This is the accessible text file for GAO report number GAO-07-705 entitled 'Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats' which was released on July 23, 2007.
This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
June 2007:
Cybercrime:
Public and Private Entities Face Challenges in Addressing Cyber Threats:
GAO-07-705:
GAO Highlights:
Highlights of GAO-07-705, a report to congressional requesters
Why GAO Did This Study:
Computer interconnectivity has produced enormous benefits but has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes, such as Internet fraud, child exploitation, identity theft, and terrorism. Efforts to address cybercrime include activities associated with protecting networks and information, detecting criminal activity, investigating crime, and prosecuting criminals.
GAO’s objectives were to (1) determine the impact of cybercrime on our nation’s economy and security; (2) describe key federal entities, as well as nonfederal and private sector entities, responsible for addressing cybercrime; and (3) determine challenges being faced in addressing cybercrime. To accomplish these objectives, GAO analyzed multiple reports, studies, and surveys and held interviews with public and private officials.
What GAO Found:
Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey. In addition, there is continued concern about the threat that our adversaries, including nation-states and terrorists, pose to our national security. For example, intelligence officials have stated that nation-states and terrorists could conduct a coordinated cyber attack to seriously disrupt electric power distribution, air traffic control, and financial sectors. Also, according to FBI testimony, terrorist organizations have used cybercrime to raise money to fund their activities. Despite the estimated loss of money and information and known threats from adversaries, the precise impact of cybercrime is unknown because it is not always detected and reported (cybercrime reporting is discussed further in GAO’s challenges section).
Numerous public and private entities have responsibilities to protect against, detect, investigate, and prosecute cybercrime. The Departments of Justice, Homeland Security, and Defense, and the Federal Trade Commission have prominent roles in addressing cybercrime within the federal government, and state and local law enforcement entities play similar roles at their levels. Private entities such as Internet service providers and software developers focus on the development and implementation of technology systems to detect and protect against cybercrime, as well as gather evidence for investigations. In addition, numerous cybercrime partnerships have been established between public sector entities, between public and private sector entities, and internationally, including information sharing efforts.
Entities face a number of key challenges in addressing cybercrime, including reporting cybercrime and ensuring that there are adequate analytical capabilities to support law enforcement (see table). While public and private entities, partnerships, and tasks forces have initiated efforts to address these challenges, federal agencies can take additional action to help ensure adequate law enforcement capabilities.
Table: Challenges to Addressing Cybercrime:
Challenge: Reporting cybercrime;
Description: Accurately reporting cybercrime to law enforcement.
Challenge: Ensuring adequate law enforcement analytical and technical capabilities;
Description: Obtaining and retaining investigators, prosecutors, and cyberforensics examiners; Keeping up-to-date with current technology and criminal techniques.
Challenge: Working in a borderless environment with laws of multiple jurisdictions;
Description: nvestigating and prosecuting cybercrime that transcends borders with laws and legal procedures of multiple jurisdictions.
Challenge: Implementing information security practices and raising awareness;
Description: Protecting information and information systems; Raising awareness about criminal behavior.
Source: GAO.
[End of table]
What GAO Recommends:
GAO recommends that the Attorney General and the Secretary of Homeland Security help ensure adequate law enforcement analytical and technical capabilities. In written comments on a draft of this report, the FBI and the U.S. Secret Service noted efforts to assess and enhance these capabilities.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-705].
To view the full product, including the scope and methodology, click on the link above. For more information, contact Dave Powner at (202) 512-9286 or pownerd@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Cybercrime Has Significant Economic Impacts and Threatens U.S. National Security Interests, but Its Precise Magnitude Is Unknown:
Numerous Public and Private Organizations Have Responsibilities to Protect Against, Detect, Investigate, and Prosecute Cybercrime:
Public and Private Sectors Face Challenges in Addressing Cybercrime:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Federal Bureau of Investigation:
Appendix III: Comments from the U.S. Secret Service:
Appendix IV: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Techniques Used to Commit Cybercrimes:
Table 2: Reported Volume of Cybercrime Techniques:
Table 3: Key Federal Laws Used to Investigate and Prosecute Cybercrime:
Table 4: Economic Impact of Cybercrime:
Table 5: Reports and Testimonies Describing Threats to National Security:
Table 6: Department of Justice's Key Organizations and Activities to Mitigate Cybercrime:
Table 7: Department of Homeland Security's Key Organizations and Activities to Mitigate Cybercrime:
Table 8: Department of Defense Key Organizations and Activities to Mitigate Cybercrime:
Table 9: Key Partnerships Established to Address Cybercrime:
Table 10: Challenges to Addressing Cybercrime:
Figures:
Figure 1: Comparison between Traditional Criminal Techniques and Cybercrime:
Figure 2: Crime Mitigation Framework:
Abbreviations:
CCIPS: Computer Crimes and Intellectual Property Section:
CHIP: Computer Hacking and Intellectual Property:
DCIS: Department of Defense Criminal Investigative Service:
DC3: Defense Cyber Crime Center:
DHS: Department of Homeland Security:
DOD: Department of Defense:
DOJ: Department of Justice:
FBI: Federal Bureau of Investigation:
FTC: Federal Trade Commission:
IC3: Internet Crime Complaint Center:
NCIS: Naval Criminal Investigative Service:
NCSD: National Cyber Security Division:
Secret Service: U.S. Secret Service:
SAFETY: Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act:
US-CERT: United States Computer Emergency Readiness Team:
United States Government Accountability Office:
Washington, DC 20548:
June 22, 2007:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
The Honorable Lamar S. Smith:
Ranking Member:
Committee on the Judiciary:
House of Representatives:
The rapid increase in computer interconnectivity has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, the accelerated use of the Internet has also enabled a dramatic rise in criminal activity that exploits this interconnectivity for illicit financial gain and other malicious purposes, such as Internet fraud, child exploitation, and identity theft. Efforts to address cybercrime[Footnote 1] include activities associated with protecting networks and information, detecting criminal activity, investigating crime, and prosecuting criminals.
As agreed, our objectives were to (1) determine the impact of cybercrime on our nation's economy and security; (2) describe key federal entities, as well as nonfederal and private sector entities, responsible for addressing cybercrime; and (3) determine challenges being faced in addressing cybercrime. To accomplish these objectives, we analyzed multiple reports, studies, and surveys and held interviews with public and private officials. Appendix I provides further details on our objectives, scope, and methodology. We conducted this review from June 2006 to May 2007 in accordance with generally accepted government auditing standards.
Results in Brief:
Cybercrime is a threat to U.S. national economic and security interests. Various studies and expert opinion estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey. The estimated losses associated with particular crimes include $49.3 billion in 2006 for identity theft and $1 billion annually due to phishing.[Footnote 2] These projected losses are based on direct and indirect costs that may include actual money stolen, estimated cost of intellectual property stolen, and recovery cost of repairing or replacing damaged networks and equipment. In addition, there is concern about threats that nation-states and terrorists pose to our national security through attacks on our computer-reliant critical infrastructures and theft of our sensitive information. For example, according to the U.S.-China Economic and Security Review Commission report, Chinese military strategists write openly about exploiting the vulnerabilities created by the U.S. military's reliance on advanced technologies and the extensive infrastructure used to conduct operations.[Footnote 3] Also, according to FBI testimony, terrorist organizations have used cybercrime to raise money to fund their activities. Despite the reported loss of money and information and known threats from adversaries, there remains a lack of understanding about the precise magnitude of cybercrime and its impact because cybercrime is not always detected or reported (cybercrime reporting is discussed further in our challenges section).
Numerous public and private entities (federal agencies, state and local law enforcement, industry, and academia) have individual and collaborative responsibilities to protect against, detect, investigate, and prosecute cybercrime. The Departments of Justice (DOJ), Homeland Security (DHS), and Defense (DOD), and the Federal Trade Commission (FTC) have prominent roles in addressing cybercrime within the federal government. DOJ's FBI and DHS's U.S. Secret Service (Secret Service) are key federal organizations with responsibility for investigating cybercrime. State and local law enforcement organizations also have key responsibilities in addressing cybercrime. Private entities--Internet service providers, security vendors, software developers, and computer forensics vendors--focus on developing and implementing technology systems to protect against computer intrusions, Internet fraud, and spam and, if a crime does occur, detecting it and gathering evidence for an investigation. In addition, numerous partnerships have been established between public sector entities, between public and private sector entities, and internationally to address various aspects of cybercrime. For example, the Cyber Initiative and Resource Fusion Unit is a partnership established among federal law enforcement, academia, and industry to analyze cybercrime and determine its origin and how to fight it.
Efforts by public and private entities to address cybercrime are impeded by major challenges that include:
* reporting cybercrime--entities do not always detect or report cybercrimes;
* ensuring adequate law enforcement analytical and technical capabilities--law enforcement organizations often have difficulty obtaining and retaining investigators, prosecutors, and examiners with the specialized skills needed to address cybercrime; this is due in part to the staff rotation policies in place at certain law enforcement organizations;
* working in a borderless environment with laws of multiple jurisdictions--because cybercrime crosses national and state borders, law enforcement organizations have to deal with multiple jurisdictions with their own laws and legal procedures, a situation that complicates investigations; and:
* implementing and raising awareness about strong information security practices--our experience in evaluating the information security of federal agencies demonstrates the difficulty that organizations face in maintaining strong information security programs; despite efforts by public and private entities to raise awareness about the importance of information security, many organizations and individuals remain insecure.
Public and private entities, cybercrime partnerships, and task forces have initiated efforts to address these challenges, including leveraging resources and technologies to fight cybercrime. However, more can be done to help ensure agencies have adequate law enforcement capabilities. Specifically, staff rotation policies at key law enforcement agencies may hinder the agencies' abilities to retain analytical and technical capabilities supporting law enforcement.
In order to address the challenge of ensuring adequate law enforcement analytical and technical capabilities, we are recommending that the Attorney General and the Secretary of Homeland Security reassess and modify, as appropriate, current rotation policies to retain key expertise necessary to investigate and prosecute cybercrime.
We received written comments on a draft of this report from the FBI and Secret Service (see app. II and III). In their comments, the Deputy Assistant Director from the FBI's Cyber Division and the Assistant Director, Office of Inspection, U.S. Secret Service mentioned efforts to assess and enhance their analytical and technical capabilities. The FBI official stated that the bureau's rotational policies for new Special Agents and senior field Supervisory Special Agents were put into place after careful consideration, and that five career paths-- including a specific designation for cyber matters--have been established. The Secret Service official stated that the service is expanding its Electronic Crimes Special Agent Program and will have approximately 770 trained and active agents by the end of fiscal year 2007. The service also reported that the rotation of the Electronic Crimes Special Agent Program agents does not have a detrimental impact on the agency's cyber investigative capabilities because Secret Service field offices send additional agents through the program prior to a trained agent's departure, and because the Electronic Crime Task Forces allow the agency to draw on state and local law enforcement officials trained in cyber investigations and computer forensics. Despite these efforts to assess and expand cyber analytical and technical capabilities, our review showed that current rotational policies may result in both agencies underutilizing staff with cyber expertise; therefore, it is important for them to continually reassess the rotational policies that impact their ability to address the cyber threat.
DOD, DOJ, DHS, state and local government, and other officials also provided technical corrections that have been incorporated in this report as appropriate.
Background:
Over 150 million U.S. citizens are connected to the Internet. According to the FBI, the number of people with access to the Internet increased 182 percent between 2000 and 2005. In 2006, total nontravel-related spending on the Internet was estimated to be $102 billion by a private sector entity, a 24 percent increase over 2005. While the benefits of interconnectivity have been enormous, it has provided new horizons and techniques for crime.
Cybercrime: Comparison between Cybercrime and Traditional Criminal Techniques:
Cybercrime refers to criminal activities that specifically target a computer or network for damage or infiltration. For example, it can be a crime to access ("hack into") a computer without authorization or to distribute viruses. Cybercrime also includes the use of computers as tools to conduct criminal activity such as fraud, identity theft, and copyright infringement. Computers significantly multiply the criminal's power and reach in committing such crimes. Figure 1 describes and compares cybercrime and traditional criminal techniques.
Figure 1: Comparison between Traditional Criminal Techniques and Cybercrime:
[See PDF for Image]
Source: GAO.
[End of figure]
Cybercrime techniques have characteristics that can vastly enhance the reach and impact of criminal activity, such as the following:
* Criminals do not need to be physically close to their victims to commit a crime.
* Technology allows criminal actions to easily cross multiple state and national borders.
* Cybercrime can be carried out automatically, at high speed, and by attacking a vast number of victims at the same time.
* Cybercriminals can more easily remain anonymous.
To help facilitate cybercrimes, criminals use several techniques listed in table 1.
Table 1: Techniques Used to Commit Cybercrimes:
Type: Spamming;
Description: Sending unsolicited commercial e-mail advertising for products, services, and Web sites. Spam can also be used as a delivery mechanism for malware and other cyber threats.
Type: Phishing;
Description: A high-tech scam that frequently uses spam or pop-up messages[A] to deceive people into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information. Internet scammers use e-mail bait to "phish" for passwords and financial data from the sea of Internet users.
Type: Spoofing;
Description: Creating a fraudulent Web site to mimic an actual, well-known Web site run by another party. E-mail spoofing occurs when the sender address and other parts of an e-mail header are altered to appear as though the e-mail originated from a different source. Spoofing hides the origin of an e-mail message.
Type: Pharming;
Description: A method used by phishers to deceive users into believing that they are communicating with a legitimate Web site. Pharming uses a variety of technical methods to redirect a user to a fraudulent or spoofed Web site when the user types in a legitimate Web address. For example, one pharming technique is to redirect users —without their knowledge—to a different Web site from the one they intended to access. Also, software vulnerabilities may be exploited or malware employed to redirect the user to a fraudulent Web site when the user types in a legitimate address.
Type: Denial-of-service attack;
Description: An attack in which one user takes up so much of a shared resource that none of the resource is left for other users. Denial-of-service attacks compromise the availability of the resource.
Type: Distributed denial-of-service;
Description: A variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than from a single source. It often makes use of worms to spread to multiple computers that can then attack the target.
Type: Viruses;
Description: A program that "infects" computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. A virus requires human involvement (usually unwitting) to propagate.
Type: Trojan horse;
Description: A computer program that conceals harmful code. It usually masquerades as a useful program that a user would wish to execute.
Type: Worm;
Description: An independent computer program that reproduces by copying itself from one system to another across a network. Unlike computer viruses, worms do not require human involvement to propagate.
Type: Malware;
Description: Malicious software designed to carry out annoying or harmful actions. Malware often masquerades as useful programs or is embedded into useful programs so that users are induced into activating them. Malware can include viruses, worms, and spyware.
Type: Spyware;
Description: Malware installed without the user’s knowledge to surreptitiously track and/or transmit data to an unauthorized third party.
Type: Botnet;
Description: A network of remotely controlled systems used to coordinate attacks and distribute malware, spam, and phishing scams. Bots (short for "robots") are programs that are covertly installed on a targeted system allowing an unauthorized user to remotely control the compromised computer for a variety of malicious purposes.
Source: GAO analysis based on public and private sector sources.
[A] A pop-up message is a type of window that appears over the browser window of a Web site that a user has visited.
[End of table]
Companies that process large volumes of Internet traffic, such as Postini, Symantec, and IBM analyze their traffic for patterns and trends and have found that the cybercrime techniques in table 1 are prevalent. Table 2 shows reported volumes of cybercrime techniques.
Table 2: Reported Volume of Cybercrime Techniques:
Type: Spam;
Findings: Has increased over 65 percent since January 2002.
Approximately 88 percent of all e mail processed at service centers is classified as "junk."
From September 2006 to March 2007, Postini collected over 60 billion pieces of spam totaling 537.7 terabytes of data;
Source: Postini.
Type: Spam;
Findings: Between July and December 2006, spam constituted 59 percent of all e mail monitored;
Source: Symantec.
Type: Spam;
Findings: Through 2005, hackers most frequently targeted the telecommunications and health care sectors, where almost 80 percent of all e-mail traffic was spam;
Source: Counterpane.
Type: Botnets;
Findings: Between July and December 2006, an average of 63,912 active, bot-infected computers per day were observed, an 11 percent increase from the previous reporting period;
Source: Symantec.
Type: Phishing;
Findings: Between July and December 2006, 166,248 unique phishing messages detected, a 6 percent increase over the first 6 months of 2006.
An average of 904 unique phishing messages per day was reported for the second half of 2006.
During the same period, over 1.5 billion phishing messages were blocked;
Source: Symantec.
Type: Phishing;
Findings: During 2006, U.S. based businesses were the most targeted organizations of phishing e-mails, accounting for 71.37 percent of all phishing e-mail. In addition, more than 55 percent of the world’s phishing attacks fabricate company Web sites that are hosted in the United States;
Source: IBM.
Type: Malware;
Findings: Between January and June 2006, approximately 2 million of the 4 million computers cleaned by the malicious software removal tool had at least one backdoor Trojan horse.
43,000 new variants of malware were found in the same period;
Source: Microsoft.
Type: Trojan horses;
Findings: In 2005, close to 40 percent of the financial services and banking industry sector suffered the most Trojan horse attacks;
Source: Counterpane.
Source: GAO analysis of private sector reports about Internet traffic processed.
[End of table]
Framework for Addressing Cybercrime:
Efforts to address cybercrime follow the same basic process as efforts to address traditional crime. As figure 2 shows, this basic process is one of protection, detection, investigation, and prosecution.
Figure 2: Crime Mitigation Framework:
[See PDF for image]
Source: GAO.
[End of figure]
To protect networks and information against cybercrime, organizations and individuals implement cybersecurity techniques such as access controls (passwords) and firewalls. In addition, they use monitoring devices or intrusion detection systems to detect incidents that could potentially be criminal intrusions. As figure 2 shows, monitoring unusual activity allows organizations and individuals to make adjustments to improve protection. When a suspected cybercrime is detected, organizations and individuals must decide what action to pursue. Depending on the severity of the incident, the level of evidence, and their comfort with revealing the incident, they may or not report it to law enforcement.
