Strategic Cybersecurity, Module 10: Cyber Crime and the Law.
This lecture expands on the difficulty in determining computer intrusion attribution by discussing the challenges of constructing laws to deal with such criminal activity.
Once you have completed the readings, lecture, activity, and assessment, you will be able to
- Describe why cybercrime investigations are more problematic than traditional crimes
- Articulate why the CFAA is criticized for being overly broad.
Welcome to Strategic Cybersecurity, Module 10. The last module focused on the difficulty in determining attribution in computer intrusions. This module takes that topic a step further, considering the challenges of constructing laws to deal with such criminal activity.
Challenges of Constructing Cybersecurity Laws
When motivated, a cyber criminal can easily register a web address under a false name to make tracking of his or her identity quite difficult. Thus, identification of cyber criminals is one of the greatest issues in stopping cyber crime.
Even if the criminal actor is identified, collecting evidence and prosecuting the criminal may be much more difficult than in traditional crimes, due to such problems as determining attribution beyond a reasonable doubt.
The Nigerian Fraud
The readings for this module introduce criminals based in Nigeria referred to as “419 fraudsters,” named after the section of the Nigerian criminal code that deals with fraud.
Their scheme involved cold-calling potential victims with a fraudulent offer to gain millions of dollars in exchange for assistance in moving money out of Nigeria. Before the money could be moved out of the country, however, the victims would need to wire money of their own into Nigeria, so that the caller who posed as a corrupt government official could bribe other government officials.
Ironically, the criminals posed as criminals in the Nigerian government, likely as an effort to appear authentic and gain trust from their victims.
If you fell victim to such a scheme, you would likely call the police to report the crime. The obvious problem is that the crime originated in Nigeria, and neither local nor federal police in the United States, including the Federal Bureau of Investigation, would have the jurisdiction to immediately help you.
If enough U.S. citizens were victims, the FBI may potentially work through its system of legal attaché offices, or LEGATs, to try to persuade the Nigerian government to investigate.
However, unless a country has an unusually close relationship with the United States, that country will not likely be motivated to investigate and expose the issue to negative press.
When foreign governments are willing to investigate, they usually run into problems with, as we noted earlier, determining attribution and, ultimately, tracking the criminals down.
Unlike traditional crimes that place the criminal near the crime scene, computer crimes leave no physical evidence: no surveillance cameras to catch a glimpse of the criminal, no hair follicles with DNA remains, no physical evidence to assist in tracing that crime to a particular person.
When cyber criminals are based in the United States, these issues are not as profound. But additional challenges make fair and proper prosecution of computer crimes difficult. As an example, although laws exist, they may be too broad for proper enforcement.
The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act, or CFAA, passed by Congress in 1986, was one of the first laws to address computer crimes. Essentially, the act prohibits the access of governmental computer systems or computer systems used in interstate or foreign commerce by unauthorized persons with the intent to damage, defraud, or extort.
This law against cyber crime has been criticized by many legal scholars as being too broad.
The Law is Too Broad
One of the most notorious instances reflecting such potential weakness in the law occurred in January 2011, when Jason Swartz, a Harvard University research fellow, was arrested for unlawfully accessing a university computer and downloading multiple academic journal articles.
Using the provisions in the law, an overly aggressive federal prosecutor indicted Swartz in federal court on several counts under the CFAA. Swartz was subsequently arrested and later released on bond. However, while a plea deal was being negotiated to keep Swartz out of prison, he committed suicide.
Although the Swartz case was unusual, it highlights the challenges of properly constructing laws to deal with rapidly changing technology that most lawyers and judges don't understand. The law has been amended more than half a dozen times, but a movement continues to further amend the CFAA to make it more appropriate for crimes lacking physical or economic harm.
Quiz Question 1: Which of the following best describes why cyber crime investigations are more challenging than traditional crimes?
A: Cyber crime investigations are generally more labor intensive than traditional crimes.
B: Cyber criminals are generally more intelligent and savvy than traditional criminals. C: Cyber criminals do not have to be physically close to their victims.
D: Cyber crimes are generally more expensive to investigate than traditional crimes.
The answer is C: Cyber criminals do not have to be physically close to their victims.
Quiz Question 2: True or false: The Computer Fraud and Abuse Act (CFAA) is criticized for being too broad because it states that accessing a computer “without” or “in excess” of proper “authorization” is a crime.
The answer is True. The activity for this module asks that you download and read the Computer Fraud and Abuse Act.
Write a one-page reflection on your impressions of the law. Do you feel that it is too broad, or do you feel that it is appropriate? What, if any, modifications, additions, or deletions would you make to this law in order to make it more specific to cyber crime?