Criminal Law in Cyberspace computer systems and run them from a remote location. University of California at berkeley's computers were the subject of such an attack-one perpetrated by East German agents. The crime of unauthorized access is one of simply invading another's workspace. Causing harm to the files or programs or using the data improperly are separate crimes There are several different targets for unauthorized access; broadly speaking, they may be categorized as crimes against the government, individuals, and commercial entities. The government has vast information on its computers, ranging from nuclear secrets to defense planning contingencies, from human intelligence to law enforcement information about criminal organizations. The specter of a curious computer geek who gains access to sensitive computers-popularized in the 1983 film"War Games"is not fanciful, as such attacks have successfully occurred on numerous occasions Unauthorized access to such material can pose severe security risks. By contrast, unauthorized access to an individuals personal files presents a different set of harms. These harms are generally harms to privacy, as personal files contain private and intimate thoughts. These thoughts may be as personal as love letters, as banal as grocery lists, or as tragic as unfinished drafts of articles. In any event, the computer thief gains access to that information without permission. A commercial access, by contrast, may place at risk a company's propriety information and trade secrets. There also may be individual privacy interests at stake(such as personnel files), but the interests here will largely be financial ones The different types of targets suggest that different motivations may be at stake for different crimes: to gain financial benefits(copyright theft, trade secrets), to benefit a foreign enemy 49See CLIFFORD STOLL, THE CUCKOO's EGG: TRACKING A SPY THROUGH THE MAZE OF COMPUTER ESPIONAGE (1989) For example, a group dubbed "the phonemasters"broke into MCI and aT&T computers to steal thousands of calling card numbers, and sold the numbers. The numbers eventually wound up in the hands of ltalian organized crime groups. Statement of Louis J. Freeh, supra note 22
Criminal Law in Cyberspace Page 20 49See CLIFFORD STOLL, THE CUCKOO'S EGG: TRACKING A SPY THROUGH THE MAZE OF COMPUTER ESPIONAGE (1989). 50For example, a group dubbed “the phonemasters” broke into MCI and AT&T computers to steal thousands of calling card numbers, and sold the numbers. The numbers eventually wound up in the hands of Italian organized crime groups. Statement of Louis J. Freeh, supra note22 . computer systems and run them from a remote location. University of California at Berkeley’s computers were the subject of such an attack–one perpetrated by East German agents.49 The crime of unauthorized access is one of simply invading another’s workspace. Causing harm to the files or programs or using the data improperly are separate crimes. There are several different targets for unauthorized access; broadly speaking, they may be categorized as crimes against the government, individuals, and commercial entities. The government has vast information on its computers, ranging from nuclear secrets to defense planning contingencies, from human intelligence to law enforcement information about criminal organizations. The specter of a curious computer geek who gains access to sensitive computers–popularized in the 1983 film “War Games”–is not fanciful, as such attacks have successfully occurred on numerous occasions. Unauthorized access to such material can pose severe security risks. By contrast, unauthorized access to an individual’s personal files presents a different set of harms. These harms are generally harms to privacy, as personal files contain private and intimate thoughts. These thoughts may be as personal as love letters, as banal as grocery lists, or as tragic as unfinished drafts of articles. In any event, the computer thief gains access to that information without permission. A commercial access, by contrast, may place at risk a company’s propriety information and trade secrets. There also may be individual privacy interests at stake (such as personnel files), but the interests here will largely be financial ones. The different types of targets suggest that different motivations may be at stake for different crimes: to gain financial benefits (copyright theft, trade secrets),50 to benefit a foreign enemy
