Computer Crime Research Center

staff/mohamed.jpg

A Critical Look at the Regulation of Cybercrime

Date: May 11, 2005
Source: Computer Crime Research Center
By: Mohamed Chawki

... Thus, the definition of cybercrime under state law differs, depending on the state. Perhaps we should look to international organizations to provide a standard definition of cybercrime.
At the Tenth United Nations Congress on the Prevention of Crime and Treatment of Offenders, in a workshop devoted to the issues of crimes related to computer networks, cybercrime was broken into two categories and defined thus:

‘(a) Cybercrime in a narrow sense: Any illegal behaviour directed by means of electronic operations that targets the security of computers systems and the data processed by them.

(b) Cybercrime in a border sense: Any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession and offering or disturbing information by means of a computer system or network’.

These definitions, although not completely definitive, do give us a good starting point-on that has some international recognition and agreement – for determining just what we mean by term cybercrime. Cybercrime, by these definitions, involves computers and networks. In cybercrime, the “cyber” component usually refers to perpetrating qualitatively new offences enabled by information technology or integrating cyberspace into more traditional activities. Having defined the concept of cybercrime, it becomes necessary to compare it with traditional crime. This involves examination of its characteristics, what makes it vulnerable to being manipulates and reviews the reports that have been conducted on its incidence and the damage it inflicts.

1.1.2 Terrestrial Crime versus Cybercrime
The act of defining crime is often, but not always, a step toward controlling it. That is, the ostensible purpose of defining illegal behaviours as criminals is to make them liable to public prosecution and punishment. Historically, ‘crime’ was addressed at the local, community level of government. Crime was a small-scale, consisting of illegal acts committed by some persons that were directed against one victim. The ‘crimes’, which were consistent across societies; fell into routinized, clearly-defined categories that reflected the basic categories of anti-social motivations: Crime was a murder, it was robbery, crime was rape.
Crime was also personal, if the victim and the offender did not know each other; they were likely to share community ties that put offences into a manageable, knowable context. This principle did not only facilitate the process of apprehending offenders – who stood a good chance of being identified by the victim or by reputation – but also gave citizens at least the illusion of security, the conceit that they could avoid being victimized if they avoided some activities or certain associations. Law enforcement officers, dealt with this type of crime because its parochial character meant investigations were limited in scope and because the incidence of crime stood in relatively modest proportion the size of the local populace. Lax enforcement’s effectiveness in this regard contributed to a popular perception that social order was being maintained and that crime did not go unpunished.
The development in ICTs in urbanization and in geographical mobility under minded this model to some extent. However, it persisted functioned effectively for the most part. Legislators quickly adapted to the fact that ICTs could be used to commit fraud and to harass others. Because, they modified their substantive criminal law to encompass these activities, the old model still functions effectively for traditional real world crime.
Unlike this traditional crime, cybercrime is global crime. As a European Report explains:

‘[c]omputer-related crimes are committed across cyber space and don’t stop at the conventional state-borders. They can be perpetrated from anywhere and against any computer user in the world.’

Some cybercrimes- stalking, say-tend, so far, at least, to be small-scale, single-offender/ single victim crimes, but the world’s experience with cybercrime is still in its infancy and yet large-scale offences targeting multiple, geographically dispersed victims are already being committed.

In order to understand the sea change ICTs introduces into criminal activity, it is important to consider a hypothetical: One can analogize a denial of service attack to using the telephone to shut down a supermarket business, by calling the business’ telephone number repeatedly, persistently without remorse. Thereby preventing any other callers from getting through to place their orders. On such a base, the vector of cyberspace lets someone carry out an attack such as this easily and with very little risk of apprehension, so easy, in fact, that a 13 year-old hacker used a denial of service attack to shut down a computer company. In addition to the increased scale of criminal activity the cybercrime offers, it also has a tendency to evade traditional offence categories. While some of its categories consists of using ICTs to commit traditional crimes, it also manifests itself as new varieties of activity that cannot be prosecuted using traditional offence categories.

The dissemination of the “Love Bug” virus illustrates this. Virus experts quickly traced this virus to the Philippines. Using Information supplied by an Internet service provider, agents from the Philippines’ National Bureau of Investigation and from the FBI identified individuals suspected of creating and disseminating the ‘Love Bug’. However, they ran into problems with their investigation: The Philippines had no ICTs laws, so creating and disseminating a virus was not a crime. Therefore, the law enforcement officers had no hard time convincing a magistrate to issue a warrant to search the suspects’ apartment. Later on the suspected author of the virus could not be prosecuted under the repertoire of offences defined by the Philippines criminal code.

On such a basis cybercrime’s ability to morph into new and different forms of antisocial activity that evade the reach of existing penal law creates challenges for legislations around the world. Criminals have the ability of exploiting gaps in their won country’s penal law in order to victimize their fellow citizens with impunity. Also, cybercriminals can exploit gaps in penal laws of other countries in order to victimize the citizens of those, and other, nations; as the ‘Love Bug’ episode demonstrated, cybercrime is global crime.

1.2 The Scope of the Phenomenon

Knowing how much crime is committed might help us decide on how much to spend on security. Estimates by security experts of annual losses from computer crime range from $ 555 million to more than $ 13 billion, but there are actually no valid statistics on the losses from this type of crime, because no one knows how many cases go unreported. Even when the victims of computer crimes are aware of the crimes, they are usually relocated to report their losses- especially if those losses can be easily hidden. Victims can lose more from reporting crimes than they lose from the crimes themselves. Embarrassment, key staff diverted to prepare evidence and testify, legal fees, increased insurance premiums, and exposure of vulnerabilities and security failures can all result from reporting computer crime incidents.

However, the results of national surveys bear out the picture that cybercrime is consistently and dramatically on the increase. One of the famous cited national surveys for the United States is the ‘Computer Crime and Security Survey’ conducted by the Computer Security Institute with the participation of the San Francisco branch of the Federal Bureau of Investigation’s Computer Intrusion Squad. The CSI/FBI survey which has been conducted in 2004 – reports the results questionnaire administrated to 494 computer security practitioners in U.S corporations government agencies, financial institutions, medical institutions and universities. One area the survey explores is security breaches; the questionnaire asks the respondents if they have experienced breaches of information security in the last year. The percentage of the respondents answering that their organization experienced unauthorized use of computer systems in the last 12 month declined to 53 percent, the smallest percentage since this question first appeared in the survey in 1999. Moreover, the percentage of respondents answering that there was no unauthorized use of their organization’s computer systems increased to 35 percent as the respondents not knowing if such unauthorized use occurred dropped to a low of 11 percent.

The year 2004 showed the lowest percentage (12 percent) of respondents estimating that organization experienced more than ten computer security incidents during the past year. The survey provides a visual demonstration that attacks of computer systems or misuse of these systems has been slowly, but fairly steadily decreasing over many years in nearly all categories. In fact, there has been a dramatic drop in reports of system penetrations, insider abuse and theft of proprietary information.
Data from other countries reveal similar trends. According to a November 2000 report from the United Kingdom:

Full article - http://www.crime-research.org/library/Critical.doc (371 Kb)
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo