Abstract
Since the advent of networking of computer systems through the intranet and internet, security of data and information has always been threatened by unauthorized access, use and modification of data. Weak computer security can not only affect government and state security but could also cause the collapse of the economy. As new threats continually crop up, devised by skilled computer hackers and individuals who want to profit or simply disrupt a specific computer network, the government should double its efforts in passing new laws that would deter attacks on computer networks.
Government prosecutors have often found it difficult to prosecute apprehended computer offenders due to the lack of appropriate laws covering specific acts. It is only after an act has been committed that the government can react and pass laws that would address such an act. The government is merely reactive to circumstances when passing computer security laws, but it can be proactive and pass laws that would cover possible computer violations and intrusions.
This paper will present the laws and acts enacted by Congress that would penalize cyber crimes and strengthen the computer networking system. Although the focus would be current laws involving computer security, previous laws shall also be cited to provide a historical perspective on the development of the laws and acts. Moreover, later laws are passed to cover issues that were not addressed by the previous laws. Cases of computer breach will also be cited to show how they affect legislation.
Introduction
The computer system is in constant threat from various sources, individuals, groups and even other governments. The computer system can be attacked internally, by unauthorized users who may be employees of the company, and externally (by hackers who want to steal information or simply to disrupt the operating system or program). With the rise of the internet, voluminous valuable data and information pass through international boundaries that involve commercial, banking and financial transactions. Intelligence and defense information accessed or damaged by unauthorized persons can disrupt the stability of a country.
The internet has become part of everyday life through activities such as email messaging and online purchases (Smith, Moteff, Kruger, Seifert, Figliola & Tehan, 2005). Retail purchases in November 2004 were done online with 69 percent using broadband and 31 percent through dial-up (Nielsen//NetRatings, 2005, as cited in Smith, Moteff, Kruger, et al., 2005). Out of the total retail sales of $938.5 billion for the fourth quarter of 2004, $18.4 billion came from e-commerce retail sales (U.S. Census Bureau, 2004, as cited in Smith, Moteff, Kruger, et al., 2005).
Computer security is associated with the vulnerability of a computer while connected with a network of computers (Kinkus, 2002). Computer security has three areas of concern (referred to as CIA) that should be addressed: a) confidentiality (access only by authorized users), b) integrity (protection of information from unauthorized changes which are not detected by authorized users, also refers to privacy), and c) authentication (verification of users) or availability (access to information by authorized users) (Kinkus, 2002). Privacy of user information is the most important of the technical areas (Kinkus, 2002) since personal data must not be shared unless the user consents thereto.
Pieces of information about the user can be taken from various sources that together can give a holistic picture of the user's search habits (Kinkus, 2002). The user must have complete control of the information provided, the purposes for which it is used and who can use it (Kinkus, 2002). Breaching these technical concerns is considered a crime in several jurisdictions and is referred to as cyber crime.
Context of the Problem
Cyber crime refers to activities committed using a computer that are intended to harm a computer and network (McConnell International, 2000). Computer crimes have gained international attention but laws against such acts are unenforceable in other countries (McConnell International, 2000). The absence of legal protection can only mean that establishments have to implement technical protection to hinder unauthorized access or prevent destruction of information (McConnell International, 2000).
The commission of cyber crimes continues to increase, but victims of illegal access prefer not to report them since doing so would expose their technical weakness and raise the possibility of “copycat crimes” and the loss of user confidence in the system (McConnell International, 2000, p. 1). It is incumbent upon the government to provide sufficient protection to public and private computer networks and systems, through appropriate regulation and passage of laws, to avert huge financial losses and damage.
