The IT Law Wiki
Register
Advertisement

Introduction[]

On October 21, 2002, all 13 of the Internet’s root Domain Name System servers were targeted by a distributed denial-of-service attack (DDoS). While the attack had little overall effect on the performance of the Internet, a more sophisticated and sustained attack might have had a more deleterious impact.

As the use of the Internet grows, so has concern about security of and security on the Internet. A long list of security-related incidents that have received wide-ranging media coverage (e.g., the Melissa virus, the Love Bug, and the Code Red, Nimda, Slammer, and Blaster worms) represents the tip of the iceberg.

More recently, a series of data security breaches have resulted in the loss of credit card numbers and other personal identifying information. Every day, persons gain access, or try to gain access, to someone else’s computer without authorization to read, copy, modify, or destroy the information contained within. These persons range from juveniles to disgruntled (ex)employees, to criminals, to competitors, to politically or socially motivated groups, to agents of foreign governments.

Extent of security problems[]

The extent of the problem is unknown. Much of what gets reported as computerattacks” are probes, often conducted automatically with software widely available to Internet users. But the number of instances where someone has actually gained unauthorized access is not known. Not every person or company whose computer system has been compromised reports it either to the media or to authorities. Sometimes the victim judges the incident not to be worth the trouble. Sometimes the victim may judge that the adverse publicity would be worse. Sometimes the affected parties do not even know their systems have been compromised.

There is some evidence to suggest, however, that the number of incidents is increasing. According to the Computer Emergency Response Team (CERT) at Carnegie-Mellon University, the number of incidents reported to it has grown just about every year since the team’s establishment — from 132 incidents in 1989 to over 137,000 incidents in 2003. Since many attacks are now coordinated and cascade throughout the Internet, CERT no longer tracks the number of incidents reported to them. While the total number of incidents may be rising exponentially, it is interesting to note that, according to the Computer Crime and Security Survey, the percentage of respondents that reported unauthorized use of their computer systems over the previous 12 months has declined since the year 2000.

Impact on society[]

The impact on society from the unauthorized access or use of computers is also unknown. Again, some victims may choose not to report losses. In many cases, it is difficult or impossible to quantify the losses. But social losses are not zero. Trust in one’s system may be reduced. Proprietary and/or customer information (including credit card numbers) may be compromised. Any unwanted code must be found and removed. The veracity of the system’s data must be checked and restored if necessary. Money may be stolen from accounts or extorted from the victim.

If disruptions occur, sales may be lost. If adverse publicity occurs, future sales may be lost and stock prices may be affected. Estimates of the overall financial losses due to unauthorized access vary and are largely speculative. Estimates typically range in the billions of dollars per major event like the Love Bug virus or the series of denial-of-service attacks of February 2000.18 Similar estimates have been made for the Code Red worms. Estimates of losses internationally range up to the tens of billions of dollars. [1]

In the 2005 Computer Crime and Security Survey, 687 responders (out of a total of 700) estimated financial losses totaling $130 million in the previous 12 months. According to the survey, viruses accounted for the most financial losses ($43 million), followed by loss of proprietary information. Denial of service attacks accounted for $7 million in losses. [2]

National security risks[]

Aside from the losses discussed above, there is also growing concern that unauthorized access to computer systems could pose an overall national security risk should it result in the disruption of the nation’s critical infrastructures (e.g., transportation systems, banking and finance, electric power generation and distribution). These infrastructures rely increasingly on computer networks to operate, and are themselves linked by computer and communication networks.

In February 2003, the President’s Critical Infrastructure Protection Board[3] released a National Strategy to Secure Cyberspace. The Strategy assigned a number of responsibilities for coordinating the protection of the nation’s information infrastructure to the Department of Homeland Security. Most of the Department’s efforts in cybersecurity are managed by the National Cyber Security Division (NCSD) within the Preparedness Directorate.

Federal legislation[]

Congress has shown a strong interest in the security of computers and the Internet. The federal Computer Fraud and Abuse Act[4] was initially added as part of the Comprehensive Crime Control Act of 1984.[5] This Act, as amended, makes it a federal crime to gain unauthorized access to, damage, or use in an illegal manner, protected computer systems (including federal computers, bank computers, computers used in interstate and foreign commerce).[6]

Other legislation is primarily aimed at protecting privacy by protecting certain personal information held by government and private sector entities and affects computer security indirectly. For example, the Gramm-Leach-Bliley Act[7] and the Health Insurance Portability and Accountability Act of 1996[8] require that entities have in place programs that protect the financial and health-related information, respectively, in their possession.

The Sarbanes-Oxley Act of 2002[9] also indirectly affects private sector computers and networks, by requiring certain firms to certify the integrity of their unauthorized access.

A number of bills have been introduced that extend the requirements to safeguard and protect personal information, similar to that found in Gramm-Leach-Bliley Act and HIPPA, to “information brokers” and/or require any organization engaged in interstate commerce holding personal information to inform consumers of any security breach that may have compromised their information.

References[]

  1. This refers to the series of attacks, in February 2000, directed at online giants Yahoo, eBay, Amazon, E Trade, DATEK, Excite, ZDNEt, buy.com, and CNN.
  2. For more discussion on the economic impact of attacks against computer systems, and the difficulties in measuring it, see Brian Cashell, Will D. Jackson, Mark Jickling & Baird Webel, "The Economic Impact of Cyber-Attacks," CRS Report RL32331.
  3. The Board was established by President George W. Bush through E.O. 13231 but later dissolved by E.O. 13286.
  4. 18 U.S.C. §1030.
  5. Pub. L. No. 98-473.
  6. Some of the penalties under this statute have been increased by both the USA PATRIOT Act (Pub. L. No. 107-56, §814) and the Homeland Security Act of 2002 (Pub. L. No. 107-296, §225(g)).
  7. Pub. L. No. 106-102, Title V.
  8. HIPPA, Pub. L. No. 104-191, Title II, Subtitle F.
  9. Pub. L. No. 107-204.
Advertisement