Computer crime: Changing the public's perception

[InfoSec News <isn () C4I ORG>]

Forwarded By: kelley <kwalker2 () gte net>

http://www.herald.com/content/mon/business/tech/digdocs/076302.htm

You remember Jonathan James? He made national news a couple of weeks
ago. You know, he's that nice 16-year-old young man convicted of
hacking into computers at the Pentagon, NASA, BellSouth, the
Miami-Dade school system and many other places. That's pretty funny.
Right?

Can you imagine that some nasty judge put him in jail? Young Jonathan
put it so well when he said, ``I don't think they should be putting a
kid in jail because he proved they don't have very good security.''

Fortunately, poor misunderstood Jonathan didn't delete files or infect
any computers with viruses while he was engaged in his youthful
mischief. As his father put it, ``All he did was go look at top secret
government information.''

Hey, you know what they say -- values come from the home. I can see
where Jonathan learned his.

His father described his son as contrite. I guess that the obscene
gesture he made at the courthouse to a photographer was yet another
minor aberration.

Jonathan was lucky I wasn't the judge.

Computer crime isn't a joke. This attitude that he did them a favor by
showing them that their security was bad is warped -- absolutely and
completely warped.

I suppose that Daddy James would be the first one thanking the burglar
for breaking into his poorly secured home if the burglar only looked
at his most private and personal possessions, but didn't take
anything.

We're at a point where computers are an essential part of our
society's infrastructure. Any crime that touches the infrastructure of
our society is by definition a significant crime.

The ``ILOVEYOU'' virus a few months ago is yet another example of the
types of problems that can come from computer crime. ``ILOVEYOU''
disrupted businesses, governments, and people worldwide. We cannot
permit these sorts of things to happen.

``ILOVEYOU'' demonstrates that every computer has the capability of
being a weapon of mass disruption, even destruction. As we become even
more dependent on computers, hackers will have even more opportunities
to cause mass disruption or destruction.

``Wasn't it cool when I turned off the air traffic control system?''
``Wasn't it great when I turned off all the respirators in the
hospital from home?'' I assure you that it's just a matter of time
before the things hackers do become even more outrageous and
dangerous.

Hey why not? As young Jonathan put it, ``All the girls thought it was
cool.'' If you're a male over about age 14, what more reason do you
need to do something really stupid.

The problem with security, whether it's hi-tech computer security or
physical security is that ``perfect'' is an impossible goal. The goal
is reasonable security.

Everybody can and should implement three basic security concepts. You
should start by controlling physical and logical access to sensitive
information. Your methods could include passwords and encryption.

Next, you should require individual accountability for sensitive
information and identify those with access. Finally, you need to have
audit trails that show who accessed what information. Your audit trail
should be able to answer the basic who, what, where, when, why, and
how questions.

All too often, we see computer crime as not that big a deal. While the
Computer Abuse Act of 1984 imposes a $250,000 fine or a five-year
prison sentence, or both, for each offense, it just doesn't often work
that way.

While I don't have any formal study to cite, experience has taught me
that computer crime is generally not sternly punished.

We need to have a basic change in attitude about computer crime. What
we must do is use harsh punishment along with reasonable security as
deterrents. We have to deliver the message that hacking and other
computer crimes are so difficult to prevent and the dangers that come
from them are so great that our society simply won't tolerate them.

What Jonathan did wasn't a childish prank. Saying that there were no
horrible consequences from what he did is like justifying drunk
driving by saying, ``But I got home and I didn't have an accident.''

If I'd been the judge in a world with perfect laws, Jonathan wouldn't
get out of jail until he was 21 and would never, never, never earn a
living in any job involving computers or programming. That's
punishment. That's a message to others.

Mark Grossman is a shareholder and chairs the Computer and E-Commerce
Law Group of Becker & Poliakoff, P.A. His website is
http://www.EcomputerLaw.com and his e-mail address is
techlaw () ecomputerlaw com. Research assistant is Andrew Chulock.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".