Problem Statement
The rise of the internet paves the way for a new mode by which to communicate and conduct commercial transactions. Valuable information stored electronically is also transmitted through this technology. Along with this development, individuals with criminal minds find this technology lucrative to prey upon. They continually seek ways to commit offenses either to earn or simply damage a system or information. They look for weaknesses in the computer system so that they can break into them. The government continually addresses the problem of computer security through the passage of laws that would penalize certain internet activities and regulate the system through guidelines and standards. But cyber crimes are not deterred by the laws and still occur. The government should pass laws that would totally eliminate the commission of internet crimes.
Hypothesis
The laws and Acts passed by the government have sufficiently provided security to computer systems and maintained privacy of information against unauthorized intrusion, access and damage.
Research Questions
- What are the cyber crimes that affect computer security?
- What are the laws and Acts passed by the government to bolster computer security and protect information against illegal access and damage?
- How much damage and loss do cyber crimes have upon the computer network and resources?
- Did the laws and Acts deter the commission of cyber crimes?
Terms and Definitions
Act – statute passed either by the Federal Congress or State Congress. All statutes generally fall under the term law.
Artefact – same as artifact. The term used by social constructionists when referring to a technological device.
CALEA – Communications Assistance for Law Enforcement Act of 1994.
Closure – in SCOT, it is a stage wherein the meanings attributed to an artefact stabilize and further innovation to the device ceases.
Computer – a machine consisting of hardware, software, peripherals and accessories. It needs software consisting of programs and applications in order to function as intended.
Computer Security – refers to the implementation of standards and guidelines, the technical and software applications that would protect the computer system, as well as the information stored and transferred electronically from one computer to another.
Computer System – comprises the hardware, software, and interconnection that enable transfer of information and communication through electronic gateway.
COPPA – Children’s Online Privacy Protection Act.
Cyber crime – crime committed upon a computer system or database with the use of computer.
ECPA – Electronic Communications Privacy Act of 1986.
FACT – Fair and Accurate Credit Transactions Act.
FCC – Federal Communications Commission.
FCRA – Fair Credit Reporting Act.
Federal law – statute or Act promulgated by the federal Congress.
FISMA – Federal Information Security Act.
GLBA – Gramm-Leach-Bliley Act.
Internet – interconnectivity of computer systems around the globe.
Intranet – networking a series of computers within a closed system or a single organization. A firewall protects the system from outside access.
Law – generic term that includes statutes, Acts, presidential issuances, etc. passed by federal or state governments and other government institutions authorized to pass such issuances.
NIIPA – National Information Infrastructure Protection Act of 1996.
Relevant social group – a group of users in society that exerts some influence upon the development of technology and ascribes meaning to the artefact.
SCOT – Social Construction of Technology.
Limitations
The materials included in this paper are sourced from internet websites that provided commentaries on computer security laws, copies of the laws themselves and news items. All the laws are public documents and are readily available for public use on the net. Since the laws and articles that would be available in libraries can also be located on the internet, this student availed of the latter mode to search for data. No statistical correlation is included in the paper except the presentation of figures that correspond to damage or loss caused by cyber crimes.
Delimitations
The laws and Acts passed by the State Congress vary as there are a number of states in the US. Such laws and Acts have different contents and requirements. Therefore, they are excluded from the discussion in this paper. State laws also have different definitions of specific acts as well as conditional requirements for the laws to apply; therefore, they are intentionally not discussed in the paper.
Assumptions
From the numerous laws and issuances passed by the federal government and institutions, this student assumes that they have adequately addressed the need to protect the computer systems. The government is doing its utmost in order to maintain the integrity of the computer infrastructure and protect valuable information from passing to unscrupulous individuals preying upon any weakness in the computer system.
Theoretical Support
Privacy is a socially constructed value that should be upheld for being the foundation of other rights of an individual such as freedom, rights to property, right to associate, etc. (Levine, 2003). Privacy extends to computer systems that store personal information (in digital form). Banks, hospitals, and other commercial firms possess personal information of those who availed of medical, financial or banking services. Technology develops within society to meet specific needs of individuals in the community.
