The Need for Computer Crime Legislation in Vermont

Regardless of how we as individuals may feel about this, computers, and networks that allow computers to communicate, have become inextricably woven into our society and daily lives. But it is not the computers, per se, that are so valuable to us, but rather the information that they store. Without properly functioning information management and access systems, the national banking network, electric power grid, health care system, national defense, transportation systems, food and water supplies, communications systems — including the Vermont Interactive Television network — emergency services, most businesses, and the government could not survive.

Recognizing the importance of information as a critical resource, and computers as the repositories and access devices to that information, and networks as the avenue by which we access them, the federal government and every state in the nation have enacted computer crime legislation to protect these resources. Every state in the nation — except Vermont [7,12].

In late-November and early-December, 1996, the Milton High School was subject to more than a half-dozen bomb threats, each of which resulted in the loss of a school day (but, thankfully, no explosion). The school experienced what can only be called a "terrorist denial-of-service" attack. What happened there, and subsequently at several other area schools, IBM, and Hannaford's Market, was a crime, both in the moral and legal sense. And after a lull in such events — which made many think that they would happen no more — similar events started again in late 1998 and early 1999.

But consider the impact of an analogous "cyberterrorist" attack. Suppose someone were to walk into a random business and delete all of the files from a corporate computer. That individual may have trespassed on private property but, according to current Vermont law, has committed no other punishable crime. In an even more realistic scenario, suppose an individual breaks into a company's computer systems through that company's own modems; in that case, no crime has been committed at all! Alternatively, a virus can be planted in a company's computer via e-mail, so that the perpetrator does not even have to come into direct contact with any of the victim's resources. As long as the damage done does not exceed a certain amount of money, or does not affect a U.S. government computer, financial or medical records, nuclear secrets, or a short list of other items, no federal law applies and neither the FBI nor the Secret Service has any jurisdiction. In those cases, we are left to Vermont's laws and police agencies.

Vermont has long touted its telecommunications network as an attraction to the "right kinds of businesses" — i.e., service-oriented and light manufacturing rather than heavy industry. These businesses are absolutely dependent upon information and information systems. In the future, they will depend more and more on electronic commerce and electronic data interchange (EDI). As Nicholas Negroponte, head of MIT's Media Lab has observed, companies are increasingly in the business of shipping bits rather than atoms [14]; i.e., trading in information rather than in traditional hard goods.

Vermont currently has many laws that protect against theft, destruction, and vandalism of atoms; we also need such protection for bits. The inability of a potential victim of a computer crime to have legal recourse could send a chill over any potential for large-scale electronic commerce in the state and could adversely affect economic development. Basic computer crime legislation may be particularly important now that some members of the legislature are looking into the creation of Digital Signature legislation, which will be written specifically to aid electronic commerce. Digital signature legislation will be necessary for the long-term future of electronic commerce just as banking laws are essential for banking in the state. And to protect the repositories of digital signature information, basic computer crime statues must be in place.

There are several major types of computer attacks that do not appear to be crimes under current Vermont statutes, including:

• Destruction of program and data files: Destruction of computer files merely means that an intruder destroys information. Even with backup copies of all files, the victim of such an attack has to spend personnel resources and time recovering lost files, not to mention the difficulty in recreating any files that were modified after the last backup was performed. In some cases, the victim's computers and/or network will be unavailable to the employees and customers during the recovery process.
• Theft of program and data files: Theft of information may or may not happen in conjunction with destruction of information; some thieves will merely steal files while others will destroy the victim's files after taking what they want. The theft of information, obviously, can have a severe impact on a victim's continued ability to do business and/or provide services. While destroyed information may be recovered, the loss of information to a competitor or other nefarious individual can place the victim in an impossible situation to continue business. Lost programs and data may represent intellectual property, confidential business records, and/or confidential client records.
• Alteration of program and data files: This is potentially the most devastating case, where an intruder modifies a victim's programs and/or data files. If the victim is unaware of the intrusion, they may deliver the wrong goods, provide the wrong service, deny a student a loan, etc.
• Depositing virus or trapdoor programs: An intruder might attack a system and deposit files rather than remove them. In some cases, intruders have left stolen files on a third-party's system so that other intruders can access them later (using the third-party as an unsuspecting "safe" repository). Some intruders will plant a virus, a program that will attach itself to the host's programs or other executable files with consequences ranging from annoying message displays to destruction of all files on a hard drive. Viruses are reaching epidemic proportions (no pun intended) today [13]; an attacker does not even need access to a victim's system to deliver some kinds of viruses, but can send one in an e-mail message. Alternatively, trapdoor programs provide a mechanism so that an intruder can continue to enter a system, often bypassing the system's own protections.
• Denial-of-service: There are many things that an intruder can do to prevent a company from being able to effectively use their computers and network. For an information-intensive company, this denial-of-service can prevent them from accessing information that they need to do their business and/or prevent them from delivering information to their customers.

One could argue that all computer and network systems should have security in place to protect themselves from these kinds of attacks and, therefore, laws are unnecessary; or, stated another way, "Why should the state protect someone who is too naive or ignorant to implement the correct level of protection?" The response to this line of reasoning is that no security system is perfect and one who purposely attacks another's computer system should be considered a criminal regardless of what the victim has done (or not done) to protect him or herself. The question, in fact, flies in the face of other Vermont laws that make crimes out of acts that could be prevented by the victim. For example, if I forget to lock the front door of my house, and someone enters during my absence and steals something, a crime has been committed, even though I could have prevented it by taking proper actions. Finally, I would simply observe that this "lack of necessity" or "blame the victim" argument is clearly not shared by the federal government nor the other 49 states.

Although I know of no major computer intrusions or data thefts in the state, the threat is real — and such incidents may have already taken place. Companies do not typically advertise these occurrences, partially out of embarrassment but primarily because they do not want to undermine their customers' confidence. A recent Government Accounting Office (GAO) report, for example, suggested that less than 1 in 150 attacks on Department of Defense (DoD) computers were actually detected and reported, and that 65% of attempted attacks on DoD systems successfully resulted in a user gaining unauthorized access [5]; and there is no reason to believe that the statistics are significantly different for businesses, in general. In fact, the vast majority of computer crimes are committed by insiders who have authorized access to the systems [1,7]. The FBI reports that computer crime costs U.S. businesses between $200 million and $5 billion annually [1], suggesting that a) the cost is very high and b) no one really knows how high! Indeed, in March 1997, the FBI again encouraged companies to report computer crimes — but companies in Vermont actually have a disincentive to make such reports in the absence of supportive legislation. Indeed, a white paper on computer crime statistics from the International Computer Security Association [8] seems to confirm the difficulty in accurately assessing the damage done from computer crime.

It is also worth noting that there is no absence of training material for hackers — just go down to the local Barnes & Noble and check out 2600 Magazine or Secrets of a Super Hacker [9]. By the same token, there is no lack of people willing to try breaking into systems at their schools or elsewhere, and the number of books describing such individuals around the world could fill a small library [2,3,4,6,10,11,15,16,17,18].

Finally, acts of computer cracking are not just harmless pranks to be ignored or laughed off. They are, in fact, the training ground for potentially worse damage. Every book describing these activities shows that the big-time attackers were caught or identified at an early stage of their "career" (while the activities were still relatively local) and given either a slap on the wrist or stern warning. Either response resulted in the individual being emboldened to maintain the activity and not make the same mistakes again. And the continued activities can be far-reaching. Attacks on U.S. military and government sites are favorite targets. Attackers on a hospital database in late 1997 changed medical records resulting in several patients receiving chemotherapy for cancers that they did not have. Assaults on NASA in early 1998 were used by a "hacker club" to demonstrate their ability to take down the U.S. electrical power grid and disrupt communication to the space shuttle.

These events and others prompted President Clinton, in a speech early in 1998, to call for a public-private partnership to protect against these kinds of events in the future [19]. The result was the establishment of the National Infrastructure Protection Center (NIPC), a cooperative of federal, state, and local government agencies, the FBI, and the private sector. Their charter can be best understood by this quote from their Web site: "No computer or networked system can be one-hundred percent attack proof and the job of securing a system against an illegal intrusion will never be complete." The lesson here is that all members of the networked community are best served when working in concert.

The bottom-line is this: Vermont needs to join the rest of the country and play an active role in providing basic protections against computer- and network-based crimes. Vermont needs to enact legislation that, quite simply, makes unauthorized access to any computer system or network a crime. Access to, theft of, alteration of, and/or destruction of information; unauthorized storage or alteration of computer files; and any purposeful system or network degradation, including denial-of-service, should have legal consequences.


References

1. Cohen, F.B. Protection and Security on the Information Superhighway. New York: John Wiley & Sons, 1995.
2. Dreyfus, S. Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier. Sydney: Mandarin, 1997.
3. Freedman, D.H. and C.C. Mann. @Large: The Strange Case of the World's Biggest Internet Invasion. New York: Simon and Schuster, 1997.
4. Goodell, J. The Cyberthief and the Samurai. New York: Dell, 1996.
5. Government Accounting Office. INFORMATION SECURITY: Computer Attacks at Department of Defense Pose Increasing Risks. GAO/AIMD-96-84, May 1996. (Also available via the Internet at http://www.gao.gov.)
6. Hafner, K. and J. Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York: Simon & Schuster, 1991.
7. Icove, D., K. Seger, and W. VonStorch. COMPUTER CRIME: A Crimefighter's Handbook. Sebastopol (CA): O'Reilly & Associates, 1995.
8. Kabay, M. E. "ICSA White Paper on Computer Crime Statistics." URL: http://www.icsa.net/knowledge/research/comp_crime.html. Last accessed: 2 March 1998.
9. The Knightmare. Secrets of a Super Hacker. Port Townsend (WA): Loompanics Unlimited, 1994.
10. Littman, J. The Fugitive Game: Online with Kevin Mitnick. Boston: Little, Brown & Co., 1996.
11. _____. The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen. Boston: Little, Brown and Co., 1997.
12. National Computer Security Association. NCSA's U.S. Computer Crime Law Web Pages. URL: http://www.ncsa.com/ncsalaws/. Last accessed: 2 March 1998.
13. _____. NCSA Virus Study. Harrisburg (PA): NCSA, 1996. (Ordering information can be obtained by calling (717) 258-1816 or is available on the Internet at http://www.ncsa.com/virus_study.html. A shorter, less comprehensive NCSA 1996 Computer Virus Prevalence Survey is available on the Internet at ftp://ftp.ncsa.com/pub/httpd-files/ncsavsrv.zip.)
14. Negroponte, N. Being Digital. New York: Alfred A. Knopf, 1995.
15. Shimomura, T. with J. Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw by the Man Who Did It. New York: Hyperion, 1996.
16. Slatalla, M. and J. Quittner. Masters of Deception. New York: Harper Collins, 1995.
17. Sterling, B. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. New York: Bantam, 1992. (URL: http://ice-www.larc.nasa.gov/ICE/papers/hacker-crackdown.html. Last accessed: 23 January 1998.)
18. Stoll, C. The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. New York: Doubleday, 1989.
19. Vistica, G.L. and E. Thomas. "The Secret Hacker Wars." Newsweek, June 1, 1998.

Gary C. Kessler is currently an Associate Professor at Champlain College in Burlington, VT, where he is program director of the Computer & Digital Forensics program. At the time of the initial version of this statement (Dec.,1996), he was a Senior Consultant at BBN Systems & Technologies, where he acted as Program Manager for CommerceNet's Public Key Infrastructure (PKI) and Electronic Data Interchange (EDI) Task Forces, a consortium of over 200 companies involved in electronic commerce over the Internet. At the time the bill was passed into law, he was the Director of Information Technology and Senior Member of Technical Staff at Hill Associates, a telecommunications training firm in Colchester, VT. Gary's other areas of interest include network security, Internet and TCP/IP applications and protocols, ISDN, and fast packet telecommunications technologies. Gary is a well-known writer and speaker in the telecommunications industry, has written two books and over 60 articles, has given talks at many local and national industry conferences. Gary holds a B.A. in Mathematics and an M.S. in Computer Science. More information can be found at his personal Web page at http://www.garykessler.net.

Gary can be reached by 802-879-5242, or via e-mail at kumquat@sover.net.