Computer crime

SIGNIFICANCE: Computer crimes cause immense harm and present a national problem that is difficult to control because of constantly changing technology and the inconsistent and often unenforceable national and international laws enacted to counter the crimes.

Computer crime comprises a broad range of illegal acts in which computers, other types of electronic information-processing devices, and information systems are the objects, targets, or instruments of crimes. They may also be the sites from which “attacks” are launched or the cyber environments harmed in the course of attacks on information systems.


The term “computer crime” has historically conveyed different meanings to criminal justice officials, policymakers, researchers, the media, and the general public. For example, computer crime was once regarded as any illegal act requiring knowledge of computer technology for its perpetration, investigation, or prosecution. Computers have also been conceptualized as symbols for intimidation, particularly in situations in which intended crime victims do not understand or become fearful about the functional capabilities of computers.

The absence of a widely accepted definition of computer crime has much to do with the technical and special nature of computer abuses, such as computer “hacking,” the releasing into computer systems of viruses and worms, and interruptions of service. Also important are the technologically evolving nature of computers and the crimes in which they are used, the pace of computerization, and increasing adoption of computers for illicit purposes throughout the United States and other nations. As a consequence of these complexities, several different terms and labels have come into use to describe crimes in which computers—often networked and used in combination with other electronic devices—are used for criminal purposes. Terms generally considered to be synonymous with computer crime include computer-related crime, high-tech crime, information technology-related crime, information/new age crime, Internet crime, and cybercrime. In addition, computer crimes are also frequently given sensational labels in the media, such as “data rape” and “cyberstalking.” These terms, too, further complicate wide acceptance of any specific term or label.

History

Computer crimes emerged in the United States with the computerizing of banking services. The first recorded instance of computer crime occurred in 1958. It involved “salami slicing,” in which a bank employee in Minneapolis, Minnesota, used a computer to divert and deposit rounding errors of financial transactions into a special account. Over the years, as evolving computer technology made possible new banking services, such as personal credit cards, automatic teller machines (ATMs), and online banking, new forms of computer-enabled financial crimes arose.

Computer hacking—the unauthorized accessing of computerized information systems—also began during the late 1950s. At that time, the nation’s first computer science students, at the Massachusetts Institute of Technology, were intent on discovering new uses for computers and called themselves “computer hackers.”

Throughout the 1960s and 1970s the number, variety, and impact of computer abuses and crimes increased significantly. However, official estimates of such trends are not available. Nonetheless, growing concern about computer crime during the 1980s, coupled with the beginning of widespread Internet operations in 1984, resulted in several state governments and the federal government enacting special computer crime laws. In 1984, the federal government enacted the Computer Crime and Abuse Act, which made it illegal to access computer systems without prior authorization. During that same period, several new types of computer crimes arose and several famous computer crime cases occurred. For example, in 1984 Fred Cohen, a famous computer-security instructor and consultant, introduced the term “computer virus” to describe self-replicating programs capable of infecting networked computers. On November 2, 1988, Robert Morris released an infamous computer “worm”—a program that shut down significant portions of the Internet.

After 1994, the World Wide Web made online computing more accessible, versatile, and interesting to millions of computer users. The development invariably gave rise to more and increasingly imaginative forms of computer abuse. In the early twenty-first century, computer crimes included disruptions of computer services by writing and distributing malicious computer programs (viruses, worms, and trojans), and trespassing into information systems without authorization in order to explore, steal, modify, or destroy data.

Computer crimes now also include such financial crimes as embezzlement, securities fraud, unlawful use of credit card account numbers, identity theft, and fraud in online auction and retail-purchasing Web sites. Other forms of computer crime include online piracy of digitized music, film, and application files; sending of unwanted spam; online harassment and stalking; and accessing, distributing, and possessing computer media containing child pornography.

