Nature of Crimes
Crimes of the Future
Research Increasing
Fortunately, more and more groups like Carnegie Mellon University's CERT Coordination Center are attempting to take measurements. Internet Fraud Watch, a National Consumers League project, and InterGOV, an organization dedicated to serving the Internet community, are some other examples ["Latest Web" 1-4, McKee 1-2]. These three organizations all offer statistics based on incidents reported to them. InterGOV even collects data on child pornography and some of the other areas of computer crime that are sometimes seen as separate ["Latest Web" 3].
Computers have become widespread over the last decade. Computer crimes have increased correspondingly. To place statistics on the rise of computer crime in perspective, we present them following statistics on the growth of the Internet.
Number of Web Users
According to CERT, the number of Internet host computers was 13 million in 1996. Furthermore, this number doubles every 12 to 15 months, so the Internet is projected to have about 200 million host computers by 2001. Now, "a common method of estimating the number of people that use the Internet host computers is to multiply the number of hosts by a factor of 10," which would indicate 2 billion users by 2001. But that seems a little high, so CERT treats it as a reasonable upper bound; a good lower bound is the number of host computers, 200 million. The exact number will probably be somewhere in or near that range [Howard 9-10].
InterGOV has released its own figures:
Increase in Computer Crime
According to the Department of Justice, "from 1991 through 1994, there was a 498% increase in the number of computer intrusions, and a 702% rise in the number of sites affected... During 1994, for example, approximately 40,000 Internet computers were attacked in 2,460 incidents... Similarly, the FBI's National Computer Crime Squad has opened over 200 hacker cases since the Squad was created in 1991" ["National Information" 1]. And according to another CERT study based on reported incidents, the number of computer intrusions increased 77% between 1994 and 1995 alone ["Sun Microsystems" 1]. InterGOV finds computer crime to be increasing at a rate of about 4.1% per week ["Latest Web" 3]. However, it should be noted that all these statistics are based on reported or estimated intrusions. Because detection is difficult, the accuracy of these statistics is questionable.
A typical report of estimated losses from an investigated computer crime gives a range of $145 million to $730 million, and most people feel it is impossible to generate a more precise estimate. This broad range illustrates the problem in estimating losses. Not only is it difficult to identify and document these crimes, it is even more difficult to place a monetary value on the loss of intellectual property, for which the actual value may not be known for months or even years.
The Computer Security Institute's 3rd annual Computer Crime and Security Survey recently released statistics indicating that computer crime is still rising at a significant rate ["Annual Costs" 1]:
64% of respondents report computer security breaches within the last twelve months. This figure represents a dramatic increase of 16% over the "1997 CSI/FBI Computer Crime and Security Survey" results, in which 48% of respondents reported unauthorized use, and a 22% increase over the initial 1996 survey, in which 42% acknowledged unauthorized use. (Note: If you include those reporting only incidents of computer virus or laptop theft, the number rises to 88% of all respondents.)
Although 72% of respondents acknowledge suffering financial losses from such security breaches, only 46% were able to quantify their losses. The total financial losses for the 241 organizations that could put a dollar figure on them add up to $136,822,000. This figure represents a 36% increase in reported losses over the 1997 figure of $100,115,555 in losses.
Security breaches detected by respondents include a diverse array of serious attacks. For example, 44% reported unauthorized access by employees, 25% reported denial of service attacks, 24% reported system penetration from the outside, 18% reported theft of proprietary information, 15% reported incidents of financial fraud, and 14% reported sabotage of data or networks.
The most serious financial losses occurred through unauthorized access by insiders (18 respondents reported a total of $50,565,000 in losses), theft of proprietary information (20 respondents reported a total of $33,545,000 in losses), telecommunications fraud (32 respondents reported a total of $17,256,000 in losses) and financial fraud (29 respondents reported a total of $11,239,000 in losses).
The number of organizations that cited their Internet connection as a frequent point of attack rose from 47% in 1997 to 54% in 1998. This represents a 17% increase over the initial 1996 figure of 37%. And significantly, the number of respondents citing their Internet connection as a frequent point of attack is now equal to the number of respondents citing internal systems as a frequent point of attack. (In the past, internal systems have been considered to be the greater problem. It is not that the threat from inside the perimeter has diminished; it is simply that the threat from outside, via Internet connections, has increased.) This trend was reinforced by another piece of data. Of those who acknowledged unauthorized use, 74% reported from one to five incidents originating outside the organization, and 70% reported from one to five incidents originating inside the organization.
In a study conducted by the FBI in 1996, a trend of victimization that increased significantly over previous studies was found, with 98.5 percent of the respondents reporting they had been victimized, and 43.3 percent admitting to being victimized more than 25 times.
Several studies have confirmed that employees committed most of the reported crimes. The primary threat came from full-time employees, followed by part-time and contract employees, with computer crackers a close third.