What we ... must confront today is an entirely new breed of criminal--one that transcends geographic boundaries or borders with a high degree of stealth and anonymity. We have witnessed the emergence of the professional Cybercriminal, a foe at home and abroad that continuously probes our critical infrastructure for weakness and vulnerability, in order to victimize the American public in a multitude of ways, and profit from our loss.
James M. Sheehan, Special Agent in Charge, Criminal Division, FBI Los Angeles. (1)
The commercial use of the Internet came as an afterthought. The Internet's original designers aimed to create a communication system resilient in the face of a nuclear attack, not a secure network for business and consumer transactions. (2) The widespread use of commodity operating systems and software products delivering rich functionality but lacking security aggravated the problem. (3) Viruses, worms, and hacker attacks caused tremendous damage and made securing Internet communications and Internet-connected computer systems the primary concern of software vendors and information technology ("IT") professionals. (4) A patchwork of technologies and software products emerged to protect computer systems and to make the Internet suitable for commercial use. (5)
By offering an inexpensive global communication medium, the Internet enabled businesses to provide information and deliver innovative products and services to a much wider audience of consumers around the corner or around the world. (6) For retailers, moving mail order business to the Internet expanded their customer base and reduced their costs. (7) The financial industry, especially global banking and financial services companies, quickly recognized and leveraged the tremendous potential of the Internet. (8) Now any customer with an Internet connection can access bank accounts and execute transactions at practically any time and from any location. (9) The customer can use a broadband connection to the Internet, a dial-up, or a satellite link in some remote place or aboard a ship.
Ensuring the security of online transactions, however, is a challenging task. (10) The global nature of the Internet exposes online businesses to attacks by cybercriminals of all types from all over the world. (11) Financial institutions, merchants, and organizations storing data that criminals can exploit for illicit financial gains are among the primary targets. Therefore, these institutions and actors must ensure that their computer systems can withstand attacks of the most sophisticated and skilled intruders, including organized crime syndicates, terrorist organizations, and foreign government agencies. (12) At the same time, it is critically important for American society to secure online transactions, ensure consumer confidence in conducting business online, and protect Americans from being victimized at an increasing rate. (13)
This Comment illustrates how government regulation, criminal justice, private legal actions, and market forces contribute to the security of online transactions. Further, it argues that government regulation aimed at the prevention of cybercrime should be the primary focus of the efforts to improve online security. Part I explains that malicious hackers are becoming an integral part of organized crime and terrorist organizations. Part II provides an overview of various attack schemes used by cybercriminals.
Part III examines industry efforts intended to prevent cybercrimes through technological solutions and raising awareness of information security issues among business leaders, government officials, and consumers. The discussion continues with an overview of private legal actions where plaintiffs attempted to hold business organizations accountable for failing to secure their personal and financial information.
Part IV addresses the role of the government in improving the security of online transactions. In particular, the discussion shows that many cybercrimes were precipitated by an organization's failure to adhere to basic information security principles. Using financial institutions as an example, Part IV also shows how government regulation can force business organizations to maintain adequate security of their computer systems.
Part V provides a discussion of various approaches to securing online transactions. Ultimately, Part V concludes that government regulation and oversight, the deterrent effect of criminal prosecution, and the right to enforce compliance with government-mandated information security standards through private legal action may be the optimal way to improve the security of online transactions and prevent cybercrime.
CYBERCRIME: A GROWING THREAT
Hackers as a Part of Organized Crime and Terror Networks
An inherent lack of security in the Internet architecture and relative user anonymity make the Internet an attractive medium for extortion (14) and crimes involving theft of personal information for illicit financial gain. (15) According to a recent IDG News Service report, hackers have joined forces with organized criminal groups to engage in increasingly sophisticated criminal schemes operated exclusively for profit. (16) Although computer crime experts agree that most computer-related crimes go either undetected or unreported, (17) the Internet Crime Complaint Center recently reported that the total annual amount of losses reported in 2006 was $198 million, compared with $183 million in 2005. (18)
Financial institutions are among the primary targets of cybercriminals. According to recent reports, organized crime groups have offered millions of dollars for help in breaking into financial institutions' computer networks. (19) The FBI has confirmed the existence of organized crime structures in parts of the hacking community, particularly in Eastern Europe, that function as criminal enterprises. (20) In such instances, hackers break into computer systems and steal data, while other individuals sell the data for profit to those who exploit the stolen data in order to gain unauthorized access to credit card, bank, and brokerage accounts of unsuspecting victims. (21) According to industry observers, the market for stolen identities has recently reached one billion dollars. (22)
The most alarming development in the area of information systems security is that terrorist organizations now perceive cybercrimes both as a source of financing for their activities (23) and as a new weapon in their arsenal. (24) For example, according to law enforcement organizations, the Irish Republican Army and the terrorists that plotted the foiled bombing of the Los Angeles International Airport used identity theft to finance their activities. (25) Imam Samudra, the radical Muslim cleric and mastermind of the devastating 2002 Bali bombing attacks that claimed 202 lives, called for fellow Muslim radicals to take jihad into cyberspace and tap into online credit card fraud as a source of funding. (26)
Although some individuals still break into computer systems for fun, bragging rights, or as a prank, they do not pose nearly as much of a threat to the security of online transactions as highly motivated, increasingly sophisticated, well-organized, and well-funded groups of cybercriminals and cyberterrorists. (27)
Hacker Tools for Sale
Contrary to popular belief, most of the attacks perpetrated against computer systems do not require a high level of technical sophistication. (28) Many hacking tools, as well as legitimate computer programs that cybercriminals use for malicious purposes, are freely available for download on the Internet, (29) while more sophisticated tools are offered for sale. (30) According to a recent study by IBM, attacks will likely increase in 2007 because cybercriminals organize networks dedicated to the production and commercial distribution of increasingly sophisticated malicious software ("malware") that is later used in criminal attacks on computer systems. (31) Additionally, Raimund Genes, the chief technical officer ("CTO") of Trend Micro, a security software vendor, contends that the revenue generated by the malware industry exceeded the twenty-six billion dollars earned by legitimate computer security vendors in 2005. (32)
The industrial production of malware will make it much more difficult for IT professionals to stay ahead of hackers in securing computer systems. (33) Gunter Ollmann, the director of security strategy at IBM's Security Systems unit, warned that the criminal malware infrastructure allows cybercriminals to target their attacks and build custom malware to be used against specific organizations. (34) This development increases the risk for high-value targets, such as financial institutions, payment processing companies, and big retailers. (35)
"Zero-day exploits" take advantage of newly discovered security vulnerabilities before software vendors issue patches for their affected products and, therefore, are especially valuable for cybercriminals. (36) In 2006, cybercriminals unleashed zero-day attacks on an unprecedented scale, raising serious concerns in the software development and IT industry. (37) But since it is legal to post information on the Internet about unpatched security vulnerabilities in commercial software products, law enforcement can do little to prevent the creation of code that exploits these vulnerabilities. (38)
The next Section provides a brief overview of attack schemes that cybercriminals use to cripple computer systems and gain unauthorized access to information that may enable them to execute fraudulent transactions.
INFORMATION SYSTEMS SECURITY AND CYBERATTACKS
The primary goals of information system security professionals are to ensure the availability of computer systems and the data stored in them for authorized users, as well as to protect the integrity and confidentiality of the data. (39) Any attack against a computer system...