Any doubts in the business community that hacking and computer crime pose a serious threat were shattered by the attacks last month that temporarily shut down Internet mega-sites Yahoo, eBay and E-Trade. While the threat is real, it can be minimized by taking sensible steps, including implementing compliance programs to protect company networks and mechanisms to detect, report, and respond to computer attacks.

For Fun, For Profit

Most people imagine a "hacker" as an anonymous cyber-intruder writing endless lines of code to penetrate a system from outside. But half of unauthorized system intrusions involve insiders who have, or had, legitimate access to the system and often a personal axe to grind. In addition, hacking has entered the mainstream, spurred by downloadable "hacking tools" that can enable even computer novices to launch devastating cyber-assaults.

Raising the stakes for would-be targets is the substantial profit motive driving much of the current crop of intrusions. Some hackers seek to cash in on their computer cunning. And unscrupulous businesses find it cheaper to have a hacker steal competitors' secrets than to develop new products or customers themselves.

As with "hacking," our popular conception of "computer crime" must be broadened. An attack on another computer to obtain stored data is just one illustration. Sometimes the cyber-criminal's goal isn't to obtain information but to damage the victim computer itself.

In other instances, a computer serves as the indispensable tool to commit an otherwise impossible crime. For example, a group of hackers employed a computer in a scheme to rig the telephone call-in contests on Los Angeles area radio stations. Their take: two Porsches, trips to Hawaii, and a bundle of cash.

The impact could have been far worse. The hackers had figured out how to seize control electronically of virtually any telephone line in California, and though they chose not to, had the capability to disrupt phone service to entire regions of the United States.

The Underreporting Problem

Businesses want the bottom line: How serious is the threat? In truth, no one knows. But data from governmental, academic and industry observers agree that computer crime has mushroomed since the early 1990s, which is not surprising given the boom in computer usage and e-commerce.

What's more, most published statistics actually understate the threat, due to poor detection and low reporting. These two problems are highlighted by a Department of Defense study in which DoD attacked 38,000 of its own machines, successfully penetrating 65 percent. Systems administrators detected just four percent of the successful intrusions. And of these, one fourth were actually reported, meaning only one percent of successful attacks were both detected and reported. Similar detection and reporting rates occur within private industry.

