Computer Crime: Hard to Prove, Prosecute
When it comes to data diddling, logic bombing, malicious hacking and other everyday forms of computer crime, there is no lack of laws on the books.
Even that most sexy, state-of-the-art technological curse, the computer virus, may well be addressed--if not specifically cited--in state and federal criminal statutes, experts say.
Successful prosecutions, however, are a different story, tending to decrease dramatically as the sophistication of the electronic misdeed increases.
“There are a lot of hairy evidence questions with computer crimes,” said Jack Bologna, head of the International Assn. of Computer Crime Investigators. “Documentation today is different than when you had a complete paper trail. . . . It is now possible to cause a computer crime in which you destroy all the evidence.”
Or, in the case of a virus, infect the legal system with a dizzying logistical nightmare, a side effect of the rogue program that earlier this month paralyzed 6,000 computers coast-to-coast connected to the Pentagon’s ARPANET research system.
The FBI is now studying four separate federal criminal statutes to determine whether to prosecute Robert T. Morris Jr., the 23-year-old Cornell University graduate student said to have created the virus that madly replicated itself across the vast network of military and university computers.
“Because of the complexities of computer viruses and the questions of access and showing intent, it becomes a very complex area to be investigating,” FBI spokesman Michael Drake said.
Rep. Wally Herger (R-Calif.) intends to reintroduce his Computer Virus Eradication Act of 1988, which failed to make it out of the House Judiciary Committee this year. The bill calls for a maximum 10-year prison term for anyone who knowingly inserts commands into a computer program that will cause “loss to users of a computer on which such program is run.”
While Morris’ technology may be up to the minute, the act is only the latest in a long line of mischievous computer misdeeds dating back to the era of the Univac.
Through the years, the typical high-tech heist has involved a felonious computer programmer rigging a computer system--in industry parlance, data diddling--to re-route funds to his wallet or an overseas bank account. While no firm figures are available, industry estimates of the cost of computer crime nationwide range from $200 million to $5 billion a year.
$10 Million Stolen
Traditionally, computer thieves have been tried under ordinary grand theft and fraud sections of state criminal codes.
In one such case 10 years ago, Los Angeles computer analyst Stanley Mark Rifkin used his knowledge of a secret fund transfer code to impersonate a bank officer and steal $10.2 million from Security Pacific National Bank. Rifkin received an eight-year prison term.
In the early 1980s, the state of the law changed to catch up with the state of the art. By then, silicon chips and affordable home computers had replaced punch cards and glowing vacuum tubes--and money was no longer the sole objective of computer crime. Youthful hackers, more interested in secret information than easy cash, could sit in their bedrooms and attempt to dial into sensitive computer systems to steal data or to alter the contents.
In 1983, the film “WarGames” capitalized on the trend. In the slick thriller, a high school hacker almost triggered World War III after trespassing by telephone into a national defense computer system.
As moviegoers rushed to the box office, politicians nearly trampled each other in their haste to codify crimes involving electronic trespassing.
Within a year, the federal government and 20 individual states had enacted computer crime statutes. Now 48 states, including California, and the federal government--which updated its 1984 law via the 1986 Computer Fraud and Abuse Act--boast such laws.
The National Center for Computer Crime Data, in a 1986 survey, reported the filing of 75 cases under state statutes, ranging from thefts from bank automated teller machines to the destruction of computer files by sophisticated hackers.
Five-Year Sentence
In one of the few cases filed thus far under the federal computer act, Barbara Coleman, the sister of state Sen. Diane Watson (D-Los Angeles), was sentenced to five years in prison last March for her part in programming a Southern California defense contracting center’s computer in order to embezzle $9.5 million from the Department of Defense.
An overwhelming majority of cases that reach the judge result in convictions, said the computer crime center’s director, Jay BloomBecker. But most computer crimes, BloomBecker added, are never prosecuted, either because of a lack of sufficient evidence or because embarrassed victims, usually major commercial firms, decline to notify authorities that they have been ripped off.
As yet, BloomBecker said, there have been no prosecutions of computer viruses, which began infiltrating computers across the nation about 18 months ago.
That may soon change.
While FBI agents in Washington investigate the Morris case, county prosecutors in Seattle are considering filing action against the suspects in another case of a benign virus that wormed its way into floppy disks on the production line of a Seattle software manufacturer last spring.
Both cases, authorities concede, are fraught with legal problems.
When young Morris allegedly unleashed his virus from a computer at Cornell, he apparently did not intend for it to rapidly replicate, tying up the memory capacities of computers plugged into the network, thus preventing them from conducting their normal tasks.
But replicate it did, and the cost in computing time lost and man-hours necessary to cure the virus could total tens of millions of dollars, according to some analysts.
Little Liability
Yet if Morris intended no harm, government attorneys privately concede, his only liability under the federal computer crime law might be a misdemeanor for using a government computer without authorization. The maximum penalty for such an offense would be a year in jail.
And even then, a prosecution could be tough, because Morris, unlike some young hackers who have been prosecuted in the past, had basic access rights to the ARPANET network. Furthermore, as pointed out by John M. McAfee, chairman of the Computer Virus Industry Assn., a group that helps ferret out viruses, “Bob himself did not get access to the 6,000 machines. It is the program that did.”
In the Seattle case, a rogue program, which flashed a “universal message of peace” on the screens of affected Apple Macintosh computer users--but also apparently caused some computers to crash--was allegedly launched by the publisher of a Canadian computer magazine.
A senior county prosecutor reviewing the case says it raises difficult questions concerning cost effectiveness and extradition.
“In a typical crime, you have all your witnesses in the same county,” said Ivan Orton of the King County district attorney’s office. “But you get something like this . . . where a virus is disseminated through an electronic bulletin board . . . and that puts witnesses in several places.
“Then you must weigh how to spend the public’s money. Should you bring in 20 witnesses at $1,000 each where there may be $500 of measurable damage but serious aggravation and inconvenience? That’s one of the things going into the decision on whether to prosecute.”
Besides the logistical questions, many computer crimes pose baffling evidentiary problems not found in more typical criminal investigations that involve fingerprints and auditing ledgers.
“With a computer crime, you can’t just call up the desk sergeant and ask for a theft investigation,” said Los Angeles Police Detective James Black, who heads the department’s two-officer computer crime unit.
“A lot of times you have system logs and automated trails built into the computer, but all that tells you is that an event occurred and that possibly in some cases a particular password did it. But it’s not like fingerprints. If passwords are shared as a convenience among employees, then the password by itself means nothing.”
A case in point is the 1985 sabotage of a central computer at the Los Angeles Department of Water and Power headquarters, in which a so-called “logic bomb” rearranged key data, making it temporarily inaccessible.
Investigators found the program for the bomb in a disgruntled employee’s password-protected computer file, according to Deputy Dist. Atty. Stephen Plafker. But that wasn’t enough evidence to lodge charges.
“People pass their passwords around,” Plafker explained. So “to prove beyond a reasonable doubt who put the logic bomb in the computer is a very difficult thing to do unless the suspect admits it.
“It’s not a lack of law that stops these prosecutions. They are just inherently difficult to prosecute.”
Light Penalties
Even when malicious hacking prosecutions prove successful, the penalties assessed are often minor.
In 1985, a 21-year-old UCLA computer whiz was successfully prosecuted for illegally tapping into the ARPANET system and tampering with others users’ files.
The same year, a job-weary computer programmer was convicted of placing a “logic bomb” in the computers of Collins Foods International Inc., a Los Angeles firm that owned and operated more than 200 Sizzler steakhouses and Kentucky Fried Chicken franchises.
(If the program had been activated, Black said, the firm would have lost track of its payroll and of “how many chicken wings they were going to have to send out.”)
In both cases, the defendants were sentenced to probation and ordered to perform several hundred hours of community service.
“That’s basically what the hackers have been getting--a slap on the wrist,” said Hal Tipton, who heads the Information Systems Security Assn.
Donn Parker, head of security at the SRI International research and development firm in Menlo Park, declared that in the current ARPANET case, “it is extremely important that very harsh action be taken against the perpetrator.”
“If he gets his hands slapped, then we’re in big, big trouble,” said Parker, who is regarded as the dean of American computer security experts. “There are 50,000 hackers and computer science students out there eagerly watching what will happen.”
