December 1996

Computer Crime: An Emerging Challenge for Law Enforcement

By David L. Carter, Ph.D. and Andra J. Katz, Ph.D.

__________

Law enforcement agencies must respond to the world-wide growth in computer-related crime.

__________

Dr. Carter is a professor in the School of Criminal Justice at Michigan State University, East Lansing, Michigan. Dr. Katz is a professor in the Administration of Justice Department at Wichita State University, Wichita, Kansas.

Law enforcement has withstood many challenges over the years. Prohibition, organized crime, riots, drug trafficking, and violent crime exemplify some of the complex problems the police have faced. Now law enforcement confronts another problem that is somewhat unusual--computer-related crime.

Several factors make this type of criminality difficult to address. Lawbreakers have integrated highly technical methods with traditional crimes and developed creative new types of crime, as well. They use computers to cross state and national boundaries electronically, thus complicating investigations. Moreover, the evidence of these crimes is neither physical nor human but, if it exists, is little more than electronic impulses and programming codes.

Regrettably, the police have fallen behind in the computer age and must overcome a steep learning curve. To make matters worse, computer crime is sometimes difficult for police officials to comprehend and to accept as a major problem with a local impact, regardless of the size or location of their communities.

Futurist Alvin Toffler identified information as the commodity of greatest value as the new millennium approaches.[1] Indeed, the Securing Proprietary Information Committee of the American Society of Industrial Security observed that the value of a company's future lies not in its tangible assets, but in the "intellectual capital" of the business.[2] In most businesses today, intellectual property is kept in computers.
As a consequence, the computer has become the target--and sometimes the instrument--of crimes. We conducted a national study of corporate security directors to explore the environment of computer crime and identify some critical issues facing policy makers in the future.

The creation of computer crime units in the Secret Service, Air Force Office of Special Investigations, FBI, and a small number of state and local agencies shows that law enforcement agencies are beginning to recognize the significance of computer crime. The growth of such groups as the Florida Association of Computer Crime Investigators and the High Tech Crime Investigators Association, as well as the proliferation of computer crime specialists in such agencies as the Royal Canadian Mounted Police, Royal Thai Police, and London Metropolitan Police Department, confirms the rising worldwide awareness of computer crime. Still, as one respondent to this study observed:

    I feel the weakest link is the lack of education in [public] law enforcement relating to computer-technology crimes. The law enforcement community has devoted [itself] to the high priority violent crimes, lumping computer crimes into a low priority status, yet the losses to computer crime could fund a small country.

RESEARCH FINDINGS

While many crimes using computer technology mirror traditional offenses--such as theft or fraud--the technical complexity, speed, and creative avenues by which these crimes occur pose particular problems for detection, prosecution, and prevention. If the trend of computer crime over the last 5 years provides any indication of the future, law enforcement's problems have just begun.

Victimization

The extent of computer crimes appears to be expanding rapidly.
A study conducted by the American Bar Association (ABA) in 1987 found that of the 300 corporations and government agencies questioned, 72 (24 percent) claimed to have been the victim of a computer-related crime in the 12 months prior to the survey.[3] The combined estimated losses from these crimes ranged from $145 million to $730 million over the 1-year period.

This broad range illustrates the problem in estimating losses. Not only is it difficult to identify and document these crimes, it is even more difficult to place a monetary value on the loss of intellectual property for which the actual value may not be known for months or even years.

Two years later, in 1989, the Florida Department of Law Enforcement (FDLE) surveyed 898 public and private sector organizations that conducted business by computer. Of the 403 respondents, 25 percent reported they had been victimized by computer criminals.[4] The Florida study found embezzlement of funds by employees to be a major source of the crimes. No attempt to estimate losses was made because, according to one of the researchers interviewed, "losses would have been nothing more than a guess."

In perhaps one of the most comprehensive studies, a component of the United Nations Commission on Crime and Criminal Justice surveyed 3,000 Virtual Address Extension (VAX) sites in Canada, Europe, and the United States in 1991 to assess computer security threats and crimes. The results show that 72 percent of the respondents reported a security incident within the previous 12 months, with 43 percent reporting the incident was criminal in nature.[5] By far, the greatest security threats came from employees or other people with access to the computers; however, respondents reported a number of external breaches from crackers[6] telephoning into the systems or accessing via networks.

The ABA and FDLE studies barely mentioned this external threat and gave little attention to it as a growing problem.
This is not surprising, however, because predominantly only the military, academics, and researchers used networking in the late 1980s. Access was comparatively limited, and networking technology cost more than it does today. The 1991 United Nations study, however, identified external threats via remote access as a problem that would grow in the years to come.[7] Despite this concern, past research suggests that threats of computer crime generally come from employees, like much of the theft that occurs in retail businesses.

Our study found a trend of victimization that increased significantly over previous studies, with 98.5 percent of the respondents reporting they had been victimized, and 43.3 percent admitting to being victimized more than 25 times. While these numbers seem dramatic, security professionals who reviewed the data expressed surprise at the frequency of admitted victimization, not actual victimization.

Consistent with previous studies, employees committed most of the reported crimes. The primary threat came from full-time employees, followed by part-time and contract employees, with computer crackers a close third. The researchers expected this finding because of the correlation between theft and access to computers.[8] However, the important dynamic to recognize is that access is changing dramatically as networking becomes more widespread. As the probability of these crimes increases, so will the public's expectation that state and local law enforcement agencies will be able to respond to and investigate these offenses.

Theft

Not surprisingly, the fastest growing computer-related crime was theft. However, an interesting facet of this crime supports Toffler's forecast--the most commonly stolen commodity was information. Respondents reported that thieves most frequently targeted intellectual property, which includes such things as new product plans, new product descriptions, research, marketing plans, prospective customer lists, and similar information.

To illustrate one method of information theft, an information security specialist tried an experiment. A major corporate research laboratory used the Internet to search for information on new product plans. In a test of the system, a security specialist illegally accessed the Internet communications of two researchers and recorded their search inquiries and the Internet Uniform Resource Locator (URL) addresses they visited. The specialist then gave the key word search inquiries and URLs to an independent researcher in the same field, who immediately hypothesized the type of product the company was working on and the new dimension of the product under development. When informed of the results, the laboratory researchers confirmed the hypotheses. While this was a security experiment, it illustrates how computer crime can occur.

Our study found a significant relationship between personal use of company computers and increases in intellectual property theft. Personal use of computers ranged from simple word processing to use of spread sheets for personal finances to accessing the Internet. In many cases, employers either permitted or, more typically, overlooked these uses. Perhaps when employees have workstations where they perform personal activities, they begin to view the space as being their own. Consequently, the theft--particularly of intellectual property that has no tangible value--is not as readily perceived as being wrong, thereby making it psychologically easier to commit.

In general, victims discovered thefts either by an audit trail showing access to information for which the user had no legitimate need, by an informant who told the business of the theft, or by external information, such as the actions or products of a competitor, that indicated theft.
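
An added example, not part of the original article: a small audit-trail review of the kind described above, which flags access to information for which the user has no legitimate need and separates repeated looking from copying. The log format, the need-to-know table, the user names and the threshold of three files are assumptions made for illustration.

```python
import posixpath
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "time user action path")

# Constructed sample audit trail (assumed format: time user action path).
SAMPLE_LOG = """\
1996-03-04T09:12:01 jdoe READ /finance/payroll/march.dat
1996-03-04T09:14:40 jdoe READ /research/newproduct/plan.doc
1996-03-04T09:15:02 jdoe READ /research/newproduct/specs.doc
1996-03-04T09:15:30 jdoe READ /marketing/prospects.lst
1996-03-04T09:21:11 asmith READ /research/newproduct/plan.doc
1996-03-04T09:40:57 jdoe COPY /research/newproduct/plan.doc
1996-03-04T10:02:13 tlee READ /finance/../research/newproduct/specs.doc
-- audit daemon restarted --
"""

# Hypothetical need-to-know table: directories each user's job requires.
NEED_TO_KNOW = {
    "jdoe": ["/finance"],
    "asmith": ["/research", "/marketing"],
    "tlee": ["/finance"],
}


def parse_audit(text):
    """Return Event tuples; lines that are not 'time user action /path' are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[3].startswith("/"):
            continue
        time, user, action, path = parts
        # Normalise so "/finance/../research" is judged by where it really points.
        events.append(Event(time, user, action.upper(), posixpath.normpath(path)))
    return events


def permitted(user, path, need):
    """True if path lies inside a directory the user has a stated need for."""
    for root in need.get(user, []):
        root = root.rstrip("/")
        # Compare whole path components so "/finance2" does not match "/finance".
        if path == root or path.startswith(root + "/"):
            return True
    return False


def review(events, need, browse_threshold=3):
    """Group out-of-need accesses by user and classify each user.

    'copied'   : copied at least one out-of-need file (takes precedence)
    'browsing' : touched at least browse_threshold distinct out-of-need files
    'isolated' : fewer out-of-need files than the threshold, none copied
    """
    reads, copies = defaultdict(set), defaultdict(set)
    for ev in events:
        if permitted(ev.user, ev.path, need):
            continue
        (copies if ev.action == "COPY" else reads)[ev.user].add(ev.path)
    report = {}
    for user in sorted(set(reads) | set(copies)):
        touched = reads[user] | copies[user]
        if copies[user]:
            verdict = "copied"
        elif len(touched) >= browse_threshold:
            verdict = "browsing"
        else:
            verdict = "isolated"
        report[user] = {"verdict": verdict, "files": sorted(touched)}
    return report


if __name__ == "__main__":
    for user, entry in review(parse_audit(SAMPLE_LOG), NEED_TO_KNOW).items():
        print(user, entry["verdict"], *entry["files"])
```
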

A wide body of research shows the value of stolen trade secrets and intellectual property.[9] Historically, thieves obtained such property by compromising employees, photocopying documents, committing burglary, or conducting surveillance of company personnel and practices. Increasingly, however, thieves prefer stealing from computers because it provides more extensive access to more usable information, is easier and more reliable than other methods, and presents less risk of detection and capture.

Our research also revealed a significant relationship between personal use of company computers and employees stealing or attempting to steal money. In most cases, businesses identified employees who tried to steal money before sustaining a loss. It was easier to account for monetary losses, which required some type of electronic transaction, than for intellectual property losses, which simply required copying files. Moreover, businesses placed more security controls on monetary files and monitored them more closely than information files. In addition, businesses generally had fewer monetary files than information files, making cash accounting easier to monitor.

Despite these safeguards, monetary thefts have occurred. In Detroit, Michigan, a small-time computer cracker penetrated a bank's computer system, opened a new account, and methodically transferred small amounts of money into it from existing accounts. The small thefts totaled about $50,000 before being noticed.[10] One of our survey respondents summarized the issue succinctly, "Losses are sometimes very large. We just lost $1 million."

Unauthorized Access to Files

The term "browsing" refers to the practice of obtaining unauthorized access to files just to see what they contain, somewhat akin to a criminal trespass. It is sometimes difficult to ascertain whether a law was broken, a company policy violated, an ethical standard breached, or the behavior simply stemmed from poor judgment.
Browsing truly can cover this continuum, depending largely on security controls, customary practices within an organization, and corporate policy governing access to information.

One security professional indicated that most cases of browsing in his company were simply curiosity or "cybervoyeurism" with no malicious intent. He even believed that most hackers were interested in the challenge of breaking into a computer system rather than in committing a theft.

Despite the experiences of this individual, our research indicated otherwise. There were significant relationships between browsing by full- and part-time employees and their attempts to steal both intellectual property and money. While not as strong overall, a significant relationship between browsing and the theft of intellectual property, but not money, also existed. With the growth of networking, a similar analysis in the next two years or so might find different results.

In the case of stealing intellectual property, browsing apparently served as a means to identify the nature of available information, its potential value, and the ability to steal the data. In the case of money, browsers most likely sought to learn the computer system's file structure, determine transaction protocols, locate accounts most susceptible to theft with a lower probability of discovery, and test security for access control and authentication roadblocks. Clearly in both cases, browsing was a significant precursor to criminality.

Traditional wisdom suggests that browsers are more of a nuisance than a threat. However, the data suggest that browsing is an exploratory activity that leads to theft or attempted theft in a significant number of instances. Organizational policy, employee supervision, and security measures should be reviewed to detect and resolve browsing activities.

Virus Introduction

Computer viruses, created for a variety of reasons, can have many different effects, depending on the creator's intent.
For those malcontent computer users who seek ready-made viruses, a bulletin board service in France, accessible via the Internet, has a large collection of diverse viruses that can be downloaded and then introduced into a targeted computer. Certainly, the capacity to infect a computer is available, and infections are occurring on an increasing, although not epidemic, basis. Sixty-six percent of the responding businesses reported viruses had been introduced into their computers over the past 5 years.

When tested, the data show significant relationships between virus introduction by crackers who stole (or attempted to steal) both intellectual property and money. Anecdotal evidence supports this finding, suggesting that crackers would try to destroy any evidence of their presence and their crime and make it harder to detect and investigate a theft or intrusion by introducing a virus. Essentially, the criminals intend the virus to provide a smoke screen for their invasion of the computer. These findings strongly suggest that in a significant number of cases where computer thefts occur, viruses are introduced. The caveat to investigators is to look for evidence of thefts whenever a virus is introduced via network or modem access.

In addition, part-time employees often covered their theft or attempted theft by introducing a virus into the targeted computer, following the same rationale as for crackers. Interestingly, there was no significant relationship between virus introduction and any behavior by full-time employees, although anecdotal evidence suggests that employees have placed viruses in computer systems for a number of reasons.

According to the National Computer Security Association, the massive terminations and layoffs afflicting the corporate landscape provide an important explanation for the increase in computer viruses.
A growing number of employees, believing they have been coldly dismissed after years of loyalty, see inserting a virus into the corporate computer system as a way of striking back.

Notably, to fend off the threat posed by viruses, nearly 83 percent of the respondents reported that anti-virus software had been loaded on company computers. Given that this software is easy to use and relatively inexpensive in comparison with the damage a virus could cause, it is somewhat surprising that all companies do not use virus protection.

While not directly comparable, it appears that the portion of respondents who do not have anti-viral software approximately equals the number who have no Internet connections or external modem access. Presumably, security personnel in these companies have concluded that a virus threat does not exist because the computer has no external connectivity. If so, the researchers emphasize that full-time employees also pose computer security risks. They obviously could--and have--introduced viruses.

Employees might introduce viruses for a variety of reasons, including harassing other employees, seeking retribution, playing with the system (gamesmanship), impeding commerce, and hiding evidence of thefts. While our study did not measure reasons empirically, interviews and anecdotes shed light on these motivations.

Harassment of other employees, particularly with respect to "company politics," serves as one reason for viruses. If a fellow employee can cause problems to others, particularly in a company where one's success is measured competitively against other employees, then a virus can be a good tool to gain an advantage.

In other cases, employees seek retribution. Those who believe they have been treated unfairly, terminated without just reason, or unappreciated might seek revenge.
Introducing a computer virus might fulfill the need for revenge because it can cause significant damage to the company with little chance of the perpetrator's getting caught.

Some employees could be motivated to infect a computer with a virus simply for purposes of gamesmanship. In these cases, the employees typically introduce a virus to play with the system without intending to cause permanent damage, as in the case of the "Clinton" virus. Despite this lack of malice, these employees still inflict some financial loss on the targeted businesses due to lower productivity while the virus is present and the cost of eradicating the problem. Moreover, there could be accidental damage caused by the virus itself or by attempts to remove it.

Another reason for infecting a computer is to impede the commerce of a business. Whether introduced by a cracker working at the behest of a competitor or an employee who has "sold out," a virus intended to impede commerce typically will cause major damage, such as erasing files, mixing information so that it makes no sense, or locking up hardware so that the system's software must be reloaded. In addition to the effects of the virus on the computer system, businesses sustain significant losses from secondary effects: the costs of virus eradication and system repair, operational slowdowns--or even stoppages--while the problem is being resolved, and undetermined losses of market share that might occur as a result of the problem.

A final reason for employees to infect computers is to hide evidence of thefts. If a virus erases information, disrupts audit trails, or jumbles information, then losses--even if detected--might be attributed to the virus, not a theft.

As shown, computer viruses can be obtained readily and introduced by employees and crackers alike. Policy makers should take the logical security precautions, anticipating the possibility of viral infection of computer systems.
As network connections among computer systems proliferate, the potential for problems will only increase.

Security Countermeasures

In light of these computer crime threats, we asked the respondents about their practices and experiences with a variety of security countermeasures. These included encryption, operations security, cash accounts security, employee training, and firewalls.

Encryption

The analysis shows a significant relationship between file or data encryption and reduced theft of intellectual property. Encryption, therefore, should be considered an important tool for protecting confidential information. However, encryption tools should be reviewed and changed periodically. Breaches of such systems not only have occurred but also have become somewhat of a game.

For example, RSA-129 is a 129-digit number created in 1977 by the developers of an encryption system said to be "provably secure." The creators of the code estimated that it would take 40 quadrillion years to factor the number using the methods available in the late 1970s. The code's creators recognized that rapidly evolving technology would increase analytic capacities dramatically over the coming years and, in light of this, predicted that the code would remain secure well into the next century. In 1994, a mere 17 years later, a group of 600 Internet volunteers cracked the code.[11] Evidently, technology is challenging traditional assumptions, including the assumption of long-term security via encryption.

Operations Security

Our study also found that increased operations security led to decreased theft of intellectual property. Operations security includes such measures as monitoring users, creating audit trails of system users, and conducting physical surveillance of users and systems. Physical surveillance, in particular, brought down the incidence of intellectual property theft; however, it also caused an operational problem.
Anecdotal evidence suggests that when security surveillance of computer users increases, employee morale deteriorates, job satisfaction lessens, and employee productivity decreases. It might be difficult to balance the need to use surveillance to reduce intellectual property theft against the potential negative effects of such heightened scrutiny. In all likelihood, the decision will have to be made on a case-by-case basis following an evaluation of the organizational culture and a risk/benefit analysis.

Protecting money, according to the respondents, poses different problems. While the value of intellectual property is difficult to assess, it can be protected more easily through encryption. However, encryption has unique limitations, and computerized cash accounts require different types of operations security.

Cash Accounts Security

The threat of monetary loss is real. In 1994, a Russian cracker unlawfully accessed Citicorp's computers, transferred approximately $40 million, and withdrew some $400,000.[12] Our study found a number of measures required to secure cash accounts, including changing passwords regularly, using numerical access control systems, upgrading authentication software, monitoring employees, maintaining audit trails, and regularly reviewing cash accounts for small losses. On this last point, we learned that small account balance errors in computer files serve as good indicators that someone has tampered with the accounts. In a rush to commit the crime, the perpetrator is more likely to make small--rather than large--errors and miss them.

Employee Training

Across the board, increased employee training consistently helped minimize theft. Respondents reported that employee training diminished crimes and computer abuse, such as harassment via e-mail and personal use of business computer systems.

Firewalls

Finally, we tested the use of firewalls as a countermeasure.
While different approaches exist, as a rule, firewalls are software controls that permit system access only to users specifically registered with a computer. As users attempt to gain access to the system, they are challenged to ensure they have an authentic password. Typically, users encounter several challenges, known as layers, for added protection.

Although respondents reported widespread use of firewalls, the data showed no significant relationship between this countermeasure and protection of information. Indeed, several respondents' comments suggested that crackers had penetrated their firewalls. A number of security professionals have reported discovering "Password Sniffer" and "Password Breaker" programs downloaded from the Internet by crackers to breach security. Our study did not examine the sophistication or level of security provided by these firewalls, thus the finding of no significance could be a function of security practice rather than actual effectiveness of the countermeasure.

Typically, firewalls are developed to defend against known incursion methods. However, computer criminals are creative and clearly have demonstrated their ability to penetrate many firewall systems. Moreover, when security professionals develop new barriers, crackers approach them like a puzzle, rather than an obstacle. Essentially, a firewall acts as a sophisticated electronic dam. Unfortunately, once an intruder finds a passage around this barrier, access to critical information becomes much easier. Some evidence suggests that when systems have firewalls to protect against external intruders, system operators place less emphasis on internal security control, thus exposing the system to abuse by insiders and, once the firewalls have been breached, outsiders alike. To provide effective information system security requires a more holistic, proactive vision supported by the underlying assumption that any countermeasure can be compromised.

CONCLUSION AND RECOMMENDATIONS

As the research shows, computer crime poses a real threat. Those who believe otherwise simply have not been awakened by the massive losses and setbacks experienced by companies worldwide. Money and intellectual property have been stolen, corporate operations impeded, and jobs lost as a result of computer crime. Similarly, information systems in government and business alike have been compromised, and only luck has prevented more damage from occurring.

The economic impact of computer crime is staggering. British Banking Association representatives estimate the global loss to computer fraud alone as approximately $8 billion each year. To add other losses as previously described brings the total economic effects of computer crime to a level beyond comprehension.

As new technologies emerge and another generation of people becomes not only computer literate but also network literate, the problems will multiply. Researchers must explore the problems in greater detail to learn the origins, methods, and motivations of this growing criminal group. Decision makers in business, government, and law enforcement must react to this emerging body of knowledge. They must develop policies, methods, and regulations to detect incursions, investigate and prosecute the perpetrators, and prevent future crimes. Institutions already have fallen behind the criminals; at this point, the question is not whether they can catch up but whether they can keep the gap from widening.

Just as law enforcement agencies have developed specialized criminal investigative units and prevention programs for crimes of violence and drug abuse, they must initiate similar programs for computer crime. In addition, police departments immediately should take steps to protect their own information systems from intrusions.

Computer crime is a multi-billion dollar problem. Technological changes will enable more perpetrators to ply their trade from remote locations.
Police managers must plan for this reality and devote resources to deal with the computer crime problem.

Computers have ushered in a new age filled with the potential for good. Unfortunately, the computer age also has ushered in new types of crime for the police to address. Law enforcement must seek ways to keep the drawbacks from overshadowing the great promise of the computer age.

Endnotes

[1] A. Toffler, PowerShift (New York: Bantam Books, 1990).
[2] R. Heffernan, Securing Proprietary Information Committee of the American Society of Industrial Security, Committee Presentation at the ASIS Annual Meeting, New Orleans, LA, September 12, 1995.
[3] U.N. Commission on Crime and Criminal Justice, United Nations Manual on the Prevention and Control of Computer-related Crime (New York: United Nations, 1995).
[4] Florida Department of Law Enforcement, Computer Crime in Florida, unpublished report, Tallahassee, Florida, 1989.
[5] Supra note 3.
[6] This term, which refers to people who break into computer systems without authorization, is preferred to "hackers," which signifies people skilled in writing and manipulating computer code.
[7] Supra note 3.
[8] Supra note 2.
[9] See, for example, supra note 2; B. Tripp, Survey of the Counterintelligence Needs of Private Industry (Washington, DC: National Counterintelligence Center and the U.S. Department of State Overseas Security Advisory Council, 1995); and U.S. Congress, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage (Washington, DC: U.S. Government Printing Office, 1995).
[10] "Computer Used to Steal Cash," Lansing State Journal, February 5, 1995, 4B.
[11] J. Rosener, CyberLaw (America Online), April, 1994.
[12] J. Rosener, CyberLaw (America Online), October, 1995.