Infotech and the Law
Hackers Are Evermore, So Tighten the Locks
By James Fontana
USA Today reported recently that a new strain of the Melissa virus has returned. Not to be confused with the first Melissa intruder that caused billions of dollars in damage to computers earlier this year, this latest version has an e-mail message with the subject line "pictures," with an attachment that erases files indiscriminately.
Recently, the FBI reported that a "Bubbleboy," an e-mail-borne computer script that does not require a user to open an e-mail or its attachment to infect the host, has been making its way around cyberspace.
This summer, a North Carolina man pleaded guilty to hacking into the systems of Motorola, Novell, Sun Microsystems and others and stealing their proprietary software. He received a four-year prison sentence.
According to the Washington Post, there are at least 25 attempts per day to hack into the Defense Department's network alone.
You can forget about the Y2K bug. That passé issue is giving way to an increasing threat: online theft, cyberterrorism, Internet fraud. Call it what you like, it is America's newest crime spree, a digital Wild West.
The question is, are we doing enough about it?
There are several laws aimed at these particular types of offenses. The Computer Fraud and Abuse Act, enacted in the 1980s but recently amended for new-age technology, makes it a criminal offense to knowingly access a computer and steal national defense or other restricted government data.
Other federal statutes, not specifically designed for but used against cyberoffenders, include the Major Frauds Act (for frauds against U.S. government property or agencies) and the old, reliable federal wire fraud statutes, which were designed for telegraph and telephone-based frauds but have been applied to Internet-based crimes as well.
There also is the Economic Espionage Act of 1996, which makes it a federal crime to steal trade secrets. The law was designed to offer federal protection against misappropriation of commercial trade secrets governed by a patchwork of state civil laws. It has been used to prosecute industrial espionage through traditional means as well as the newer electronic pilfering methods.
Other statutes allowing prosecution for racketeering and interstate transport of stolen property have been used, or at least contemplated, against computer thugs.
But please do not rely on this impressive array of laws that purportedly protect against these cybercapers. Any lawyer trying to instill that peace of mind should be banished from the kingdom.
The truth is, regardless of the use of new law and creative application of old ones, and despite our law enforcement community's valiant attempts to keep up the pace of prosecution, cyberthugs find new ways and continue old ways to intrude into our systems and plunder, steal and destroy networks.
Many of these intruders are sitting in comfort beyond U.S. borders, virtually immune from prosecution but able to electronically knock on our network doors seemingly with as few strokes as a Midwest teen-age hacker. Others just do not care. It is the challenge, or greed, that drives them toward hacking into your system, rather than being driven away by the deterrence of these little-known laws.
We should focus on more than just laws to protect against cybercrimes. We should also focus on prevention. After all, it is illegal to break into someone's home, but that does not mean people will neglect to lock their doors at night to prevent those intruders. With the nation's networks, we need to pay more attention to those locks.
Congress has appropriated about $1.5 billion for fiscal 2000 for information security. But it is questionable whether that will be enough to procure even a minimal level of network security services, from security certification and accreditation support, to penetration testing, to high-assurance Web guards, to public key infrastructure. Those are among services offered by a handful of vendors in both the government and commercial sectors.
Of course, all the network security precautions will not eliminate these types of offenses. Hackers will find new ways to intrude into networks, and computer security companies will find new ways to foil them, and so on and so forth.
And you thought Y2K was getting boring.
On a personal note, after three years writing this column, I am making this my last. It has been a pleasure.
James Fontana is vice president and corporate counsel of Wang Government Services Inc. in McLean, Va. His e-mail address is firstname.lastname@example.org.