Generally, investigations begin once an incident is reported to law enforcement. During the preliminary investigation, federal, state, or local law enforcement, along with their respective prosecutors, determine if a crime occurred and if a further investigation is warranted. Also, in some cases, private sector and academic analysts may provide expertise. Among the factors weighed by law enforcement authorities in determining whether to conduct an investigation is whether their agency has jurisdiction over the crime, the number and location of the victims, the expected location of the criminal, the amount of loss, and the agency's investigative priorities and available resources. If it is determined that an investigation will not be pursued, law enforcement may provide advice to victims that may be used to improve their protective measures. When a criminal investigation is pursued, law enforcement investigators have the initial responsibility for leading the evidence-gathering effort and working with cyberforensic investigators and examiners with the technical expertise to analyze the evidence. In cases where evidence is not voluntarily provided, law enforcement can use various subpoena authorities to obtain information needed to perform the investigation.
A key component of cybercrime investigations is the gathering and examination of electronic evidence that can be useful for prosecution. Using cyberforensic tools and techniques,[Footnote 4] cybercrime investigators and examiners gather and analyze electronic evidence. If available, cyberforensic laboratories may be used to extract the electronic evidence and present it in a court-admissible format. The evidence could entail analysis of terabytes of information on multiple electronic devices, the electronic path taken by a fraudulent e-mail, pornographic images stored on a hard drive, or data stored on a mutilated but later reconstructed CD-ROM. The ability to gather electronic evidence and the assurance that cyberforensic procedures do not compromise the evidence gathered can be key to building a case and prosecuting cybercriminals.
Cybercrime investigations and evidence gathering can also be conducted while a crime is ongoing. If a crime is being investigated while it is still occurring, investigators may use sophisticated techniques to investigate criminal activity that include court-ordered wiretaps. In determining whether and how to gather evidence of information transmitted electronically, law enforcement may make an application to a court for a wiretap pursuant to the Wiretap Act.[Footnote 5] To obtain such orders, the application to the court must describe, among other things, the criminal activity and the identity of those involved, if known.
If sufficient evidence is gathered, it can lead to a prosecution. Federal and state prosecutors determine if a prosecution will be pursued based on a number of factors including jurisdiction over the crime, the type and seriousness of the offense, the sufficiency of the evidence, their prosecutorial priorities, and the location and number of the victims. Prosecuting attorneys will also consider the dollar loss and the number of incidents. Some federal prosecuting attorneys may not pursue cybercrime cases because they do not meet the minimum thresholds established for their districts. Thresholds are established by prosecuting attorneys to appropriately focus their limited resources on the most serious crimes that match their district's priorities. For example, if fraud has been committed through the use of a computer, the amount of the dollar loss may need to reach a specific threshold amount for the U.S. Attorney to accept the case. When the U.S. Attorney does not accept a case for prosecution because it does not meet such a threshold, state authorities may decide to accept the case for prosecution.
In addition to criminal remedies, civil remedies are available to address cybercrime activity. The burden of proof in a civil case is not as high as in a criminal case. At the federal level, the FTC investigates activities that could be classified as cybercrime as part of its consumer protection mission and seeks civil injunctions and monetary remedies. In addition, many states have civil statutes that may be applied to cybercrime situations. In the State of Washington, for example, the Attorney General can apply the state's consumer protection statute to cases of cyber-facilitated fraud. Pursuing the case in civil court, the state's Attorney General can seek civil remedies such as the repayment of losses or penalties for wrongdoing or fraud, which could potentially deter future criminal attempts.
Governments Have Enacted Various Laws to Address Cybercrime:
Federal and state governments and other nations have enacted laws that apply to cybercrime and the legal recourse or remedies available. In addition, there are international agreements to improve the laws across nations and international cooperation on addressing cybercrime.
Federal Laws:
Federal statutes address specific types of cybercrime, while other federal statutes address both traditional crime and cybercrime. Table 3 describes key federal laws used to investigate and prosecute cybercrime activity.
Table 3: Key Federal Laws Used to Investigate and Prosecute Cybercrime:
Source: GAO.
[End of table]
Figure 14: Members of Congress have proposed new federal legislation to augment current cybercrime statutes. For example, in February 2007, the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act (SAFETY) was introduced in the House Judiciary Committee as an anticybercrime bill. Among its various provisions addressing the exploitation of children, the SAFETY Act provides for the promulgation of regulations that would require Internet service providers to retain data such as a subscriber's name and address, user identification, or telephone number to facilitate law enforcement investigations. Also in February 2007, the Securing Adolescents From Exploitation-Online (SAFE) Act of 2007 was introduced in the Senate Committee on the Judiciary. The SAFE Act would include explicit requirements for Internet service providers to report suspected child pornography violations. The House of Representatives passed the Securely Protect Yourself Against Cyber Trespass Act in June 2007. This bill, if signed into law, would prohibit the use of spyware that could take control of a computer or collect user information without permission. The bill would authorize stiff civil penalties against violators.
[See PDF for image]
[End of figure]
Figure 15: State and Local Laws:
[See PDF for image]
[End of figure]
Figure 16: State and local governments have been enacting laws to serve law enforcement efforts in their individual jurisdictions and to enhance cybercrime prevention, investigation, and prosecution efforts. States have also enacted laws against particular types of cybercrime, including laws addressing spamming and spyware. For example, Virginia's Anti-Spam Act outlaws the use of fraudulent means, such as using a false originating address, to send spam. Further, aggravating factors (such as sending 10,000 spam messages in a 24-hour period or generating more than $1,000 in revenue from a specific spam message) make the crime punishable as a felony under Virginia law. Also, California's Consumer Protection Against Computer Spyware Act makes it illegal for anyone to install software on someone else's computer and use it to deceptively modify settings, including a user's home page, default search page, or bookmarks. It also outlaws the collection, through intentionally deceptive means, of personally identifiable information through keystroke-logging, tracking Web site visits, or extraction of such information from a user's hard drive.
[See PDF for image]
[End of figure]
Figure 17: California has also enacted legislation requiring security measures and warnings for wireless network devices. In addition, Westchester County, New York, has taken action to improve the security of wireless networks. Its wireless security law requires that commercial businesses secure their wireless networks or face fines. The law also requires businesses providing wireless Internet access to put up signs advising users of the security risks. Westchester County's enforcement efforts have brought fines against businesses exposing sensitive data over wireless networks.
[See PDF for image]
[End of figure]
Figure 18: Other Nations' Laws:
[See PDF for image]
[End of figure]
Figure 19: Cybercrime laws vary across the international community. Australia enacted its Cybercrime Act of 2001 to address this type of crime in a manner similar to the U.S. Computer Fraud and Abuse Act, discussed above. In addition, Japan enacted the Unauthorized Computer Access Law of 1999 to cover certain basic areas similar to those addressed by the U.S. federal cybercrime legislation. Countries such as Nigeria with minimal or less sophisticated cybercrime laws have been noted sources of Internet fraud and other cybercrime. In response, they have looked to the examples set by industrialized nations to create or enhance their cybercrime legal framework. A proposed cybercrime bill, the Computer Security and Critical Information Infrastructure Protection Bill, is currently before Nigeria's General Assembly for consideration. The bill, if adopted, would mirror similar cybercrime legislation in industrialized nations like the United States, the United Kingdom, Australia, South Africa, and Canada.
[See PDF for image]
[End of figure]
Figure 20: Because political or natural boundaries are not an obstacle to conducting cybercrime, international agreements are essential to fighting cybercrime. For example, on November 23, 2001, the United States and 29 other countries signed the Council of Europe's Convention on Cybercrime as a multilateral instrument to address the problems posed by criminal activity on computer networks. Nations supporting this convention agree to have criminal laws within their own nation to address cybercrime, such as hacking, spreading viruses or worms, and similar unauthorized access to, interference with, or damage to computer systems. It also enables international cooperation in combating crimes such as child sexual exploitation, organized crime, and terrorism through provisions to obtain and share electronic evidence. The U.S. Senate ratified this convention in August 2006. As the 16th of 43 countries to support the agreement, the United States agrees to cooperate in international cybercrime investigations. The governments of European countries such as Denmark, France, and Romania have ratified the convention. Other countries including Germany, Italy, and the United Kingdom have signed the convention although it has not been ratified by their governments. Non-European countries including Canada, Japan, and South Africa have also signed but not yet ratified the convention.
[See PDF for image]
[End of figure]
Cybercrime Has Significant Economic Impacts and Threatens U.S. National Security Interests, but Its Precise Magnitude Is Unknown:
Cybercrime is a threat to U.S. national economic and security interests. Based on various studies and expert opinion, the direct economic impact from cybercrime is estimated to be in the billions of dollars. The overall loss projection due to computer crime was estimated to be $67.2 billion annually for U.S. organizations, according to a 2005 FBI survey. The estimated losses associated with particular crimes include $49.3 billion in 2006 for identity theft[Footnote 6] to about $1 billion annually due to phishing.[Footnote 7] In addition, there is concern about threats that nation-states and terrorists pose to our national security through attacks on our computer-reliant critical infrastructures and theft of our sensitive information. For example, according to the U.S.-China Economic and Security Review Commission report, Chinese strategists are writing about exploiting the vulnerabilities created by the U.S. military's reliance on technologies and attacking key civilian targets.[Footnote 8] Also, according to FBI testimony, terrorist organizations have used cybercrime to raise money to fund their activities. However, despite the reported loss of money and information and known threats from our nation's adversaries, there remains a lack of understanding about the true magnitude of cybercrime and its impact because it is not always detected or reported.
