Cybercrime in the United States

Select network

                   

Cybercrime in the United States is an entirely new domain of criminal activity that the world has little experience in combating. There is a unique interplay of law that occurs between the real and virtual worlds, and it is clear that there is a remarkable difficulty in resolving the tensions that arise from differences between cyber and physical crimes. This sample essay from one of the top writers at Ultius discusses the growing threat of cybercrime in this country.

Cybercrime in the United States

Introduction

Cybercrime is a new frontier for legal issues and proves to be difficult for lawmakers to fully comprehend its interplay between the virtual and real world.  As our world is more intricately tied to virtual infrastructure, the legal precedent for dealing with cybercrime is not effective in dealing with the real world consequences. This research project addresses the technological and societal threats that necessitated the need for rapid adoption of cybercrime laws in the United States as well as examples of their application in a variety of incidents. This paper will focus on and examine how the U.S. government has taken reactive versus proactive measures in ensuring the safety of our people, key infrastructure and private sector when it comes to cybercrime. Current legislation and its efficacy with respect to these facets of U.S. society will also be critically analyzed to address why it is important. Inadequate cybercrime laws will be shown to have been responsible for major issues in crimes having to do with intellectual property, national security, fraud, theft and privacy. 

Combating a formidable threat

While technology has paved the way for new ways to communicate, do business and make life easier, it has also opened the doorway for innovative and destructive forms of criminal activity. Mainly, cybercrimes have become commonplace in the world we live in and they are continuing to happen. Various aspects of our society have been impacted by cybercrime:

• Terrorists use the internet to recruit followers and gain funding for malicious projects against first world countries like the United States.
• Criminals engage in cybercrime activity in order to steal from consumers, companies and organizations.

Given the rapid nature of technological development, cybercriminals are continuously innovating and finding ways to circumvent security systems in order to: 

• Pilfer intellectual property
• Access sensitive information
• Access financial records
• Commit identity theft
• View and copy government documents

Nations like the U.S. face a major challenge when it comes to combating cybercrime in all its forms. While the U.S. has been somewhat responsive to the criminal cyber activity that our world is facing, its overall efficacy and legislative implementation rate has been slow and ineffective; consequently, rapid and effective legislation is needed in order to fight against this digital threat. 

Historical overview of cybercrime

While we consider cybercrimes to be a recent phenomenon brought on by the age of the internet and computers, cybercrimes date back to the 19th century. For instance, while the invention of the loom by Jospeh-Marie Jacquard in 1820 was a major milestone for the fabric industry, employees soon felt threatened by the technology’s ability to replace their job. Employees took corrective action by trying to alter the functionality of it so that its usage would be discouraged. In this instance, the first recorded case of cybercrime came to existence. Since then, numerous other instances have led up to the threat that we face today. The proliferation of digital piracy stemming from the rise of Napster and other file sharing and bit torrent web sites marked a high point in the evolution of cybercrime.

AT&T’s historic misfortune.

AT&T was fallen victim to cybercrime on numerous instances, two of the most notable being:

1. In 1971, AT&T found out the hard way that their call network could be exploited by using the tones found inside Captain Crunch cereal boxes. John Draper built a device called a “blue box” that gave users the ability to place long distance calls without having to pay the company. Surely, this was a serious incident that set a precedent for hobbyists and technical experts to exploit other systems that were vulnerable.
2. In 1981, Ian Murphy circumvented network security of the company servers in order to change billing times so that people could pay less during normal business hours.

Other instances reflected how financial institutions were targets for cyber fraud.

Banking under attack

The threat of cybercrime came to prominence when major financial institutions started getting compromised. For instance, 1973 featured cases where bank tellers utilized computers in order to embezzle millions of dollars. Even with the internet company PayPal, hacker embezzled millions of dollars per month while the company was still building its infrastructure (Caulfield, 2011). These major financial institutions were somewhat powerless because they could not easily identify the culprits responsible. Nonetheless, major attacks to key aspects of U.S. infrastructure became commonplace throughout the 1990’s. 

