Study note on cybercrime, Study notes of Cyberlaw and Internet Law

Download Study note on cybercrime and more Study notes Cyberlaw and Internet Law in PDF only on Docsity!

Salem State University

College of Peace and Social Sciences

Criminal Justice

CSS 414: Cyber Crime

Lecture Material

By

Dr. Lawrence Smith

Contents Cover Page ……………………………………………………………………………….. i Content Page ……………………………………………………………………………… ii Introductory Page………………………………………………………………………… iii Course Outline …………………………………………………………………………… iv Teaching Methods ……………………………………………………………………….. v Assessment ………………………………………………………………………………. v General Texts /Annotated Reading List …………………………………………………. Vi Main Note ………………………………………………………………………………. 1

Course Outline Module 1: Understanding Crime Unit i: Conceptualizing Crime Unit ii: Elements of Crime Unit iii: Nigerian Criminal Justice System and Crime Module 2: Understanding Cyber Crime Unit i: Conceptualizing Cyber Crime Unit ii: Locating Cyber Crime, Actors and Victims Unit iii: Motivation Unit iv: Cyber Crime and the Law Module 3: Curbing Cyber Crime Unit i: Strategies Unit ii: Measuring /Tracking Cyber Crime Unit iii: Self-reporting Cyber Crime Victimization Module 4: Related Concept and its Usage

Teaching Method The will be taught in thirteen weeks via three hour contact period ensuring that both theoretical and practical requirement of the course are judiciously dealt with. To facilitate the involvement of students, they will be advised to study the topic of each day before coming for lecture as questions will be asked randomly. Assignment will be given frequently as well as a compulsory term paper. Assessment This course will be assessed through the administration of two continuous assessments (CA) which carries 40 marks. i.e. a test for 20marks and a term paper for 20 marks. End of semester examination will attract 60 marks.

Module 1: Understanding Crime At the end of this module, students should be able to discuss and write extensively on the following sub-topics: Unit i: Conceptualizing Crime Unit ii: Elements of Crime Unit iii: Nigerian Criminal Justice System and Crime Unit i: Conceptualizing Crime Numerous effort have been made to provide generally accepted definition of crime but this turned out to be unfruitful as the so-called standard definitions of crime do not stand the test of time. In strict legal perspective, a crime is a violation of the criminal law which is subsequently followed by a legal punishment. In criminal law, a crime is an act or omission which attract sanction, such as fine, imprisonment or even death. Criminologist on the other hand, are concerned with the potential criminal behaviour not only in the strict legal sense. The definition of crime from this angle recognize factors such as value system, norms and religious attitudes in a given culture. According to Igbo (2007), a crime is any act in omission resulting from human conduct which is considered in itself or in its outcome to be harmful and which the state wishes to prevent, which renders the person responsible liable to some kind of punishment as a result of the proceedings which are usually initiated on behalf of the state and which are designed to ascertain the nature, extent and the legal consequence of the person’s responsibility.

Unit ii: Elements of crime There are certain conditions that have to be present before an act can be considered as a crime. Hall (1960) delineated seven interrelated and overlapping conditions which can make an act a crime. These conditions of crime are summarized by Sutherland and Cressey (1978 p. 13-14) as follows:

1. There must be harm or injury inflicted on some other person(s) by actor(s).
2. The act must be prohibited by the criminal law, at the time it was committed.
3. The act must be reckless conduct, which causes the harm or injury directly or indirectly ( actus reus ).
4. There must be mens rea or criminal intent on the part of the actor when he/she decided to engage in the act. The intention or motive of the actor must be shown to be deliberate in engaging in the outlaw conduct.
5. There must be a coincidence of actus reus and mens rea. The mental element (criminal intent) must correspond with the physical element (harm conduct).
6. There must be a causal relationship between the outlawed harm and the voluntary misconduct. This means that if A shots B and B later died in the hospital from typhoid fever, there is no direct link between the gunshot wound and the death of B. Consequently, A cannot be held liable for the death of B.
7. There must be legally proscribed punishment for the outlawed conduct. If there is no legally sanctioned punishment for the conduct, that conduct does not constitute a crime.

Today’s cyber criminals according to Europol (2011), “have evolved their practices to make their crimes more profitable.... They choose specialties, master their skills, create networks of colleagues, and organize their crimes.” These criminals can victimize individuals and organizations alike. They are motivated by self interest and profit. One estimate has placed the annual cost of cybercrime to adults in 24 countries across the globe at $110 billion.5 In addition to the economic impact, cybercrimes can have public health and national security consequences, among others. U.S. officials face the challenging task of identifying the perpetrators of malicious cyber incidents in which victim and criminal can be far removed from one another. The person or persons behind an incident can range from lone actors to expansive criminal networks or even nation states. This challenge of actor attribution is further compounded by the anonymity afforded by the digital realm. It can sometimes be difficult to determine the actor’s motivation— is the criminal driven by greed or glory in the form of recognition among fellow criminals in the cyber world, or does the criminal have broader ideological motives? Finding the answers to these questions is key to distinguishing between cybercrimes and other cyber threats such as cyber attacks, cyber espionage, and cyber warfare. Relevant distinctions exist between these various malicious activities in the cyber domain just as lines have been drawn between the their real world counterparts. A singular, agreed-upon definition of cybercrime does not exist. Various definitions have been offered by industry experts and scholars, and several have been formulated within the federal government. Definitions have varied in their levels of specificity and breadth. For instance, one of the largest computer security companies, Symantec Corporation (2013), defines cybercrime as “any crime that is committed using a computer or network, or hardware device.” Irrespective of