Economic Impacts of Cybercrime Are Significant:
Based on various studies and expert opinion, the direct economic impact from cybercrime is billions of dollars annually. The overall loss projection due to computer crime was estimated to be $67.2 billion annually for U.S. organizations, according to a 2005 FBI survey. The estimated losses associated with particular crimes include $49.3 billion in 2006 for identity theft and $1 billion annually due to phishing. The studies and experts derive their projected losses based on direct and indirect costs that may include:
* actual money stolen,
* estimated cost of intellectual property stolen,
* recovery cost of repairing or replacing damaged networks and equipment, and:
* intangible loss due to the opportunity loss from lack of customer confidence in the doing online commerce.
* Table 4 shows the economic impact of cybercrime as reported by various studies and reports over the last several years.
Table 3: Economic Impact of Cybercrime:
[End of table]
* Source: GAO analysis of government and private sector reports and studies about cybercrime.
* Many of the surveys and studies, such as those from IC3 and Computer Security Institute/FBI, are performed at least annually. In addition, the DOJ's Bureau of Justice Statistics has conducted a cybercrime survey of private sector entities to gain a more definitive understanding of cybercrime's economic impact on the United States. As of May 2007, the response rate and results had not been reported.
* Individual legal cases also illustrate the financial losses that victims incur due to cybercrime. Examples include the following:
* In February 2007, a defendant was convicted of aggravated identity theft, access device fraud, and conspiracy to commit bank fraud in the Eastern District of Virginia. The defendant, who went by the Internet nickname "John Dillinger," was involved in extensive illegal online "carding" activities. He received e-mails or instant messages containing hundreds of stolen credit card numbers, usually obtained through phishing schemes or network intrusions, from "vendors" who were located in Russia and Romania. In his role as a "cashier" of these stolen credit card numbers, the defendant would then electronically encode these numbers to plastic bank cards, make ATM withdrawals, and return a portion to the vendors. Computers seized from the defendant revealed over 4,300 compromised account numbers and full identity information (i.e., name, address, date of birth, Social Security number, and mother's maiden name) for over 1,600 individual victims.[Footnote 9]
* In September 2005, a Massachusetts juvenile was convicted in connection with approximately $1 million in victim damages. Over a 15- month period, the juvenile hacked into Internet and telephone service providers, stole an individual's personal information and posted it on the Internet, and made bomb threats to high schools in Florida and Massachusetts.[Footnote 10]
* In October 2004, the Secret Service investigated and shut down an online organization that facilitated losses in excess of $4 million and trafficked in around 1.7 million stolen credit cards and stolen identity information and documents. This high-profile case, known as "Operation Firewall," focused on a criminal organization of some 4,000 members whose Web site functioned as a hub for identity theft activity.[Footnote 11]
* In July 2003, a man was convicted of causing an aggregate loss of approximately $25 million and hacking into computers in the United States. The defendant pleaded guilty in these proceedings and admitted to numerous charges of conspiracy, computer intrusion, computer fraud, credit card fraud, wire fraud, and extortion. Those charges stemmed from the activities of the defendant and others who operated from Russia and hacked into dozens of computers throughout the United States, stealing usernames, passwords, credit card information, and other financial data, and then extorting money from those victims with the threat of deleting their data and destroying their computer systems.[Footnote 12]
* In May 2002, a New Jersey man was convicted of causing more than $80 million in damage by unleashing the "Melissa" computer virus in 1999 and disrupting personal computers and computer networks in business and government.[Footnote 13]
* Cybercrime Is a Threat to National Security:
* There is continued concern about the threat that our adversaries pose to our national security through attacks on our computer-reliant critical infrastructures and theft of our sensitive information. Over the last several years, such risks have been described in a variety of reports and testimonies. Table 5 describes the concerns raised.
Table 4: Reports and Testimonies Describing Threats to National Security:
[End of table]
* Source: GAO analysis of various reports and testimonies.
* [A] Statement for the Record by the Director of Central Intelligence to the U.S. Senate Committee on Governmental Affairs, Permanent Subcommittee on Investigations, "Foreign Information Warfare Programs and Capabilities" (June 25, 1996).
* [B] Statement for the Record, Deputy Assistant Director and Chief, National Infrastructure Protection Center, Federal Bureau of Investigation, before the Congressional Joint Economic Committee (Mar. 24, 1998).
* [C] The Center for Strategic and International Studies, "Cybercrime, Cyberterrorism, and Cyberwarfare: Averting an Electronic Waterloo" (Dec. 15, 1999).
* [D] National Communications System, "The Electronic Intrusion Threat to National Security and Emergency Preparedness (NS/EP) Telecommunications: An Awareness Document," third edition (March 1999).
* [E] Statement of the Director of Central Intelligence to the U.S. Senate Select Committee on Intelligence, "Current and Projected National Security Threats to the United States" (Feb. 6, 2002).
* [F] Institute for Security Technology Studies at Dartmouth College,"Examining the Cyber Capabilities of Islamic Terrorist Groups" (Hanover, N.H.: March 2004).
* [G] Statement of the FBI Director to the U.S. Senate Select Committee on Intelligence, "Current and Projected National Security Threats to the United States" (Feb. 16, 2005).
* The risks posed by this increasing and evolving threat are demonstrated by actual and potential attacks and disruptions, such as those cited below.
* DOD officials stated that its information network, representing approximately 20 percent of the entire Internet, receives approximately 6 million probes/scans a day. Further, representatives from DOD stated that between January 2005 and July 2006, the agency initiated 92 cybercrime cases, the majority of which involved intrusions or malicious activities directed against its information network.
* In November 2006, the U.S.-China Economic and Security Review Commission[Footnote 14] reported that China is actively improving its nontraditional military capabilities. According to the study, Chinese military strategists write openly about exploiting the vulnerabilities created by the U.S. military's reliance on advanced technologies and the extensive infrastructure used to conduct operations. Chinese military writings also refer to attacking key civilian targets such as financial systems. In addition, the report stated that Chinese intelligence services are capable of compromising the security of computer systems. The commission also provided instances of computer network penetrations coming from China. For example, in August and September 2006, attacks on computer systems of the Department of Commerce's Bureau of Industry and Security forced the bureau to replace hundreds of computers and lock down Internet access for 1 month.
* In August 2006, a California man was convicted for conspiracy to intentionally cause damage to a protected computer and commit computer fraud. Between 2004 and 2005, he created and operated a botnet that was configured to constantly scan for and infect new computers. For example, in 2 weeks in February of 2005, the defendant's bots reported more than 2 million infections of more than 629,000 unique addresses (some infected repeatedly). It damaged hundreds of DOD computers worldwide. The DOD reported a total of $172,000 of damage due to a string of computer intrusions at numerous military installations in the United States (including Colorado, Florida, Hawaii, Maryland, South Carolina, and Texas) and around the world (including Germany and Italy). In addition, the botnet compromised computer systems at a Seattle hospital, including patient systems, and damaged more than 1,000 computers in a California school district over the course of several months in 2005. Officials from the California school district reported damages between $50,000 and $75,000 to repair its computers after the botnet struck in February 2005.[Footnote 15]
* The Central Intelligence Agency has identified two known terrorist organizations with the capability and greatest likelihood to use cyber attacks against our infrastructures.[Footnote 16]
* In March 2005, security consultants within the electric industry reported that hackers were targeting the U.S. electric power grid and had gained access to U.S. utilities' electronic control systems. Computer security specialists reported that, in a few cases, these intrusions had "caused an impact." While officials stated that hackers had not caused serious damage to the systems that feed the nation's power grid, the constant threat of intrusion has heightened concerns that electric companies may not have adequately fortified their defenses against a potential catastrophic strike.[Footnote 17]
* Terrorist organizations have used cyberspace and cybercrime to raise money in a number of ways, such as facilitating protection schemes, credit card fraud, and drug smuggling. For example, in a July 2002 testimony, FBI officials stated that Al Qaeda terrorist cells in Spain used stolen credit card information to make numerous purchases.[Footnote 18] In addition, Indonesian police officials believe the 2002 terrorist bombings in Bali were partially financed through online credit card fraud, according to press reports.[Footnote 19]
* As larger amounts of money are transferred through computer systems, as more sensitive economic and commercial information is exchanged electronically, and as the nation's defense and intelligence communities increasingly rely on commercially available information technology, the likelihood increases that information attacks will threaten vital national interests.
Precise Magnitude of Cybercrime Is Unknown:
Despite the large reported impact of cybercrime, the true impact of cybercrime in the United States is unknown because cybercrimes are not always detected or reported. Organizations and individuals do not always detect cybercrimes. The effectiveness of the systems put in place to audit and monitor systems, including intrusion detection systems, intrusion protection systems, security event correlation tools, and computer forensics tools,[Footnote 20] have limitations that impact their ability to detect a crime occurring.[Footnote 21] For example, the effectiveness of intrusion detection systems is limited by their ability to capture accurate baselines or normal network or system activity. Also, these systems are prone to false positives and false negatives and are not as effective in protecting against unknown attacks. In addition, the effectiveness of security event correlation tools is limited by their ability to interface with numerous security products and the quality of the logs they rely upon.