The Social Construction of Technology or SCOT is a theoretical framework that views a social group as an active participant in the construction of technology (Bijker, 1995, as cited in Engel, 2006). SCOT is the first constructivist outlook that views development in technology as a “social process that shapes society and is shaped by society” (Engel, 2006, p. 2). Technology develops in response to a perceived need of society. The users in that society react to the technological development or innovation. SCOT is also utilized in exploring the issues concerning anonymity of users, online payment, security and privacy (Phillips, 1998).
The users as relevant social groups are not passive end-users but participate actively to further innovate technology (Engel, 2006). Different social groups give different meanings to an artefact (i.e. technological device) that allows for the different forms of the device (Bijker, 1995, as cited in Engel, 2006). It is when a dominant meaning prevails that flexibility of forms slows down until a closure occurs (Bijker, 1995, as cited in Engel, 2006). The users are capable of influencing the development of the technology through the different meanings attributed to it that gives different forms and thereby contribute to the construction of the technology (Engel, 2006).
The computer and internet technology can have different meanings for various users (Engel, 2006). They can use the technology according to the meaning they ascribe to the technology. Thus, one group may use it for social networking, another for remote teleconferencing, or for banking services. However, a group of users can attribute a meaning to the device which is to inflict damage or gain profit.
There is a constant shaping between society and technology (Bijker, 1995). The computer system developed as a stand-alone machine. Later, the computer was able to connect with other computers through a network of cables within a closed system. The internet allowed interconnection with other computer systems across boundaries to other organizations. In all the stages of these developments, the users exert some influence (Engel, 2006). The meanings of a technological artefact in a developed country may not differ from the meanings of the relevant social groups in developing countries since the former can transfer the meanings together with the artefact (Engel, 2006).
There has been continuous innovation introduced into the artefact through the two-way influence of technology and society. At present, there is no stabilization of the meaning or closure since user groups continually introduce changes into the device. The user group that causes damage or loss to the computer system continually challenges the security setup of the computer and finds new modes by which to break into it.
The government, as another user group, has to pass laws and Acts that would criminalize activities that infiltrate the computer system, since these violate privacy and confidentiality and yield profit from illegal activities. The laws also impose a certain fine for the damages caused to institutions infiltrated. As new acts are perpetrated against computer security, the government must keep up with new laws that would properly define such acts so that the offender can be prosecuted. The offender that causes the damage and loss should not only be sanctioned with fines but be penalized under the criminal justice system since the extent of the damage is widespread with pecuniary loss reaching billions of dollars.
The government also prescribes standards and guidelines for organizations that store information and offer online services to the public to strengthen their computer security, which should be regulated by government agencies to ensure compliance. With the interplay of the various user groups in society (the consumers, the organizations offering financial or banking services, organizations that hold personal information (e.g. hospitals), the software programmers, the hackers and offenders, and the government), the artefact changes in order to make computer security invulnerable to cyber attacks. While the programmers make new programs to hinder existing threats, either on their own because the software product can be sold to users or through the prodding of an existing client that uses the software company’s application to run its information management, the government must seek ways through standards, regulation and laws so that computer security can be strengthened.
Since computer systems within the US can be accessed via the internet by offenders in other jurisdictions, social construction occurs on a global level. That is why great powers as well as established international organizations encourage all countries to codify their laws to cover cyber crimes so that prosecution would be facilitated on all fronts, locally and internationally. On the global scale, the user groups would include the states and countries, international bodies, and international corporations.
Significance of the Study
This study is a great contribution to existing studies that explore the effectiveness of laws passed to address the problem on computer security. There is no study identified that addresses the effectiveness of the laws in deterring cyber crime. Thus, this paper can provide the groundwork for future studies concerning this area of research.
