Any doubts in the business community that hacking and computer crime pose a serious threat were shattered by the attacks last month that temporarily shut down Internet mega-sites Yahoo, Amazon.com, eBay and E-Trade. While the threat is real, it can be minimized by taking sensible steps including implementing compliance programs to protect company networks and mechanisms to detect, report, and respond to computer attacks.
For Fun, For Profit
Most people imagine a “hacker” as an anonymous cyber-intruder writing endless lines of code to penetrate a system from outside. But half of unauthorized system intrusions involve insiders who have, or had, legitimate access to the system and often a personal axe to grind. In addition, hacking has entered the mainstream, spurred by downloadable “hacking tools” that can enable even computer novices to launch devastating cyber-assaults.
Raising the stakes for would-be targets is the substantial profit motive driving much of the current crop of intrusions. Some hackers seek to cash in on their computer cunning. And unscrupulous businesses find it cheaper to have a hacker steal competitors’ secrets than to develop new products or customers themselves.
As with “hacking,” our popular conception of “computer crime” must be broadened. An attack on another computer to obtain stored data is just one illustration. Sometimes, cyber-criminals’ goal isn’t information but to damage the victim computer itself.
In other instances, a computer serves as the indispensable tool to commit an otherwise impossible crime. For example, a group of hackers employed a computer in a scheme to rig the telephone call-in contests on Los Angeles area radio stations. Their take: two Porsches, trips to Hawaii, and a bundle of cash.
The impact could have been far worse. The hackers had figured out how to seize control electronically of virtually any telephone line in California, and though they chose not to, had the capability to disrupt phone service to entire regions of the United States.
The Underreporting Problem
Businesses want the bottom line: How serious is the threat? In truth, no one knows. But data from governmental, academic and industry observers agree that computer crime has mushroomed since the early 1990s, which is not surprising given the boom in computer usage and e-commerce.
What’s more, most published statistics actually understate the threat, due to poor detection and low reporting. These two problems are highlighted by a Department of Defense study in which DoD attacked 38,000 of its own machines, successfully penetrating 65 percent. Systems administrators detected just four percent of the successful intrusions. And of these, only one fourth were actually reported, meaning that only one percent of successful attacks were both detected and reported. Similar detection and reporting rates occur within private industry.
A hacker must find a vulnerability, human or technical, which he then exploits to circumvent security measures. “Social engineering,” that is, tricking company staff into providing information that can help establish access, often entails posing as a member of the computer or MIS department to obtain passwords from unsuspecting employees.
Hackers frequently go “dumpster diving” in trash bins at or near a target company, finding outdated personnel rosters tailor-made for making pretext calls using real employees’ names. Businesses routinely discard outdated computer manuals or internal documents that contain a gold mine of information for a hacker.
Hackers also employ “sniffers” and other software to gain access to victim systems. One trick is to replace a victim company’s log-in program with a modified program that gives the hacker the user names and passwords of authorized users as they log into the system. Few companies routinely check for modified log-in programs.
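The modified log-in program described above is a file-integrity problem: the program on disk no longer matches the one the company installed. The following script is an added illustration of the routine check the article says few companies perform; it is not from the article or its authors. It records a SHA-256 baseline of the files under a directory, then reports anything modified, added, or removed. The directory layout, file contents and the name of the replaced program are constructed sample data for the demonstration.

```python
"""Baseline-and-compare file integrity check (added example, not from the article)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean baseline, then the login program is replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for installed programs; real binaries would be hashed the same way.
        (root / "bin" / "login").write_bytes(b"original login program (constructed sample)")
        (root / "bin" / "ls").write_bytes(b"original ls program (constructed sample)")
        baseline = build_baseline(root)

        # Simulate the tampering the article describes: login replaced, one file added, one removed.
        (root / "bin" / "login").write_bytes(b"replaced login program (constructed sample)")
        (root / "bin" / "extra").write_bytes(b"unexpected new file (constructed sample)")
        (root / "bin" / "ls").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Run `build_baseline` once on a known-good system and keep the result somewhere the host cannot alter (read-only media or a separate machine); a baseline stored next to the programs it protects can be rewritten by the same intruder who replaced the log-in program. Re-running the comparison on a schedule turns the replacement into a detectable and reportable event rather than a silent one.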
Technical weaknesses should, of course, be remedied. But human vulnerabilities remain more difficult for companies to address. While training may heighten shredder usage and wariness toward unknown callers, most private industry employees still do not treat the threat as real.
Recognizing the Need for Compliance Programs
Nobody can predict which companies will be attacked. But a system isn’t immune just because the information inside has little value. A hacker may want to hijack one system to attack others, thereby concealing his tracks.
An attack brings obvious costs: lost computer time, employee hours spent on investigation or repairs, lost revenues for e-commerce firms. Consider also that e-commerce companies, once attacked, could find business interruption insurance more difficult or expensive to obtain. In addition, intrusions leading to loss of third party information such as credit card and social security numbers can expose companies to costly lawsuits. And the loss of proprietary information can threaten a business’s survival.
A comprehensive compliance program designed to guard against computer intrusions, ensure detection, improve reporting, and minimize harm can therefore prove enormously cost-effective.
Designing an Effective Compliance Program
An effective compliance program addresses both human and technical vulnerabilities, and protects against both outside and inside attacks.
Background and security checks should be performed on key computer network personnel, including outside contractors who build or service the network. Companies seldom conduct such checks, even where checks are routine for personnel who will have access to proprietary business information. All personnel, from the CEO to the stock clerk, must understand the risks of social engineering and learn what to do in the event of attack: whom to notify, and how to preserve evidence that may prove useful to company counsel or law enforcement.
In addressing the inside threat, appropriate banners on company networks ensure that employees have no expectation of privacy in their use of the network. Companies must be vigilant concerning incidents where employees exceed system privileges without adequate explanation. Careful human resources policies can reduce the danger from disgruntled individuals.
Assessments of a system’s technical vulnerabilities should occur regularly. Installing firewalls and, for some firms, intrusion detection software, makes sense.
Effective compliance programs require long-term commitment. A company must designate a “compliance officer,” a senior executive or outside counsel with authority to take corrective action, and should maintain a compliance hotline for employees to report security or ethical breaches.
Existing Laws to Combat Computer Crime
The federal government and many states have laws to combat hacking, criminal use of a computer, and other computer-related offenses. Some state measures track the federal computer crime statute. Codified at 18 U.S.C. § 1030, this statute addresses a range of conduct by outsiders and insiders, including attacks directed at a computer, attacks to obtain information, and attacks to further schemes to defraud or done with intent to extort. Besides providing criminal penalties, it permits private parties to bring civil suits for violations of the statute.
Other federal laws, including the wire fraud statute, provide additional bases for prosecution. Companies cannot assume, however, that intrusions into their systems will be prosecuted. Businesses must take responsibility for their own protection.
The recent explosion in e-commerce has expanded business opportunities considerably. Likewise, the rise in telecommuting has increased worker productivity and job satisfaction.
Less apparent, perhaps, is that these benefits come at a cost: remotely accessible computer networks are inherently more vulnerable to attack. There are those who say that future advances in technology will ensure that companies can do business in an open environment with no fear of being victimized. Until that day, however, companies that both recognize the threat of computer crime and take appropriate steps to guard against it will enjoy a competitive edge.
David J. Schindler is a Partner in the Los Angeles office of Latham & Watkins. Thomas H. Halpern, an associate in the Los Angeles office, assisted with this article.