Robust economic growth carries with it the potential for corruption. Evidence that this potential has become reality for many businesses can be found in a 2003 survey by the Computer Security Institute, which showed that 56% of businesses reported some form of unauthorized use of their computer system. The same technology that is driving greater productivity is also facilitating large-scale fraud. The increasing number of technologically skilled individuals accessing a company's computer system increases the system's vulnerability to attack from within and without.
General federal laws have been used to prosecute many computer-related crimes; however, these laws are difficult to apply to some computer-related offenses. The most notable antifraud law specifically addressing computer crime is the Computer Fraud and Abuse Act (CFAA). The original focus of the CFAA, enacted in 1984, was to provide a legal recourse against hackers who accessed government and financial-industry electronic data without authorization. Subsequent amendments up to and including the 1996 amendment have, however, broadened the CFAA's scope to include computers "used in interstate or foreign commerce or communication." Penalties provided in the CFAA include fines and imprisonment up to a maximum of 20 years.
Case Analysis
Analyzing cases tried under the federal laws presents an opportunity to learn about the perpetrators of computer fraud and their methods of operation. Press releases regarding completed and ongoing cases of computer fraud can be found at the Department of Justice website (www.cybercrime.gov/cccases.html). A total of 50 cases between 1999 and 2002 were analyzed.
Perpetrators. Exhibit 1 presents information regarding the perpetrators involved in the cases. The perpetrators are subdivided into two main types: unauthorized users and authorized users. Authorized users are those who, at the time of the fraud, had been granted authorization to use the system for some legitimate purpose. Unauthorized users are those who had not received such authorization or had had such authorization revoked but were still able to gain access.
As Exhibit 1 shows, unauthorized users represented the largest group. Approximately two-thirds were hackers who preyed on weaknesses in security to gain unauthorized access and commit fraud. The "former employees" category refers to cases where the actual crime took place after the employee was released from the company. Often, being laid off or terminated from a...