tures include unauthorized access to computer networks (either from an insider or an outside hacker), malicious code (such as viruses and worms), and distributed denial-of-service attacks. The conventional wisdom is that prosecution of computer crimes will help reduce the number of future computer attacks. This approach depends on the private sector entities—the owners of the information infrastructures—to report criminal computer activities. However, to use prosecution as a deterrent, the attack and subsequent prosecution must be publicized. This may be acceptable when criminals are caught in the process of attempting an attack (which is therefore rendered unsuccessful) but may not be desirable when the attack succeeds. Craig Silliman suggests that a victim’s decision to report a computer attack to law enforcement depends on a careful balancing of interests. For example, an ISP differentiates itself based on the quality and service of its networks; a single advertised attack could lead to a loss of customers and revenue. In addition, information in the public domain about the vulnerability of a network could lead to copycat attacks. Hence, it would take a large number of prosecutions, Mr. Silliman argues, to compensate an ISP for the corresponding bad publicity. These concerns—echoed by companies in many industries (e.g., financial institutions)—have contributed to private information-sharing efforts (such as ISACs and CERT) to reduce attacks and to detect and prevent the successful conclusion of an attack.

Domestic Jurisdiction

Congress has passed a number of laws related to computer crime.3 These laws are generally focused on hackers and other individuals who use computer networks for illegal purposes.4 This section provides a brief overview of the key computer crime laws.5

3  

Many states also have computer crime laws that may affect critical information infrastructure protection.

4  

Many of the attacks that occur today are the result of malicious or indifferent acts by individuals (often referred to as “script kiddies”). They generally do not have the sophistication to develop their own attacks, but rely on programs (“scripts”) written by others and/or other ready-made tools to launch network attacks. An in-depth analysis might be helpful to consider a variety of issues surrounding these hacker kits such as whether such kits are protected under the First Amendment rights (e.g., bomb-making is protected, so arguably hacker kits should be as well); whether these kits are circumvention tools; when it is appropriate to use these kits (e.g., security firms that use them to conduct audits for insurance purposes).

5  

There are many laws that pertain to conduct on computer networks that are not designed solely for online environments (e.g., the Espionage Act, 18 U.S.C. Sec. 793, 794, and 798; Wire Fraud, 18 U.S.C. Sec. 1343; and the Economic Espionage Act, 18 U.S.C. Sec. 1831 et al.). The laws cited in this section are all part of Title 18, “Crimes and Criminal Procedures.”



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement