of apprehension. Not only does that not help your situation, it leaves the perpetrators free to harm someone else. Remember that the little you see may only be one part of a huge set of computer crimes and acts of vandalism. Without investigation, it isn’t possible to tell if what you have experienced is an isolated incident or part of a bigger whole.
A subtler problem results from a failure to report serious computer crimes: it leads others to believe that there are few such crimes being committed. As a result, insufficient emphasis is placed on budgets and training for new law enforcement agents in this area; little effort is made to enhance the existing laws; and little public attention is focused on the problem. The consequence is that the computing milieu becomes incrementally more dangerous for all of us.
Playing It Safe . . .
Here is a summary of additional recommendations for avoiding possible abuse of your computer. Most of these are simply good policy whether or not you anticipate break-ins:
• Put copyright and/or proprietary ownership notices in your source code and data files. Do so at the top of each and every file. If you express a copyright, consider filing for the registered copyright—this version can enhance your chances of prosecution and recovery of damages.
• Be certain that your users are notified about what they can and cannot do.
• If it is consistent with your policy, make all users of your system aware of what you may monitor. This includes e-mail, keystrokes, and files. Without such notice, monitoring an intruder or a user overstepping bounds could itself be a violation of wiretap or privacy laws!
• Keep good backups in a safe location. If comparisons against backups are necessary as evidence, you need to be able to testify as to who had access to the media involved. Having tapes in a public area will probably prevent them from being used as evidence.
• If something happens that you view as suspicious or that may lead to involvement of law enforcement personnel, start a diary. Note your observations and actions, and note the times. Run paper copies of log files or traces and include those in your diary. A written record of events such as these may prove valuable during the investigation and prosecution. Note the time and context of each and every contact with law enforcement agents as well.
• Try to define in writing the authorization of each employee and user of your system. Include in the description the items to which each person has legitimate access (and the items each person cannot access). Have a mechanism in place so each person is apprised of this description and can understand his or her limits.
• Tell your employees explicitly that they must return all materials, including manuals and source code, when requested or when their employment terminates.
• If something has happened that you believe requires law enforcement investigation, do not allow your personnel to conduct their own investigation. Doing too much on your own may prevent some evidence from being used or may otherwise cloud the investigation. You may also aggravate law enforcement personnel with what they might perceive to be interference in their investigation.
• Make your employees sign an employment agreement that delineates their responsibilities with respect to sensitive information, machine usage, electronic mail use, and any other aspect of computer operation that might later arise. Make sure the policy is explicit and fair, and that all employees are aware of it and have signed the agreement. State clearly that all access and privileges terminate when employment does, and that subsequent access without permission will be prosecuted.
Criminal Hazards for Businesses
If you operate an Internet service provider or web site, or have networked computers on your premises, you may be at risk for criminal prosecution yourself if those machines are misused. This section is designed to acquaint you with some of the risks.
If law enforcement officials believe that your computer system has been used by an employee to break into other computer systems, to transmit or store controlled information (trade secrets, child pornography, etc.), or to otherwise participate in some computer crime, you may find your computers impounded by a search warrant or writ of seizure. If you can document that your employee has had limited access to your systems, and if you present that information during the search, it may help limit the scope of the confiscation. However, you may still be in a position in which some of your equipment is confiscated as part of a legal search.
Depending on accepted practices in your legal system, local police or federal authorities may present a judge with a petition to grant a search warrant if they believe there is evidence to be found concerning a violation of a law. If the petition is in order, the judge may grant the search warrant. In the recent past, a few federal investigators and law enforcement personnel in some states developed a reputation for heavy-handed and excessively broad searches. In part, this was because of inexperience with computer crime, and it has been getting better with time.
Playing It Safe . . .
• Be prepared with a network and/or keystroke monitoring system that can monitor and record all information that is sent or received by your computer. If you suspect a break-in, start monitoring and recording immediately; do not wait to be given instructions by law enforcement. In some cases law enforcement agencies cannot give you such instructions without first obtaining a court order, since, by acting upon their instructions, you would be acting as an extension of the law.
• Make contingency plans with your lawyer and insurance company for actions to be taken in the event of a break-in or other crime, the related investigation, and any subsequent events.
• Identify, ahead of time, law enforcement personnel who are qualified to investigate problems that you may have. Introduce yourself and your concerns to them in advance of a problem. Having at least a nodding acquaintance will help if you later encounter a problem that requires you to call upon law enforcement for help.
• Consider joining societies or organizations that stress ongoing security awareness and training and work to enhance your expertise in these areas.