the definition, conceptualizing cybercrime involves a number of key elements and questions, including where do the criminal acts exist in the real and digital worlds (and what technologies are involved), why are malicious activities initiated, and who is involved in carrying out the malicious acts? The term cyber crime generally connotes the use of computer in carrying out illegal activity (Jewkesy, 2003). It is a crime committed on the internet with the use of computer as either a tool or a target (Joseph, 2006). Much of what are termed as cyber crimes are basically violations of longstanding criminal law, perpetrated through the use of computers or information networks (Sandip, 2008). The Nigerian cyber crime working group (2005, p. 2) gives a more encompassing definition of cyber crime as “conducts prohibited by law with prescribed punishment carried out using computers, electronic, ancillary devices, processes and/or procedure”. Foggetti (2003, p. 44) distinguishes cyber crime from other criminal activities and underscores the nature of cyber attack. He observes that the distinguishing feature of cyber crime is basically its cross boarder nature. It is usually difficult to identify the Locus commissi delicti (locating the place where the offence was committed) when the offender uses informatics and telemetric means to commit the offence. He further noted that the attacker may, violate several computer systems with just one illegal access and carry out several unlawful operations on computers which are interconnected but physically located in different territories or countries. Unit ii: Where: Location of Criminal Activities, Actors, and Victims The notion of location as it relates to cybercrime involves both the physical and digital domains. The relatively clear borders and locations within the physical world, however, are not replicated

• in other instances, computers or other digital technologies are used as tools for carrying out crimes (victimizing individuals, organizations, or government); and
• technological devices may serve as repositories for evidence of a cybercrime. All of these issues underscore the salience of location in any conceptualization of cybercrime. Conceptualizing Cyberspace In determining what constitutes cybercrime, it may be beneficial to outline what constitutes cyberspace. After determining what constitutes the cyber realm, then boundaries for permissible behaviour—as it intersects with this space—can be outlined. The National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) defines cyberspace as “the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.” In other words, cyberspace is the “virtual environment of information and interactions between people.” A 2008 Deputy Secretary of Defense Memorandum defined cyberspace as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” As noted by Brenner (n.d), cyberspace “is not a fixed, predetermined reality operating according to principles and dynamics that cannot be controlled or altered by man. The cyberworld is a constructed world, a fabrication. Because it is a construct, cyberspace is mutable; much of it can be modified and transformed.” Criminal actors do not exist in cyberspace. Rather, they exist in the physical world and their actions traverse the real world as well as cyberspace, impacting

victims in the real world. In this vein, criminals may rely upon cyberspace as a marketplace to help carry out malicious activities, but they—and their victims—remain in the physical world. Unit iii: Why: Motivation The distinction between cybercrime and other cyber-based malicious acts such as terrorism or state sponsored espionage is the actor’s motivation. Cyber criminals can exhibit a wide range of self interests, deriving profit, notoriety, and/or gratification from activities such as hacking, cyber stalking, and online child pornography. Rushe (2011) stated that, “hacking into a company, whether it’s to put information on the web for everyone to see or if you’re going to make money, is still hacking, it’s still a crime.” Without knowing the criminal intent or motivation, however, some activities of cyber criminals and other malicious actors may appear on the surface to be similar, causing confusion as to whether a particular action should be categorized as cybercrime or not. As noted by Homeland Security (2003), “the speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all.” This challenge of attribution is discussed in detail in the in the next unit, “Who: Attribution.” Categories of Cyber Crime Actors The FBI (2012) has noted three primary categories of cyber threat actors: [1] Organized crime groups that are primarily threatening the financial services sector, and they are expanding the scope of their attacks; [2] State sponsors—foreign governments that are interested in pilfering data, including intellectual property and research and development data from major manufacturers, government agencies, and defense contractors; and

Unit iv: Who: Attribution The blurry lines between various types of malicious activity in cyberspace may make it difficult for investigators to attribute an incident to a specific individual or organization. Criminal attribution is a key delineating factor between cybercrime and other cyber threats. When investigating a given threat, law enforcement is challenged with tracing the action to its source and determining whether the actor is a criminal or whether the actor may be a terrorist or state actor posing a potentially greater national security threat. Take, for example, the July– September 2011 attacks on private companies primarily involved in the chemical industry. In what has been dubbed the “Nitro” attacks, hackers sent phony emails to members of Fortune 100 companies, businesses developing advanced materials for military vehicles, and companies developing manufacturing infrastructure for the chemical industry (Chien & O’Gorman, 2011). The emails contained attachments with a malicious Trojan called PoisonIvy, which ultimately allowed hackers access to other computers in the company workgroup as well as to needed passwords. They could then navigate to the targeted intellectual property, copy the content, and upload the information to servers external to the compromised organization. Because the victimized companies were involved in the research, development, and manufacture of chemicals and advanced materials, it may have initially been unclear whether the attacker was a terrorist attempting to procure chemicals or a hacker seeking corporate secrets. The purpose of the attacks was likely industrial espionage, and the attackers appear to have been seeking intellectual property, including design documents, formulas, and manufacturing processes, for competitive advantage. The source of the attack was identified as a computer system owned by an individual —dubbed Covert Grove—in China.

Attribution continues to be a challenge in identifying both public security and national security threats. In the 2012 Worldwide Threat Assessment of the U.S. Intelligence Community, James Clapper, Director of National Intelligence (2012), outlined cyber threats as the third most pressing threat to national security—behind terrorism and nuclear proliferation—and noted the challenges in cyber actor attribution. More specifically, he noted that two of our greatest strategic challenges regarding cyber threats are: (1) the difficulty of providing timely, actionable warning of cyber threats and incidents, such as identifying past or present security breaches, definitively attributing them and accurately distinguishing between cyber espionage intrusions and potentially disruptive cyber attacks; and (2) the highly complex vulnerabilities associated with the IT supply chain for US networks p. 8. The FBI, for one, has bolstered its efforts to better attribute cyber threats to specific sources and motives. Through the Next Generation Cyber Initiative , the FBI is developing agents to connect with critical infrastructure components and computer scientists to “extract hackers’ digital signatures” and determine their identities, all to help concretely attribute a specific malicious actor to a particular cyber incident. Similarly, the Department of Defense has reportedly “made significant investments in forensics to address this problem of attribution.” Attribution, however, may be more important for government and law enforcement than for private sector organizations. Law enforcement, through their investigations, may strive for attribution so that the actual perpetrator may be prosecuted. Industry organizations, however, may be less concerned and may focus more on damage control and prevention—regardless of the actor or his motivations.

these crimes as well as other cyber threats. However, because of the multi-faceted nature of many of these crimes, other divisions are likely involved in their investigation as well.

• The Internet Crime Complaint Center (IC3)—a partnership between the FBI and the National White Collar Crime Center71 (NW3C)—views cybercrime as a term encompassing “online fraud in its many forms including Intellectual Property Rights (IPR) matters, Computer Intrusions (hacking), Economic Espionage (Theft of Trade Secrets), Online Extortion, International Money Laundering, Identity Theft, and a growing list of IInternet-facilitatedcrimes”
• The Council of Europe Convention on Cybercrime, to which the United States is a signatory, defines cybercrime as a range of maliciouss activities that fall into four broad categories of computer-related crimes: (1) security breaches such as hacking, illegal data interception, and system interferences that compromise network integrity and availability; (2) fraud and forgery; (3) child pornography; and (4) copyright infringements. In prosecuting cases with a cyber component, CJS does not explicitly define cybercrime or comprehensively list all offenses that may be considered cybercrimes. Data on cybercrime prosecutions tend to reflect cases prosecuted under the computer fraud statute,76 18 U.S.C. Section 1030, as well as those statutes related to stored wire and electronic communications, 18 U.S.C. Section 2101-2711.77 DOJ does indicate, however, that other cybercrimes are prosecuted under federal fraud, identity theft, illegal intercept of electronic communications, access device fraud, illegal access to stored communications, copyright infringement, and counterfeit products/trademark infringement statutes.

Discussion Questions

1. With relevant citations, attempt a definition of: a. Cyber crime b. Cyber space
2. Identify and explain the categories of cyber crime actors as presented by FBI (2012)
3. “Hacking into a company, whether it is to put information on the web for everyone to see or if you are going to make money, is still hacking” (Rushe, 2011). Discuss.
4. Discuss cyber crime location as distinct from traditional crime. Module 3: Curbing Cyber Crime At the end of this module, students should be able to discuss and write extensively on the following sub-topics: Unit i: Strategies Unit ii: Measuring /Tracking cyber crime Unit iii: Self-reporting cyber crime victimization Discussion Questions Unit i: Strategies Most nations do not have a national strategy exclusively focused on combating cybercrime. Rather, there are other, broader strategies that have cybercrime components. Policymakers may question whether there should be a distinct strategy for combating cybercrime or whether efforts to control these crimes are best addressed through more wide-ranging strategies, such as those