Countering the cyber-crime threat.

• Author: Yang, Debra Wong
• Position: Twenty-First Annual Survey of White Collar Crime

In these early years of the 21st century, we continue to live in the Information Age--an age when our economy's greatest assets are not steel and coal, but ideas and their practical applications. (1) We have been able to exploit this intellectual capital more effectively in large part due to the widespread use of computers, (2) which has enabled businesses to manipulate their intellectual property with greater ease and to buy and sell physical products with greater efficiency over the Internet. Our economy's reliance on computers has created a concomitant vulnerability, however. A person seeking to harm a business in this day and age does not aim his attacks at the company's physical assets; instead, he takes aim at its computers. (3)

Not surprisingly, criminal and other harmful acts aimed at computers--so-called "cyber-crimes"--are on the rise. (4) Recent surveys indicate that anywhere from 25% to 50% of American businesses have detected some sort of security breach in their computer networks in the past year. (5) The losses caused by these breaches are more pernicious and far reaching than one might initially think. The damage caused by a single computer intrusion typically entails more than the cost of repairing the compromised data or system, as news of the intrusion may adversely affect the company's "market capitalization or consumer confidence." (6) This is one of the reasons why companies routinely fail to report cyber intrusions, including to the authorities. (7) Despite the absence of precise data, however, most observers agree that "computer crime causes enormous damage to the United States economy." (8)

The prevalence and increasing prominence of cyber-crime has not escaped the notice of the President or the Congress. In 2003, the White House released its National Strategy to Secure Cyberspace. (9) In 2004, the United States Department of Justice Task Force on Intellectual Property issued its Report, and detailed the Justice Department's roadmap for combating crimes involving trade secrets and other intellectual property often stolen or distributed over computer networks. (10) The Federal Bureau of Investigation has made cyber-crime a top priority. (11) More recently, the House of Representatives passed a resolution acknowledging the "increasing threat of malicious attacks" through computer intrusions. (12) Congress also enacted the Family Entertainment and Copyright Act of 2005, which made it a felony to use a computer to upload previously unreleased movies, games and software onto the Internet. (13) Among other bills, Congress is currently considering legislation that would make it a crime to use a computer to obtain personal information (such as names, social security numbers or credit card information) (14) and legislation that would make it a crime to place software on a computer with the intent to use that computer to commit further crimes. (15)

Despite this much-needed attention, however, and as we discuss in Part I of this Essay, the threat of cyber-crime is still likely to grow in the coming years because of two factors. First, we are seeing an increase in the number of American businesses that are potential victims of cyber-crime. Second, we are beginning to see an upsurge in the number of potential perpetrators. A brief sampling of the cyber-crimes the Justice Department is currently prosecuting demonstrates that this threat is real. (16)

At this time, the debate about how to address this growing threat is still in its infancy. No consensus has yet emerged. Although, as noted above, the federal government has increased its efforts to combat cyber-crime, market forces have remained the primary impetus for sorting out where the burdens and costs of cyber-crime fall. Thus far, they have fallen largely on the victims of cyber-crime--that is, American businesses--which have been forced to absorb the burden of preventing cyber-crime and any subsequent losses stemming from their failure to do so. It is yet to be seen whether this current arrangement is the best for our economy. Fortunately, this arrangement is not permanent. It is now--at this early stage in the debate--when we should ask the twin questions: Where should the onus of fighting cyber-crime and absorbing its costs lie, and what role should the various players play in this calculus?

In this Essay, we address these two questions and, in so doing, examine the possibilities of leaving the burdens of cyber-crime on victim companies, of placing it upon the software and hardware manufacturers, of expanding the role of governmental regulation, and of a combination of all three options. We also propose the considerations that policymakers should examine in choosing among these options. In the end, we postulate that the ultimate response to cyber-crime is likely to be a three-way synergy of all these options.

1. THE GROWING CYBER-CRIME THREAT

   In the coming years, two demographic trends are likely to increase the potential number of cyber-crimes perpetrated against American businesses. First, there is likely to be a greater proliferation in the number and types of businesses that will be potential victims of cyber-crimes. Until the past few years, cyber-criminals typically targeted one of three types of businesses: information brokers, manufacturers and distributors of digital media, and businesses who offered products or services for sale over the Internet. Information brokers, such as credit reporting agencies and data aggregators like ChoicePoint or LexisNexis, are ripe targets for cyber-crime because their databases contain information that provides a treasure trove for identity thieves. (17) Indeed, several states have already acknowledged the prevalence of this more traditional form of cyber-crime by statutorily requiring these database aggregators to report the compromise of information to potential individual victims. (18) The manufacturers and distributors of digital media--most notably, the motion picture, recording, and software industries--have also long been the victims of cyber-crime, typically through the illegal copying and online distribution of their copyrighted content. Each of these industries has resorted to civil lawsuits against downloaders, uploaders, and those who facilitate the distribution (19) and to lobbying Congress for more stringent criminal copyright laws (20) to stave off the billions of dollars in losses attributed to digital piracy every year. (21) The final category of more traditional targets of cyber-crime are businesses who offer their wares for sale over the Internet, and more particularly, on the World Wide Web, where their websites can be defaced or "knocked offline" by a flood of malicious Internet traffic.

   Cyber-crime is no longer confined to targets in these industries, however. No matter what its core product or service, nearly every business in today's economy relies upon computers and computer networks to conduct its daily affairs. (22) It is likely that many of a company's assets--including its trade secrets (23)--are archived on these computer systems. If the company's computer network is accessible to the Internet (or, for that matter, to disgruntled or enterprising but disloyal employees), those assets are subject to cyber-theft. Similarly, companies often store their customers' names, contact information, and payment information in order to facilitate electronic transactions (so-called "e-commerce"). This data is also likely to be stored electronically and, as such, is likely vulnerable to theft or destruction. As a consequence, as the trend toward increased reliance on computers continues, nearly every business will become a potential target of cyber-criminals.

   The second reason why the threat of cyber-crime may loom larger in the coming years is that the number of persons capable of committing or directing others to commit these crimes is likely to increase. Traditionally, the universe of cybercriminals has been limited to persons with the technical knowledge--mastery of computer languages, computer programming, or network architecture--capable of orchestrating what are technically complex crimes. That universe is expanding along two axes. (24) On one axis, the number of technically savvy individuals capable of committing cyber-crimes continues to grow as computers are integrated into our business culture and personal lives. On the other axis, we are beginning to see "enablers"--persons who use their technical expertise to create and then sell to others easy-to-use tools that make it possible for non-technically savvy people to engage in cyber-crime. This secondary market in "cyber-crime tools" is just beginning to emerge.

   The threat of cyber-crime is not an idle one, as the Justice Department's recent experience in prosecuting cyber criminals demonstrates. As anticipated, the victims of cyber-crimes are increasingly diverse--ranging from manufacturers of computer network products to companies that research floods to online search engine companies. (25) This is largely because company insiders familiar with the company's computer networks and the intellectual property assets stored within them are the perpetrators. (26) Employees and former employees of victim--businesses have launched malicious and harmful computer programs on their employer's systems (a so-called "employee hack back"), (27) have stolen the company's trade secrets, (28) or have engaged in extortionate acts by holding the company's network hostage. (29) Although cyber-crime attacks from skilled outsiders continue to plague American businesses, (30) this past year the Department prosecuted the first-ever cyber-criminal who infected thousands of computers with a malicious computer program, effectively turned the infected computers into "zombie" computers capable of responding to any commands, and then sold that "army" of "zombie" computers--which could be used to attack and harm the computer systems of...