Making Computer Crime Count.
Sensational headlines, such as "Nation Faces Grave Danger of Electronic Pearl Harbor,"  "Internet Paralyzed by Hackers,"  "Computer Crime Costs Billions,"  have become common. Law enforcement organizations cannot determine exactly how many computer crimes occur each year. No agreed-upon national or international definition of terms, such as computer crime, high-tech crime, or information technology crime, exists. Thus, as a class of criminal activities, computer crime is unique in its position as a crime without a definition, which prevents police organizations from accurately assessing the nature and scope of the problem.
Internationally, legislative bodies define criminal offenses in penal codes. Crimes, such as murder, rape, and aggravated assault, all suggest similar meanings to law enforcement professionals around the world. But what constitutes a computer crime? The term covers a wide range of offenses. For example, if a commercial burglary occurs and a thief steals a computer, does this indicate a computer crime or merely another burglary? Does copying a friend's program disks constitute a computer crime? The answer to each of these questions may depend on various jurisdictions. 
The United States Department of Justice (DOJ) has defined computer crime as "any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution."  Some experts have suggested that DOJ's definition could encompass a series of crimes that have nothing to do with computers. For example, if an auto theft investigation required a detective to use "knowledge of computer technology" to investigate a vehicle's identification number (VIN) in a states's department of motor vehicle database, under DOJ guidelines, auto theft could be classified as a computer crime. While the example may stretch the boundaries of logic, it demonstrates the difficulties inherent in attempting to describe and classify computer criminality.
Over the past 15 years, several international organizations, such as the United Nations, the Organization of Economic Cooperation and Development (OECD), the Council of Europe, the G-8,  and Interpol, all have worked to combat the problem of computer crime.  These organizations have provided guidance in understanding this problem. Yet, despite their efforts, no single definition of computer crime has emerged that the majority of criminal justice professionals use. Although many state and federal laws define terms, such as "unauthorized access to a computer system" and "computer sabotage," neither Title 18 nor any of the state penal codes provide a definition for the term computer crime.
Defining criminal phenomena is important because it allows police officers, detectives, prosecutors, and judges to speak intelligently about a given criminal offense. Furthermore, generally accepted definitions facilitate the aggregation of statistics, which law enforcement can analyze to reveal previously undiscovered criminal threats and patterns.
Benefits of Reporting Computer Crime Statistics
Crime statistics serve an important role in law enforcement. First, they allow for the appropriate allocation of very limited resources. For example, if a community suffered a 73 percent increase in the number of sexual assaults, police administrators immediately would take steps to address the problem by adding more rape investigators, extra patrol in the specific area, and increased community awareness projects. The aggregation of crime data allows police to formulate a response to a problem. Anecdotal evidence suggests that computer crime presents a growing problem for the public, police, and governments, all who rely on crime statistics for the development of their criminal justice policies and the allocation of extremely limited resources. For police to respond successfully to these crimes in the future, they must increase the resources their departments currently dedicate to the problem--a difficult task.
Agencies must justify training, equipment, and personnel costs necessary to create a computer-competent police force. How can law enforcement managers justify these costs to community leaders without appropriate data to substantiate their claims? Police must document the problem with factual data not information based on media sensationalism or a few notorious attacks.
Second, accurate statistics on computer crime are important for public safety reasons. Computer crimes not only affect corporations but hospitals, airports, and emergency dispatch systems as well. Furthermore, surveys have indicated that many individuals fear for their safety in the on-line world and worry about criminal victimization. 
Businesses and individuals rely on law enforcement crime statistics when making important decisions about their safety. Many citizens contact a local police station prior to the purchase of a home in a particular neighborhood to inquire about the number of burglaries and violent crimes in the area. Just as these data provide important information for communities in the "real world," the same is true in cyberspace. For individuals and organizations to intelligently assess their level of risk, agencies must provide accurate data about criminal threats. Access to reliable and timely computer crime statistics allows individuals to determine their own probability of victimization and the threat level they face and helps them begin to estimate probable recovery costs.  Law enforcement organizations traditionally have taken a leading role in providing crime data and crime prevention education to the public, which now should be updated to include duties in cyberspace.
Crime statistics facilitate benchmarking and analysis of crime trends. Crime analysts use criminal statistics to spot emerging trends and unique modi operandi. Patrol officers and detectives use this data to prevent future crimes and to apprehend offenders. Therefore, to count computer crime, a general agreement on what constitutes a computer crime must exist.
