Computer crime:
Challenges of new technology
Information technology offers new and highly sophisticated ways to break the law. Computer crime is rife, costing South Africans an estimated R360 million in 1997. Currently no effective laws exist to prosecute these crimes. South Africa needs effective legislation, training for police and prosecutors as well as internal controls and personnel policies in organisations and businesses to detect and reduce computer crime.
Computer crime is the use of computer systems for illegal, fraudulent or wrongful purposes. These crimes also involve the use of computer equipment either as the target of an offence or as a tool in the commission of such an offence. Computer crime manifests in various forms. Common types include:
- fraud by computer manipulation;
- damage to or modification of computer data or programmes;
- unauthorised access to computer systems and services; and
- unauthorised reproduction of legally protected computer programmes.
Computer systems enable criminals to commit traditional types of crimes (such as fraud) using non-traditional means. Using the Internet, criminals can establish phoney accounts, financially drain established accounts, change ownership of assets, purchase assets for private use, create phantom sales transactions and even give individuals personal credentials or rewards they have not earned.
Extent and nature in the US
The use of information technology in the last decade has increased dramatically. The Internet is currently estimated to have 1525 million users in 92 countries, with the number of users growing at a rate of 58% every month. Increasingly it is being used as a medium for economic activity, not all of which is legal.
In 1998 the Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI) conducted a survey on computer crime and security in the United States. The study found that of the 520 security practitioners interviewed from corporations, government agencies, financial institutions and universities, 64% reported security breaches in their systems. This was an increase of 16% from 1997. Considering that only about 10% of information technology crimes are ever detected and not all are reported, the financial losses are probably much higher.
Table 1 illustrates the cost of specific computer crimes in 1998. In that year unauthorised insider access, theft of proprietary information (data theft), telecom fraud and financial fraud all cost more than $10 million. Survey results also show a dramatic increase in unauthorised insider access and data theft between 1997 and 1998. Losses caused by financial fraud, telecom fraud and viruses decreased.
Table 1: Financial loss associated with reported cases of computer crime in the US

| Type of security breach | 1997 ($) | 1998 ($) |
|---|---|---|
| Theft of proprietary info | 20 048 000 | 33 545 000 |
| Sabotage of data | 4 285 850 | 6 427 850 |
| Telecom eavesdropping | 1 281 000 | 1 743 000 |
| System penetration by outsiders | 2 911 700 | 1 637 000 |
| Insider abuse of net access | 1 006 750 | 3 720 000 |
| Financial fraud | 24 892 000 | 11 239 000 |
| Denial of service | N/A | 2 787 000 |
| Virus | 12 489 150 | 7 874 000 |
| Unauthorised insider access | 3 991 605 | 50 565 000 |
| Telecom fraud | 22 660 300 | 17 256 000 |
| Laptop theft | 6 132 200 | 5 250 000 |
| Active wiretapping | N/A | 254 000 |

Source: FBI survey on computer crime and security, 1998
To prevent internal and external threats, organisations and businesses must establish security policies, personnel procedures and counter-measures to control the use of their computer systems. Computer hackers may pose an external threat, but disgruntled employees and other insiders pose the greatest risk to corporations. These individuals usually know what controls are in place and may be able to circumvent these controls or exploit weaknesses in applications, systems and networks.
The South African situation
According to police statistics quoted by Nanoteq (SA), an estimated R360 million was lost through computer crime (including computer fraud) in South Africa during 1997. Legislative mechanisms to prosecute computer crimes effectively (in particular computer fraud) need to be enacted, as no effective legislative mechanism exists.
The legal and technical issues involved in the investigation and prosecution of computer fraud are complex. A dynamic and technical legal structure is required that empowers law enforcement agencies to act efficiently against the perpetrators. Currently statute and common law deal with certain computer-related offences, albeit inadequately.
A recent submission to the South African Law Commission's inquiry into the law regarding computer crime and related issues identifies some of these deficiencies:
- The common law does not cater for offences involving the theft and abuse of data and programmes stored and found on computers.
- General provisions applicable to search and seizure of articles are inadequate when it comes to evidence on a computer.
- Civil law (for example through the Anton Piller orders) may prove adequate where competitors steal and make use of data on a competitor's computer. But it does not cater for situations where a party who steals such data is not a competitor.
- How to balance the right to privacy with other competing rights in this regard.
The basic legislative framework required to successfully prosecute these crimes is essential. Government also needs to prioritise training for law enforcement officials to deal effectively with computer crimes. At a recent fraud conference organised by Business Against Crime, Visa International and the US Secret Service, a training course for Southern African police agencies was initiated to update officials with the latest technology for fighting computer crime. Since computer criminals are not restricted by national boundaries, Interpol has also established a forum (with South African representation) to deal specifically with this problem.
Government cannot be expected to fight computer crime alone. Organisations and businesses must institute vigilant internal and external controls along with personnel policies and practices to detect and reduce losses.
Nceba Gomomo,
Institute for Security Studies
