tures include unauthorized access to computer networks (either from an insider or an outside hacker), malicious code (such as viruses and worms), and distributed denial-of-service attacks. The conventional wisdom is that prosecution of computer crimes will help reduce the number of future computer attacks. This approach depends on the private sector entities—the owners of the information infrastructures—to report criminal computer activities. However, to use prosecution as a deterrent, the attack and subsequent prosecution must be publicized. This may be acceptable when criminals are caught in the process of attempting an attack (which is therefore rendered unsuccessful) but may not be desirable when the attack succeeds. Craig Silliman suggests that a victim’s decision to report a computer attack to law enforcement depends on a careful balancing of interests. For example, an ISP differentiates itself based on the quality and service of its networks; a single advertised attack could lead to a loss of customers and revenue. In addition, information in the public domain about the vulnerability of a network could lead to copycat attacks. Hence, it would take a large number of prosecutions, Mr. Silliman argues, to compensate an ISP for the corresponding bad publicity. These concerns—echoed by companies in many industries (e.g., financial institutions)—have contributed to private information-sharing efforts (such as ISACs and CERT) to reduce attacks and to detect and prevent the successful conclusion of an attack.

Congress has passed a number of laws related to computer crime.³ These laws are generally focused on hackers and other individuals who use computer networks for illegal purposes.⁴ This section provides a brief overview of the key computer crime laws.⁵