In many police departments, detectives often compile and report crime data. Thus, homicide detectives count the number of murders, sexual assault investigators examine the number of rapes, and auto detectives count car thefts. Computer crime, on the other hand, comprises such an ill-defined list of offenses that various units within a police department usually keep the related data separately, if they keep them at all. For example, the child abuse unit likely would maintain child pornography arrest data and identify the crime as the sexual exploitation of a minor. A police department's economic crimes unit might recap an Internet fraud scam as a simple fraud, and an agency's assault unit might count an on-line stalking case as a criminal threat. Because most police organizations do not have a cohesive entity that measures offenses where criminals either criminally target a computer or use one to perpetrate a crime, accurate statistics remain difficult to obtain.
The Underreporting Problem
Generally, crime statistics can provide approximations for criminal activity. Usually, people accurately report serious crimes, such as homicide, armed robbery, vehicle theft, and major assaults. Many other criminal offenses, however, remain significantly underreported.
Police always have dealt with some underreporting of crime. But, new evidence suggests that computer crime may be the most underreported form of criminal behavior because the victim of a computer crime often remains unaware that an offense has even taken place. Sophisticated technologies, the immense size and storage capacities of computer networks, and the often global distribution of an organization's information assets increase the difficulty of detecting computer crime. Thus, the vast majority of individuals and organizations do not realize when they have suffered a computer intrusion or related loss at the hands of a criminal hacker.
The U.S. Department of Defense's (DoD) Defense Information Systems Agency (DISA) has completed in-depth research on computer crime. From 1992 to 1995, DISA attacked their own DoD computer systems using software available on the Internet. System administrators did not detect the majority of attacks against DoD computers. Of the 38,000 attacks perpetrated, 96 percent of the successful attacks went undetected. Furthermore, of the detected attacks, only 27 percent were reported. Thus, approximately 1 in 140 attacks were both detected and reported, representing only 0.7 percent of the total. If the detection and reporting of computer crime is less than 1 percent in the nation's military systems, how often might these crimes go unreported when the intended victim is an individual or a small business owner?
Convincing victims who have suffered a loss to report the crime to police constitutes another hurdle facing law enforcement agencies. Surprisingly, many individuals, network administrators, and corporate managers do not realize that attacks against their networks constitute a crime. Worse, many victims who understand that a crime has taken place may deliberately keep these facts from the police. Victims may have serious doubts about the capacity of the police to handle computer crime incidents in an efficient, timely, and confidential manner.  These concerns are true particularly among large corporations who fear damage to their reputation or, worse, their bottom line. In banking and financial sectors, reputation is everything. Information that a criminal has infiltrated a bank's computers and accounts potentially could drive thousands of customers to its competitors.
Businesses suffer a variety of losses, both tangible and intangible when hackers attack them. They can lose hundreds of millions of dollars of value, brand equity, and corporate reputation when a business falls prey to a hacker.  Most of the companies that suffer Web attacks see their stock prices fall.  Furthermore, in recent denial of service attacks, for example, the Yankee Research Group estimated that direct revenue losses due to blocked online transactions and the need for security infrastructure upgrades exceed $1 billion.  Because of the high price of victimization, most companies would not want to involve law enforcement and risk a very public arrest or trial attesting to the organization's security and business failings.
The difficulties in computer crime detection and the challenges posed by the reluctance of businesses to admit victimization might demonstrate the underestimation of all statistics related to cybercrimes. However, some less reputable computer security consulting companies may overestimate computer crime and security problems to scare business leaders who, they hope, will turn to these organizations for consulting services and support.
An annual report compiled by the Computer Security Institute in San Francisco, California, and the FBI provides a variety of statistics on computer crime by surveying computer security practitioners in both the private and public sectors.  The anonymity offered to survey respondents may contribute to the accuracy of their data. However, the report does not directly poll law enforcement organizations about the number of computer crimes reported to police. Many experts believe that such a task should be carried out by the government, but to date, no single governmental body maintains responsibility for asking police forces about the prevalence of computer crimes reported and investigated.
The Development of a Definition
The development of a simple, widely agreed-upon definition of computer crime among law enforcement may form the first step in counting computer crimes. This definition would help police to communicate more effectively about these offenses and begin to accurately assess the prevalence of criminal victimization.
The earliest work in computer security provides a good foundation upon which police can build such a definition. Traditionally, all computer security efforts have sought to protect the confidentiality, integrity, and availability of information systems. 
Confidentiality in computer systems prevents the disclosure of information to unauthorized persons. Individuals who trespass into another person's computer system or exceed their own authority in accessing certain information, violate the legitimate owner's right to keep private information secret. Crimes that violate the confidentiality of computer systems include "unauthorized access crimes" as defined by Title 18, U.S.C. Section 1030(a)(2). Because breaking into a computer begins with unauthorized access to an information system, many believe this represents the foundational computer crime offense.
Integrity of electronically stored information ensures that no one has tampered with it or modified it without authorization. Thus, any nonsanctioned corruption, impairment, or modification of computer information or equipment constitutes an attack against the integrity of that information. Many of the malicious hacking activities, such as computer viruses, worms, and Trojan horses, fall within this category. The same is true for individuals who purposefully change or manipulate data either for profit or some other motivation, such as revenge, politics, terrorism, or merely for the challenge.
Availability of computer data indicates the accessibility of the information and that its associated programs remain functional when needed by the intended user community. A variety of attacks, such as the often-cited denial of service incidents, constitute a set of criminal activities that interferes with the availability of computer information.
Together, computer crime incidents that attack the confidentiality, integrity, or availability of digital information or services constitute an extremely precise and easily understood foundational definition of computer crime. In effect, these offenses might represent "pure-play" computer crimes because they involve a computer system as the direct target of the attack.
These three types of crimes should form the basis for an internationally agreed-upon definition of computer crime. In reality, they already are becoming the definition of computer crime because each state has some law that prohibits these offenses. Furthermore, an analysis of penal legislation in nearly 50 nations suggests that at least one-half of those countries surveyed--including most industrialized nations--had laws in place or legislation pending that prohibited crimes affecting the confidentiality, integrity, and availability of a computer.  A variety of international organizations also support legislative efforts prohibiting pure-play computer crimes. Groups, such as the United Nations, the 08, the Council of Europe, the OECD, and Interpol, each have delineated confidentiality, integrity, and availability offenses as forming the minimum basis of proscribed computer criminal behavior. The Council of Europe, the 41-nation body of which the United States is an observer, has been working on a draft t reaty on cybercrime for several years. If adopted as currently drafted, the treaty would ensure that confidentiality, integrity, and availability offenses were outlawed in all signatory nations to the treaty, an extremely significant step forward in policing these crimes. 
Defined broadly, the term computer crime or even the more common "computer-related crime" has described a wide variety of offenses. Traditional crimes, such as fraud, counterfeiting, embezzlement, telecommunications theft, prostitution, gambling, money laundering, child pornography, fencing operations, narcotics sales, and even stalking, all could be computer related. Computer technology could facilitate or perpetrate each of these offenses.
These crimes, which represent traditional offenses perpetrated in new and, perhaps, more effective ways, differ from pure-play computer crimes, which involve a computer system as the direct target of attack. Additionally, these crimes, as a group, demonstrate that offenders can use a computer as a tool to commit the crime. The fact that a computer is not necessary to commit the crime sets these offenses apart from the pure-play computer crimes. Prostitution, counterfeiting, and frauds have taken place for hundreds of years without any computer connection. The computer-mediated forms of these crimes pose problems for law enforcement as well.
A traditional crime perpetrated with a new, high-tech twist raises the same investigative and legal challenges for police as pure-play computer offenses. The unique nature of information technology and computer networks moving at Internet speed often are highly incompatible with traditional legal models of policing. Crimes involving high technology cross multiple jurisdictions, are not covered by a single cohesive international law, become harder to track because of anonymity, result in expensive investigations, complicate efforts in obtaining forensic evidence, and require police to have specialized knowledge for a successful investigation. Because computer-related crimes pose many of the same investigative difficulties as pure-play computer crimes, documenting these criminal offenses proves useful. Once captured, these data can help police to further refine their allocation of resources and determine relevant crime trends for computer-mediated illegal activities.