Research Design and Methodology
This paper used the quantitative research design and methodology in exploring the impact of the laws and Acts passed on deterring cyber crimes. The research design is non-experimental wherein no variables are manipulated but only establishes the relationship between the variables (Belli, 2008). The variables – the laws and cyber crimes – are analyzed as they exist because they cannot be manipulated (Belli, 2008). Literature, laws and Acts, and available statistics are included in the research to determine if the laws are able to maintain the integrity of the computer systems and information and the newer offenses not yet addressed by legislation.
Organization of Study
Data will be gathered from available literature on the internet on the kinds of cyber crimes already addressed by law. Also to be explored are the activities that affect computer security but cannot be prosecuted criminally because they are not defined as crimes by existing law. The extent of damage, frequency of commission of cyber crimes and cost of loss will be correlated with the laws already passed in order to determine if specific crimes are deterred.
Types of Cyber Crimes: Damage, Loss and Prosecution
The Federal Bureau of Investigation has a four-fold mission to counter cyber crime, namely: a) “to stop those behind the most serious computer intrusions and the spread of malicious code,” b) “to identify and thwart online sexual predators who use the Internet to meet and exploit children and to produce, possess, or share child pornography,” c) “to counteract operations that target U.S. intellectual property, endangering ….. national security and competitiveness,” and d) “to dismantle national and transnational organized criminal enterprises engaging in Internet fraud” (U.S. Department of Justice, n.d., para. 1). These FBI objectives reflect the common illegal acts committed on the internet.
There are a number of computer or cyber crimes that can impact upon privacy and invade the computer system illegally. Hacking is infiltrating a system without authorization to access confidential information, or entering into a transaction under false representation (Go, 2009). In phishing, spurious emails are sent to a user with links that lead the user to a fake website (presented as an authentic or real website of a company) that would extract username, password or credit card data (Go, 2009). Pharming is an online fraud that redirects users to a fake website that looks authentic in order to steal relevant information (Online Fraud: Pharming, 2010). The user who wants to access a website is redirected to the fake website without the user knowing it, even if the correct web address is entered into the browser (Online Fraud: Pharming, 2010).
Creation and deployment of viruses (programs that replicate themselves) that can cause harm to the computer system without the knowledge of the user (Go, 2009) is a common cyber crime. A virus is a software program attached to a file (e.g. document, excel) to spread to the computer system (Kutner, 2001). The virus runs once the file is opened and then attaches itself to other programs and replicates itself (Kutner, 2001). An email virus is attached to an email that reproduces itself by sending emails automatically to everyone stored in the email address book (Kutner, 2001). There is also the worm that uses the internet to find vulnerable servers wherein it can reproduce (Kutner, 2001). The Trojan horse presents itself as a game or other program that can delete hard drive contents or block the screen with some graphics (Kutner, 2001).
In identity theft, the criminal takes money, receives benefit or purchases goods using the identity or credit card of another person (Go, 2009). Identity theft is carried out by cyber criminals through phishing and pharming (Brody, Mulig, & Kimball, 2007). Cyberstalking (usually preys on women and children) is a crime wherein the criminal stalks a person by sending emails and threats as well as dissemination of false information (Go, 2009).
As reported by the U.S. Uniform Crime Reporting Statistics, there are more than 300 million internet users (starting year 2000) worldwide with 1 million of them engaged in cyber crimes (Computer Crime – Definitions, 2010). As of 2004, $30 billion has been used in the maintenance of computer security (Computer Crime – Definitions, 2010). In the survey conducted by the Computer Security Institute (CSI) and the FBI with 538 private and government institutions surveyed, it was reported that as of the year 2000, 85 percent experienced breaches in security (Computer Crime – Definitions, 2010).
The breaches caused financial loss to 65 percent of the respondents while 35 percent (186 firms) quantified their losses at a total of $378 million (Computer Crime – Definitions, 2010). Three hundred seventy seven (377) respondents said that the breaches occurred through internet connectivity (Computer Crime – Definitions, 2010). Internal attacks are committed by disgruntled and terminated employees (Computer Crime – Definitions, 2010). Organized crime groups even recruit telecommunication experts to “commit fraud, piracy, and money laundering” (Computer Crime – Definitions, 2010, para. 3).