When a cybercrime is detected, companies and individuals can choose not to report the crime. Companies and individuals weigh the cost and impact of the incident with the time and effort needed to support an investigation and prosecution. Cybercrime reporting is discussed further in our challenges section.
Numerous Public and Private Organizations Have Responsibilities to Protect Against, Detect, Investigate, and Prosecute Cybercrime:
Federal agencies, state and local law enforcement, private industry, and academia have responsibilities, based on their primary missions or business interests, to protect against, detect, investigate, and prosecute cybercrime. Public and private sector entities are engaged in these efforts individually and through collaborative efforts.
Many Public Entities Have Responsibilities for Addressing Cybercrime:
DOJ, DHS, and DOD and the FTC have key roles in addressing cybercrime within the federal government, along with the federal inspectors general. State and local law enforcement organizations also have key responsibilities in addressing cybercrime. Efforts range from fighting cybercrime by investigating and prosecuting it and improving the protection of systems through raising awareness and building relationships.
Key Department of Justice Organizations:
The key agencies within DOJ that focus on enforcing cybercrime violations include the Criminal Division, U.S. Attorneys, and the FBI. Table 6 shows key DOJ organizations, suborganizations, and activities.
Table 5: Department of Justice's Key Organizations and Activities to Mitigate Cybercrime:
[End of table]
Sources: GAO and DOJ.
Key Department of Homeland Security Organizations:
Three key agencies within DHS have a role in addressing cybercrime issues--the Secret Service, the Cyber Security and Communications Office's National Cyber Security Division, and Immigration and Customs Enforcement. Table 7 shows key DHS organizations, suborganizations, and activities.
Table 6: Department of Homeland Security's Key Organizations and Activities to Mitigate Cybercrime:
[End of table]
Sources: GAO and DHS.
[A] The National Cyber Response Coordination Group is a forum of national security, law enforcement, defense, intelligence, and other government agencies that coordinates governmental and public/private preparedness and response to and recovery from national level cyber incidents and physical attacks that have significant cyber consequences.
Key Department of Defense Organizations:
Within DOD, the Defense Criminal and Counterintelligence Investigation Organizations conduct all law enforcement investigations and the Defense Cyber Crime Center (DC3) can provide forensics support. Table 8 shows key organizations, suborganizations, and activities.
Table 7: Department of Defense Key Organizations and Activities to Mitigate Cybercrime:
[End of table]
Sources: GAO and DOD.
[A] DOD Criminal and Counterintelligence Investigative Organizations include the Air Force Office of Special Investigations, Army Military Intelligence, Army Criminal Investigations Command, Naval Criminal Investigative Service, and Defense Criminal Investigative Service.
Federal Trade Commission:
The FTC was created to prevent unfair methods of competition. Its mission expanded over time with additional legislation authorizing it to serve as a protective force for U.S. consumers. The agency has the authority to file civil enforcement actions either in federal district court or administratively. Remedies in these civil actions range from orders to stop the illegal conduct to requiring disgorgement of illegal proceeds or payment of restitution.
FTC's Bureau of Consumer Protection investigates and enforces matters related to activities that may be classified as cybercrime. It has several divisions that focus primarily on different aspects of the FTC's consumer protection mission. According to FTC staff, the Bureau of Consumer Protection is composed of six divisions, which target different substantive areas for enforcement and outreach purposes. The divisions routinely coordinate initiatives and share resources to most efficiently and effectively further the consumer protection mission. Its resources include headquarter staff and staff located at eight regional offices that investigate and bring a variety of consumer protection and competition cases and engage in outreach efforts. In addition, the Criminal Liaison Unit coordinates for all of the Bureau of Consumer Protection's divisions with criminal law enforcement agencies across the U.S. to encourage the prosecution of criminal fraud.
Federal Inspectors General:
Federal Inspectors General have a role in preventing, detecting, and investigating cybercrime within their respective agencies. Specifically, 14 of 19 Inspectors General that provided information to us stated that they handle cybercrime investigations affecting their respective agency within their own capabilities. For example, certain Inspectors General reported having significant efforts in addressing cybercrime, including those for the Departments of Education, Energy, and Transportation and the Environmental Protection Agency. Additionally, 11 of the 19 Inspectors General stated that they perform an education and awareness role within their respective agencies by conducting training, providing presentations, and performing activities mandated by the Federal Information Security Management Act.[Footnote 22]
State and Local Law Enforcement Organizations:
State and local organizations address cybercrime through efforts to share information, improve expertise, and facilitate cybercrime prosecutions both nationally and locally. For example, on a national basis, SEARCH, an organization dedicated to improving state-level law enforcement, has three cybercrime focused programs related to providing high-tech crime training, technical assistance, and research on emerging technology nationwide. In addition, the National Association of Attorneys General has a cybercrime initiative benefiting state prosecutors. It also hosts a cybercrime conference that provides training in cybercrime investigative areas, legislation, case law, and public education tools. The association's executive working group meets quarterly and shares information on criminal issues, including cybercrime.
State-level law enforcement entities have implemented initiatives to facilitate the investigation and prosecution of cybercrime in the states. For example, the Commonwealth of Virginia's Office of the Attorney General has a Computer Crime unit dedicated to investigating criminal cases violating the Virginia Computer Crimes Act. In addition, Virginia's Attorney General formed the Virginia Cyber Crime Strike Force that collaborates with the U.S. Attorneys' Offices, the Virginia State Police, the FBI and Virginia's Bedford County Sheriff's Office to investigate and prosecute cybercrime. Other examples of state efforts are the (1) Washington Attorney General's High Tech Crime Unit, which litigates cases of cyberfraud, and pursues civil remedies under the state's broad consumer protection law and (2) Washington State Patrol Computer Crime unit that serves as a first responder to computer crimes affecting state-funded institutions such as state and local governments and public schools and universities.
Private-Sector Entities Focus on Protection and Detection Efforts:
The private sector's focus is on the development and implementation of technology systems to protect against computer intrusions, Internet fraud, and spam and, if a crime does occur, to detect it and gather admissible evidence for an investigation. The private entities that focus on these technological efforts include Internet service providers, security vendors, software developers, and computer forensics vendors:
* Internet service providers offer businesses and home users various levels of access to the Internet and other Internet-related services such as customer support and spam and virus protection. Providers also assist law enforcement by monitoring and providing information on selected Internet activities and provide technical expertise to assist with investigations. In addition, providers can pursue civil action against users to punish inappropriate behavior.
* Security vendors such as e-mail security firms can screen electronic messages for harmful data and take action to prevent such data from reaching the intended target. Vendors also assist law enforcement by reporting instances of computer crime, providing technical assistance, and pursuing civil action against inappropriate behavior.
* Software developers are improving the quality and security of operating system programs to detect and block malicious code.
* Computer forensics vendors provide private companies with computer forensics investigative services to detect the theft of trade secrets and intellectual property, detect employee fraud, locate and recover previously inaccessible documents and files, provide reports on all user activity, and access password-protected files. In addition, computer forensic vendors develop tools used by law enforcement to investigate cybercrime. These tools allow for the analysis of digital media and the gathering of evidence that is admissible in court.
Numerous Public and Private Partnerships Work to Address Cybercrime:
Numerous partnerships have been established between public sector entities, between public and private sector entities, and internationally to collaborate and implement effective cybercrime strategies. Each of their strategies includes information sharing activities and consumer awareness efforts. Table 9 gives brief descriptions of key partnerships, their purposes, and primary stakeholders.
Table 8: Key Partnerships Established to Address Cybercrime:
(Continued From Previous Page)
[End of table]
Source: GAO analysis of various reports and documents.
[A] The National White Collar Crime Center provides a nationwide support system for agencies involved in the prevention, investigation, and prosecution of economic and high-tech crimes and to support and partner with other appropriate entities in addressing homeland security initiatives, as they relate to economic and high-tech crimes. Through a combination of training and critical support services, they equip state and local law enforcement agencies with skills and resources they need to tackle emerging economic and cybercrime problems.
Public and Private Sectors Face Challenges in Addressing Cybercrime:
Numerous challenges impede the efforts of public and private entities to mitigate cybercrime (see table 10) including (1) reporting cybercrime, (2) ensuring adequate law enforcement analytical and technical capabilities, (3) working in a borderless environment with laws of multiple jurisdictions, and (4) implementing information security practices and raising awareness.
Table 9: Challenges to Addressing Cybercrime:
[End of table]
Source: GAO.
Reporting Cybercrime:
Although surveys and studies show that the nation potentially loses both billions of dollars annually and sensitive information as a result of cybercrime, definitive data on the amount of cybercrime is not available. Understanding the impact of cybercrime in the United States is a challenge because reporting of cybercrime is limited.
