Government Threats
The most significant threat the government poses in the realm of illegal activity is the lack of intervention that governments around the world have made in cybercrime. Even though several laws that have passed in some countries, such as the U.S. and Australia, and in Europe have made progress, the average consumer is still faced with threats to her privacy and security on many fronts with little or no help from law enforcement agencies. The right to anonymity in the online world is, of course, desired by everyone, but this anonymity does help criminals hide their activities from the average consumer. Government intervention is slowly making its way into cybercrime cases, such as when U.S. courts have issued rulings requiring chat rooms or e-mail forums to reveal the names of people who have posted anonymous messages. However, some of these cases have been overturned, and the government must find its way through new precedents every time a cybercrime case is brought into court.
As we have seen in recent international cases, such as with the Russian hackers in 2001 who stole bank information, extraditing criminals for cybercrimes is next to impossible. The FBI estimates that more than one million credit card numbers have been stolen from e-commerce Web sites in 2000 and 2001 from hacker groups in Russia and the Ukraine. The FBI's National Infrastructure Protection Center (NIPC) was the main task force in tracking these thefts. The two alleged network intruders, identified as 20-year-old Alexey Ivanov and 25-year-old Vasiliy Gorshkov, were recently indicted on counts of conspiracy, wire fraud, and violations of the Computer Crime and Abuse Act. The FBI and Department of Justice got a lot of information about the Russian and Ukrainian hacking of U.S. sites during this investigation. The FBI could not extradite the hackers, so it had to lure them to the U.S. with job offers and then arrest them. The great lengths the FBI had to go to to arrest these hackers is evidence of the weak cooperation between countries in tracking down hacking incidents.
Government-Sanctioned Hacking
A new threat facing consumers in an indirect way is hacking between governments. This type of illegal activity has become widely known within the past year based on a number of viruses, worms, and hacking groups that can be traced back to specific countries. The incident of the Russian hackers was not tied to the government, but it does display a lack of action on the part of many governments around the world to suppress illegal cybercrime activity. Some of the most dangerous worms and viruses have been linked to China in recent cases. The Code Red worm in July and August 2001 is estimated to have caused about $2.6 billion of damage and is linked to Chinese hackers. In other recent cases, Chinese hackers have attacked U.S. government information systems, including the White House and U.S. embassies around the world, in the new war in cyberspace. Chinese military writings have announced that the People's Liberation Army is developing information warfare capabilities designed to attack and destroy technology and communications systems. The FBI's NPIC has sent out alerts based on the monitoring of Chinese Web sites and chat rooms that are proponents of denial-of-service and e-mail attacks and disruptions of service against what they perceive as anti-Chinese governments and Web sites.
In most cases, a government does not take responsibility for such hacker attacks. Also, many governments do not attempt to stop such hackers, and some even covertly fund or assist in such attacks. The problem with tracking such connections between governments and hacker groups is the anonymity that we cherish with Internet use. In one case, Web sites for the U.S. Department of Health and Human Services, the Department of Labor, and the White House Historical Society were defaced with images of the Chinese flag and Weng Wei, the Chinese pilot who died in a crash between an American plane and a Chinese plane. A survey by the Web site China.com that found 85% of respondents were in favor of organized attacks against the United States.
By no means is it just China that has hackers targeting other countries. Numerous Chinese Web sites have been vandalized by American hackers in retaliation of Chinese hacking, and the U.S. has made no concerted effort to track these attackers.
Hacker Prosecution
As hacker attacks increase, the U.S. government is slowly making progress in prosecuting hackers who steal personal information. Table 5.4 shows a number of cases that are in the process of being tried.
