Cybersecurity and Law

Altin Dastmalchi, Jeff Davis, Genevieve Orchard, Jack Menzel

Term Paper - Homeland Security / Cyber Security, December 7, 2005

Source: courses.cs.washington.edu


Introduction

Over the past 10 years the Internet has grown from a technical curiosity to an essential piece of infrastructure. The more our economy and society become dependent on the Internet, the more vulnerable we become to cyber crime. In this paper we discuss our preparedness against cyber attacks from a legal standpoint. To set the stage we give a brief history of the prosecution of cyber crime, from the relatively obscure Morris worm to the infamous $250,000 Microsoft bounty that resulted in the capture and prosecution of the authors of several worms. We then take a step back and discuss what cyber crime is and how it differs from traditional crime, what the current federal laws that address these differences are, and how our current legal trajectory will affect future cyber attacks. Cyberforensics and the methods that are employed to catch cyber criminals are discussed, as well as how we deal with cyber crimes which are committed across national borders. We conclude with a discussion of how cyber law and policy need to change, both internationally and nationally, in order to keep up with the ever changing landscape of cyber crime.


History of Prosecution of Cyber Attacks

The Internet as we know it today coalesced out of several smaller and disparate networks in the mid 1980s. Since then it has become an invaluable tool for research and commerce, and, like any new scientific and economic medium, it has also been used as a tool for espionage and theft. Prosecution of crimes committed using a computer is not new; Kevin Mitnick and his friends were getting arrested for hacking university and private computers as early as 1982 [1]. As an introduction to our discussion of cyber crime and law we will examine the more notable prosecutions: those of worm authors, virus propagators and notorious hackers that brought headlines and signaled paradigm shifts in the way people lived and worked with the Internet.

The first widely publicized prosecution involving the Internet was the Morris worm. The Morris worm was not an attack so much as it was just plain mischief. Robert Morris, for whom the worm is named, wrote a program that exploited a security vulnerability in Sendmail (its debug mode), along with a buffer overflow in the fingerd daemon and the rsh/rexec trust relationships between hosts. Sendmail ran on most computers attached to the Internet in 1988 and, hence, Morris obviously intended to infect as many machines as possible. However, Morris almost certainly did not intend the large side effect his worm had: it re-infected machines it had already compromised and generated so much load and traffic that the entire network was brought to its knees. Morris was prosecuted under the US Computer Fraud and Abuse Act and found guilty in 1990. He faced possible jail time, but the judge was lenient and Morris was only sentenced to probation, community service, and a US$10,000 fine [2].

[1] http://www.takedown.com/coverage/mitnick-timeline.html
[2] http://en.wikipedia.org/wiki/Robert_Tappan_Morris, http://www.swiss.ai.mit.edu/6805/articles/morris-worm.html


In 1990, the same year Morris was sentenced, Markus Hess, a German citizen who had been recruited by the KGB, was arrested and tried for espionage. He had illegally gained access to computers at the Lawrence Berkeley Lab (LBL) in California and used them as a launch pad for attacks on a wide variety of US government installations. A system administrator at LBL, Clifford Stoll, helped to uncover Hess' activities and track him down, and later wrote a book about the experience. This book, named The Cuckoo's Egg, helped bring the case and the idea of computer hackers in general into the public eye. Hess was sentenced by a German court to one to three years in prison but was later released on probation [3].

Kevin Mitnick became the focus of an intense manhunt in February of 1995. Tsutomu Shimomura's picaresque tracing of Mitnick's hacking activities would spawn several books and documentaries, as well as a massive grass-roots campaign to "free Kevin." Mitnick was convicted under 18 U.S.C. § 1030, "Fraud and Related Activity in Connection with Computers" [4]. He was accused of hacking into several private companies, stealing passwords and software, and cloning cell phones and using other methods to make free calls. He served approximately five years in prison and three years of probation during which he was barred from using computers.

Things began to accelerate in 1999, however, when the Melissa virus appeared. Melissa was the first virus to spread rampantly and cause considerable damage. The virus was a Microsoft Word macro that mailed itself to the first fifty entries in each victim's Outlook address book; it infected over one million computers, and had damage estimates upwards of US$80,000,000 [5]. The author of the virus, David Smith, faced up to 40 years in federal prison, but his sentence was reduced to 20 months when he helped the FBI to identify, locate and prosecute Jan de Wit, author of the Anna Kournikova virus, and Simon Vallor, author of the Gokar virus. Both de Wit and Vallor were eventually convicted in their native countries, the Netherlands and the United Kingdom respectively. Smith also provided other services to the FBI, including collecting virus samples, tracking other virus disseminators, writing tools, and finding security vulnerabilities in various commercial software packages [5].

[3] http://en.wikipedia.org/wiki/Markus_Hess
[4] http://www.freekevin.com/indictment.html

The Melissa virus marked a turning point in the public consciousness; many people knew about the Morris worm, but at the time, due to the size and nature of the Internet, very few everyday citizens were actually affected. By the time Melissa hit, the Internet had grown in size by several orders of magnitude and the popularity of the World Wide Web had brought the Internet into homes and businesses, not just government and academic institutions. Millions were affected, and they were angry. They were angry at computer manufacturers and software companies (especially Microsoft). There was public outcry for legislation of all sorts. Anti-virus makers made a lot of money, but viruses and worms would continue to plague the Internet at an ever increasing pace.

The following year Reomel Lamores released the ILOVEYOU virus, a Visual Basic script sent as an e-mail attachment rather than a macro virus, which spread faster and farther than Melissa. Strong evidence existed that Lamores was responsible, and while he and his girlfriend were arrested, they were both residents of the Philippines and there were no laws under which they could be successfully prosecuted. Eventually both were released and the charges dropped [6].

[5] http://castlecops.com/article3273.html
[6] http://www.theregister.co.uk/2005/05/11/love_bug_author/


ILOVEYOU, though nobody was ever prosecuted for it, taught millions of Americans not to open untrustworthy attachments they receive in e-mail. It forced Microsoft to take drastic action by blocking certain attachment types in its e-mail clients, and by locking down security defaults for macros and other "active content" in e-mails. The cost to Microsoft, and to the companies that had to test and roll out the patches and updates, was massive. In May of 2000 President Bill Clinton equated viruses, specifically ILOVEYOU, with terrorism [7].

A series of fast spreading worms appeared in 2001, each garnering brief media attention and patches from various software vendors, and generally hastening the public's disillusionment with their Internet connections. These worms included Sadmind, Sircam, Code Red, Nimda and Klez [8]. There were no arrests relating to these worms [9]. Each spread faster than the last, and they were progressively more sophisticated.

While virus and worm writers continued to elude authorities, the FBI was busy on another front. On July 17th, 2001, Dmitry Sklyarov was arrested and charged with "distributing a product designed to circumvent copyright protection measures" [10]. He was indicted under the Digital Millennium Copyright Act for presenting the work he had done at a Russian company, Elcomsoft, on a program (the Advanced eBook Processor) that removed the usage restrictions from Adobe e-books. Jurisdictional issues ensued and a huge public opinion backlash forced Adobe to drop its support for the case [11]. Six months later, Sklyarov was released and allowed to return to Russia.

[7] http://www.theregister.co.uk/2000/05/18/bill_clinton_associates_love_bug/
[8] http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms#2001
[9] http://club.cdfreaks.com/showthread.php?t=74721
[10] http://en.wikipedia.org/wiki/Dmitri_Sklyarov

There was one bright spot for law enforcement in 2002, when Jason Allen Diekman was sentenced to prison for breaking into "hundreds, maybe thousands" of computers and stealing credit card numbers which he used in attempts to illegally wire money to himself. His targets were universities and government institutions (such as NASA). He was sentenced to 21 months in a federal prison and ordered to pay over US$80,000 in restitution [12].

The next turning point was in 2003 when another series of devastating worms hit: the SQL Slammer worm on January 24, the Blaster worm on August 12 and the Sobig worm on August 19. These worms exploited security holes and spread incredibly quickly. Slammer [13] was a single 376-byte UDP packet that carried nothing beyond its own propagation code; its scanning traffic alone saturated links and knocked services offline. Blaster [14] added a new twist to the game by carrying a timed payload: once it had been given time to spread, infected machines were set to launch a Distributed Denial of Service (DDoS) attack, a SYN flood, against windowsupdate.com. Blaster had an unintended side effect of causing the Microsoft RPC service to crash [15], which caused Microsoft Windows to shut down unexpectedly. It was very difficult to repair infected machines since they would shut down in the middle of the removal process. Things got so bad that Brian Valentine, one of Microsoft's senior vice-presidents in the Windows division, asked the development team to come in on the weekend and do technical support. Two of the authors of this paper were among the developers who honored his request; it was mass chaos.

Things got so bad that on November 5, 2003, Microsoft offered a US$250,000 bounty for information leading to the arrest of the authors of the worms [16]. The SCO Group would follow suit in 2004 when it became the target of the MyDoom worm [17]. The only arrest to come out of this group was 18 year old Jeffrey Lee Parson, who was arrested for writing the B variant of Blaster [18]. The original author was never caught, but Parson was sentenced to 18 months in prison.

[11] http://www.adobe.com/aboutadobe/pressroom/pressreleases/200108/elcomsoftqa.html
[12] http://www.usdoj.gov/criminal/cybercrime/diekmanSent.htm
[13] http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
[14] http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
[15] http://en.wikipedia.org/wiki/Blaster_worm

The corporate bounties did pay off in 2004 when Sven Jaschan was arrested for writing Sasser and Netsky. He was turned in by two sources, a friend and a classmate, each hoping to claim the Microsoft bounty [19]. Jaschan was a juvenile at the time and was tried as such; he received a suspended sentence and therefore escaped jail.

Recent events in 2005 have been more positive. The authors of the Zotob worm (and variants) were arrested in Turkey and Morocco [20]. Jeanson James Ancheta, the proprietor of a 400,000 PC botnet, was arrested in California [21]. These are international bad guys and their prosecution shows definite progress on the part of law enforcement agencies in understanding and apprehending those responsible for new forms of cyber crime.

As we look at the various noteworthy cyber crimes, we see two types of criminal emerge. The first is the Lone Hacker: script kiddies and IT professionals looking for glory, etc. In our track record, these are the types that have been most successfully apprehended and prosecuted. The second type is the more nefarious figures: the saboteurs, government agents, and members of organized crime rings. This second type has proved much more difficult to prosecute for various reasons which will be presented in later sections of this paper, but they do the most damage. Consequently, they are the ones we need to catch, and we should adopt policies and procedures with that in mind.

[16] http://news.com.com/2100-7355_3-5102110.html
[17] http://www.theregister.co.uk/2004/01/28/sco_posts_250_000_worm/
[18] http://minneapolis.about.com/cs/crime/a/blasterworm.htm
[19] http://en.wikipedia.org/wiki/Sven_Jaschan
[20] http://www.washingtonpost.com/wp-dyn/content/article/2005/08/26/AR2005082601201.html
[21] http://www.pcworld.com/news/article/0,aid,123436,00.asp

Cyber Crime Legislation

Having established several clear examples of the criminal activity that constitutes cyber crime, we will now examine cyber crime itself: its formal definition, how it differs from more traditional forms of crime, what types of legislation the federal government has produced to deal with cyber crime, what effect these laws have on the types of attacks currently observed, and how the current evolution of this legislation will affect future attacks.

What is Cyber crime?

While definitions of cyber crime vary from source to source, cyber crime is most often described, with varying levels of specificity, as "a criminal activity committed on a computer or computer network." At first glance this definition seems a bit peculiar. Is criminal activity somehow fundamentally different once computers are involved? Is cyber crime nothing more than a convenient classification of traditional criminal acts that just happen to involve a computer? It turns out that in most cases this initial reaction is correct. Current laws, more often than not, can be applied or extended to cover most instances of cyber crime [22].

[22] Brenner, Susan, "Is There Such a Thing as Virtual Crime?", http://www.boalt.org/CCLR/v4/v4brenner.htm


Before the creation of the current cyber crime laws, cyber crime was prosecuted primarily under the wire fraud statute [23] and the interstate transport of stolen property statute [24]. Though we have not needed a complete overhaul of the US legal system, the new digital, virtual landscape in which cyber crimes are committed has required a number of changes to the way we think about traditional legal concepts such as theft, trespass, destruction of property, and jurisdiction [25].

It may be obvious that it is possible for someone to compromise a computer system to which they have no permission and steal information or services, but traditionally "theft" implied that you would physically remove something from a location. Cyber crime complicates this by the fact that copying information on digital systems has a marginal cost approaching zero. If you break into a computer system and copy all the files, have you really stolen anything in the traditional sense? Does intellectual property have value?

Trespass was also traditionally physical. If you remotely log into a computer to which you do not have access without ever leaving your home, is that trespass?

Destruction of property has the obvious association to destroying the hardware itself; however, what about malicious software or intruders that delete data? And how does one draw a line between a "bug" that has unintentionally harmful consequences and code that is specifically authored to do harm?

[23] Title 18 U.S.C. § 1343.
[24] Title 18 U.S.C. § 2314.
[25] Rasch, Mark, "A Lawyer's Guide to the Emerging Legal Issues, Criminal Law and The Internet", http://cla.org/RuhBook/chp11.htm


Jurisdiction also proves problematic since a criminal on the Internet can cause harm to anyone else on the Internet. A hacker in Manila, for example, may steal credit card numbers from a computer in Iowa by way of a gateway in Ukraine. Where did this crime actually take place? Who has jurisdiction? We discuss this in more detail later.

Further complicating the issues are questions about public and private spaces. A retail store is obviously a public place; however, is everything on the Internet public? Is a chat room public while instant messaging is private, even though they may be using the exact same mediums of communication?

Finally, to add to these complications is the relative anonymity that the Internet provides. As will be discussed later in the forensics section of this paper, our current computer networks were not necessarily designed to be secure to the point of authenticating every last piece of data being transmitted; much of the data that could indicate a perpetrator, or even that the crime occurred, may be compromised or non-existent.

Current Legislation

The first federal computer crime statute attempting to clarify some of the questions raised above was the Computer Fraud and Abuse Act of 1986 (CFAA) [26]. The CFAA clearly criminalizes and spells out the penalties for the unauthorized access of computer systems with intent to defraud or obtain anything of value.

[26] Computer Fraud and Abuse Act, Wikipedia, http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


The CFAA was originally passed in 1984 and was specifically intended to protect government computers and financial data. In 1986, Congress passed amendments to broaden the scope such that it protected all computers of "federal interest." In 1994 it was modified to cover viruses with the addition of provisions that refer to malicious, potentially self-propagating code.

In 1996 the law was modified again, this time broadening its scope from computers of "federal interest" to the more general "protected computer," and at that point it could address the questions of theft, trespass, and destruction of property. In 2001, the PATRIOT Act modified the CFAA once again, this time providing for stiffer penalties for offenders.

Since the original passing of the CFAA in 1984, there have been dozens of new laws passed in response to the ever-evolving Internet. These were mainly in the areas of child protection, identity theft, digital copyright, spam, e-commerce, and general promotion of computer technology.

While certainly not the most frightening of cyber crimes, theft in the form of digital piracy has received a lot of attention from Congress. Since the passage of the Digital Millennium Copyright Act of 1998 (DMCA) [27], digital piracy has been pushed to the forefront of cyber crime legislation by the Recording Industry Association of America, the Motion Picture Association of America, the software industry, and other associated lobbyists. The DMCA not only increases the penalties for copyright infringement but makes illegal the distribution of technology that can circumvent copy protection. Still, faced with substantial piracy on the Internet, Congress continues to propose bizarrely draconian bills such as the Peer-to-Peer hacking bill [28], which would allow a copyright holder to gain unauthorized access to a computer system that they suspected contained pirated content. Thankfully this ambiguously worded bill was defeated when Congress realized that its primary effect would be to create a gaping hole in the CFAA, which criminalized such intrusions. The Consumer Broadband and Digital Television Promotion Act [29] is another good example of an overzealous reaction to digital piracy; it would have made the sale of any digital equipment without DRM illegal. This bill also was sent to languish in committee after it was realized that what the legislation proposed was not technically feasible with current technology.

[27] Digital Millennium Copyright Act, Wikipedia, http://en.wikipedia.org/wiki/DMCA

Many attempts at extending current laws have been made, both successful and unsuccessful. In 1998 there was concern that unscrupulous companies and persons might use the Internet to take advantage of minors. This led to the passage of the Child Online Protection Act of 1998 (COPA) [30], which makes it a crime for anyone to use the Internet to engage in "harmful" communication with minors, as well as the Child Protection and Sexual Predator Punishment Act of 1998 [31], which defines a strict "zero-tolerance" policy regarding the possession and propagation of child pornography online.

Congress has passed a number of bills in reaction to the evolution of cyber crime on the Internet. To address the growing problem of identity theft, Congress passed the Identity Theft and Assumption Deterrence Act of 1998 [32], which made it a crime to use someone else's identity to "commit, aid or abet, any unlawful activity." This was followed up by identity-theft provisions added to the Fair Credit Reporting Act [33] by the Fair and Accurate Credit Transactions Act of 2003. There is also currently legislation in progress that will attempt to deter phishing attacks, such as the Anti-Phishing Act of 2005.

[28] http://www.politechbot.com/docs/berman.coble.p2p.final.072502.pdf
[29] http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
[30] http://www.cdt.org/speech/copa/
[31] http://www.protectkids.com/policy/

Several attempts have been made at passing online privacy acts which in part speak to the "public or private" Internet question raised above, such as the E-Privacy Act, the Federal Agency Protection of Privacy Act and the Electronic Privacy Bill of Rights Act [34]. None of these has been enacted; the only online privacy measure actually signed into law is the Children's Online Privacy Protection Act of 1998 (COPPA), which merely restricts the collection of personal information from children under the age of thirteen.

Congress has tried to address the problem of spam with a number of proposed anti-spam laws. The only one to make it into law has been the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 [35]. The CAN-SPAM Act (or "You CAN Spam" Act, as it was called by its critics) sought to curb the rising flood of spam on the Internet by banning misleading header information and deceptive subject lines, and requiring that the recipient be able to opt out of receiving future messages. Unfortunately, despite several high profile prosecutions, the law has had little effect on the total amount of spam on the Internet.

Similarly, Congress is currently trying to tackle the spyware issue. Bills are being proposed such as the Spy Block Act, the Securely Protect Yourself Against Cyber Trespass (SPY) Act, and the Enhanced Consumer Protection Against Spyware Act, though as of this writing none have actually made it into law.

[32] http://www.ftc.gov/os/statutes/itada/itadact.htm
[33] http://bankruptcy-law.freeadvice.com/credit_problems/fair_credit.htm
[34] http://thomas.loc.gov/cgi-bin/query/z?c106:H.R.3321:
[35] http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm

Effectiveness of Current Legislation

Given the additional complexities introduced by cyber crime and the laws Congress has passed, has this legislation been an appropriate response to the types of attacks that we have seen? Has it been effective?

Each area of legislation has sought to prevent or correct very real problems. However, spam and spyware continue to eat away at the productivity of the nation's IT workers, and they continue to frustrate home users. In 2004, market research firm IDC estimated that spam accounts for 38% of all e-mails sent [36]. Consumers have lost billions of dollars to identity thieves. In 2003 the Federal Trade Commission estimated that losses to identity theft totaled $48 billion in that year alone [37]. Piracy losses for the software industry are estimated in the tens of billions of dollars each year [38]. And though clearly outlawed over 10 years ago by the CFAA, virus attacks accounted for the largest source of financial loss according to a 2005 Computer Security Institute/FBI survey [39].

Taken at face value, it would appear that even though legislation has been appropriately targeted at very real problems, the current legislation is failing miserably. A more realistic explanation is that technology is failing us. Security was an afterthought in much of the design of the Internet and it will be no small engineering feat to add effective security. Today's Internet is an unwieldy behemoth; not only will securing the current systems be required, but thorough security research and development of new protocols and systems must be done. The most useful laws Congress has managed to pass to combat cyber crime are along the lines of the Cyber Security Research and Development Act (November 2002) [40], which earmarks US$903 million for cybersecurity research and development.

[36] http://news.com.com/2100-1032_3-5339257.html
[37] http://www.ftc.gov/opa/2003/09/idtheft.htm
[38] http://arstechnica.com/news.ars/post/20040707-3968.html
[39] http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2005.pdf

How will current and future legislation affect the cyber attacks of the future? Since the Internet does not exist in a single country, no single country's laws will be able to control the entire Internet. Worldwide legislation will be required to positively affect future trends of cyber attacks. For the part of the US, cyber crime legislation is still a nascent concept and though we are moving in the right direction, it will take some time before we have a mature corpus of cyber crime laws, and similar laws will hopefully be adopted world wide. It should be stressed that, as will be discussed in the following section on cyberforensics, it will take technology, in addition to legislation, to drive the ubiquity of cyber crime downwards.

The State of the Art of Cyberforensics, Evidence and Attestation

Cyberforensics is the process of investigating and analyzing computer data in such a way that the computer crime evidence obtained is admissible in a court of law. In this section we will discuss the high level tracking and tracing of a cyber attack to its source, which is problem-ridden given today's technologies. We will also discuss the low-level "dissection" of an individual computer from which a crime may have been committed or on which a crime may have been perpetrated. This is an area for which commercial applications are readily available.

[40] http://www.house.gov/science/cyber/hr3394.pdf

Intrusion Detection Systems (IDSs) are fast gaining popularity as a mechanism to alert network administrators that their system or network has been compromised. An IDS can be implemented as hardware or software, and can work in different ways, such as monitoring for known attack signatures or detecting unusual traffic. Signature matching can only catch attacks whose patterns are already known, while anomaly detection can catch novel activity at the cost of false positives, so the two are usually combined. Once it is known that a machine or network has been attacked, audit logs are usually duplicated and the level of traffic monitoring is increased to be able to obtain more evidence should the attack continue further [41].
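The two detection styles named above, as an added example that is not from the paper or the sources it cites: a toy detector that matches request signatures for two of the 2001 worms discussed earlier (Code Red's overlong request for /default.ida on IIS, Nimda's directory traversal to cmd.exe) and, separately, learns a per-source request-rate threshold from known-good traffic and flags sources that exceed it. The log records, addresses, rule names and the three-sigma threshold are constructed for this example.

```python
"""Added example (not from the paper): a toy intrusion detector combining
signature matching with a learned anomaly threshold over HTTP access records."""
import re
from collections import Counter
from statistics import mean, pstdev

# Request patterns of two worms the paper discusses. The rule names are this
# example's own labels, not vendor signature identifiers.
SIGNATURES = {
    "Code Red (IIS .ida overflow)": re.compile(r"/default\.ida\?"),
    "Nimda (traversal to cmd.exe)": re.compile(r"cmd\.exe", re.IGNORECASE),
}

# Constructed records: (seconds into the window, source IP, request line).
# Addresses are documentation/private ranges; none of this is real traffic.
BASELINE_LOG = [  # a window of known-good traffic used to learn the threshold
    (0, "10.0.0.5", "GET /index.html HTTP/1.0"),
    (1, "10.0.0.6", "GET /about.html HTTP/1.0"),
    (2, "10.0.0.7", "GET /index.html HTTP/1.0"),
    (3, "10.0.0.5", "GET /images/logo.gif HTTP/1.0"),
    (4, "10.0.0.7", "GET /images/logo.gif HTTP/1.0"),
    (5, "10.0.0.8", "GET /contact.html HTTP/1.0"),
    (6, "10.0.0.9", "GET /index.html HTTP/1.0"),
    (7, "10.0.0.7", "GET /about.html HTTP/1.0"),
    (8, "10.0.0.9", "GET /news.html HTTP/1.0"),
]

OBSERVED_LOG = [  # the window under inspection
    (0, "10.0.0.5", "GET /index.html HTTP/1.0"),
    (1, "192.0.2.9", "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0"),
    (2, "10.0.0.5", "GET /images/logo.gif HTTP/1.0"),
    (3, "198.51.100.4", "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
] + [(4, "203.0.113.77", "GET /login.html HTTP/1.0") for _ in range(40)]  # 40-request burst


def signature_alerts(records):
    """(source, rule name) for every request that matches a known signature."""
    return [(src, name)
            for _ts, src, request in records
            for name, pattern in SIGNATURES.items()
            if pattern.search(request)]


def requests_per_source(records):
    return Counter(src for _ts, src, _req in records)


def anomaly_threshold(baseline_records, sigmas=3.0):
    """Per-source request-count threshold learned from known-good traffic:
    mean plus `sigmas` standard deviations. The spread is floored at 1 so a
    perfectly flat baseline does not yield a threshold that flags everything."""
    counts = list(requests_per_source(baseline_records).values())
    return mean(counts) + sigmas * max(pstdev(counts), 1.0)


def anomaly_alerts(observed_records, threshold):
    """Sources whose request count in the observed window exceeds the threshold."""
    return [(src, n) for src, n in requests_per_source(observed_records).items()
            if n > threshold]


def run_ids(baseline_records, observed_records):
    threshold = anomaly_threshold(baseline_records)
    return {
        "threshold": threshold,
        "signature": signature_alerts(observed_records),
        "anomaly": anomaly_alerts(observed_records, threshold),
    }


if __name__ == "__main__":
    for kind, value in run_ids(BASELINE_LOG, OBSERVED_LOG).items():
        print(kind, value)
```

The burst from 203.0.113.77 matches no signature and the two worm requests are each a single packet, so neither detector alone sees both; that is the practical reason production systems run both kinds of rule.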

The rough chain of events that occurs after an attack is recognized looks something like this [41]:

1. Determine if the attack came from inside the network
2. Track the attack packet back to its source
3. Alert law enforcement
4. Collect data
5. Obtain search warrants
6. Chain of custody of evidence
7. Apprehension and prosecution

Problems Associated With Tracing Attack Packets

[41] Lukasik, Stephen J. "Current and Future Technical Capabilities." The Transnational Dimension of Cyber Crime and Terrorism. Hoover Press, 2001.


Sophisticated attacks can be almost impossible to trace to their true source using current practices [42]. TCP/IP, a network protocol introduced in 1982, is still the standard for network communications and severely limits the ability to track a given packet to its source. Tracking infrastructure was not included in the original design of the Internet, and attackers commonly hide their tracks by forging the source address of the packets they send and tampering with log files on the machines they compromise.

Other challenges investigators may have to overcome while tracing an Internet Protocol (IP) packet to its source include an attacker's use of "stepping stones," in which intermediate hosts are compromised on the way to the final victim, so that the attack appears to have originated from the last stepping stone [42]; the actual origin of the attack is thus obscured. The attack code on the intermediate "zombie" machines may also be timer-based. In a timer-based attack, the launching of the final attack is usually not preceded by a flood of command packets that would otherwise be useful in tracing. In a reflector attack, the attacker sends requests carrying the victim's forged source address to many legitimate servers, whose replies flood the victim; the flooding packets thus originate from many different machines that were never themselves compromised, which also makes tracing difficult.

If the investigators do manage to discover the attack’s originating IP address, it may still prove impossible to link the address with a specific person. The address field in the current IP protocol is a mere 32 bits wide, which does not provide enough unique addresses for the number of computers requiring them. Internet Service Providers (ISPs) have worked around this problem by assigning dynamic IP addresses from a pool to their dial-in users; these IP addresses are only constant for one session. What this means in terms of IP tracing is that ISP log files provide the only way of determining which user was assigned a given address at a given time. Fortunately, ISPs have a strong incentive to cooperate with law enforcement⁴² and will usually provide this information (if they still have it) in the event of an attack originating from one of their pool of IP addresses.

42 Lipson, Howard F. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. November 2002. <http://www.cert.org/archive/pdf/02sr009.pdf>
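As an added illustration (not part of the paper), this is the lookup an ISP would run against its session log to answer that question. The log format and entries are constructed for the example, and the clock-skew parameter is there because a session boundary close to the attack time, as reported by the victim's clock, can leave two candidate accounts or none.

```python
"""Resolve a dynamically assigned address to an account from a session log.

Added example, not the paper's code.  The log format (start, end, address,
account, one session per line) and all entries are constructed; real RADIUS
or DHCP logs differ, and ISPs keep them only for a limited time.
"""
from datetime import datetime, timedelta, timezone

# Constructed session log.  An empty end field means the session is still up.
SAMPLE_LOG = """\
2005-11-30T21:04:10Z,2005-11-30T23:58:02Z,203.0.113.17,user-a
2005-11-30T23:59:40Z,2005-12-01T04:10:55Z,203.0.113.17,user-b
2005-12-01T04:12:00Z,,203.0.113.17,user-c
2005-11-30T22:00:00Z,2005-12-01T01:00:00Z,203.0.113.18,user-d
"""

def parse_ts(text):
    """Log timestamps are UTC; mixing local times is a classic tracing error."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, addr, account = line.split(",")
        sessions.append({"start": parse_ts(start),
                         "end": parse_ts(end) if end else None,
                         "addr": addr, "account": account})
    return sessions

def who_had(sessions, addr, when, skew_seconds=0):
    """Return every account whose session for `addr` covers `when`.

    `skew_seconds` widens each session by the clock uncertainty between the
    victim's logs (the source of the attack time) and the ISP's logs.  Near a
    session boundary this can yield two candidates, or none without widening;
    both outcomes are reported rather than silently picking one account."""
    if when.tzinfo is None:
        raise ValueError("query time must be timezone-aware")
    skew = timedelta(seconds=skew_seconds)
    hits = []
    for s in sessions:
        if s["addr"] != addr:
            continue
        start = s["start"] - skew
        end = (s["end"] + skew) if s["end"] else None   # open session: no end
        if start <= when and (end is None or when <= end):
            hits.append(s["account"])
    return hits

SESSIONS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    t = parse_ts("2005-11-30T23:59:00Z")   # attack time taken from victim logs
    print(who_had(SESSIONS, "203.0.113.17", t))       # []
    print(who_had(SESSIONS, "203.0.113.17", t, 120))  # ['user-a', 'user-b']
```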

Next generation IP protocols such as IPv6 expand the address field to 128 bits, which means all hosts can have unique, static addresses. This will be a significant advantage in tracing an attack to the individual responsible⁴². IPv6 also provides a “hop-by-hop” header field for its messages⁴¹ which could allow each of the routers that touches the message to record its address in the header, providing a detailed roadmap should anyone wish to perform a trace. Finally, IPv6 has IPSec, an emerging standard which provides new security protocols, built in. Among other things, IPSec will help in authenticating the origin of data.

Current and Future Tracing Techniques

Using today’s Internet protocols and standards, one of the most effective ways to trace and block a Distributed Denial of Service (DDoS) attack is the backscatter traceback technique. This method, developed by Morrow and Gemberling, makes use of the many spoofed packet source addresses that are not legitimate Internet addresses⁴². Once the attack is reported, packets destined for the victim are rejected and returned to the “sender.” The ISP routes those returned packets which were headed for an invalid IP address to a “black hole” machine, where analysis can be done to identify the router at which the attack entered the ISP’s network. From that point on, neighboring ISPs must continue the trace.


A simpler approach in use today is hop-by-hop traceback. Assuming the source IP address is spoofed, the attack packet is traced back to its origin (or to the edge of the ISP’s network) router by router, using each router’s diagnostic functions to determine the closest upstream router carrying attack traffic. This technique is labor-intensive and technical⁴². For the short term future, the practice of overlaying a specialized hop-by-hop tracking network on an existing network could greatly enhance this technique. Such an overlay network, designed by Robert Stone, uses special-purpose tracking routers connected to edge routers in an ISP’s network, where the flow of attack packets will be routed in the event of a Denial of Service (DOS) attack⁴².

More scalable, and thus more promising, tracing techniques will require the use of new protocols. These techniques include sampling packets to either generate trace packets, or actually place tracking information into header fields in the packet itself. This tracking information can be used to recreate the path that the attack packet took. This process is called probabilistic packet marking⁴². It should be noted that these methods are only useful in attacks that generate a large amount of traffic, since they are only sampling.
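An added simulation, not from the paper, of the edge-sampling form of probabilistic packet marking (Savage et al.): each router marks a passing packet with probability p, and the victim reassembles the path from the sampled edges. Router names, the path and the traffic volume are constructed; `expected_packets_bound` gives the usual estimate of how many packets the flood must supply, which is why the technique needs high-volume attacks, and the `forged` parameter shows the scheme's stated guarantee that anything the sender pre-fills in the mark fields can only appear upstream of the first real router.

```python
"""Probabilistic packet marking, edge-sampling variant (added simulation)."""
import math
import random

class Packet:
    """Only the three marking fields matter for the simulation."""
    def __init__(self, start=None, end=None, distance=0):
        self.start = start        # router that wrote the current mark
        self.end = end            # router one hop downstream of `start`
        self.distance = distance  # hops travelled since the mark was written

def router_mark(pkt, router, p, rng):
    """Per-router edge-sampling rule."""
    if rng.random() < p:          # with probability p start a fresh edge
        pkt.start, pkt.end, pkt.distance = router, None, 0
    else:
        if pkt.distance == 0:     # first hop after a mark: complete the edge
            pkt.end = router
        pkt.distance += 1         # every non-marking router counts one hop

def send_flood(path, n_packets, p, seed=1, forged=None):
    """Send n_packets from the attacker through `path` (attacker side first).
    `forged` pre-fills the mark fields the way a dishonest sender could."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        pkt = Packet(*forged) if forged else Packet()
        for router in path:
            router_mark(pkt, router, p, rng)
        received.append(pkt)
    return received

def reconstruct_path(received):
    """Victim side.  Group sampled edges by distance and walk outward from the
    victim: the `end` of each edge must equal the `start` of the edge one hop
    nearer.  Because every router increments `distance`, pre-filled marks can
    only surface at a distance beyond the first real router."""
    edges = {}
    for pkt in received:
        if pkt.start is not None:             # unmarked packets carry nothing
            edges.setdefault(pkt.distance, set()).add((pkt.start, pkt.end))
    path, nearer, d = [], None, 0             # the victim itself is at distance 0
    while d in edges:
        links = [e for e in edges[d] if e[1] == nearer]
        if len(links) != 1:                   # missing or ambiguous edge: stop
            break
        nearer = links[0][0]
        path.append(nearer)
        d += 1
    return list(reversed(path))               # attacker side first

def expected_packets_bound(hops, p):
    """Savage et al.'s bound on the expected number of packets needed to see
    every edge of a `hops`-router path: ln(hops) / (p (1-p)^(hops-1))."""
    return math.log(hops) / (p * (1 - p) ** (hops - 1))

if __name__ == "__main__":
    route = ["R1", "R2", "R3", "R4"]           # constructed path
    print(reconstruct_path(send_flood(route, 2000, p=0.2)))  # ['R1', 'R2', 'R3', 'R4']
    print(round(expected_packets_bound(4, 0.2), 1))           # 13.5
```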

The ability to trace a single IP packet is problematic in that it would require huge amounts of storage at each router, where a record of every packet that passes through would be kept. The extra overhead of logging each packet would degrade router performance, and raise potential privacy issues. A traceback technique proposed by Snoeren, in which compact “packet digests” created by applying a hash function to the original packet are stored at each router⁴², addresses these issues and looks to be very promising for the future tracing of cyber attacks.

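An added toy of the digest idea, not the paper's or Snoeren's code: each router stores digests of the hop-invariant packet fields in a Bloom filter, the victim presents one suspect packet, and the routers whose filters answer "seen" form the path. Router names, filter sizes and traffic are constructed; the false-positive estimate is the caveat to check before trusting a "seen" answer from a router that forwards a lot of traffic.

```python
"""Hash-based packet digest traceback, Bloom filter toy (added example)."""
import hashlib
import math
import random

class BloomFilter:
    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, digest):
        for i in range(self.k):                 # k derived bit positions
            h = hashlib.sha256(digest + bytes([i])).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest):
        for pos in self._positions(digest):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, digest):
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(digest))

def packet_digest(pkt):
    """Hash only fields that do not change hop by hop (TTL and the header
    checksum are excluded) plus the first payload bytes, so every router on
    the path computes the same digest for the same packet."""
    invariant = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|{pkt['ip_id']}|".encode()
    return hashlib.sha256(invariant + pkt["payload"][:8]).digest()[:8]

class Router:
    def __init__(self, name, m_bits=65536, k=3):
        self.name, self.filter = name, BloomFilter(m_bits, k)

    def forward(self, pkt):
        """Store the digest, then hand on a copy with the TTL decremented."""
        self.filter.add(packet_digest(pkt))
        return dict(pkt, ttl=pkt["ttl"] - 1)

def trace(routers, suspect):
    """Names of the routers whose filters claim to have seen `suspect`."""
    d = packet_digest(suspect)
    return [r.name for r in routers if d in r.filter]

def false_positive_rate(m_bits, k, n_stored):
    """Standard Bloom filter estimate: an off-path router wrongly answers
    "seen" with about this probability, the scheme's main caveat."""
    return (1 - math.exp(-k * n_stored / m_bits)) ** k

def simulate(n_background=200, seed=7):
    """Constructed scenario: background traffic crosses A, B, C and D; one
    attack packet crosses only A, B, C before reaching the victim."""
    rng = random.Random(seed)
    on_path = [Router("A"), Router("B"), Router("C")]
    off_path = Router("D")
    for _ in range(n_background):
        pkt = {"src": f"198.51.100.{rng.randrange(256)}", "dst": "192.0.2.10",
               "proto": 6, "ip_id": rng.randrange(65536), "ttl": 64,
               "payload": bytes(rng.randrange(256) for _ in range(16))}
        for r in on_path + [off_path]:
            pkt = r.forward(pkt)
    attack = {"src": "203.0.113.99", "dst": "192.0.2.10", "proto": 17,
              "ip_id": 4242, "ttl": 64, "payload": b"constructed attack"}
    for r in on_path:
        attack = r.forward(attack)
    # The victim queries with the packet as delivered (TTL now 61, not 64).
    return trace(on_path + [off_path], attack)

if __name__ == "__main__":
    print(simulate())   # ['A', 'B', 'C']
```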

Evidence Recovery

An individual computer may be analyzed to determine if it has been used for illegal, unauthorized, or suspicious activities such as piracy, copyright infringement, thoughtcrime or destruction of information. Investigators must take care not to readily identify themselves to the computer as such, since an expert attacker may have installed countermeasures to forensic techniques, such as wiping out data upon a certain event.

The first step in analyzing a computer is to isolate it. The original evidence is handled as little as possible, and every step is clearly documented. Information stored in RAM is recovered and running processes are noted before the machine is carefully powered down. Physical traps such as self-destruct explosives should be ruled out, at which point the cover can be taken off the machine to document the hardware configuration, including serial numbers and boot order. Contamination of data must be avoided, so a digital copy of the hard drive is made, upon which all further investigative work is performed. During the search of the hard drive, hidden folders as well as unallocated disk space are inspected, so that all files including those that might be deleted or encrypted are examined.

Chain of custody is of vital importance in proving the authenticity of evidence; this is done by computing hash codes of files. At various points in the investigation, the hash codes are recomputed and compared with the original to verify that the file has not been modified at all.
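An added example, not from the paper, of the hash-based integrity check just described: a manifest of file hashes taken at acquisition, a fingerprint of the manifest itself for the custody log, and the later recheck that reports exactly which files changed. The evidence files and paths are constructed in a temporary directory.

```python
"""Hash manifest for evidence integrity (added example, constructed data)."""
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Hash every file under `root`, keyed by its path relative to the root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def manifest_fingerprint(manifest):
    """Hash of the manifest itself (canonical JSON).  Recording this value in
    the custody log means the manifest cannot be quietly edited later."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_manifest(root, manifest):
    """Recompute and compare.  Returns {path: 'modified'|'missing'|'added'};
    an empty dict means the copy still matches the acquisition manifest."""
    current = build_manifest(root)
    problems = {}
    for rel, expected in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != expected:
            problems[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            problems[rel] = "added"
    return problems

def demo():
    """Constructed run: take the manifest, then append to one file and delete
    another; verification must report exactly those two."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        files = {"logs/auth.log": b"Dec  1 02:13:07 host sshd: constructed line\n",
                 "logs/wtmp": b"\x00\x01constructed binary\x00",
                 "notes.txt": b"examiner notes, constructed\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        fingerprint_at_acquisition = manifest_fingerprint(manifest)
        assert verify_manifest(root, manifest) == {}   # intact right after imaging
        with open(os.path.join(root, "logs/auth.log"), "ab") as f:
            f.write(b"Dec  1 02:14:00 host sshd: line appended after acquisition\n")
        os.remove(os.path.join(root, "notes.txt"))
        problems = verify_manifest(root, manifest)
        manifest_unchanged = fingerprint_at_acquisition == manifest_fingerprint(manifest)
        return problems, manifest_unchanged

if __name__ == "__main__":
    print(demo())   # ({'logs/auth.log': 'modified', 'notes.txt': 'missing'}, True)
```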

During legal proceedings, crime scene evidence obtained by law enforcement officials, such as username/password lists and computer addresses, is combined with intrusion documentation evidence provided by the victim, to try and show that these pieces of evidence are directly tied to each other.

Issues and Challenges with Attacks Across Political Borders

The Internet is designed to allow packets to flow easily across geographical, administrative, and political boundaries⁴³. In addition to the fact that IP packets will likely be routed across multiple borders during normal request/response execution, a cyber attacker may make specific use of the global aspect of the Internet to his own advantage. It is easy for him to launch an attack from a foreign site, and he does so with the knowledge that tracing the attack will require international cooperation, a nascent area whose potential deterrence value is vital to the future safety of our information infrastructure. According to Richard D. Pethia, Director of the CERT Centers, “It is common to see U.S.-based attackers gain…safety by first breaking into one or more foreign sites before coming back to attack their desired target in the U.S.”⁴³. As an example of an attacker evading U.S. prosecution, in the mid-1990s an Argentinean named Julio Cesar Ardita compromised computers in U.S. institutions such as Harvard University and the Department of Defense from his home in Buenos Aires. His actions were not considered criminal in Argentina, and Argentina refused to extradite him to the USA⁴⁴.

Another common present-day attack is the Distributed Denial of Service attack, which may involve remote-controlled “zombie” machines in every corner of the globe. Thus, the actions of an individual community to track a cyber attacker are insufficient. Since there is no single entity in charge of the Internet, tracing an attack path and seeing to it that the culprits get their comeuppance requires involvement from multiple nations and jurisdictions. It also requires that pre-existing international treaties be in place; the inherent slowness in developing these treaties means it may be a while before trans-border cooperation is efficient enough to deter cyber attacks.

43 Pethia, Richard D. “Information Technology - Essential But Vulnerable: Internet Security Trends.” Testimony of Richard D. Pethia, November 19, 2002. <http://www.cert.org/Congressional_testimony/pethia-11-02/Pethia_testimony_11-19-02.html#trace>

44 Sofaer, Abraham D.; Goodman, Seymour E. “Cyber Crime and Security - The Transnational Dimension.” The Transnational Dimension of Cyber Crime and Terrorism. 2001, Hoover Press.

Coordinating international efforts adds significant complexity to the already difficult task of tracing an attack, gathering evidence, and bringing a perpetrator to justice. Be that as it may, there are analogous situations requiring multilateral cooperation where successful arrangements have been made, such as in air travel and telecommunications⁴⁴. That being said, it is important to understand the many different kinds of geopolitical issues involved, including the obvious ones such as languages and time zones, which must be considered when dealing with trans-border response coordination.

Tracking Issues

Cooperation of entities such as ISPs, telecommunications providers, and law enforcement in different countries and jurisdictions is needed when performing, for example, a hop-by-hop IP trace-back. If any one link fails to provide information, the chain is broken and it is unlikely that the attacker will ever be found or prosecuted. States could fail to uphold their part of the investigation for any number of reasons, including dislike for the requesting state, lack of technical resources, or lack of incentive. States must be convinced that cooperation is in their best interests, but a basis for that incentive is unclear⁴⁴. In addition, some states may lack the finances for purchasing the hardware necessary to implement certain trace-back schemes. Funding arrangements need to be made to assist these less developed nations in meeting their responsibilities⁴¹.

For trans-border tracking to succeed, there must exist international agreements on how information is shared: how fast the data must be provided (time is of the essence in tracing a cyber attack); what procedures will be used to obtain the information necessary to continue the trace (technologies should be standardized); who will foot the costs of the investigation (both fixed and variable). Currently, there are no universal technical standards or agreements for monitoring or record keeping, including how long the data must be retained⁴². In addition, differing privacy laws may impede a trans-border investigation, for example if an ISP is asked to provide a customer name associated with one of its IP addresses.

Once the information is obtained, how can its trustworthiness be guaranteed? Countries or jurisdictions that have a history of adversity could be requesting information from each other. In addition there may be conflicts of interest if the very people being asked to provide the tracking information are liable, or even directly responsible, for the attack. Possible solutions include using certificates to authenticate information and users, or to keep encrypted “snapshots” of key data throughout the network.

Conflict could arise if one state needs to access data stored within the borders of another state, in order to complete an investigation. Agreements as to under what circumstances such seizures could take place need to be made. For example, such an agreement could specify that a search warrant must be granted by the nation where the data is stored before that data can be accessed.

Lipson suggests the need for a shared international technical organization for exchanging highly technical information⁴². This organization would perform the vital task of disseminating data such as vulnerability information, hacker trends (including evasion techniques), and trace-back technologies, to every (trusted) country with Internet connectivity.

Prosecution Issues

Prosecution presents a significant problem when cyber attacks are launched from a remote state whose laws regarding cyber crime may be lax. Countries’ opinions differ on what sort of conduct is considered a cyber attack. The vital task of getting international agreement on the specific definitions of cyber crimes is likely to be considerably more difficult than obtaining consensus on cooperation procedures. Legality of retaliation may also differ between countries/states.

Liability differences present another problem. For example, whether or not an ISP through which an attack originated is at all liable for that attack could vary between nations.

Punishments associated with breaking cyber crime laws vary from country to country. This may give an attacker incentive to launch an attack from a state different from his own or his victim’s, in order to seek refuge. In a case like this, the prosecution may request that the attacker be extradited to that country. Since extradition laws differ across national boundaries, such extradition treaties for cyber offenders need to be internationally harmonized.

We are making progress on the trans-border problems discussed above. A multilateral treaty has been proposed by the Council of Europe, to establish consensus on what constitutes a cyber crime and the responsibility for cooperation during investigation and prosecution⁴⁴. There is also a group composed of incident response and security teams from nineteen countries, named the Forum of Incident Response and Security Teams (FIRST), which provides a closed discussion forum for its members. While it lacks the operational elements necessary for coordinated global investigations, it could be used as a technical framework for expanded international cooperation⁴¹.

What gaps remain between law and policy, and the ability to prosecute?

Individuals, corporations, and states rely on cyberspace for just about any service imaginable. Preserving the confidentiality, integrity, and accessibility of networks, and of the information they sustain, increases the level of trust consumers give services on the web. This level of trust must always be improved if sites want to ensure the flow of clients to their website. Increasing levels will only help innovation to prosper, which is generally the end goal of any website that runs on secure networks. How we shape legal norms of conduct today will set new precedents for the future of Internet users. Any new regulations and laws created must include greater flexibility to account for growth in technological advances.


Modern technology has brought its share of problems. With hackers on the rise, many new types of criminal actions are being committed on the Internet. To prevent further security violations and allow for easier prosecution, new laws must constantly be created and old ones updated, to safeguard the reliability of the network. International laws are especially important because they help set guidelines for world conduct. National laws are important to any given country, yet they should follow international guidelines. Distinctions can be made as to what is deemed legally punishable within every state’s own laws. States may exclude minor misdemeanors such as individual acts of piracy and instead focus on criminals such as those who distribute copyrighted material in massive amounts. This would prevent an overload in case load that might go to a state or national court, as well as prosecute critical violators. Key focus should be set on far-reaching crimes that are intentionally committed, that is, willful or deliberate acts. An example is a hacker who deliberately violates someone else’s privacy for their own economic gains.

International attention has been brought to this matter and various countries have increased the level of involvement they provide to various organizations who are attempting to solve issues relevant to cyber crime. The G-8 in 1997 established a Subgroup of High-Tech Crime with the goal of guaranteeing that no criminal receives “safe havens” anywhere. Thus, G-8 countries adopted ten principles in the combat against computer crime. At the last meeting which took place in Washington D.C. on May 10-11, 2004, G-8 Justice and Home Affairs Ministers issued a joint document stating:

“Continuing to Strengthen Domestic Laws. To truly build global capacities to combat terrorist and criminal uses of the Internet, all countries must continue to improve laws that criminalize misuses of computer networks and that allow for faster cooperation on Internet-related investigations.”⁴⁵

In the United Nations numerous resolutions are being worked on to ensure that advancements in cyberspace security be maintained to combat misuse of information technologies. In one particular resolution it was asserted:

“a. States should ensure that their laws and practices eliminate safe havens for those who criminally misuse information technologies.”

“e. Legal systems should protect the confidentiality, integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized.”⁴⁶

These are just some examples of international organizations implementing a defense plan against cyber threats and cyber terrorism.

45 See http://www.usdoj.gov/ag/events/g82004/index.html.

46 The resolution was adopted by the General Assembly on December 4, 2000 (A/res/55/63).

How should existing law be changed?

Enacted in the 1980s, the Computer Fraud and Abuse Act has been recently amended to keep it up-to-date with cyber vulnerabilities. The Act makes it a criminal offense to knowingly access a computer and steal national defense or other restricted government data. Other federal statutes used against cyber-offenders include the Major Frauds Act (for frauds against government property or agencies), and an old federal wire fraud statute, which originally was enacted for telegraph and telephone based frauds but is now being applied to Internet-based crimes also⁴⁹. While we concede it is important to have a national defense that aims to keep hackers away from national security targets, greater reform is needed to take into account the privacy of individuals. The only way this is possible is if national strategy aimed at protection of U.S. government computers is also directed towards anyone with a home or office computer. This might not be a simple process, yet it is possible. If, for example, the federal government allows local government to enforce tougher laws aimed at individual computer security, people may be better protected against hackers. Furthermore, if computer security companies work with local lawmakers to guarantee our protection, a business flow would be created and more security would be available. The companies can then turn a profit and provide for personal security at the local level.

Regardless of the use of new international and federal laws and amendments to older laws, cyber-criminals find new ways and continue old ways (with new loopholes) to infringe upon our computer systems and networks. This is especially true of those intruders who avoid prosecution under US law because they are beyond our borders. We cannot let them be immune to prosecution but still able to knock on our electronic doors. Although it is important to continue to create laws that help fight this problem, more individual action is vital.

49 See http://www.washingtontechnology.com/.

It is crucial for local government to focus more on laws aimed at our personal protection. To do so more state laws need to be created and enforced. Furthermore individuals need to take on greater responsibility to ensure that their personal computers are being protected. Individual users should therefore focus on prevention of attacks. After all, it is illegal to break into someone’s home, but that does not mean people will neglect to lock their doors at night to prevent those intruders. If people take on a bigger role at preventing personal attacks, then greater security will be the end result. This would also raise awareness at the government level that continuous prevention laws need to be enacted. Within the nation’s networks, we need to pay more attention to those locks that keep intruders away. To ensure our defense, these new laws need to give tougher penalties to high level acts of misconduct. If prevention becomes the key focus of policy-making, more money will ultimately be saved since people will be more aware of problems before they occur. That is why Congress needs to increase funding for cyber-crime security and ultimately help prevent more Americans from falling victim to cyber-fraud.


Conclusion

After examining cyber prosecution, the current cyber crime legislation, as well as the technical and political challenges involved in capturing cyber criminals, we conclude that while the current state of cyber laws is moving in the right direction, its effectiveness has been limited. And regardless of the effectiveness of any one nation’s legislation, we will need close collaboration between nations in order to define a cohesive legal environment for the Internet. It is crucial that Congress keep our legislation current; however, the driving function that will be able to reduce and mitigate cyber crime will primarily be technological advances. In order for our nation to secure itself against cyber crime, we will need to facilitate not only security research to improve our systems, but also programs that disseminate this new technology and IT policy. While we can never be completely protected against cyber crime, by following through on such endeavors we will be prepared to handle it as best we can.