When a cybercrime is detected, entities and individuals can choose to report it to law enforcement or not. They weigh the cost and impact of the incident with the time and effort needed to support an investigation and prosecution. In addition, our work and findings of the Congressional Research Service related to information sharing have shown that businesses do not always want to report problems because there is a perception that their information will be disclosed publicly, which could, in turn, cause harm to their business.[Footnote 23] Reasons for not reporting a crime to law enforcement include the following:
* Financial market impacts. The stock and credit markets and bond rating firms react negatively to security breach announcements, which could raise the cost of capital to reporting firms. Even firms that are privately held and are not active in public securities markets can be adversely affected if banks and other lenders judge them to be more risky than previously thought.
* Reputation or confidence effects. Negative publicity damages a reporting firm's reputation or brand, and could cause customers to lose confidence, giving commercial rivals a competitive advantage.
* Litigation concerns. If an organization reports a security breach, investors, customers, or other stakeholders can use the courts to seek recovery of damages. If the organization has been open in the past about previous incidents, plaintiffs may allege a pattern of negligence.
* Signal to attackers. A public announcement alerts hackers that an organization's cyber-defenses are weak and can inspire further attacks.
* Inability to share information. Some private-sector entities want to share information about an incident with law enforcement and other entities; however, once the information becomes part of an ongoing investigation, their ability to share information may be limited.
* Job security. IT personnel fear for their jobs after an incident and seek to conceal the breach from senior management.
* Lack of law enforcement action. According to private sector officials, law enforcement entities have failed to investigate cases reported to them, which is a disincentive for them reporting crimes in the future.
* To improve the reporting of cybercrime, the numerous public/private partnerships (e.g., the National Cyber Forensics and Training Alliance, InfraGard, and the Electronic Crimes Task Forces), as well as the awareness and outreach efforts of law enforcement discussed earlier, are methods for building better relationships and understanding between the public and private sectors. These efforts may increase trust between the public and private sector and encourage better reporting of cybercrimes when they occur.
Ensuring Adequate Law Enforcement Analytical and Technical Capabilities:
Efforts by law enforcement to investigate and prosecute cybercrime require individuals with specialized skills and tools. According to federal, state, and local law enforcement and private sector officials, it is a challenge to recruit such individuals from a limited pool of available talent, retain them in the face of competing offers, and train them to stay up to date with changing technology and increasingly sophisticated criminal techniques.
Obtaining and Retaining Investigators, Prosecutors, and Cyberforensics Examiners:
Federal and state law enforcement organizations face challenges in having the appropriate number of skilled investigators, forensic examiners, and prosecutors. According to federal and state law enforcement officials, the pool of qualified candidates is limited because individuals involved in investigating or examining cybercrime are highly trained specialists requiring both law enforcement and technical skills, including knowledge of various IT hardware and software and forensic tools. According to Defense Cyber Crime Center officials, once an investigator or examiner specializes in cybercrime, it can take up to 12 months for those individuals to become proficient enough to fully manage their own investigations. Further, according to state officials, state and local law enforcement agencies do not have the resources needed to hire the investigators with adequate technical knowledge required to address cybercrime.
Law enforcement organizations also find it difficult to retain highly skilled cyberforensic investigators and examiners. According to federal and state officials, the private sector demands individuals with the same skills and successfully attracts them away from their government positions with much higher salaries and better benefits. For example, according to an Assistant U.S. Attorney, several cybercrime experts, including attorneys, federal and state law enforcement agents, and cyberforensic examiners, have left their government positions due to the higher salaries and benefits offered by the private sector.
The available pool of experienced federal cybercrime investigators is also impacted by FBI and Secret Service rotation policies. For example, according to FBI officials, new FBI agents, not initially assigned to one of the 15 largest field offices, are required to rotate to one of the these large offices after 3 years in order to have diversified experiences. According to FBI headquarters and field agents, when cybercrime investigators rotate out under this policy, they are not necessarily reassigned to cybercrime investigations in their new field office, and so their extensive cyber background is underutilized. In addition, the agents who rotate in to replace experienced cybercrime investigators may have little or no cybercrime experience or background. Further, according to FBI officials, the pool of experienced senior managers is impacted by the FBI's current policy that senior field supervisory agents are limited to 5-year terms in their positions and then most move to seek further career advancement. This can include the movement of experienced cybercrime investigators out of senior cybercrime positions. Similarly, according to Secret Service officials, most Secret Service agents, including those with technical, cybercrime investigation expertise, rotate to a protective assignment, which focuses on the protection of the President, Vice President, and others and not on the investigation of cybercrime. In addition, officials stated that there is an investigative career track that allows agents to continue doing investigations, including those related to cybercrime; however, protective assignments are perceived as higher profile and could lead to greater career advancement. FBI and Secret Service officials acknowledged that the rotation policies have at times resulted in these agencies underutilizing staff with cyber expertise.
Keeping Up to Date with Current Technology and Criminal Techniques:
The rapid evolution of technology and cybercrime techniques means that law enforcement agencies must continuously upgrade technical equipment and software tools. Such equipment and tools are expensive, and agencies' need for them does not always fall into the typical federal replacement cycle. For example, in order for investigators to perform cyberforensic examinations and gather the evidence required to support a prosecution, the examiners and investigators must, in some cases, store and analyze huge amounts of digital data. According to federal law enforcement officials, the amount of data being collected is growing exponentially. However, according to law enforcement officials, state and local law enforcement agencies do not always have the resources to obtain the equipment necessary to analyze large amounts of data.
Law enforcement organizations also find that maintaining a current understanding of new criminal techniques and technologies can be difficult. For example, law enforcement agents are required to extract forensic data from IT devices that have only been on the market for months. They also must keep up with innovative criminal techniques and approaches. For example, techniques for assembling and controlling botnets are becoming increasingly sophisticated and difficult to trace, making it difficult to identify certain spamming and phishing schemes. In addition, criminals are increasing their use of encryption techniques.[Footnote 24] This requires law enforcement to continue to research and develop appropriate countermeasures. Training can help to keep investigators' skills current, but relevant courses are limited, costly, and time-consuming, and take agents away from the cases that they are investigating.
Federal and state law enforcement organizations are taking steps to improve their analytic and technical capabilities. For example, the Secret Service has developed training programs for federal, state, and local law enforcement and DOD's Defense Cyber Crime Center has a cyberforensic training program for DOD investigators and other law enforcement officials. Further, the FBI's Cyber Action Teams rapidly provide technical expertise to cybercrime investigations worldwide, when needed. To overcome shortfalls in equipment and electronic storage, the FBI is sponsoring regional computer forensics laboratories to serve the needs of an entire region's law enforcement. In addition, public/private partnerships, like the FBI's Infragard and National Cyber Forensics Training Alliance and the Secret Service's Electronic Crimes Task Forces, provide ways to share expertise between law enforcement, the private sector, and academia. Although it will continue to be a challenge to keep current with the rapid evolution of technology and cybercrime techniques, these DOD, FBI, and Secret Service efforts are positive steps to attempt to keep up with techniques and technology for investigations.
Working in a Borderless Environment with Laws of Multiple Jurisdictions:
Law enforcement organizations face the challenge of investigating and prosecuting cybercrime that crosses national and state borders, and working with laws, legal procedures, and law enforcement entities from multiple jurisdictions. Working in this environment complicates most cyber investigations.
Private sector, individual, and law enforcement efforts are complicated by the borderless nature of cybercrime. As discussed earlier, cybercriminals are not hampered by physical proximity or regional, national, or international borders. Cybercriminals can be physically located in one nation or state, direct their crime through computers in multiple nations or states, and store evidence of the crime on computers in yet another nation or state. This makes it difficult to trace the cybercriminals to their physical location. In addition, cybercriminals can take steps to remain anonymous, making it difficult, if not impossible, to attribute a crime to them.
Similar to efforts addressing traditional crime, efforts to investigate and prosecute cybercrime are complicated by the multiplicity of laws and procedures that govern in the various nations and states where victims may be found, and the conflicting priorities and varying degrees of expertise of law enforcement authorities in those jurisdictions. Laws used to address cybercrime differ across states and nations. For example, not all U.S. states have antispam laws or antispyware laws. In addition, an act that is illegal in the United States may be legal in another nation or not directly addressed in the other nation's laws. Developing countries, for example, may lack cybercrime laws and enforcement procedures.
Further, jurisdictional boundaries can limit the actions that federal, state, and local law enforcement can take to investigate cybercrime that crosses local, regional, and national borders. For example, state and local officials may be unable to pursue investigations outside of their jurisdiction, so when a cybercrime goes beyond their jurisdiction, they may need to rely upon officials of other jurisdictions to further investigate the crime. Additionally, extradition between states can be complicated depending on the laws of the state where the suspect is located and the knowledge of the states' law enforcement and judiciary regarding cybercrime. In addition, the United States does not have extradition arrangements with all nations, which makes it impossible to extradite a cybercriminal from certain nations. Extradition from nations having an extradition agreement with the United States can be complicated or impossible if the nation's laws do not make the action illegal or its magistrate is not knowledgeable about cybercrime. Also, state and local officials are unable to extradite persons from other nations without federal law enforcement assistance.
