Cybercrime: Public and Private Entities Face Challenges in
Addressing Cyber Threats (22-JUN-07, GAO-07-705).
Computer interconnectivity has produced enormous benefits but has
also enabled criminal activity that exploits this
interconnectivity for financial gain and other malicious
purposes, such as Internet fraud, child exploitation, identity
theft, and terrorism. Efforts to address cybercrime include
activities associated with protecting networks and information,
detecting criminal activity, investigating crime, and prosecuting
criminals. GAO's objectives were to (1) determine the impact of
cybercrime on our nation's economy and security; (2) describe key
federal entities, as well as nonfederal and private sector
entities, responsible for addressing cybercrime; and (3)
determine challenges being faced in addressing cybercrime. To
accomplish these objectives, GAO analyzed multiple reports,
studies, and surveys and held interviews with public and private
officials.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-705
ACCNO: A71229
TITLE: Cybercrime: Public and Private Entities Face Challenges
in Addressing Cyber Threats
DATE: 06/22/2007
SUBJECT: Computer networks
Criminals
Cyber crimes
Cyber security
Economic analysis
Fraud
Hackers
Homeland security
Identity theft
Internet
Investigations by federal agencies
Law enforcement
Law enforcement agencies
Policy evaluation
Software
Terrorism
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
Report to Congressional Requesters
United States Government Accountability Office
GAO
June 2007
CYBERCRIME
Public and Private Entities Face Challenges in Addressing Cyber Threats
GAO-07-705
Contents
Letter
Results in Brief
Background
Cybercrime Has Significant Economic Impacts and Threatens U.S. National
Security Interests, but Its Precise Magnitude Is Unknown
Numerous Public and Private Organizations Have Responsibilities to Protect
Against, Detect, Investigate, and Prosecute Cybercrime
Public and Private Sectors Face Challenges in Addressing Cybercrime
Conclusions
Recommendation for Executive Action
Agency Comments and Our Evaluation
Appendix I Objectives, Scope, and Methodology
Appendix II Comments from the Federal Bureau of Investigation
Appendix III Comments from the U.S. Secret Service
Appendix IV GAO Contacts and Staff Acknowledgments
Tables
Table 1: Techniques Used to Commit Cybercrimes
Table 2: Reported Volume of Cybercrime Techniques
Table 3: Key Federal Laws Used to Investigate and Prosecute Cybercrime
Table 4: Economic Impact of Cybercrime
Table 5: Reports and Testimonies Describing Threats to National Security
Table 6: Department of Justice's Key Organizations and Activities to
Mitigate Cybercrime
Table 7: Department of Homeland Security's Key Organizations and
Activities to Mitigate Cybercrime
Table 8: Department of Defense Key Organizations and Activities to
Mitigate Cybercrime
Table 9: Key Partnerships Established to Address Cybercrime
Table 10: Challenges to Addressing Cybercrime
Figures
Figure 1: Comparison between Traditional Criminal Techniques and
Cybercrime
Figure 2: Crime Mitigation Framework
Abbreviations
CCIPS Computer Crimes and Intellectual Property Section
CHIP Computer Hacking and Intellectual Property
DCIS Department of Defense Criminal Investigative Service
DC3 Defense Cyber Crime Center
DHS Department of Homeland Security
DOD Department of Defense
DOJ Department of Justice
FBI Federal Bureau of Investigation
FTC Federal Trade Commission
IC3 Internet Crime Complaint Center
NCIS Naval Criminal Investigative Service
NCSD National Cyber Security Division
Secret Service U.S. Secret Service
SAFETY Internet Stopping Adults Facilitating the Exploitation of Today's
Youth Act
US-CERT United States Computer Emergency Readiness Team
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
June 22, 2007
The Honorable Bennie G. Thompson
Chairman
Committee on Homeland Security
House of Representatives
The Honorable Lamar S. Smith
Ranking Member
Committee on the Judiciary
House of Representatives
The rapid increase in computer interconnectivity has revolutionized the
way that our government, our nation, and much of the world communicate and
conduct business. While the benefits have been enormous, the accelerated
use of the Internet has also enabled a dramatic rise in criminal activity
that exploits this interconnectivity for illicit financial gain and other
malicious purposes, such as Internet fraud, child exploitation, and
identity theft. Efforts to address cybercrime^1 include activities
associated with protecting networks and information, detecting criminal
activity, investigating crime, and prosecuting criminals.