One of the first to be prosecuted under the Computer Fraud and Abuse Act was Robert T. Morris (a Cornell University student), who deployed a worm to show the vulnerability of computer security but miscalculated the speed at which the worm replicated itself, so that by the time he publicly released the instructions on how to kill the worm, it had infected around 6,000 computers, causing them to crash (Computer Crime, 2010). The damage suffered ranged from $200 to a maximum of $53,000 for each organization (Computer Crime, 2010).
A computer science student created a virus that momentarily disrupted the operations of military network and contractors, as well as universities in 1988, although no files or data were destroyed (Gerth, 1988). This case is unprecedented without any previous case being prosecuted (Gerth, 1988). The Secret Service admitted difficulty in investigation because numerous computers were affected (Gerth, 1988). Smith, Moteff, Kruger, et al. (2005) stated that the expanse of the problem on computer security cannot be known.
A gang of hackers (called Masters of Deception) was also prosecuted and indicted in 1992 under the Computer Fraud and Abuse Act for unlawfully obtaining computer passwords, illegal possession of long-distance call card numbers and wire fraud (Computer Crime, 2010).
Phishing activities and related fraud reached $1.2 billion annually with around 57 million US citizens targeted in 2004 (Phishing, n.d.). The bill (Anti-Phishing Act of 2005) proposed by US Sen. Patrick Leahy that aims to penalize phishing and pharming with a maximum fine of $250,000 and maximum imprisonment of five years (Phishing, n.d.) was never passed to become a law (S. 472–109th Congress, 2005).
Federal Laws on Cyber Crime
The federal government generally does not regulate the security of private computer systems but merely requires protection of specific information under the control of private systems against illegal access and dissemination (Moteff, 2004). Even the control of domain name (Domain Name System or DNS) has been transferred from the federal to the private sector (Smith, Moteff, Kruger, et al., 2005).
The Counterfeit Access Device and Computer Fraud and Abuse Act, enacted in 1984 as the first computer crime law, criminalizes infliction of damage to computer systems, networks, hardware and software, and makes wrongful the act of obtaining financial and credit data protected by statutes (Computer Crime, 2010).
There are laws enacted to protect privacy and personal information held by the government and private institutions such as the Gramm-Leach-Bliley Act (specific provisions under Title V) (Moteff, 2004; Smith, Moteff, Kruger, et al., 2005), Health Insurance Portability and Accountability Act of 1996 (specific provisions under Title II), and the Sarbanes-Oxley Act of 2002 (mandates accounting firms to certify integrity of their control systems as part of the annual financial reporting requirements) (Smith, Moteff, Kruger, et al., 2005). The privacy concern is confined to financial information (under the Gramm-Leach-Bliley Act, Title V) and medical information (under the Health Insurance Portability and Accountability Act of 1996) (Moteff, 2004). The Secretary of Health is authorized to prescribe the standards to be used in the protection of medical information (Moteff, 2004).
Under the Health Insurance Portability and Accountability Act of 1996, healthcare institutions must comply with the standards set by the Secretary to ensure the confidentiality of medical information and records which are transferred electronically (Fogie, 2004). Development of standards on financial control under SOA and enforcement of the same is done by the Securities and Exchange Commission, which has authority to prescribe standards and enforce these regulations (Moteff, 2004).
Further laws that prohibit disclosure of personal information of consumers include the Federal Trade Commission Act (Section 5) and the Fair Credit Reporting Act (FCRA) (Smith, Moteff, Kruger, et al., 2005). Congress has also passed laws to protect identity such as the 1998 Identity Theft and Assumption Deterrence Act, the 2003 Fair and Accurate Credit Transactions (FACT) Act, and the 2004 Identity Theft Penalty Enhancement Act with corresponding remedies for victims of identity theft (Smith, Moteff, Kruger, et al., 2005). The Children’s Online Privacy Protection Act (COPPA) was passed by Congress in 1998 (Smith, Moteff, Kruger, et al., 2005) to regulate the collection of personal information by websites created specifically for children (Children’s Online, 1998).