Offenses where a computer is completely incidental to the crime represents the third type of criminal activity with possible computer involvement. In these cases, although a criminal might have used a computer before, during, or after the crime, it was not related directly to the offending criminal activity. For example, a man who murders his wife and confesses 3 weeks later in an electronic document has not committed a computer crime--he has committed a homicide. Leaving behind computer-related evidence that will require specialized forensic methods does not turn murder into "cyber-homicide." For this reason, police should not count offenses that generate computer-related evidence incidental to the perpetration of the offense as either a computer crime or as a computer-related crime.
Law Enforcement's Response
How can agencies capture, analyze, and report data on these offenses in an efficient manner? In 1930, the U.S. Congress required the Attorney General to produce data on the incidence of crime in America. In turn, the Attorney General designated the FBI to serve as the national clearinghouse for the statistics collected. Since that time, the FBI has administered the Uniform Crime Reporting (UCR) Program, which obtains data based on uniform classifications and procedures for reporting from the nation's law enforcement agencies and presents this information in the annual Crime in the United States publication.  While the traditional UCR Summary Reporting System  tracks only eight criminal offenses (murder and nonnegligent manslaughter, forcible rape, robbery, aggravated assault, burglary, larceny-theft, motor vehicle theft, and arson), the new UCR National Incident Based Reporting System  (NIBRS) tracks 46 criminal offenses in 22 categories, including crimes perpetrated using computers.  However , because the transition from the traditional system to NIBRS will take considerable time, law enforcement executives proactively should review their internal procedures to ensure that they have appropriate policies in place to track and recap pure-play computer crimes.
Agencies should consider adding the following question to crime and arrest reports: "Was a computer used in the perpetration of this offense?" Many agencies already include similar questions about the use of firearms or the occurrence of hate crimes on their internal reports. In fact, hate crimes may provide a useful lens through which to examine computer-related crime. Hate crimes often involve other crimes, such as assault, vandalism, and even murder. But, knowing what percentage hate actually motivates vandalism becomes a useful tool for police administrators attempting to understand and address community disorder problems.
Several efforts have begun to promote law enforcement's understanding of the prevalence and effects of computer crime. The FBI and the National White Collar Crime Center recently took a big step forward in counting computer-related fraud. In 2000, these organizations established the Internet Fraud Complaint Center (IFCC)  to create a national reporting mechanism for tracking fraud on the Internet. The center will track statistics on the number and type of complaints and forward reported incidents to the appropriate law enforcement agency. While IFCC will prove helpful in tracking Internet fraud data, it does not deal directly with pure-play computer crimes that violate the confidentiality, integrity, and availability of data. Therefore, federal, state, and local criminal justice agencies must take a more comprehensive approach.
To combat computer crime, law enforcement must build an internal capacity to define, track, and analyze these criminal offenses. Even if law enforcement has a highly sophisticated and well-developed system to count computer crime, agencies still must overcome the public's underreporting problem. Underreporting these crimes results from a failure on the part of the victim to realize a crime has taken place and an unwillingness to report discovered incidents to police.
To decrease the incidence of computer crime, law enforcement agencies must work with private organizations to ensure that businesses become aware of potential threats they face from computer crime. These partnerships could include working with technical experts from within and outside the government to develop solutions that improve the prevention and detection of computer crimes. Of course, even after detecting these crimes, police still must convince victims to report them.
Police agencies must work with the business community to gain trust. Many community and problem-oriented policing techniques can help law enforcement as they deal increasingly with computer crime investigations. Government and industry partnerships, and police sensitivity about businesses' concerns, will help increase the number of these offenses brought to the attention of the police.
Most police agencies do not have the staff or funding to deal adequately with computer crime. Though the recent series of virus and denial of service attacks have increased public awareness of the problem, law enforcement organizations must prepare for offenses by developing a strategic and preventative approach to deal with this problem.
Law enforcement managers must ensure that they remain capable of responding to the changing faces of criminal activity in the 21st century. When compared to murder, rape, or violent assaults, computer crime may seem trivial. But, a person who asks an executive who loses his life savings due to the theft of intellectual property from his computer hard drive will get a different answer. The teacher who receives daily calls from credit agencies because she was the victim of on-line identity theft understands the importance of policing computer related crime as well. Similarly, so does the AIDS researcher who has 5 years of work destroyed by a computer virus. The mother of the 13-year-old girl who was lured across state lines by a pedophile will certainly demand a computer-competent police force capable of helping her. Each of these computer or computer-related crimes and their victims are real. Law enforcement agencies have a responsibility to protect and serve the public, regardless of advances in technology-a role that cannot be abdicated.
Defining the problem, gathering crime data, and analyzing the nature and scope of the threat represent natural steps in any problem oriented policing approach. New forms of criminality do not differ-- a lesson law enforcement agencies must learn to make computer crime count.
(1.) Andrew Glass, "Warding Off Cyber Threat: "Electronic Pearl Harbor Feared," The Atlanta Journal and Constitution, June 25,1998.
(2.) Anick Jcsdanun, "Internet Attacks Raise Concerns About Risks of Growth," San Francisco Examiner, February 14, 2000.
(3.) Michael Zuckerman, "Love Bug Stole Computer Passwords," USA Today, May 10, 2000.
(4.) Jodi Mardesich, "Laws Across the Country Become Relevant in Connected World: Jurisdiction at Issue in Net Legal Cases," San J Mercury News, October 8, 1996, 1E.
(5.) Catherine H. Conly, Organizing for Computer Crime Investigation and Prosecution, National Institute of Justice, July 1989, 6.
(6.) These countries, several major industrial nations in the world, include the United States, the United Kingdom, France, Germany, Japan, Canada, Italy, and Russia.
(7.) "International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-Related Crime," United Nations Crime and Justice Information Network Vienna: United Nations, 1994.
(8.) Tina Kelley, "Security Fears Still Plague Cybershopping," The New York Times, July 30, 1998, G5; Michael Stroh, "Online Dangers, Offspring Protection; Security: Parents Can Find Allies on the Family Computer to Protect their Children from Harm on the Internet," The Baltimore Sun, May 10, 1999, 1C.
(9.) M.E. Kabay, "ISCA White Paper on Computer Crime Statistics," International Computer Security Association (1998), http://www.icsa.net/html/library/whitepapers/index.shtml; accessed November 8, 2000.
(10.) P.A. Collier and B.J. Spaul, "Problems in Policing Computer Crime," Policing and Society 307, no. 2 (1992).
(11.) Larry Kamer, "Crisis Mode: It's About Values," The San Francisco Examiner February 23, 2000, A15.
(12.) Carri Kirbie, "Hunting for the Hackers: Reno Opens Probe Into Attacks That Disabled Top Web Sites," The San Francisco Chronicle February 10, 2000, A1.
(13.) "7 Days: Web Attacks Raise Security Awareness," Computing, February 17, 2000, 17.
(14.) R Power, "2000 CSI/FBI Computer Crime and Security Survey," Computer Security Issues and Trends 6, No. I, Spring 2000.
(15.) These three themes provide the basis for the Organization for Economic Cooperation and Development's (OECD) Guidelines for tile Security of Information Systems and are included in most textbooks, legislative acts, and media articles on computer crime. The OECD document is available at http.//www.oecd.org//dsti/sti/it/securlprod/reg97-2.htm; accessed November 8, 2000.
(16.) Based upon research conducted by the author.
(17.) For further information, see http://conventions.coe.int/treaty/EN/cadreprojets.htm.
(18.) U.S. Department of Justice, Federal Bureau of Investigation, Crime in tile United States (Washington, DC, 1999).
(19.) In the summary program, law enforcement agencies tally the number of occurrences of the offenses, as well as arrest data, and submit aggregate counts of the collected data in monthly summary reports either directly to the FBI or indirectly through state UCR programs.
(20.) In NIBRS, law enforcement agencies collect detailed data regarding individual crime incidents and arrests and submit them in separate reports using prescribed data elements and data values to describe each incident and arrest.
(21.) NIBRS provides the capability to indicate whether a computer was the object of the crime and to indicate whether the offenders used computer equipment to perpetrate a crime. This ensures the continuance of the traditional crime statistics and, at the same time, "flags" incidents involving computer crime. For additional information on NIBRS, contact the NIBRS Program Coordinator, Criminal Justice Information Services, 1-888-827-6427.
(22.) Jerry Seper, "Justice Sets Up Web Site to Combat Internet Crimes," The Washington Times, May 9, 2000, A6, www.ifccfbi.gov; accessed November 8, 2000.
|Printer friendly Cite/link Email Feedback|
|Publication:||The FBI Law Enforcement Bulletin|
|Date:||Aug 1, 2001|
|Previous Article:||Law Enforcement Web Sites.|
|Next Article:||Addressing School Violence.|