Accountability for cyber security

It is important to consider that the federal government is responsible for cyber security of its own key infrastructural institutions; moreover, it has an obligation to work with the private sector to protect the interests of the American people. As a division within the Department of Homeland Security, the Office of Cybersecurity and Communications is the regulatory agency that ensures the nation’s digital well-being (CS&C). While this agency cannot mandate laws, it does work with other bodies of government in order to help initiate legislation. The agency:

“serves as a 24/7 cyber monitoring, incident response, and management center and as a national point of cyber and communications incident integration” (CS&C).

Crisis response and resolution is a principle objective of this institution. However, the vast scope of cyber security implies that the private sector as well as various non-profit organizations do their part in making sure that American peoples’ interests are being taken into account. While the issue of National security definitely is one of crucial importance, the right to privacy of American citizens has become a hurdle of this task.

Cybercrime legislation

When it comes to initiating legislation, the government is ultimately accountable for efforts to ensure that the laws fall in line with the dangers that we face on a daily basis. Companies and other institutions can only do their part by lobbying and bringing forth support for legislation that they want to get passed. However, many times the interest of the private sector does not fall in line with the people. According to Amitai Etzoni (2011) in Cybersecurity in the Private Sector, while businesses have suffered the greatest losses in terms of monetary suffering, they

“maintain one version or another of a libertarian or conservative laissez-faire approach, basically holding that they are best left alone, not regulated, free to follow their own courses” (p. 59).

Essentially, they manage losses as part of their normal course of business and generally will not publicly support policies that are indicative of more government regulation. Consequently, it is truly up to the federal government to protect the rights and interests of the people against cybercrimes. 

Reactive versus proactive approaches

A major reason for legislative intervention is because the U.S. government and the people have taken reactive measures versus proactive. For example, John Brennan (2012), a Lieutenant Colonel of the United States Army remarked in a report on cyber terrorism that waiting for true disaster to happen is not a good approach:

“…now is the time to coalesce national CT cyber policy, law, and strategy into an effective triumvirate—and not after a “digital mushroom cloud” has appeared on the horizon” (Brennan, 2012, p. 21).

That is, proper safety measures will be much more efficient in reducing cybercrime before it even happens in the first place. On a government level, this has not been the case as the U.S. has been merely keeping up with recent attacks from dangerous organizations like Al-Qaeda and ISIS (Brennan, 2012). However, businesses and individuals have been more conscious of the problem since the early days of the internet. For instance, Niels Provos (2009) argued noted web based attacks heavily range in their scope and severity:

• False downloads
• Malware
• Website redirects
• Social engineering
• Email (Provos, 2009)

Many of these security concerns have been adequately handled by companies and awareness organizations sponsored by the public. 

The current unpreparedness for cybercrime

Unfortunately, there is still a wide gap between the desired security level that people need and the actual scope of the problem. Much of the public is still unaware of the widespread nature of cybercrime and how it affects their lives every day. Fawn Ngo’s (2011) study of cybercrime victimization in Cybercrime Victimization: An examination of Individual and Situational level factors found that most of the subjects were either completely oblivious to the potential threats or had a false sense of security when it came to managing their digital lives in:

• Finance
• Personal health
• Communication

It is the U.S. government’s job to ensure the security and well-being of its citizens, and the results have just fallen short. The reactive approach to cyberdefense, both internationally and domestically, is inefficient and prompts for legislation that will work towards rectifying the root cause of the problem: unpreparedness. 

Inadequate measurement of scope

Given the difficulty of estimating the current ubiquity of cybercrimes, more robust legislation and data accumulation about the problem is the best way to control it. While the Patriot Act has managed to stem some of the problems, it has, in turn, created more backlash than it has offered solutions.  It is a common principle of science, business and logic that something cannot be managed unless it is properly tracked. With cybercrimes, tracking is a major challenge. Chris Kanich, Neha Chachra and Colleagues (2011) argued that one of the major issues with even studying, let alone fighting, criminal cyber activity is that there are so many different channels of exploitation and a lack of documented measurement. This results in outright guessing and sometimes ineffective problem solving techniques. Even successful companies that effectively track cybercrime have difficulty in assigning exact figures and approximations to their losses. Ultimately, understanding the scope of cybercrime would be the first critical step in reducing it for the long-term and with a degree of accuracy. Kanich (2011) strongly lamented that this is not practical without adequate resources:

The operational complexities required to successfully carry out such measurements are significant and rarely documented; blacklisting, payment instruments, fraud controls and contact management all represent real challenges in such studies. (Kanich et al, 2011, p. 1)

Given the unknown scope and nature of cybercrimes in the U.S. and the world, adequate measurement is not available. It's also worth noting how difficult it is to enforce cybercrimes committed outside the U.S. that still have an impact within it. The case of Alexandra Elbakyan, a russian student who made thousands of academic journals available for free online by technically stealing those journals from the publisher that owned them.

Cybercrime law and regulation

The current legislation in place regarding cybercrime prevention is ineffective and subject to superiority by the attacker(s). For instance, the most prominent example of this is on the government level in the Iraq War. Brennan (2012) gave numerous anecdotes where he compared the standard protocol for running defensive maneuvers in cybercrime versus the tangible world: in effect, getting authorization to drop bombs on villages based on speculation requires little due process while any manipulation of enemy computer networks requires direct permission from the Secretary of Defense.

Clearly, there is a serious flaw when it comes to evaluating the risk/reward ratio of using cyber technology to protect the country. There were also many other examples cited by Brennan where potential threats could have been avoided if the government allowed the military more flexibility in terms of using social media, foreign computer networks and resources to protect the country (Brennan, 2012). The current legislation in place for fighting cybercrime and using it as a tool makes it a slow and ineffective process. 

Inherent Dangers of the Internet

Current legislation doesn’t take into account the inherent dangers of the internet and the ability of attackers to exploit it easily. The internet is vulnerable by design and a breeding ground for exploitation. According to Provos (2009),

“unfortunately, the root cause that allows the Web to be leveraged for malware delivery is an inherent lack of security in its design” (Provos, 2009, p. 6).

That is, it was not designed with security and potential abuse in mind. Not only that, but cyber criminals constantly differentiate and adapt their malicious tactics in order to circumvent security efforts:

As a result, academia and industry alike developed effective ways to fortify the network perimeter against such attacks. Unfortunately, the attackers similarly changed tactics, moving away from noisy scanning and concentrating more on stealthy attacks. (Provos, 2009, p. 2)

If the competitive landscape for cyber activity is dynamic, then laws should be dynamic as well. However, legislation that the U.S. uses is ineffective because it does not change and surely doesn’t have the leverage to make a true impact before the damage is done.

DMCA is Ineffective against cybercrime

For instance, while the Digital Millennium Copyright Act (DMCA) of 1998 intended to protect various industries from online privacy and intellectual property theft, it has been ineffective. The music industry was effectively crippled by the likes of companies like Napster and other peer to peer file sharing sites. These applications allowed criminals to steal billions of dollars’ worth of intellectual property from various industries, including publishing, movie production and music.

The DMCA did nothing but assign guidelines that would be broken because of a lack of enforcement and administrative execution (U.S. Copyright Office). Even for companies like Napster that were shut down, the damage had been done by then so it was a moot point. If anything, the DMCA has protected some online piracy sites by expunging them of blame for the actions of their third party users (U.S. Copyright Office). 

SOPAs failure to pass legislation

Even when promising legislation like the Stop Online Piracy Act (SOPA) was up for approval, it did not get passed. The 2011 SOPA initiative sought to protect digital property industries like Hollywood by making clear, meaningful laws that would enable them to take more direct legal action (SOPA, 2011). However, even if it had passed, the legislation did not clearly address the international scope of the problem due to its ambiguous nature:

Using existing resources, all training and technical assistance provided by intellectual property attaches appointed under subsection (b), or under other authority, relating to intellectual property enforcement and protection abroad shall be designed to be consistent with the policy and country-specific priorities set forth in the most recent report of USTR under section 182(a) of the Trade Act of 1974. (SOPA, 2011, p. 75)

As interpreted above, exceptions would be made for the laws of different nations where the U.S. may not have a physical presence. While policing international cybercrime is surely a daunting challenge in terms of a comprehensive policy framework, SOPA did not do much to establish a new precedent for the problem. 

Cybercrime is now a matter of national security

Finally, rapid and effective legislation is needed because of the fact that national security and the lives of millions of Americans can be saved. As international terrorist groups such as Isis heavily utilize cyber technology to aid their evil endeavors, the U.S. has been merely playing “catch-up.” For instance, Brennan (2012) cited numerous concerns over the efficacy of the U.S. cyber strategy for combating terrorist attack related activities.

Such activity has only deepened the need for stronger legislation and intervention:

“as Al-Qa’ida and its affiliates and adherents have evolved into much more technically savvy terrorist organizations, their ability to threaten U. S. National Security has likewise increased” (Brennan, 2012, p.1).

The impending danger towards American citizens also reflects the use of underground and digital markets for exchanging goods such as weapons and collaborating on malicious plans. Kanich et al (2011) reported that there are many instances of illegal commerce taking place without regulation or oversight of any kind.

Alternate solutions are needed

As we have seen, the U.S. has posited several solutions to the cybersecurity problem that the country and world is facing. However, current legislation has not been effective in adequately measuring or preventing instances of cyberterrorism, fraud, theft and illegal activity. The most robust solution is rapid legislation that gives the government more leverage to control things.

While we think of cybercrimes in the context of the 21st century and the internet, the first documented case of a cybercrime was in 1820. Since then, there have been many other historical cases where the internet and technological infrastructure has been heavily compromised. AT&T and major financial institutions are early case studies that exemplify the severity of the attacks. Personal information was stolen from the IRS by hackers. Since the 1980’s, more and more pressure has been placed on nations, individuals and companies to adequately protect themselves. Ultimately, the U.S. government is responsible for passing legislation that will mitigate the problem. Private companies suffer losses from cybercrimes but are apprehensive to support legislation as it may impede on other rights that they value for making profit.

Mainly, the need for rapid legislation stems from the failure of the current system we have. For example, much of the efforts to mitigate cyber threats have been reactive rather than proactive. The military is just one example where U.S. efforts to combat terror have been compromised through inadequate regulatory policies (Brennan, 2012). As far as consumers and citizens are concerned, Provos (2009) argued that there is very little realization and understanding of the problem when it comes to managing our digital lives; people are more susceptible than they think. Next, the government cannot effectively manage cybercrimes because there are no adequate measurement techniques in place. Kanich (2011) and colleagues cited how even studying cybercrime is a daunting task without the necessary data. This is doubly true for real world applications such as defending critical digital infrastructure. 

Conclusion

Slow response time to cyber threats were also cited as being a major reason for quicker government intervention. The military is another example where certain uses of cyber technology required administrative approval from the Secretary of Defense. This sample essay from Ultius highlights that these tactics have proved to be ineffective and impractical for using technology to combat cyber terror. The inherent dangers of the internet were regarded as a key reason why the current legislation we have is inadequate. Industries that produce digital goods have been under attack for many years and policies like the DMCA and SOPA have not done much to fix the problem before long-term damage was done. Finally, national security was cited as a key reason that the government needs to focus on addressing the cyber threat quickly. As terrorists use technological means to commit murder and actions against innocent people, the U.S. must be more prepared.

Work Cited

Brennan, J. (2012). United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling? USAWC Civilian Research Project , 1, 1-22.

CS&C. (2012). Office of Cybersecurity and Communications | Department of Homeland Security. Department of Homeland Security. 

Caulfield, B. (2011, February 14). Life After Facebook - Forbes.com. Information for the World's Business Leaders - Forbes.com.

Etzioni, A. (2011). Cybersecurity in the  Private Sector. Issues in Science and Technology, Fall, 58-63.

Kanich, C., Chachra, N., & McCoy, D. (2011). No Plan Survives Contact: Experience with Cybercrime Measurement. CSET '11: Proceedings of the 3rd Workshop on Cyber Security Experimentation and Test, August, 1-8.

Ngo, F., & Paternoster, R. (2011). Cybercrime Victimization: An examination of Individual and Situational level factors. International Journal of Cyber Criminology, 5(1), 773-793.

Provos, N., Rajab, M., & Mavrommatis, P. (2009). Cybercrime 2.0: When the Cloud Turns Dark. Association for Computer Machinery, 7(2), 1-8.

U.S. Copyright Office. (1998, December 1). THE DIGITAL MILLENNIUM COPYRIGHT ACT OF 1998. U.S. Copyright Office Summary. Retrieved April 26, 2013

SOPA – U.S. House of Representatives. (2011, October 26). Stop Online Piracy Act. Judiciary Hearings Online. Retrieved April 24, 2013