For acts committed against computer security when no cyber crime laws had been passed yet, government institutions used commerce and federal telecommunications laws to prosecute computer hackers (Fogie, 2004). The US Congress passed in 1984 the Computer Fraud and Abuse Act, the first computer crime statute (Fogie, 2004), which makes it a crime to intentionally access computer systems of the government without approval and thereby disrupt their normal operation (Gerth, 1988). It was later amended in 1986 and 1994 (Fogie, 2004). It further penalizes use of a password without authority to access a computer system or accomplish fraudulent acts (Fogie, 2004). The penalty for violation of the Act consists of a fine of $5,000 or twice the damage done or benefit gained and one year imprisonment for first time offenders, and a maximum fine of $10,000 plus two times the damage done or gain and imprisonment of ten years for second time offenders (Gerth, 1988).
The 21st Century Department of Justice Authorization Act mandated the Department of Justice to report to Congress its use of DCS 1000 software and similar programs at the end of fiscal years 2002 and 2003 (Smith, Moteff, Kruger, et al., 2005). Earlier, the FBI installed DCS 1000 (previously called Carnivore) into the system of ISPs (Internet Service Providers) to intercept email messages and surfing activities (Smith, Moteff, Kruger, et al., 2005). The FBI said that it ceased using the DCS 1000 and substituted identical commercial software instead (Smith, Moteff, Kruger, et al., 2005).
The Electronic Communications Privacy Act of 1986 (ECPA) updated the Federal Wiretap Act of 1968 (The Federal Wiretap, 2010) to cover intercepting of electronic communications and deliberate illegal access to “electronically stored data” (Fogie, 2004, para. 10). ECPA applies to both private and government institutions to protect access and disclosure of electronic communications (The Federal Wiretap, 2010). Although the Act did not specifically mention email messages as covered by the protection, decisions of U.S. courts said that they should be included (The Federal Wiretap, 2010). ECPA caused modification in company policies and procedures in that at present, the company has to inform telephone callers that the conversation is recorded for quality control (The Federal Wiretap, 2010).
The U.S. Communications Assistance for Law Enforcement Act of 1994 (CALEA) introduced changes in wiretapping activities by enjoining telecommunication companies to allow wiretapping by law enforcers provided a court order is duly issued (Fogie, 2004). Through CALEA, law enforcement agencies can still perform surveillance while the privacy of individuals is assured (Ask CALEA, 2009).
The National Information Infrastructure Protection Act of 1996 (NIIPA) defined more computer crimes to enhance protection of computer systems (Fogie, 2004). NIIPA also extended the protection to computer systems used in local and international commercial transactions and communications (Fogie, 2004). The law substantially amends the precursor Computer Fraud and Abuse Act of 1984 (which was amended in 1986 and 1994) (National Information Infrastructure, 2010).
The Gramm-Leach-Bliley Act (GLBA), otherwise known as the Financial Services Modernization Act of 1999 (The Gramm-Leach-Bliley, n.d.), limited the instances in which a financial firm can divulge consumer personal information to non-affiliate third parties (Fogie, 2004). Financial agencies are also mandated to reveal their privacy policies and procedures on such information sharing with affiliates and non-affiliate third parties (Fogie, 2004). Private financial records (e.g. balances, account numbers) are regularly sold and purchased by banks, credit cards and financial firms (The Gramm-Leach-Bliley, n.d.). It also provided protection of persons against “pretexting” (i.e. gaining personal information through fraudulent pretension) (The Gramm-Leach-Bliley, n.d., para. 1).
The USA PATRIOT Act (enacted after the September 11, 2001 attack) expanded the government’s intervention on the privacy rights over the internet (Smith, Moteff, Kruger, et al., 2005). Under this law, the ISP is authorized to disclose records and information (excluding the content of message) of a subscriber to specific government agencies if it believes that death or injury might occur (Smith, Moteff, Kruger, et al., 2005). Section 225 of the Homeland Security Act amended in 2002 the provision on disclosure wherein the ISP is now authorized to disclose the content of the communication to local or federal agency on the same grounds (Smith, Moteff, Kruger, et al., 2005).
Laws that Strengthen Computer Security
Laws are also enacted to strengthen computer security besides penalizing the wrongdoer. For instance, the Computer Security Act of 1987 was enacted to strengthen the security of government computers and thus make it difficult for external computers to infect the system with virus (Gerth, 1988). Strengthening the network must be accomplished along with the passage of more laws that would penalize cyber crimes, Democrat Sen. Patrick J. Leahy (Vermont) said (Gerth, 1988).
The Homeland Security Act of 2002 authorizes the Department of Homeland Security to work with the private sector in protecting the information infrastructure (Moteff, 2004). The passage of Federal Information Security Management Act (in 2002) granted the head of the Management and Budget supervisory authority over the drafting of the standards and security guidelines and conformance thereto (Moteff, 2004). Excluded in that authority are computer systems utilized for national security (governed by the National Security Directive 42) (Moteff, 2004). The Homeland Security Presidential Directive No. 7 and National Strategy for Securing Cyberspace further bolster the department’s role in security reinforcement (Moteff, 2004).
The Telecommunications Act of 1996 granted authority to the Federal Communications Commission (FCC) if the latter determined that broadband has not been implemented reasonably and timely (Smith, Moteff, Kruger, et al., 2005, p. CRS-4). Pres. Bush even endorsed on March 26, 2004 the deployment of universal broadband access without taxes (Smith, Moteff, Kruger, et al., 2005). The Critical Infrastructure Board (created by E.O. 13231 passed by Pres. George W. Bush, later dissolved by E.O. 13286) issued the National Strategy to Secure Cyberspace that enumerated the responsibilities of the Department of Homeland Security to protect the information infrastructure (Smith, Moteff, Kruger, et al., 2005). The National Cyber Security Division (NCSD, under the Information Analysis and Infrastructure Protection Directorate) managed Homeland’s cybersecurity activities (Smith, Moteff, Kruger, et al., 2005).
The federal Computer Fraud and Abuse statute was passed in congruence with the Comprehensive Crime Control Act of 1984 (it makes unauthorized access to, and damage of, government and private computers that deal with banking and foreign commerce a federal crime) (Smith, Moteff, Kruger, et al., 2005). The Federal Information Security Management Act of 2002 (FISMA) lays down the primary statutory requirements for securing federal computers and networks (Moteff, 2004). FISMA was founded upon the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Information Technology Management Reform Act of 1996 (Moteff, 2004). The Act requires all agencies to keep an inventory of all computer systems, to identify the security protection needed and provide measures to address that need, and to “develop, document, and implement an agency-wide information security program” (Moteff, 2004, para. 10).
Conclusion
Numerous laws have been passed that cover computer security and the protection of information for specific institutions, the government and the private sector. Even FTC Chairwoman Majoras, speaking at the Senate Banking Committee hearing on March 10, 2005, called the numerous data protection laws governing the various government and private institutions a “complicated maze” (Smith, Moteff, Kruger, et al., 2005).
Many possible threats have already been identified and addressed by the laws enacted so far. These voluminous laws should be re-codified to streamline them, making enforcement, regulation and prosecution easier. Newer acts that cause damage or financial loss occur on the net but cannot be penalized or sanctioned because the law does not define them. And even if one jurisdiction has defined an act as a crime, the law cannot be enforced in another jurisdiction or country that has no law for it or does not recognize the criminal law of the country whose citizens suffered the loss or damage.