An increasingly common form of cybercrime is the use of ransomware to attack individuals and institutions such as hospitals, school systems, and local governments. The perpetrators use malicious software (malware) to prevent the owner of the information from accessing the files, systems, or networks. The attacker demands a ransom for their return. Ransomware attacks pose a threat to individuals' personal information such as credit card numbers. An even greater danger is the loss of access to critical patient data when hospitals are attacked.

Prevalence

Computer crime now reportedly occurs globally at record rates, in more complex variations and combinations, and with increasing social and economic impacts. Computer crime also raises fears of lost, damaged, or stolen data among computer users everywhere, and is connected to rising concerns about information security throughout society, including at the highest levels of government. Nevertheless, reliable estimates of the numbers and impact of computer crimes remain largely undetermined, as few studies of the problem have been undertaken. Moreover, even when such studies are conducted, they seldom employ random sampling and other research methods capable of producing results that are scientifically valid and applicable to society as a whole. This condition is the consequence of unclear or imprecise definitions of computer crime and categorizations of offenses and offenders, the unwillingness on the part of many computer crime victims to reveal successful attacks on their information systems, the lack of criminologists specializing in computer crime issues, and a general lack of federal government funding for computer crime research.

Three basic ways of estimating the prevalence of computer crime are victimization surveys, self-report (offender) surveys, and crime reporting systems such as the Uniform Crime Report (UCR) system, which is operated by the Federal Bureau of Investigation (FBI) with voluntary participation of state and local law-enforcement agencies. None of these methods has been systematically and consistently used within the United States for reporting computer crime occurrences or trends. Congress tasked the Department of Justice to develop categories of cybercrime in 2022.

In 2001, the federal government began considering how best to measure the prevalence and costs of computer crime to businesses in the United States. A pilot Computer Security Survey administered in 2001 and responded to by 198 businesses revealed that 74 percent of the businesses had been victims of computer crimes, and 68 percent of the companies experiencing incidents had losses totaling $61 million. In 2002, 223 organizations surveyed reported $455,848,000 in total financial losses from thefts of proprietary information and financial fraud. The organizations surveyed also reported that their Internet connections and internal systems were the most frequent points of attack. Various high-profile attacks on major businesses throughout the 2000s and 2010s increased awareness of such crimes and led to more preventative efforts, but their frequency and cost continued to rise. According to the Ponemon Institute's 2013 Cost of Cyber Crime Study, overall costs of cybercrime had increased 78 percent from 2004 to 2013, with companies averaging annual cybercrime costs of $11.56 million. A 2013 study by the McAfee computer security company estimated that computer crime cost the US economy $100 billion each year, and about $300 billion worldwide. In 2017, the Ponemon Institute reported the cost of cybercrime had risen 23 percent in 2016, to a cost of $11.7 billion per business worldwide. However, other studies contest these estimates both as too high and too low, reinforcing the problem of collecting accurate data, which hampers effective countermeasures.

Internet auction fraud is a frequent form of computer crime, along with credit- and debit-card fraud, computer intrusions, unsolicited e-mail (spam), and child pornography. The Internet Crime Complaint Center (IC3) found in its 2023 annual report that out of 880,418 total reported complaints in 2023 (causing more than $12.5 billion in losses), the most common were phishing/spoofing, personal data breach, nonpayment/nondelivery, extortion, investment, and tech support scams. Investment scams, business e-mail compromise (BEC), and tech support scams were among the top crime types by reported loss.

The levels of automation in attack tools are increasing as attack-tool developers use more advanced techniques. The number of newly discovered vulnerabilities continues to rise faster than computer security systems can be updated by systems administrators. Attack technologies are designed to bypass typical computer firewall configurations. The rise of cloud computing has also enabled easier hacking and other illegal activities, as the amount of hardware and technical knowledge required to mount a sophisticated attack has decreased. In general, greater public computer literacy and the increasing importance of the online sphere in everyday life have led to an increase in computer crime prevalence and sophistication. The security of the Internet and other systems is interdependent, as it can only be as strong as its weakest point. Attacks against critical information infrastructures are of increasing concern because of the number of organizations and users on the Internet and their increasing dependency on the Internet to perform their daily functions.

