The growing danger from crimes committed against computers, or against information on
computers, is beginning to claim attention in national capitals. In most countries around the
world, however, existing laws are likely to be unenforceable against such crimes. This lack of
legal protection means that businesses and governments must rely solely on technical measures
to protect themselves from those who would steal, deny access to, or destroy valuable
Self-protection, while essential, is not sufficient to make cyberspace a safe place to
conduct business. The rule of law must also be enforced. Countries where legal protections are
inadequate will become increasingly less able to compete in the new economy. As cyber crime
increasingly breaches national borders, nations perceived as havens run the risk of having their
electronic messages blocked by the network. National governments should examine their current statutes to determine whether they are sufficient to combat the kinds of crimes discussed in this report. Where gaps exist, governments should draw on best practices from other countries and work closely with industry to enact enforceable legal protections against these new crimes.
This report analyzes the state of the law in 52 countries. It finds that only ten of these
nations have amended their laws to cover more than half of the kinds of crimes that need to be
addressed. While many of the others have initiatives underway, it is clear that a great deal of
additional work is needed before organizations and individuals can be confident that cyber
criminals will think twice before attacking valued systems and information.
What’s Different About Cyber Crime?
Undeterred by the prospect of arrest or prosecution, cyber criminals around the world
lurk on the Net as an omnipresent menace to the financial health of businesses, to the trust of
their customers, and as an emerging threat to nations’ security. Headlines of cyber attacks
command our attention with increasing frequency. According to the Computer Emergency
Response Team Coordination Center (CERT/CC), the number of reported incidences of security
breaches in the first three quarters of 2000 has risen by 54 percent over the total number of
reported incidences in 1999.
Moreover, countless instances of illegal access and damage around the world remain unreported, as victims fear the exposure of vulnerabilities, the potential for copycat crimes, and the loss of public confidence.
Cyber crimes—harmful acts committed from or against a computer or network—differ
from most terrestrial crimes in four ways. They are easy to learn how to commit; they require few resources relative to the potential damage caused; they can be committed in a jurisdiction
without being physically present in it; and they are often not clearly illegal.
As this report shows, the laws of most countries do not clearly prohibit cyber crimes.
Existing terrestrial laws against physical acts of trespass or breaking and entering often do not
cover their “virtual” counterparts. Web pages such as the e-commerce sites recently hit by
widespread, distributed denial of service attacks may not be covered by outdated laws as
protected forms of property. New kinds of crimes can fall between the cracks, as the Philippines
learned when it attempted to prosecute the perpetrator of the May 2000 Love Bug virus, which caused billions of dollars of damage worldwide.
Effective law enforcement is complicated by the transnational nature of cyberspace.
Mechanisms of cooperation across national borders to solve and prosecute crimes are complex
and slow. Cyber criminals can defy the conventional jurisdictional realms of sovereign nations,
originating an attack from almost any computer in the world, passing it across multiple national
boundaries, or designing attacks that appear to be originating from foreign sources. Such
techniques dramatically increase both the technical and legal complexities of investigating and
prosecuting cyber crimes.
Six weeks after the Love Bug attack, the Philippines outlawed most computer crimes as
part of a comprehensive e-commerce statute. In order to prevent a repeat of the catastrophe that prompted this action, however, the future of the networked world demands a more proactive approach, whereby governments, industry, and the public work together to devise enforceable laws that will effectively deter all but the most determined cyber criminals.
Poor Information Security Reduces the Competitiveness of Nations
In our August 2000 report, Risk E-Business: Seizing the Opportunity of Global E-Readiness, McConnell International rated mid-level economies’ capacity to participate in the digital economy.
In considering nations’ information security, the report evaluated public trust
in the security of information processed and stored on networks in each country. In this context, information security included: an assessment of the strength of legal protections and progress in protecting intellectual property rights, especially for software; the extent of efforts to protect
electronic privacy; and the strength and effectiveness of the legal framework to authorize digital
signatures. The E-Readiness report also examined the existence of legal frameworks to
prosecute cyber criminals, for a predictable environment of strong deterrence for computer crime is critical to the effective protection of valuable information and networks.