It is therefore necessary to create a few comprehensive cyber crime laws that would define all computer crimes, present and future, even those unknown at present. This would facilitate prosecution of offenders and deter others from committing cyber crimes and devising new means to infiltrate computer security. As has occurred before, government prosecutors have difficulty handling a case for lack of a supporting law. The government has the primary authority in regulating computer security matters and should assume full responsibility for the task.
On a wider scale, not all countries have enforced computer security measures strictly, and a number of states still do not criminalize certain malicious acts on the internet. A study supported by the World Information Technology and Services Alliance (WITSA, an international organization composed of 41 IT industry organizations) revealed that only nine of the 52 countries studied criminalized certain acts involving cyberspace (Fogie, 2004). Without cooperation by all countries, there will be a break in the international legal system through which cyber criminals can still commit crimes and find refuge in the holes in the law. Only when there is a global move to prosecute and penalize cyber crimes, together with the strengthening of computer systems, can breaches of computer security cease.
References
Ask CALEA. (2009). Web.
Belli, G. (2008). Nonexperimental Quantitative Research, pp. 59-77. Web.
Brody, R.G., Mulig, E., & Kimball, V. (2007). Phishing, pharming and identity theft. Academy of Accounting and Financial Studies Journal. AllBusiness. Web.
Children’s Online Privacy Protection Act of 1998. Web.
Computer Crime. (2010). TheFreeDictionary. Web.
Computer Crime – definitions, Types of computer crimes, Anti-cyber-crime legislation, Enforcement agencies, International computer crime. (2010). Free Encyclopedia of Ecommerce. Web.
Engel, N. (2006). Technology users in developing countries – Do they matter? Web.
Fogie, S. (2004). Computer Crime Legislation. InformIT. Web.
Gerth, J. (1988). Intruders into Computer Systems Still Hard to Prosecute. The New York Times. Web.
Go, P. (2009). Types of Computer Crimes. EzineArticles.com. Web.
Kinkus, J.F. (2002). Computer Security. Science and Technology Resources on the Internet. Web.
Kutner, T. (2001). What’s the difference between a Virus and a Worm? Web.
Levine, P. (2003, May-June). Information technology and the social construction of information privacy: Comment. Journal of Accounting and Public Policy, 22(3), pp. 281-285.
McConnell International. (2000). Cyber Crime… and Punishment? Archaic Laws Threaten Global Information. Web.
Moteff, J. (2004). Computer security: a summary of selected federal laws, executive orders, and presidential directives. Congressional Research Service (CRS) Reports and Issue Briefs. Web.
National Information Infrastructure Protection Act (NIIPA) of 1996. (2010). Free Encyclopedia of Ecommerce. Web.
Online Fraud: Pharming. (2010). Symantec Corporation. Web.
Phillips, D.J. (1998). The social construction of a secure, anonymous electronic payment system: frame alignment and mobilization around Ecash. Journal of Information Technology, 13, pp. 273–284. Web.
Phishing. (n.d.). Phishing and Pharming Information Site. 2010, Web.
Ross, S.T. (1999). Computer Security: A Practical Definition. Unix System Security Tools. The McGraw-Hill Companies. Web.
S. 472–109th Congress: Anti-phishing Act of 2005. (2005). In GovTrack.us (database of federal legislation). Web.
Smith, M.S., Moteff, J.D., Kruger, L.G., Seifert, J.W., Figliola, P.M. & Tehan, R. (2005). Internet: An overview of key technology policy issues affecting its use and growth. Web.
The Federal Wiretap Act of 1968 and The Electronic Communications Privacy Act of 1986. (2010). YourDictionary.com. Web.
The Gramm-Leach-Bliley Act. (n.d.). epic.org. Electronic Privacy Information Center. 2010. Web.
U.S. Department of Justice. (n.d.). Cyber Investigation. Federal Bureau of Investigation. 2010. Web.