Investigation

The investigation, prosecution, and punishment of computer abuse and crime began during the late 1950s as financial transactions and other types of record-keeping by banks were computerized. The first federally prosecuted case of computer crime occurred in 1966; it involved a perpetrator using a computer to manipulate computerized banking records. During the early years of computer crime, many investigators and prosecutors considered the problem to arise mainly in isolated instances in which computers were merely tools being used in innovative ways to commit already well-understood forms of white-collar and financial crimes, such as fraud and embezzlement.

The onset of computer abuse and crime also arose from establishment of the computer hacker subculture, whose participants believed in the “hacker ethic” of unconstrained discovery, exploration, and sharing of information. Although such motives may have been noble in their original intent, they underscored a considerable portion of unauthorized hacking into computer systems and remain a justification for many acts of computer trespassing, software piracy, and illegal sharing of digitized music and film files.

Prosecution

During the 1970s and throughout the 1980s, computers were increasingly used to commit other new forms of computer abuse and crime, including the creation and distribution of digitized child pornography. Fraud and exploitation of children and the elderly by means of computer bulletin boards and online information services were also commonplace during this period, as were traditional types of crimes committed with the aid of computers, such as counterfeiting, robbery, illegal gambling, kidnapping, prostitution, racketeering, drug trafficking, and homicide. Hate crimes and acts of terrorism were also facilitated by the use of computers. As a result, the US Department of Justice published the first Computer Crime Criminal Justice Resource Manual in 1979.

In 1987, the federal government passed the nation’s first Computer Fraud and Abuse Act. The following year, Robert Morris became the first offender prosecuted under this law for releasing an Internet worm program that infected thousands of connected computers in November 1988 and essentially shut down significant portions of the Internet throughout the eastern United States.

In 1989, the Department of Justice published a second edition of its computer crime resource book for criminal justice officials and also explained how state and local law-enforcement officials could go about creating special computer crime investigation and prosecution units. Afterward—and especially after the creation of the World Wide Web and the explosion of new forms of computer crime that ensued—numerous state and local law-enforcement agencies, as well as the federal government, established computer investigation and prosecution units. In 1994, the Computer Crime Prosecution Unit of the Department of Justice published its first set of federal guidelines for searching and seizing computers.

Several professional associations and organizations, such as the international and regional chapters of the High Technology Crime Investigation Association, the Computer Security Institute, and SANS, became instrumental in developing training programs to teach and promote best practices for investigating and prosecuting computer crime, as well as to enhance information-systems security. In 2000, agencies of the federal government, including the Department of Homeland Security, the National Security Agency (NSA), and the National Institute for Standards and Technology, began establishing technical standards and recommending best practices to meet the goals of improved security. These and other government agencies and private associations and organizations now routinely provide updated resource materials at no charge for law-enforcement investigators, prosecutors, and information security professionals. In 2015, following a series of major data breaches against companies such as Target and Sony Pictures, the latter of which was allegedly the work of the North Korean government, President Barack Obama released an executive order that created the first official US program of sanctions aimed at cyberspying and cyberattacks, targeting criminals internationally as well as in the United States. In 2017, the National Conference of State Legislatures reported that at least forty-two states introduced more than 240 bills or resolutions related to cybersecurity in 2017, and at least twenty-eight states enacted legislation that year. By 2024, forty-seven states and the District of Columbia had enacted legislation on this subject.

Despite such capacity-building to prevent and control computer crimes, the international and transnational aspects of investigating and prosecuting computer crimes are immensely complex and problematic for criminal justice officials. No universally accepted body of international law or treaty governing search, seizure, and the admissibility of computer evidence has been established. There are also no universally recognized methods for effecting arrests of offenders beyond US borders or extraditing them back to the United States to stand trial for alleged crimes.