Criminal Law in Cyberspace (espionage),to gain personal satisfaction( to spy on a boyfriend or enemy ) to thwart law enforcement (by obtaining identities of informants), to exact revenge(a fired employee who wreaks computer havoc) 3 There may be other targets as well-such as hospitals and research institutions with important If a criminal uses fruits from an unauthorized access, the results may be devastating. Military secrets could be turned over to terrorist rogue states, people's most private thoughts could be placed on the Internet for all to see, a company's most cherished secrets-the formula for Coca-Cola and the like-could be given to rival firms, assets may be shaved off for profit. These are four separate types of activity, but each shares the common nucleus of unauthorized access combined with distribution of the information to others st Chinese military thinking considers computer network attacks an important means for waging warfare. See Economic Cyber Threats: Hearing Before the Joint Economic Comm, 106th Cong(Feb 23, 2000)(statement of Dr. Daniel Kuehl, National Defense University). The Journal of Slavic Military Studies reveals that Russia has also been developing an information warfare capacity. One Russian theorist suggested that the potential"psychological pact on the United States would be huge if the financial markets go down"due to cybercrime. ld. 52PARKER, supra note 19, at 108-09(" The mafia families need computer capabilities for three reasons. First, they engage in large scale business, whether operating a bank in Los Angeles or running drugs in Florida. Therefore, like any large business, they need the computers available to them through their legitimate business holdings. Second, they need computer technology capabilities to engage in crimes against organizations that use computers. Third, national and state or regional governments use computers in their organized crime investigations and prosecution functions. Therefore, crime organizations need a technical capability to attack those powerful tools, which can be so Joshua C Ramo. C the World Wiring for the Future, TIME DIGITAL, Sept. 23, 1996, at 32 (stating that Italian Mafia, Chinese gangs, Russian organized crime, and Columbian cartels are employ ing computer hackers) ICoVE ET AL, supra note 48 at 95 ("Employees of a company are the greatest threat of all typically because of grudges and sometimes due to simple human error. Just as most murders are committed by family members, so too most computer crimes are committed by inside users. PLaura DiDio, A Menace to Society(Computer Viruses may Begin to Take Their Toll in Lives as Well as Dollars) NETWORK WORLD, Feb 6, 1989, at 71, 84( describing how computer virus attacked a large hospital and destroyed 40% of its patient records); Christopher Elliot, Experts to Classify Computer Viruses, DAILY TELEGRAPH, Mar. 10, 1991, at 2 (describing how Italian University lost one year of AIDS research data due to a computer virus) Alternatively, the perpetrators of the theft could blackmail the victim for return of the information. In January 2000, a group of intruders based in the United Kingdom broke into the computer systems of at least 12 multi-national companies and stole confidential files. The group issued ransom demands of up to 10 million British pounds in exchange for the return of the files. Economic Cyber Threats: Hearing Before the oint Economic Comm, 106th Cong(Feb. 23, 2000)(statement of Dr Stephen Cross, Software Engineering Institute)
Criminal Law in Cyberspace Page 21 51 Chinese military thinking considers computer network attacks an important means for waging warfare. See Economic Cyber Threats: Hearing Before the Joint Economic Comm., 106th Cong. (Feb. 23, 2000) (statement of Dr. Daniel Kuehl, National Defense University). The Journal of Slavic Military Studies reveals that Russia has also been developing an information warfare capacity. One Russian theorist suggested that the potential “psychological impact on the United States would be huge if the financial markets go down” due to cybercrime. Id. 52PARKER, supra note 19 , at 108-09 (“The mafia families need computer capabilities for three reasons. First, they engage in large scale business, whether operating a bank in Los Angeles or running drugs in Florida. Therefore, like any large business, they need the computers available to them through their legitimate business holdings. Second, they need computer technology capabilities to engage in crimes against organizations that use computers. Third, national and state or regional governments use computers in their organized crime investigations and prosecution functions. Therefore, crime organizations need a technical capability to attack those powerful tools, which can be so effective in tracking them and their activities.”); Joshua C. Ramo, Crime Online: Mobsters Around the World are Wiring for the Future, TIME DIGITAL, Sept. 23, 1996, at 32 (stating that Italian Mafia, Chinese gangs, Russian organized crime, and Columbian cartels are employing computer hackers). 53ICOVE ET AL, supra note 48 at 95 (“Employees of a company are the greatest threat of all typically because of grudges and sometimes due to simple human error. Just as most murders are committed by family members, so too most computer crimes are committed by inside users.”). 54Laura DiDio, A Menace to Society (Computer Viruses may Begin to Take Their Toll in Lives as Well as Dollars), NETWORK WORLD, Feb. 6, 1989, at 71, 84 (describing how computer virus attacked a large hospital and destroyed 40% of its patient records); Christopher Elliot, Experts to Classify Computer Viruses, DAILY TELEGRAPH, Mar. 10, 1991, at 2 (describing how Italian University lost one year of AIDS research data due to a computer virus). 