Conflicting priorities also complicate cybercrime investigations and prosecutions. Cybercrime can occur without physical proximity to the victim, and thus a cybercriminal can operate without victimizing a citizen in the jurisdiction or federal judicial district in which the crime originated. With no negative impact on the citizens in that district, there may be no incentive for the local citizens to press their law enforcement officers to investigate the crime. According to state officials, it is difficult to commit resources to crimes where the victims are outside their state or jurisdiction, although the suspected cybercriminal may be prosecuted in the jurisdiction where the victim is located.
Federal and state law enforcement organizations are taking steps to help them work in the borderless environment within which cybercriminals operate. For example, federal, state, and local law enforcement organizations participate in cybercrime task forces that combine a region's law enforcement capabilities to investigate and prosecute cybercrime in the most advantageous way. To address transnational jurisdiction, investigation, and prosecution issues, DOJ and the State Department have established agreements with more than 40 nations through the G-8 High Tech Crime Working Group to address cybercrime cooperatively. The Council of Europe's Cybercrime Convention is a similar international effort. These and other efforts are essential to addressing the transborder nature of cybercrime and enhancing the ability of law enforcement to capture, prosecute, and punish cybercriminals.
Implementing Information Security Practices and Raising Awareness:
A major challenge in mitigating cybercrime is improving information security practices on the part of organizations and individual Internet users. Raising awareness about criminal behavior and the need to protect information and systems is a key activity in addressing cybercrime.
Protecting Information and Information Systems:
Criminals often take advantage of poor computer security practices, which makes maintaining a strong information security posture vital to efforts to stop cybercrime. However, individuals allow easy access for criminals to their personal computers and electronic devices by not enabling security on those devices. Without adequate information security, critical systems and sensitive data are more susceptible to criminal access, theft, modification, and destruction. Further, our audits have shown that federal agencies do not adequately protect the information systems that the government relies upon to deliver services to its customers. In addition, over the last several years, we have identified the challenges associated with the federal government's efforts to coordinate public and private sector efforts to protect the computer systems that support our nation's critical infrastructures. As a result, federal information security has been on GAO's list of high- risk areas since 1997 and cyber critical infrastructure protection since 2003.[Footnote 25] In addition, we have made numerous recommendations to enhance the security of federal information systems and cyber critical infrastructure protection efforts. Implementation of these recommendations is essential to protecting federal information systems.
Raising Awareness about Criminal Behavior:
A major challenge is educating the public in how to recognize cybercrime when it is occurring. Criminals prey on people's ignorance and susceptibility to ruses. For example, attackers create e-mail and Web sites that appear legitimate, often copying images and layouts of actual Web sites. Some cybercrime techniques also take advantage of combinations of vulnerabilities. For example, phishing entices users to provide the sensitive information desired. However, phishers also use technical methods to exploit software and system vulnerabilities to reinforce users' perceptions that they are on a legitimate Web site.
Despite efforts by public and private entities to raise awareness about the importance of information security and the techniques used by criminals, users continue to not understand the need for protecting their personal information and to recognize unusual requests that could be criminal activity. The types of cybercrime that the media highlight, such as child pornography cases and major companies being hacked, do not tend to undermine people's trust in the Internet. For example, there continue to be reports of people falling victim to well-known scams such as the Nigerian 4-1-9 fraud.[Footnote 26] In addition, even as awareness grows, practices are not easily changed. Further, the issues of adequate awareness apply to law enforcement. State and local law enforcement may not be aware of the cybercrime problem that could be impacting their citizens.
There are numerous steps being taken to improve security of information systems and raise user awareness. For example, as discussed earlier, information security vendors provide software and services; software developers are attempting to improve the quality and security of their products; public and private entities are working together to identify and mitigate risks, including criminal activities; and federal organizations, such as the FBI, the Secret Service, FTC, and DHS, sponsor programs and organizations to raise user awareness about securing their information and not becoming a victim of cybercrime. These are positive steps to improve security and raise awareness.
Conclusions:
The actual and potential harms that result from cybercrime attacks in the United States are significant. Although the precise amount of economic loss due to cybercrime is unknown, its impact is likely billions of dollars. In addition, nation-state and terrorist adversaries are seeking ways to attack our nation's critical infrastructures and steal our sensitive information.
While numerous public and private entities--federal agencies, state and local law enforcement, industry, and academia--have responsibilities to address these threats, they face challenges in protecting against, detecting, investigating, and prosecuting cybercrimes. These challenges include reporting cybercrime, ensuring adequate law enforcement analytical and technical capabilities, working in a borderless environment with laws of multiple jurisdictions, and implementing information security practices and raising awareness.
Public and private entities are working to address these challenges by expanding public/private partnerships to increase the trust between entities, to improve the quality and quantity of shared information, and to leverage resources and technologies across public and private boundaries. In addition, law enforcement organizations have formed task forces and international agreements to foster working in a borderless environment with laws from multiple jurisdictions. Continued expansion of these efforts is essential. Additionally, more can be done to assure an adequate pool of individuals with the skills needed to effectively combat cybercrime. Although law enforcement agencies must be sensitive to a number of organizational issues and objectives in their human capital programs, current staff rotation policies at key law enforcement agencies may negatively impact the agencies' analytical and technical capabilities to combat cybercrime.
Recommendation for Executive Action:
We recommend that the Attorney General direct the FBI Director and the Secretary of Homeland Security direct the Director of the Secret Service to assess the impact of the current rotation approach on their respective law enforcement analytical and technical capabilities to investigate and prosecute cybercrime and to modify their approaches, as appropriate.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from the FBI (see app. II). In the response, the Deputy Assistant Director from the FBI's Cyber Division stated that the FBI Director had approved rotational policies after careful consideration of the viable alternatives provided by analysis and study conducted by the Human Resources Division. Further, he stated that the FBI Director had endorsed the establishment of five distinct career paths for both new and veteran special agents, including a specific designation for cyber matters. According to the Assistant Director, this career path will ensure the FBI recruits, trains, and deploys special agents with the critical cyber skill set required to maintain the FBI on the cutting edge of computer technology and development, and positioned to counter the constantly evolving cyber threat. Despite these efforts to assess and expand analytical and technical capabilities, the current rotational policies may adversely affect the FBI's use of staff with cyber expertise; therefore, it is important to continually reassess the rotational policies that impact the FBI's ability to address the cyber threat.
In addition, we received written comments on a draft of this report from the Secret Service (see app. III). In the response, the Assistant Director, Office of Inspection, stated that agents who complete the Electronic Crimes Special Agent Program's computer forensics training course are required to serve a minimum of four years in the program. In addition, he stated that the Secret Service is expanding its Electronic Crimes Special Agent Program and will have approximately 770 trained and active agents by the end of fiscal year 2007. He also stated that the rotation of the Electronic Crimes Special Agent Program agents does not have a detrimental impact on the agency's cyber investigative capabilities because Secret Service field offices send additional agents through the program prior to a trained agent's departure, and because the Electronic Crimes Task Forces allow the agency to draw on state and local law officials trained in cyber investigations and computer forensics. While we agree that expanding the Electronic Crimes Special Agent Program and leveraging the relationships and capabilities of the Electronic Crimes Task Forces is important to adequately addressing cybercrime, the current rotational policy may adversely affect the Secret Service's use of staff with cyber expertise; therefore, it is important for the Secret Service to continually reassess the rotational policies that impact its ability to address the cyber threat.
DOD, DOJ, DHS, state and local government, and other officials also provided technical corrections that have been incorporated in this report as appropriate.
As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to interested congressional committees, the Attorney General, the Secretaries of Defense and Homeland Security, the Chairman of the Federal Trade Commission, and other interested parties. We also will make copies available to others upon request. In addition, this report will be available at no charge on GAO's Web site at http://www.gao.gov.
If you or your staff has any questions about this report, please contact David Powner at (202) 512-9286, or pownerd@gao.gov; or Keith Rhodes at (202) 512-6412, or rhodesk@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Major contributors to this report are listed in appendix IV.
David A. Powner Director, Information Technology Management Issues:
Keith A. Rhodes Chief Technologist Director, Center for Technology and Engineering:
[End of section]
Appendix I Objectives, Scope, and Methodology:
[End of section]
Our objectives were to (1) determine the impact of cybercrime on our nation's economy and security; (2) describe key federal entities, as well as nonfederal and private-sector entities, responsible for addressing cybercrime; and (3) determine challenges being faced in addressing cybercrime.
[End of section]
To determine the impact of cybercrime on the U.S. economy and security, we analyzed various government and private-sector reports, surveys, and statistics related to cybercrime and conducted interviews with experts from law enforcement, academia, and information technology and security companies to verify, clarify, and gain a greater understanding of cybercrime's impact. Further, we interviewed officials and staff at key federal agencies, including the Departments of Defense, Justice, and Homeland Security; and the Federal Trade Commission; and obtained, through structured interview questions, information from 19 federal Office of Inspectors General about the number and frequency of cybercrimes experienced at their respective agencies and the subsequent cost associated with addressing these incidents, among other things.