The general requirements for successful investigations and prosecutions of computer crimes do not substantially differ from those for other types of crime. However, greater understanding, curiosity, and technical knowledge about computers and other types of electronic information processing systems are required in some instances. Computer crimes range from offenses that involve little computer usage to those that involve significant usage. Evidence of computer crimes may be testimonial and either tangible or cyber, as well as circumstantial. Human factors surrounding motives, means, and opportunities to commit computer crimes, as well as the skills, knowledge, resources, and access to information systems possessed by perpetrators, also matter from the standpoints of investigating and prosecuting computer crimes.

Investigations of computer crimes are subject to the same rules that govern the search, seizure, and analysis of evidence in other crimes. For example, search warrants are required to search computers for digital evidence of crimes unless exceptional circumstances exist. Ultimately, judges and juries decide on the acceptability and relative value of evidence in cases that go to trial.

Punishment

Depending on the types of computer crimes involved, suspected perpetrators may be charged with either misdemeanor or felony crimes. Adults convicted of misdemeanors are normally subject to punishment of up to one year in jail, fines of up to one thousand dollars, or both. Adults convicted of felony computer crimes may be sentenced to spend more than one year in prison, pay fines greater than one thousand dollars, or both. However, amounts of fines vary among state and federal courts. Other sanctions, such as performing community service and paying victims of crimes financial restitution, may also be imposed.

Early computer criminals typically received light punishments. However, as the number and seriousness of computer crimes increased, courts began imposing more severe sanctions. In an incomplete but regularly updated list of punishments imposed on convicted computer crime offenders, the Department of Justice reported that penalties ranged from five to sixty months incarceration, often combined with fines of thousands or even hundreds of thousands of dollars, depending on the circumstances of the cases.

Bibliography

Baase, Sara. A Gift of Fire: Social, Legal, and Ethical Issues for Computing and the Internet. 4th ed. Upper Saddle River: Prentice-Hall, 2012.

Clifford, Ralph D., ed. Cybercrime: The Investigation, Prosecution, and Defense of a Computer-Related Crime. 3rd ed. Durham: Carolina Academic, 2011. Print.

Grance, T., K. Kent, and B. Kim. Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. Washington, DC: US Dept. of Commerce, 2004. Print.

Himanen, P. The Hacker Ethic and the Spirit of the Information Age. New York: Random House, 2001. Print.

IC3. FBI, Natl. White Collar Crime Ctr., 2022, www.ic3.gov/. Accessed 25 June 2024.

Phillips, Kirsty, et al. "Conceptualizing Cybercrime: Definitions, Typologies and Taxonomies." Forensic Sciences, vol. 2, no. 2, 2022, pp. 379-398. DOI: 10.3390/forensicsci2020028. Accessed 25 June 2024.

"Ransomware." Federal Bureau of Investigation, 2024, www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/ransomware. Accessed 25 June 2024.

Rantala, R. R. Cybercrime Against Businesses. Washington, DC: Bureau of Justice Statistics, 2004. Print.

Stephenson, Peter, and Keith Gilbert. Investigating Computer-Related Crime. 2nd ed. Boca Raton: Taylor, 2013. Print.

"2013: The Impact of Cybercrime." Infosec Institute. Infosec Inst., 1 Nov. 2013, www.infosecinstitute.com/resources/threat-intelligence/2013-impact-cybercrime/. Accessed 25 June 2024.

"The U.S. Is Less Prepared to Fight Cybercrime than It Could Be." US Government Accountability Office, 29 Aug. 2023, www.gao.gov/blog/u.s.-less-prepared-fight-cybercrime-it-could-be. Accessed 25 June 2024.

Zetter, Kim. "Hacker Lexicon: What Is the Computer Fraud and Abuse Act?" Wired. Condé Nast, 28 Nov. 2014, www.wired.com/2014/11/hacker-lexicon-computer-fraud-abuse-act/. Accessed 25 June 2024.