| Computer Crimes Case Chart[1] | Interest Harmed[2] | Estimated Dollar Loss | Target[3] | Perpetrator Charged?[4] | Geography | Punishment[5] |
|---|---|---|---|---|---|---|
| U.S. v. Osowski (N.D. CA) August 20, 2001 | C | 6.3M | Private | No | TBD | TBD |
| U.S. v. Ivanov III (E.D. CA) August 16, 2001 | C, I, A | Unknown | Private | Yes | TBD | TBD |
| U.S. v. Turner (N.D. OH) August 7, 2001 | C, I, A | Unknown | Public | No | TBD | TBD |
| U.S. v. Diekman II (C.D. CA) August 1, 2001 | — | Unknown | Private | No | TBD | TBD |
| U.S. v. Carpenter (D. MD) July 24, 2001 | C, I, A | Unknown | Private | No | TBD | TBD |
| U.S. v. Brown (N.D. OH) July 6, 2001 | C, I, A | Unknown | Private | No | TBD | TBD |
| U.S. v. Ivanov II (C.D. CA) June 20, 2001 | C, I, A | Unknown | Private | Yes | TBD | TBD |
| U.S. v. McKenna (D. NH) June 18, 2001 | C, I, A | 13K | Private | No | 6-month sentence; pay $13,000 | |
| U.S. v. Oquendo (S.D. NY) June 13, 2001 | C, I, A | 60K | Private | No | 27-month sentence; pay $96,000 | |
| U.S. v. Ivanov (D. CT) May 7, 2001 | C, I, A | Unknown | Private | Yes | TBD | TBD |
| U.S. v. Sullivan (W.D. NC)V April 13, 2001V | I, A | 100K | Private | No | 24-month sentence; pay $194,000 | |
| U.S. v. Morch (N.D. CA) March 21, 2001 | C | 5K | Private | No | 36 months probation | |
| U.S. v. Ventimiglia (M.D. FL) March 20, 2001 | I, A | 209K | Private | No | 60 months probation; pay $233,000 | |
| U.S. v. Dennis (D. Alaska) January 22, 2001 | A | Unknown | Public | No | 6-month sentence; pay $5,000 | |
| U.S. v. Sanford (N.D. TX) December 6, 2000 | C, I, A | 45K | Private | Yes | Yes | 60 months probation; pay $45,000 |
| U.S. v. Torricelli (S.D. NY) December 1, 2000 | C, I | Unknown | Private, public | Yes | TBD | TBD |
| U.S. v. Diekman I (C.D. CA) November 7, 2000 | C, I | 23K | Public | No | TBD | TBD |
| U.S. v. “cOmrade” (S.D. FL) September 21, 2000 | C, A | 41K | Public | Yes | 6-month sentence | |
| U.S. v. Gregory (N.D. TX) September 6, 2000 | 1.5M | Private | Yes | 26-month sentence; pay $154,000 | ||
| U.S. v. Zezov et al. (S.D. NY) August 14, 2000 | C | Unknown | Private | Yes | TBD | TBD |
| U.S. v. Lloyd (D. NJ) May 9, 2000 | I, A | 10M | Private | No | TBD | TBD |
| U.S. v. Davis (E.D. WI) March 1, 2000 | C, A | Unknown | Public | Yes | 6-month sentence; pay $8,000 | |
| U.S. v. Iffih (D. Mass.) February 23, 2000 | C, A | Unknown | Public | No | TBD | TBD |
[1] Colloquial case name (district), press release date
[2] Confidentiality = C; Integrity = I; Availability = A
[3] Private, public, or threat to public health or safety
[4] Juvenile, group, or international
[5] Sentence; fine, forfeiture, or restitution
The appropriate legislation is not in place to address all these cases. Legislators have been notorious for falling behind in addressing the way technology has affected criminal activity; they hope to apply the same old laws to attacks from cybercriminals. Urging companies to be more vigilant and implement security measures has failed in addressing new attacks against consumers and businesses as is proven by the numerous cases that go to trial and never send anyone to jail, or the numerous cases that can't even make it to court because the laws being broken are too vague or do not exist.
The U.K. is one of the few countries that has passed reasonable laws against hackers. In 2000, the U.K. passed the Terrorism Act of 2000; if a hacker endangers the life of the public through breaking into a computer system, he will be deemed a cyberterrorist and punished under the anti-terrorism law as a normal terrorist would be. The police can interpret how violent the break-ins are and whether they are terrorist acts. The U.S.-based Center for Strategic and International Studies (CSIS) warns that there could be a future cyberarms race, and the rise of terrorist groups will be Internet criminals. As we saw recently in the attacks on the World Trade Center, terrorists are using Internet message boards, Web sites, and encrypted data and images to transmit information to their people all over the world. The ease of use and availability of Internet communications helps businesses as well as terrorists. It would be easy for terrorists to learn hacking skills and then attack power utilities or other Internet-capable businesses that can have a dramatic impact on public safety.
Most countries make it illegal to hack through one law or another, but the lack of cooperation between countries enables political hacking to grow and become more detrimental. Subtle encouragement by some countries will definitely promote hacktivism in the future. It's easy to see how a company, becoming tired of being attacked by another country's hackers would launch an attack because it can't get any help from foreign governments. One company that did just that was the California ISP Conxion. It launched its own denial-of-service attack against hackers in mid-2001. Just detecting and securing your own sites might no longer be enough when governments and politically motivated groups become involved in hacking. Because laws do not currently provide the relief many people and businesses need, counter-hacking, which is as illegal as hacking, will be turned to as an alternative to getting attacked on a daily basis.