Although several countries, particularly in Europe and Asia, were found to have addressed a number of these broader information security factors, few countries were able to demonstrate that adequate legal measures had been taken to ensure that perpetrators of cyber crime would be held accountable for their actions. Overall, nearly half of the countries included in the E-Readiness study were rated as needing substantial improvement in information security. In addition, only a small fraction of countries needing substantial improvement indicated that progress was currently underway.
Victims of recent attacks include: Yahoo, CNN Interactive, Amazon.com, eBay, Datek Online, E*Trade, ZDNet, and Buy.com.
Outdated laws and regulations, and weak enforcement mechanisms for protecting
networked information, create an inhospitable environment in which to conduct e-business
within a country and across national boundaries. Inadequate legal protection of digital
information can create barriers to its exchange and stunt the growth of e-commerce. As
e-business expands globally, the need for strong and consistent means to protect networked
information will grow.
The Cyber Crime Laws of Nations
Based on its findings in the E-Readiness study, and in the wake of the Philippines’
inability to prosecute the student responsible for the “I Love You” virus, McConnell
International surveyed its global network of information technology policy officials to determine
the state of cyber security laws around the world. Countries were asked to provide laws that
would be used to prosecute criminal acts involving both private and public sector computers.
Over fifty national governments responded with recent pieces of legislation, copies of
updated statutes, draft legislation, or statements that no concrete course of action has been
planned to respond to a cyber attack on the public or private sector. Countries were provided the opportunity to review the presentation of the results in draft, and this report reflects their
Countries that provided legislation were evaluated to determine whether their criminal
statutes had been extended into cyberspace to cover ten different types of cyber crime in four
categories: data-related crimes, including interception, modification, and theft; network-related
crimes, including interference and sabotage; crimes of access, including hacking and virus
distribution; and associated computer-related crimes, including aiding and abetting cyber
criminals, computer fraud, and computer forgery.
Thirty-three of the countries surveyed have not yet updated their laws to address any type
of cyber crime. Of the remaining countries, nine have enacted legislation to address five or
fewer types of cyber crime, and ten have updated their laws to prosecute against six or more of
the ten types of cyber crime.
The countries evaluated are:
Albania, Australia, Brazil, Bulgaria, Burundi, Canada, Chile, China, Cuba, the Czech Republic, Denmark, Dominican Republic, Egypt, Estonia, Ethiopia, Fiji, France, Gambia, Hungary, Iceland, India, Iran, Italy, Japan, Jordan, Kazakhstan, Latvia, Lebanon, Lesotho, Malaysia, Malta, Mauritius, Moldova, Morocco, New Zealand, Nicaragua, Nigeria, Norway, Peru, Philippines, Poland, Romania, South Africa, Spain, Sudan, Turkey, United Kingdom, United States, Vietnam, Yugoslavia, Zambia, and Zimbabwe.
Finally, of the 33 countries with no updated laws in place, 13 indicated that progress toward the adoption of updated legislation to combat cyber crime is underway. Seven of these 13 countries are in Africa or the Middle East, indicating that, although these regions have not yet adequately addressed the issue of cyber crime, many countries are aware that action is needed.
Law Is Only Part of the Answer
Extending the rule of law into cyberspace is a critical step to create a trustworthy
environment for people and businesses. Because that extension remains a work in progress,
organizations today must first and foremost defend their own systems and information from
attack, be it from outsiders or from within. They may rely only secondarily on the deterrence
that effective law enforcement can provide.
To provide this self-protection, organizations should focus on implementing cyber
security plans addressing people, process, and technology issues. Organizations need to commit
the resources to educate employees on security practices, develop thorough plans for the
handling of sensitive data, records and transactions, and incorporate robust security technology--
such as firewalls, anti-virus software, intrusion detection tools, and authentication services--
throughout the organizations' computer systems.
These system protection tools--the software and hardware for defending information
systems--are complex and expensive to operate. To avoid hassles and expense, system
manufacturers and system operators routinely leave security features “turned off,” needlessly
increasing the vulnerability of the information on the systems. Bugs and security holes with
known fixes are routinely left uncorrected. Further, no agreed-upon standards exist to
benchmark the quality of the tools, and no accepted methodology exists for organizations to
determine how much investment in security is enough. The inability to quantify the costs and
benefits of information security investments leaves security managers at a disadvantage.