55Alternatively, the perpetrators of the theft could blackmail the victim for return of the information. In January 2000, a group of intruders based in the United Kingdom broke into the computer systems of at least 12 multi-national companies and stole confidential files. The group issued ransom demands of up to 10 million British pounds in exchange for the return of the files. Economic Cyber Threats: Hearing Before the Joint Economic Comm., 106th Cong. (Feb. 23, 2000) (statement of Dr. Stephen Cross, Software Engineering Institute). (espionage),51 to gain personal satisfaction (to spy on a boyfriend or enemy), to thwart law enforcement (by obtaining identities of informants),52 to exact revenge (a fired employee who wreaks computer havoc).53 There may be other targets as well–such as hospitals and research institutions with important data.54 If a criminal uses fruits from an unauthorized access, the results may be devastating. Military secrets could be turned over to terrorist rogue states, people’s most private thoughts could be placed on the Internet for all to see, a company’s most cherished secrets–the formula for Coca-Cola and the like–could be given to rival firms,55 assets may be shaved off for profit. These are four separate types of activity, but each shares the common nucleus of unauthorized access combined with distribution of the information to others
Criminal Law in Cyberspace Page 22 B Unauthorized disruption Unauthorized disruption is the heart of what most people consider cybercrime. It occurs when an entity, without permission, interferes with the functional ity of computer software or hardware. By now, the lingo is familiar-viruses, worms, logic bombs, trojan horses, and denial of service attacks Viruses A virus is a program that modifies other computer programs. The modifications ensure that the infected program replicates the virus. In other words, the original program(the analog to a healthy cell) is changed by the virus to allow the virus to multiply. Once infected, the program secretly requests the computer's operating system to add a copy of the virus code to the target program. >b Once that computer is connected to another computer, either through the Internet, direct computer connection, or even through a common floppy disk, the virus may spread beyond the original host computer. A virus is not inherently harmful-its harmfulness will depend on the additional codes placed into the virus besides the code for self-replication. Some viruses, however, have caused enormous damage. 7 Worms 'Peter J. Denning, Computer Viruses, in COMPUTERS UNDER ATTACK, 253, 258(Peter J. Denning ed. 1990) A recent example is the Melissa virus, which became famous in March of 1999. Melissa infected its first victim when a reader of the pornographic alt sex newsgroup caught it. Within days of this initial contact, Melissa infected more than one hundred Fortune 1000 companies(and the U.s. Marine Corps). The virus operated by emailing a list fifty recipients received emails with the subject line Important Message From."and the virus automatically filled in of eighty pornographic Web sites to fifty email addresses in the electronic address book of the infected system. The the initial user's name-so that it appeared that the recipient was receiving a message from his or her friend, rather than from the Melissa culprit. The email systems of the fifty recipient computers then were infected, and each passed the virus to fifty additional addresses. When this process was repeated over and over, the number of rected computers increased dramatically. As a result, the virus caused many millions of dollars in damage to computers worldwide; in the United States alone, the virus affected 1. 2 million computers in one-fifth of the country's largest businesses. David Smith pleaded guilty last December to state and federal charges associated with his creation of the Melissa virus. Jim Conley, Germ Warfare, ZIFF DAVIS SMART BUSINESS FOR NEW ECON. June 1 2000.at62
Criminal Law in Cyberspace Page 22 56Peter J. Denning,Computer Viruses, in COMPUTERS UNDER ATTACK, 253, 258 (Peter J. Denning ed. 1990). 57A recent example is the Melissa virus, which became famous in March of 1999. Melissa infected its first victim when a reader of the pornographic alt.sex newsgroup caught it. Within days of this initial contact, Melissa infected more than one hundred Fortune 1000 companies (and the U.S. Marine Corps). The virus operated by emailing a list of eighty pornographic Web sites to fifty email addresses in the electronic address book of the infected system. The fifty recipients received emails with the subject line Important Message From...'' and the virus automatically filled in the initial user's name–so that it appeared that the recipient was receiving a message from his or her friend, rather than from the Melissa culprit. The email systems of the fifty recipient computers then were infected, and each passed the virus to fifty additional addresses. When this process was repeated over and over, the number of affected computers increased dramatically. As a result, the virus caused many millions of dollars in damage to computers worldwide; in the United States alone, the virus affected 1.2 million computers in one-fifth of the country’s largest businesses. David Smith pleaded guilty last December to state and federal charges associated with his creation of the Melissa virus. Jim Conley, Germ Warfare, ZIFF DAVIS SMART BUSINESS FOR NEW ECON. June 1, 2000, at 62. B. Unauthorized Disruption Unauthorized disruption is the heart of what most people consider cybercrime. It occurs when an entity, without permission, interferes with the functionality of computer software or hardware. By now, the lingo is familiar–viruses, worms, logic bombs, trojan horses, and denial of service attacks. 1. Viruses A virus is a program that modifies other computer programs. The modifications ensure that the infected program replicates the virus. In other words, the original program (the analog to a healthy cell) is changed by the virus to allow the virus to multiply. Once infected, the program secretly requests the computer’s operating system to add a copy of the virus code to the target program.56 Once that computer is connected to another computer, either through the Internet, direct computer connection, or even through a common floppy disk, the virus may spread beyond the original host computer. A virus is not inherently harmful–its harmfulness will depend on the additional codes placed into the virus besides the code for self-replication. Some viruses, however, have caused enormous damage.57 2. Worms
Criminal Law in Cyberspace A worm is a stand-alone program that replicates itself. Both worms and viruses self-replicate But a virus requires human action, from downloading a specific file to placing an infected disk in a computer-while a worm uses a computer network to duplicate itself and does not require human activity for transmission. The infamous ILove You bug shares elements of both viruses and worms, it resembled a virus because it bred on a host computers hard drive but was a worm because it reproduced without any additional human input over a network. More than 1 million computers in North America alone received a copy of the bug, and it spread nine times faster than the melissa virus Most companies, including AT&T Corp, Ford Motor Co., and Merrill Lynch Co, shut down their email systems to prevent a spread of the attack, resulting in lost time and productivity. Government agencies were also affected, including the Pentagon, the CIA, Nasa, the Swiss Govemment, Danish Parliament, and the British House of Commons. Investigators traced the Ilove You bug to several S John Snell, Think you've seen computer viruses STAR TRIBUNE (MINNEAPOLIS ) Apr 3, 2000; STOLL, supra note 49, at 341. The ILove You bug was spread primarily through email, but was also transmitted through Internet Chat and company Intranet systems. In general, here is how most users were infected. First, a user would open an email entitled"ILOVEYOU and its attachment, entitled"LOVE-LETTER-FOR-YOUTXT vbs. " Then, as a result, the bug installed itself in the computers system to launch. Once the machine was restarted, the bug spread by mailing itself to everyone in the users e-mail address book, using the popular Microsoft Outlook Express. The bug then overwrote certain files with extensions such as jpg, jpeg, mp3, and, mp2, deleting them and leaving infected copies of the files in the computer. The bug also used the Internet Explorer home page to download a program that stole passwords and mailed them to e-mail addresses in the Philippines. Finally, the bug changed the default home page to one of the four Web pages hosted by skynet. net, a Philippine Internet Service Provider The perpetrators were discovered because one of them, Onel A, de guzman, had proposed a thesis to a professor that had the ability to steal computer passwords. The proposal was rejected because of its immorality This helped link Philippine investigators to de guzman and another primary suspect, Michael Buen. Foolish mistakes by the suspects led investigators to an apartment owned by de guzman sister. The duo posted the password-stealing program on the Web using an Internet service provider in Manila. That service provider, as well as another provider that Guzman and Buen subsequently hacked into, had caller-identification technology, which allowed technicians to quickly pinpoint the phone number. A search of the apartment produced little evidence since the original computers and disks had been removed. See John Schwartz, No Love for Computer Bugs, WASH. POST, July 5, 2000, at Al, Any ldiot Can Make a virus, STRAITS TIMES (Singapore), July 12, 2000
