…OK, so this classic rock metaphor continues, but I seem to have an addiction (or perhaps affliction!) that won’t let me stop. The “Town” in this case, however, refers to both brick and mortar structure defined as where we physically live and hardware resides, as well as the virtual locations where we work, play, and connect; together this comprises places in which we all live on Friedman’s (2005/2007) “flat’ world. More germane to this week’s question is the nefarious activity known collectively as cyber crime, and the “Boys” (not intentionally chauvinistic, just trying to keep it simple, so “boys” in this case generically equates to both genders) who keep coming back to perpetrate these actions.
Cyber crime runs the gamut from individuals who use the open net to steal identities, to active phishing actions to either cause people to squander money on unnecessary items or to actively infect individual systems or networks, to “hacktivists” that are economically or politically motivated on a cause to gain information or disrupt activities, up to organization/state-sponsored actions executed to attempt disruption of institutions, even governments, or active theft of information. This wide range of activities under the over-arching descriptor of cyber crime is often also referred to in the media and government as cyber attacks. Neither is completely accurate nor completely false. How can something be labeled as “crime” where in many cases there is no law?
Nations have laws, there are some international agreements, but cyber is ubiquitous and doesn’t necessarily respect national borders and by extension sovereignty. In the US alone, there are innumerable bills emanating from both houses of Congress but few have passed muster to become law. Indulge me for a moment on a couple of examples-I won’t belabor this as a it’s a deep subject and perhaps one on which we can dialogue over the next weeks (months, years, decades…!).
- The US has military organizations dedicated to protection of US military network to detect and attempt to prevent intrusion, as well as identify intruders and under certain authorities take action to counter these actions. This military capability is supported, as with actions in other domains (air, land, sea, space..) by a robust intelligence community across all disciplines (signals, electronic, geo-spatial, human, etc.). If an actor infiltrates a civilian corporation that provides support or production of a military capability on an open unclassified network, and exfiltrates data for their own use, does that constitute crime? Under what statute if the actor is non-US, especially if it’s a non-state actor? This is the big debate going on in the media between the US and China for example.
- Add a layer of complexity on the issue by the physical and virtual location of each actor. Presume the actor perpetrates the intrusion from outside the US, but targets a corporate network inside the US. Even so, the point of intrusion might emanate from and internet service provider physically located on US soil. How does this affect what US actions might be appropriate, or more correctly stated legal? Think about the Constitutional/US Code restrictions on the use of intelligence activities targeting US citizens as well as Posse Comitatus restrictions on the use of military capabilities to enforce civil law. This may be frustrating to those in authority, but balance it from the perspective of sustainment of civil liberties, First Amendment rights, and the example we claim to set for the rest of the world as a democracy. Where does the balance between individual rights and privileges versus regulation and governmental control lie?
- What’s the threshold we should set between crime and attack? If an actor is purposely creating a worm or virus to insert into a financial institution because of anger over their perception that large banks were a significant cause of the current economic issues a crime? If that network disruption spreads deeper into other financial institutions causing loss of resources or a collapse of some specific capability (your ATM card no longer works, or worse NASDAQ fails) is that crime or does that constitute an attack; or does it matter whether the actor is an American citizen, sponsored by another nation-state, or extra-national (think about Iranian activists and Lebanese Hezbollah for example)?
I seem to be asking a lot more questions than providing answers, but this is a complex subject. Despite 20 years of fairly common access to the internet, the governance remains as designed fairly open and therefore what constitutes crime including potential litigation a nascent and very dynamic topic. Given consensus that our world is “flat” and becoming more wired, all digital citizens-natives and immigrants-owe their voice to the conversation. May be we’ve entered a new social compact recognizing that “The Boys are Back in Town” and likely to stay, so we all must know how to act accordingly.
Will 
To: Will
From: NotSocrates
I too have a number of questions regarding this issue. The current cyber world we live in has created a great deal of gray area between right and wrong. However, there is enough black and white with many elements of cyber crime that, in the words of Justice Potter Stewart, “I know it when I see it”. Both cyber crime and the ethical issues around cyber crime are rampant. I do believe you have it right that we need to begin a dialog where people can weigh in and where “the reasonable person” concept can guide our actions. I realize this is difficult in a world with competing ideologies and social economic backgrounds, however it must be done. If we just accept the world as it appears –totally open and free, where anything goes, we subject ourselves to world without rules or guides. That certainly is a dangerous slope so, as you point out, the dialog should begin and we should all add our voice.
As you note, lots of nuances here. Your examples reminded me of my first encounter with hackers. I was stationed at the Defense Communication Agency in Washington in the late 80’s. A book came out in 1989 by Clifford Stoll called The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. It detailed how discovery of a 75 cent accounting error eventually led to finding Marcus Hess in West Germany, who was hacking in to government computers and selling data to the KGB. Since the DCA was responsible for the Defense side of the internet, this case was still fresh when I reported to Washington. And as the talks between the President and Chinese Premier indicate, this issue remains fresh.
Will – you’ve certainly found your niche with these blog titles. LOL!
You bring up some great points. How can there be a crime if there is not law? Our digital world is changing the game faster than legislation can handle (shocker).
However, to some of the follow-up here, we aren’t in a lawless digital society. The WikiLeaks trial is just now coming into focus. Army Pfc. Bradley Manning is facing life in prison for digital crime…
-Josh
I love the classic rock titles. We get to see the Steve Miller Band the end of the month. Ah…..now back to the post.
Cyber crime is really best analyzed broken down into categories. You hit them pretty well above in your explanations. In one of my law classes, we discussed Fraud, Computer trespassing ( gaining access to an individual computer), Hardware Hijacking, Bullying, Harassment , Stalking, Spam, and Informational Warfare, The last one, informational warfare is large scale attacks on websites, jamming communication, spreading malicious code or DDoS attacks which mean” distributed denial of service” . Our site became a victim of this during a particularly important sales campaign. The computers were swamped by traffic and it crashed. The big problem is the cost of tracking these and the limited number of trained individuals. Forensics Cyber work would be a fun job if you love computers.
The internet and laws are becoming very complicated. I am sure that there is a new area for attorneys to cover called “Cyber law”. I see this being just as lucrative as divorce or crimainal law. There are cases now that are serving as the norm for cyber law. This may be a difficult area as well with technolgy constantly changing.
Will,
The fact that there are no laws for “crimes” highlights that speed at which technology and learning how to abuse or use it in an unethical manner. Just as the founding fathers set the structure for laws of the new United States of America, a new structure to address digital actions must be set. By the time specific laws are approved and set in place new crimes without laws are being committed.