jim.shamlin.com

The Socioeconomic Background of Electronic Crime

This chapter discusses current and emerging forms of network and computer-related illegality (electronic crime), its background, the motives driving individuals to such actions as well as strategies and techniques for controlling it.

INTRODUCTION

The author provides evidence that Information and Communication Technology (ICT) is "pervasive and affects all aspects of the economic, social, political, and private life" of individuals and organizations, and that it is already a critical component of business and can be expected to become as critical to other institutions.

The author defines electronic crime as an activity where the computer or network is the source, tool, target, or location of crime. The chief difference between electronic and traditional crime is the disparity in the locations of the offender, victim, and scene of the crime. Also, the detection of electronic crime, given the lack of physical evidence, is more difficult, and there may be jurisdictional issues.

Aside from the actual incidence of crime, the need for security of information is of great concern (the author cites evidence that over 70% of individuals consider it to be a serious concern). This has a negative impact on their willingness to engage in commerce or communication over the Internet.

ICT AND CRIME

Old Crimes in New Bottles?

It is too commonly accepted that ICT is merely a new medium, and that the types of crimes being committed there are not much different than those perpetrated in the "real" world. To some degree, this is true - crimes that occur offline are perpetrated online - but there are unique aspects to the medium that facilitate traditional crime.

Of all crimes, the Internet has provided the greatest boon to white-collar crimes, owing to the networking of banking and financial institutions, the vast amount of data that is accessible, and the relative anonymity of the medium.

Additionally, the nature of the technology has led to additional kinds of crime that are not evidenced, or even possible, outside of the medium. An example of the kind of crime that is new to the medium is piracy, which once required specialized equipment and an extensive distribution network.

Looking at the basics of criminology, it is generally accepted that crime follows opportunity, and there is a wider range of opportunities provided by technology. One aspect of opportunity is the lack of adequate vigilance against crime, whether from the lack of technology or of interest, and another is the magnitude of opportunity, which is often greater on the Internet than in traditional enterprise.

This is especially true as the medium has gained in popularity. With an estimated 1.4 billion users and over 300 million computers, it's a vast universe without a central governing body or a coordinated control system, and the open-source nature means it's full of vulnerabilities to be exploited.

The global nature of the Internet is also unique to the medium: an offender can target victims without the constraints of space and time that are obstacles for traditional crime, and the act of crime may take place in different locations, in different jurisdictions, so a criminal can architect a crime that is committed in such a way that the physical location shields him from prosecution.

Defining Electronic Crime

Technology also creates some gray areas pertaining to the nature of a crime. It is debatable whether certain activities can even be considered criminal: merely accessing a system, making a copy of a file, or sending a request to a server are benign acts that are all essential to the legitimate use of the network, and the exact same action may be construed as criminal in some instances and benign in others. There is no unified or universal definition of what activities constitute crime.

Three terms are used:

  1. A "security incident" is an action that causes concern, but which may not be a crime. Generally, it is accepted that a person may unintentionally cause an incident, whereas a crime is always an intentional act.
  2. An "electronic crime" is an illegal act conducted using computers or other information technology.
  3. "Information warfare" is an activity that is aimed toward a government or large organization for political motives.

The European Convention on Cybercrime defines as criminal any action that is "directed against the confidentiality, integrity, or availability of computer systems, networks, and data." More specifically, it defines four categories of crime:

  1. Offenses against systems - including illegal access, interception, and system interference
  2. Forgery and fraud
  3. Dissemination of illegal information (hate speech, child pornography)
  4. Infringement of copyright and related rights

The United States Department of Justice provides two categories:

  1. Computer crime: includes intrusion, password trafficking, counterfeiting currency, child pornography, fraud, spam, harassment, etc.
  2. IP Crime: copyright piracy, trademark counterfeiting, theft or dissemination of confidential information

The Communication of the Commission to the Council and the European Parliament defines four kinds of offense:

  1. Privacy Offenses - Collecting, storing, disclosing, or disseminating personal data in an illegal manner
  2. Content Offenses - The dissemination of illegal content, such as child pornography or information that incites violence
  3. Economic offenses - Illegal activities for monetary gain (theft, fraud, espionage)
  4. Property offenses - Violations of the legal protection of computer programs, databases, copyrights, trademarks, and related IP rights.

EN: These are not definitions, merely classifications, and in themselves do not suggest what actions are legal or illegal, but merely how illegal actions (by whatever standard they are classified as such) may be categorized.

Types of Electronic Crime

The author cites some statistics on the incidence of electronic crime. The most prevalent form of crime against companies is attempts to gain access to systems, followed by vandalism/sabotage (viruses and malware), followed by unauthorized use or misuse of systems by employees, customer-side attacks, leaks of information, and attempted theft of assets. The most prevalent form of crime against individuals is spyware/malware, followed by phishing, followed by system vandalism, then identity theft.

Sources of Electronic Crime

Motives and Characteristics

The stereotypes of cyber criminals as mischievous teenagers or highly skilled "professional" hackers are not entirely without basis in reality, though there is a broad range of character profiles.

Motivations are likewise scattered:

Finally, there are instances in which "criminal" behavior is done by those who don't realize their actions are illicit - such as "sharing" software or passwords to access sites.

The Insider Threat

In addition to the threat of criminals who have no formal relationship, companies must also be vigilant against insider crime: employees, contractors, consultants, and others who are granted systems access, but who misuse the access they are given. Due to their increased access rights, they have the potential to do far greater damage, and are usually in a place to cover up evidence.

The primary concern is that insiders have access to proprietary information - customer data, financial data, intellectual property - that they could provide to those who would use it to harm the company (or use it for such purposes themselves). Also, the company has some liability for any action taken by insiders using its information systems (employees pirating software on their systems, or using the company's Web server as a platform for hacking other systems).

E-crimes against businesses are believed to originate from external hackers (41%), internal users (29%), customers (14%), competitors (7%) or former employees (5%).

THE IMPACT OF ELECTRONIC CRIME

The impact of electronic crime is often measured in dollars lost to theft or fraud, cost to repair or restore vandalized systems, cost of lost business, financial impact to shareholders, and other financial measurements.

The cost of prevention is also cited as an impact of electronic crime - a considerable amount of money is spent on systems, software, and personnel required for monitoring, detecting, security systems, etc.

However, it's suggested that there are other impacts that are more difficult to quantify: such as damage done to consumer confidence, reluctance of individuals to make online purchases or contribute to social networks, the impact of adverse media coverage, etc.

A number of estimates are given, but given the wonkiness of the latter two "costs", they are all pluctus rectus and therefore not worth preserving.

ELECTRONIC CRIME TRENDS

The author suggests that the incidence of electronic crimes is on the rise (20% increases year-to-year), but I find this dubious: it may be that we are getting better at detecting them, or that more activities are being criminalized, so I can't accept these allegations at face value.

Targeted and Automated Attacks

"Automated" attacks include viruses, worms, and malicious code that are opportunistic, and attack any system they can. These far outnumber "targeted" attacks, which are directed at a specific individual or organization, though targeted attacks tend to be more successful, more damaging, and more difficult to detect. The author asserts that "it is believed" that there is a growing trend for individual hackers to network and act cooperatively against a specific target.

Financial Crime

The greatest losses to companies are attributed to malicious code, but financial crimes such as theft and fraud are allegedly on the rise.

Credit card fraud is the most common form of financial crime: hackers obtain an individual's credentials, or hack into a database of credit card information, and utilize this information to make purchases.

Another common form of financial crime is obtaining account numbers, site passwords, and other information necessary to access financial accounts and drain them of funds. The examples given use a combination of forged e-mail messages and false Web sites to get bank customers to provide their data.

"Pumping" has also been defined as an electronic crime: hackers create false publicity to influence the price of a security (stock) and capitalize on an increase or decrease in its value (sometimes both).

Finally, there are also isolated incidents of extortion, where a hacker may demand payment under threat of disabling a Web site or disclosing information that was stolen from proprietary systems.

ADDRESSING CYBERCRIME

Electronic crime is a relatively new phenomenon, and measures to prevent and react to it are relatively primitive. The author recommends a multifaceted approach that would require legal, technical, procedural, and behavioral remedies.

Legal Approach

In developed countries, some efforts are being made to establish laws and agencies to react to electronic crime, and cooperation is being sought to overcome the jurisdictional boundaries. However, the relatively large number of countries with limited laws and resources still provides an obstacle to effective countermeasures.

The author looks to the EU as an example of multinational cooperation that involves nations of varying levels of economic development who are working together to overcome the problem of jurisdiction and move toward cooperative agencies and uniform enforcement. However, it seems that this is merely in the planning stages at present.

Information Sharing and Incident Reporting

While there are communities of interest on various topics, many organizations handle their security and response to threats internally, are reluctant to involve law enforcement, and share little information with others.

This notion is supported by a security survey in which IT security directors responded that only 15% of organizations had reported an incident or intrusion to law enforcement, and this is a decrease of 4% from the previous year. Reasons cited for this reluctance were fear of negative publicity, fear that competitors might take advantage of the incident, failure of the legal system to provide adequate remedies in the past, and lack of awareness as to whom to report incidents.

Monitoring

Companies have taken extensive measures to combat the threat of insider attacks: they conduct background checks on employees, log and monitor network activity, restrict access to public networks, scan employee e-mails for malicious code and confidential information, and other such measures.

A smaller proportion take similar measures regarding internal network traffic. Systems are safeguarded and monitored, but communications sent over the network are not as strictly monitored as those that cross the firewall.

There is no mention of companies' attempts to monitor or restrict the use of personal equipment (cell phones and PDAs) that may be used by employees. It is an area of concern, but there is only anecdotal evidence thus far.

The monitoring of employee behavior has raised some concerns over the psychological impact on the individual employee and the possible conflict with privacy rights.

Technical Controls

A wide array of technical controls are currently in place to secure systems and networks: access control, authentication schemes, encryption, economization, virus sweeps, firewalls, blocking and filtering programs, and the like.

Nearly all companies (in the USA and UK) are utilizing detection or prevention software to safeguard their systems; however, it is noted that "surveillance measures" are largely regarded as the least effective approach to protecting against e-crimes.

While organizations invest in systems, software, and personnel for defending their systems, the individual user must often depend on their own efforts. The adoption rate of security software as well as the level of awareness and competence in securing residential computer systems "remains an open issue."

It is also noted that it is becoming more common for security features to be built into computer software and systems, and that practices have changed such that security is enabled by default. However, such features generally provide only a modicum of protection against the most common attacks at the time the software was developed.

And for both companies and individuals, it is mentioned that offenders are generally one step ahead of efforts: the method of an attack remains unknown until it has been attempted, and the work to detect and counteract a specific attack is done in the aftermath.

Cyber Insurance

Financial insurance to mitigate the cost of cybercrime is relatively new and not widely adopted (a UK survey indicated only 23% of companies had some kind of coverage), nor are insurers aggressive in providing products of this nature.

It is suggested that development is needed, both to mitigate the cost impact of attacks against a company and to provide liability coverage for the acts of a company or its employees.

Education and User Awareness

The education of individual users to raise their awareness of the issue, teach them preventative practices, and enable them to react in a timely manner to electronic threats is woefully inadequate, and does not seem to be a priority: in the majority of companies, less than 1% of IT security budgets are spent on user education, and 18% admit having made no effort whatsoever.

CONCLUSION AND OPEN ISSUES

The author restates bits of information from the chapter. Nothing new is added.