Criminal Law in Cyberspace Page 23 58John Snell, Think you've seen computer viruses?, STAR TRIBUNE (MINNEAPOLIS), Apr. 3, 2000; STOLL, supra note 49, at 341. The ILoveYou bug was spread primarily through email, but was also transmitted through Internet Chat and company Intranet systems. In general, here is how most users were infected. First, a user would open an email, entitled “ILOVEYOU” and its attachment, entitled “LOVE-LETTER-FOR-YOU.TXT.vbs.” Then, as a result, the bug installed itself in the computer’s system to launch. Once the machine was restarted, the bug spread by mailing itself to everyone in the user’s e-mail address book, using the popular Microsoft Outlook Express. The bug then overwrote certain files with extensions such as .jpg, .jpeg, .mp3, and .mp2, deleting them and leaving infected copies of the files in the computer. The bug also used the Internet Explorer home page to download a program that stole passwords and mailed them to e-mail addresses in the Philippines. Finally, the bug changed the default home page to one of the four Web pages hosted by skyinet.net, a Philippine Internet Service Provider. The perpetrators were discovered because one of them, Onel A. de Guzman, had proposed a thesis to a professor that had the ability to steal computer passwords. The proposal was rejected because of its immorality. This helped link Philippine investigators to de Guzman and another primary suspect, Michael Buen. Foolish mistakes by the suspects led investigators to an apartment owned by de Guzman’s sister. The duo posted the password-stealing program on the Web using an Internet service provider in Manila. That service provider, as well as another provider that Guzman and Buen subsequently hacked into, had caller-identification technology, which allowed technicians to quickly pinpoint the phone number. A search of the apartment produced little evidence since the original computers and disks had been removed. See John Schwartz, No Love for Computer Bugs, WASH. POST, July 5, 2000, at A1; Any Idiot Can Make a Virus, STRAITS TIMES (Singapore), July 12, 2000. A worm is a stand-alone program that replicates itself. Both worms and viruses self-replicate. But a virus requires human action, from downloading a specific file to placing an infected disk in a computer–while a worm uses a computer network to duplicate itself and does not require human activity for transmission. The infamous ILoveYou bug shares elements of both viruses and worms; it resembled a virus because it bred on a host computer's hard drive, but was a worm because it reproduced without any additional human input over a network.58 More than 1 million computers in North America alone received a copy of the bug, and it spread nine times faster than the Melissa virus. Most companies, including AT&T Corp., Ford Motor Co., and Merrill Lynch & Co., shut down their email systems to prevent a spread of the attack, resulting in lost time and productivity. Government agencies were also affected, including the Pentagon, the CIA, NASA, the Swiss Government, Danish Parliament, and the British House of Commons. Investigators traced the ILoveYou bug to several
Criminal Law in Cyberspace computer students in the Philippines, but the case was ultimately dropped because the Philippines had no applicable law against viruses or hacking. 3. Logic Bombs Trojan Horses A logic bomb tells a computer to execute a set of instructions at a certain time under certain specified conditions. Those commands could be benign(a nice message from the programmer each ear on her birthday)or damaging( telling the hard disk to erase itself on May day). a logic bomb can lie undetected in software or hardware, ready to be detonated when a series of events unfolds Sometimes the logic bomb will be used to help facilitate an attack in realspace, such as a bank robber who shuts down bank security through software at 3: 00 p. m on any given Friday. Other times it may used to demonstrate someone's displeasure with a particular act, such as using Microsoft Explorer, or using America OnLine to trade tobacco stocks. Infecting software code with a logic bomb is a powerful way to magnify a crime so that its effects are far greater than they would be were the crime committed in realspace. The bomb resides in each version of the software, and millions of copies might be sold, all ready to detonate at a certain time. With a logic bomb, instead of just assaulting one computer, an attacker can reach thousands or even millions at once 62 s9See supra note 2. Another example of a worm was the"Joke"email sent to about 13,000 people in June 2000. This email said it was a joke and when opened, said, this is funny"or funny. When the actual attachment, titled"Life Stages. txt. shs"was opened, the worm spread much like the ILove You bug. The Robert Morris case is another famous example, where a Cornell student launched a worm that ultimately caused major computer havoc. See Ted Eisenberg et al., The Cornell Commission: On Morris and the worm, in COMPUTERS UNDER ATTACK, supra note 56 at253,254 bUMichelle slatalla Quittner, Masters of Deception 75-76(1995) 6 See, e.g., State v. Corcoran, 522 N W 2d 226(Wis. Ct. App. 1994)(computer programmer prosecuted under Wisconsin Computer Crimes Act for inserting code in computer program that erased data when the computers clock reached a specified time, programmer inserted such code to guarantee he would be paid to write program) "STOLL, supra note 49, at 252