[End of section]
To identify the key public and private-sector entities that work to mitigate and investigate computer crime and prosecute cyber criminals, we analyzed reports, surveys, and studies related to cybercrime. In addition, we held interviews with cybercrime experts from government and the private sector to identify entities and verify the entities identified as being important. To verify information and determine relevant activities, we performed document analysis, held site visits, conducted structured interviews, and received written responses to structured interview questions. The entities contacted during the course of our work include the following:
* Department of Justice: Computer Crime and Intellectual Property Section; Bureau of Justice Statistics; United States Attorneys, including the Pittsburgh and Seattle Computer Hacking and Intellectual Property units; FBI's Cyber Division, including the Computer Intrusion Section and the Innocent Images National Initiative unit; FBI's National Cyber Forensics and Training Alliance; FBI's Cyber Initiative and Resource Fusion Unit; FBI's Internet Crime Complaint Center; and FBI's Pittsburgh and Seattle Field Office units.
* Department of Homeland Security: Special Agent in Charge of the Secret Service's Criminal Investigative Division; the National Cyber Security Division's Deputy Director of the Law Enforcement and Intelligence Section and Deputy Director of the United States Computer Emergency Readiness Center.
* Department of Defense: Defense Cyber Crime Center; Joint Task Force for Global Network Operations; Defense Criminal Investigative Service; Air Force Office of Special Investigation, Army Military Intelligence, and the Naval Criminal Investigative Service.
* Federal Trade Commission: Officials from the Divisions of Advertising Practices, Enforcement, and Marketing Practices. In addition, members of the team attended sessions of a Federal Trade Commission sponsored conference that focused attention on cybercrime.
* Office of Inspectors General: Department of Education's Computer Crime Division/Office of Inspector General; written responses from structured interview questions from officials from the Inspectors General of the Small Business Administration, Department of Defense, Nuclear Regulatory Commission, Health and Human Services, National Science Foundation, Department of Veterans Affairs, General Services Administration, Department of Labor, Department of Transportation, Agency for International Development, Office of Personnel Management, Department of the Treasury, Department of Justice, Housing and Urban Development, Social Security Administration, Department of Energy, Department of the Interior.
* Private Sector: Counterpane Internet Security; Cyber Security Industry Alliance; CypherTrust; Guidance Software; InfraGard; Information Technology-Information Sharing and Analysis Center; Microsoft; Postini; SEARCH; Symantec; and other cybercrime experts.
* State and Local Entities: Office of the Attorney General of Washington; Washington State Highway Patrol's Computer Crime Unit; Office of the Attorney General of Virginia--Computer Crime Unit; and the National Association of Attorneys General.
* We also met with representatives from the State Department to discuss the department's role in addressing cybercrime. However, after meeting with representatives from the department's Bureau of Resource Management, Political-Military Affairs, International Narcotics and Law Enforcement, and others, we determined that the department's cybercrime responsibilities were outside the scope of our engagement. In addition, State Department representatives stated that they work closely with the Department of Justice's Computer Crime and Intellectual Property Section on cybercrime issues and that Justice officials would be a better source to determine the impact of cybercrime on the United States and international efforts to address cybercrime.
* To determine the challenges being faced in addressing cybercrime, we gathered and analyzed relevant documents, interviewed key government and private-sector officials regarding challenges to fighting cybercrime, and conducted Internet and media research. Based on the information received and our knowledge of the issues, we determined the major challenges impeding efforts to address cybercrime.
* To observe operations of cybercrime related entities and interview relevant federal, state, and local government and private-sector officials, we performed our work between June 2006 and May 2007 in the Washington, D.C., metropolitan area; Pittsburgh, Pennsylvania; Seattle, Washington; and Fairmont, West Virginia; in accordance with generally accepted government auditing standards.
[End of section]
Appendix II Comments from the Federal Bureau of Investigation:
[End of section]
Appendix III Comments from the U.S. Secret Service:
[End of section]
Appendix IV GAO Contacts and Staff Acknowledgments:
[End of section]
GAO Contacts:
[End of section]
David A. Powner, (202) 512-9286, or pownerd@gao.gov Keith A. Rhodes, (202) 512-6412, or rhodesk@gao.gov:
Staff Acknowledgments:
In addition to the individuals named above, Barbara Collier, Neil Doherty, Michael Gilmore, Steve Gosewehr, Barbarol James, Kenneth A. Johnson, Kush K. Malhotra, Amos Tevelow, and Eric Winter made key contributions to this report.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select "Subscribe to Updates.":
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548:
FOOTNOTES
[1] Cybercrime, as used in this report, refers to criminal activities that specifically target a computer or network for damage or infiltration and also refers to the use of computers as tools to conduct criminal activity.
[2] Identity theft is the wrongful obtaining and using of another person's identifying information in some way that involves fraud or deception. Phishing is a high-tech scam that frequently uses unsolicited messages to deceive people into disclosing their financial and/or personal identity information.
[3] U.S.-China Economic and Security Review Commission, 2006 Report to Congress of the U.S.-China Economic and Security Review Commission (Washington, D.C.: November 2006).
[4] Cyberforensics employs electronic tools to extract data from computer media storage without altering the data retrieved. Cyberforensics techniques may also require the reconstruction of media to retrieve digital evidence after attempts to hide, disguise, or destroy it.
[5] In 1986, Congress passed the Electronic Communications Privacy Act ("ECPA"), Pub. L. No. 99-508 (Oct. 21, 1986) which, among others things, extended the prohibitions contained in Title III of the Omnibus Crime and Control and Safe Streets Act of 1968 (the "Wiretap Act"), 18 U.S.C. §§ 2510-2521, to electronic communications that are in transit between machines and contain no aural (human voice) component. The Wiretap Act prohibits installing "sniffer" software to record keystroke and computer traffic of a specific target unless one of the statutory exceptions applies.
[6] Javelin Strategy & Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Pleasanton, CA: February 2007).
[7] Department of Homeland Security, Remarks by Assistant Secretary Gregory Garcia at the RSA Conference on IT and Communications Security (San Francisco, CA: February 2007).
[8] U.S.-China Economic and Security Review Commission, 2006 Report to Congress (Washington, D.C.: November 2006).
[9] Statement of Associate Deputy Attorney General before the Subcommittee on Terrorism, Technology and Homeland Security the Committee on the Judiciary (Mar. 21, 2007).
[10] U.S. Attorney's Office District of Massachusetts, Press Release, "Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers and Making Bomb Threats to High Schools in Massachusetts and Florida" (Sept. 8, 2005), www.cybercrime.gov/ juvenileSentboston.htm (Accessed Mar. 30, 2007).
[11] Department of Justice (DOJ) Criminal Division, Press Release, "Shadowcrew Organization Called 'One-Stop Online Marketplace for Identity Theft'" (Oct. 28, 2004), www.cybercrime.gov/ mantovaniIndict.htm (Accessed Mar. 30, 2007).
[12] U.S. Attorney's Office District of Connecticut, Press Release, "Russian Man Sentenced for Hacking into Computers in the United States" (July 25, 2003), www.cybercrime.gov/ivanovSent.htm (Accessed Mar. 30, 2007).
[13] U.S. Attorney's Office District of New Jersey, Press Release, "Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison" (May 1, 2002), www.cybercrime.gov/melissaSent.htm (Accessed Mar. 30, 2007).
[14] U.S.-China Economic and Security Review Commission, 2006 Report to Congress of the U.S.-China Economic and Security Review Commission (Washington, D.C.: November 2006).
[15] DOJ, United States Attorney for the Western District of Washington, Press Release, California Man Sentenced for "Botnet" Attack that Implicated Millions: Network of Robot Computers Damaged Military Installations, Northwest Hospital, and California School District (Seattle, WA: Aug. 25, 2006).
[16] Statement for the Record, Information Operations Issue Manager, Central Intelligence Agency, before the Congressional Joint Economic Committee (Feb. 23, 2000).
[17] GAO, Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05-434 (Washington, D.C.: May 26, 2005).
[18] Statement for the Record, Chief, Terrorist Financial Review Group, FBI, before the Senate Judiciary Committee, Subcommittee on Technology, Terrorism and Government Information (July 9, 2002).
[19] The Washington Post, An Indonesian's Prison Memoir Takes Holy War Into Cyberspace (Dec. 14, 2004).
[20] Intrusion detection systems detect inappropriate, incorrect, or anomalous activity on a network or computer system. Intrusion prevention systems build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. Security event correlation tools monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred. Computer forensic tools identify, preserve, extract, and document computer-based evidence.
[21] GAO, Technology Assessment: Cybersecurity for Critical Infrastructure Protection, GAO-04-321 (Washington, D.C.: May 28, 2004).
[22] The Federal Information Security Management Act was enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347, to establish clear criteria to improve federal agencies' information security programs. According to the act, information security is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to maintain their integrity, confidentiality, and availability.
[23] GAO, Information Sharing: Practices That Can Benefit Critical Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct. 15, 2001) and GAO, Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors, GAO-03-233 (Washington, D.C.: Feb. 28, 2003); Congressional Research Service, The Economic Impact of Cyber Attacks, RL 32331 (Washington, D.C.: Apr. 1, 2004).
[24] Encryption is the process of encoding a message so that it can be read only by the sender and the intended recipient.
[25] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January 2007).
[26] The Nigerian 4-1-9 fraud is an advance fee scam where criminals deceive victims into the payment of a fee by persuading them that they will receive a very large benefit in return. Through the Internet, businesses and individuals around the world have been, and continue to be, targeted by perpetrators of this scam.
GAO's Mission:
The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics.
Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: