Feds Ready to Tackle Cybercrime
As the threat of cybercrime continues to mount, the U.S. Department of Justice says it’s ready to make more of a federal case out of the issue.
A December survey by the Ponemon Institute, which researches and educates about data security issues, showed that nearly half of IT security professionals and about a quarter of IT operations experts saw cyberthieves as their biggest concern with respect to data loss, whether it affects their employers or the employers’ customers.
The survey also found a whopping 92 percent of responding organizations had suffered some form of cyberattack. Consumer complaints are also rising. The Federal Trade Commission has collected data for all 50 states on consumer complaints related to Internet fraud. These include complaints submitted not only to the FTC, but also to the Justice Department, Better Business Bureau, National Consumers League and 13 state attorneys general.
For 2007, the FTC reported 221,226 Internet-related fraud complaints, up almost 16,000 from 2006 and more than 24,000 above the 2005 total. And those numbers may understate the problem since consumers are often unaware of the presence of “malware” on their computers.
But federal prosecutors say new legislation will allow them to better pursue cybercriminals and compensate victims.
The Identity Theft Enforcement and Restitution Act of 2008 targets identity theft, phishing and spam.
ITERA also eliminates a requirement that victims show $5,000 in damages before prosecution for hacking or other cybercrimes can proceed.
“ITERA makes significant improvements in the law but doesn’t necessarily create whole new categories of criminality,” says John Lynch, a deputy chief in the computer crime and intellectual property division of the Justice Department.
“One significant change to the statute targets ‘botnets,’ which are networks of infected computers used for sending spam, conducting identity theft schemes and phishing,” Lynch says. “In these cases, often the victims don’t know their computer is infected or damaged.
“Instead of prosecutors having to prove 100 victims who suffered $50 each worth of damage to their computers to meet the statute’s $5,000 monetary threshold, the statute allows us to demonstrate that there were at least 10 damaged computers in a botnet.”
ITERA also makes it easier for the federal government to take jurisdiction.
“In the prior law, … one of the elements of proof was there had to be some interstate communication,” says Lynch. “But sometimes an attack would happen—for instance, against a hospital by somebody in the parking lot using the hospital’s wireless network. The federal government might want to prosecute such a case because it had better resources, but could not because there was no interstate communication. The new bill removes that requirement.”
Lynch says the DOJ has the personnel to staff ITERA.
“The Department of Justice can call on more than 200 assistant U.S. attorneys trained to work on computer crime and intellectual property cases,” Lynch says.
ITERA also expands the definition of cyberextortion. “The old statute had only covered one type of extortion, which was a threat to cause damage—for example, ‘If you don’t pay me $100,000, I will harm your system,’ ” Lynch explains. “We saw extortion that went beyond that to the potential resale and intrusion into personal data, so that extortion could be ‘I hacked your system. Unless you pay me X dollars, I will make your data public.’ The statute now covers this type of extortion.”