As agreed, our objectives were to (1) determine the impact of cybercrime
on our nation's economy and security; (2) describe key federal entities,
as well as nonfederal and private sector entities, responsible for
addressing cybercrime; and (3) determine challenges being faced in
addressing cybercrime. To accomplish these objectives, we analyzed
multiple reports, studies, and surveys and held interviews with public and
private officials. Appendix I provides further details on our objectives,
scope, and methodology. We conducted this review from June 2006 to May
2007 in accordance with generally accepted government auditing standards.
^1Cybercrime, as used in this report, refers to criminal activities that
specifically target a computer or network for damage or infiltration and
also refers to the use of computers as tools to conduct criminal activity.
Results in Brief
Cybercrime is a threat to U.S. national economic and security interests.
Various studies and expert opinion estimate the direct economic impact
from cybercrime to be in the billions of dollars annually. The annual loss
due to computer crime was estimated to be $67.2 billion for U.S.
organizations, according to a 2005 Federal Bureau of Investigation (FBI)
survey. The estimated losses associated with particular crimes include
$49.3 billion in 2006 for identity theft and $1 billion annually due to
phishing.^2 These projected losses are based on direct and indirect costs
that may include actual money stolen, estimated cost of intellectual
property stolen, and recovery cost of repairing or replacing damaged
networks and equipment. In addition, there is concern about threats that
nation-states and terrorists pose to our national security through attacks
on our computer-reliant critical infrastructures and theft of our
sensitive information. For example, according to the U.S.-China Economic
and Security Review Commission report, Chinese military strategists write
openly about exploiting the vulnerabilities created by the U.S. military's
reliance on advanced technologies and the extensive infrastructure used to
conduct operations.^3 Also, according to FBI testimony, terrorist
organizations have used cybercrime to raise money to fund their
activities. Despite the reported loss of money and information and known
threats from adversaries, there remains a lack of understanding about the
precise magnitude of cybercrime and its impact because cybercrime is not
always detected or reported (cybercrime reporting is discussed further in
our challenges section).
Numerous public and private entities (federal agencies, state and local
law enforcement, industry, and academia) have individual and collaborative
responsibilities to protect against, detect, investigate, and prosecute
cybercrime. The Departments of Justice (DOJ), Homeland Security (DHS), and
Defense (DOD), and the Federal Trade Commission (FTC) have prominent roles
in addressing cybercrime within the federal government. DOJ's FBI and
DHS's U.S. Secret Service (Secret Service) are key federal organizations
with responsibility for investigating cybercrime. State and local law
enforcement organizations also have key responsibilities in addressing
cybercrime. Private entities--Internet service providers, security
vendors, software developers, and computer forensics vendors--focus on
developing and implementing technology systems to protect against computer
intrusions, Internet fraud, and spam and, if a crime does occur, detecting
it and gathering evidence for an investigation. In addition, numerous
partnerships have been established between public sector entities, between
public and private sector entities, and internationally to address various
aspects of cybercrime. For example, the Cyber Initiative and Resource
Fusion Unit is a partnership established among federal law enforcement,
academia, and industry to analyze cybercrime and determine its origin and
how to fight it.
^2Identity theft is the wrongful obtaining and using of another person's
identifying information in some way that involves fraud or deception.
Phishing is a high-tech scam that frequently uses unsolicited messages to
deceive people into disclosing their financial and/or personal identity
information.
^3U.S.-China Economic and Security Review Commission, 2006 Report to
Congress of the U.S.-China Economic and Security Review Commission
(Washington, D.C.: November 2006).
Efforts by public and private entities to address cybercrime are impeded
by major challenges that include
o reporting cybercrime--entities do not always detect or report
cybercrimes;
o ensuring adequate law enforcement analytical and technical
capabilities--law enforcement organizations often have difficulty
obtaining and retaining investigators, prosecutors, and examiners
with the specialized skills needed to address cybercrime; this is
due in part to the staff rotation policies in place at certain law
enforcement organizations;
o working in a borderless environment with laws of multiple
jurisdictions--because cybercrime crosses national and state
borders, law enforcement organizations have to deal with multiple
jurisdictions with their own laws and legal procedures, a
situation that complicates investigations; and
o implementing and raising awareness about strong information
security practices--our experience in evaluating the information
security of federal agencies demonstrates the difficulty that
organizations face in maintaining strong information security
programs; despite efforts by public and private entities to raise
awareness about the importance of information security, many
organizations and individuals remain insecure.
Public and private entities, cybercrime partnerships, and task
forces have initiated efforts to address these challenges,
including leveraging resources and technologies to fight
cybercrime. However, more can be done to help ensure agencies have
adequate law enforcement capabilities. Specifically, staff
rotation policies at key law enforcement agencies may hinder the
agencies' abilities to retain analytical and technical
capabilities supporting law enforcement.
In order to address the challenge of ensuring adequate law
enforcement analytical and technical capabilities, we are
recommending that the Attorney General and the Secretary of
Homeland Security reassess and modify, as appropriate, current
rotation policies to retain key expertise necessary to investigate
and prosecute cybercrime.
We received written comments on a draft of this report from the
FBI and Secret Service (see app. II and III). In their comments,
the Deputy Assistant Director from the FBI's Cyber Division and
the Assistant Director, Office of Inspection, U.S. Secret Service
mentioned efforts to assess and enhance their analytical and
technical capabilities. The FBI official stated that the bureau's
rotational policies for new Special Agents and senior field
Supervisory Special Agents were put into place after careful
consideration, and that five career paths--including a specific
designation for cyber matters--have been established. The Secret
Service official stated that the service is expanding its
Electronic Crimes Special Agent Program and will have
approximately 770 trained and active agents by the end of fiscal
year 2007. The service also reported that the rotation of the
Electronic Crimes Special Agent Program agents does not have a
detrimental impact on the agency's cyber investigative
capabilities because Secret Service field offices send additional
agents through the program prior to a trained agent's departure,
and because the Electronic Crime Task Forces allow the agency to
draw on state and local law enforcement officials trained in cyber
investigations and computer forensics. Despite these efforts to
assess and expand cyber analytical and technical capabilities, our
review showed that current rotational policies may result in both
agencies underutilizing staff with cyber expertise; therefore, it
is important for them to continually reassess the rotational
policies that impact their ability to address the cyber threat.
DOD, DOJ, DHS, state and local government, and other officials
also provided technical corrections that have been incorporated in
this report as appropriate.
Background
Over 150 million U.S. citizens are connected to the Internet.
According to the FBI, the number of people with access to the
Internet increased 182 percent between 2000 and 2005. In 2006,
total nontravel-related spending on the Internet was estimated to
be $102 billion by a private sector entity, a 24 percent increase
over 2005. While the benefits of interconnectivity have been
enormous, it has provided new horizons and techniques for crime.
Cybercrime: Comparison between Cybercrime and Traditional Criminal
Techniques
Cybercrime refers to criminal activities that specifically target
a computer or network for damage or infiltration. For example, it
can be a crime to access ("hack into") a computer without
authorization or to distribute viruses. Cybercrime also includes
the use of computers as tools to conduct criminal activity such as
fraud, identity theft, and copyright infringement. Computers
significantly multiply the criminal's power and reach in
committing such crimes. Figure 1 describes and compares cybercrime
and traditional criminal techniques.
Figure 1: Comparison between Traditional Criminal Techniques and
Cybercrime
Cybercrime techniques have characteristics that can vastly enhance the
reach and impact of criminal activity, such as the following:
o Criminals do not need to be physically close to their victims to
commit a crime.
o Technology allows criminal actions to easily cross multiple
state and national borders.
o Cybercrime can be carried out automatically, at high speed, and
by attacking a vast number of victims at the same time.
o Cybercriminals can more easily remain anonymous.
To help facilitate cybercrimes, criminals use several techniques
listed in table 1.
Table 1: Techniques Used to Commit Cybercrimes
Source: GAO analysis based on public and private sector sources.
^aA pop-up message is a type of window that appears over the browser
window of a Web site that a user has visited.
Companies that process large volumes of Internet traffic, such as Postini,
Symantec, and IBM, analyze their traffic for patterns and trends and have
found that the cybercrime techniques in table 1 are prevalent. Table 2
shows reported volumes of cybercrime techniques.
Table 2: Reported Volume of Cybercrime Techniques
Source: GAO analysis of private sector reports about Internet traffic
processed.
Framework for Addressing Cybercrime
Efforts to address cybercrime follow the same basic process as efforts to
address traditional crime. As figure 2 shows, this basic process is one of
protection, detection, investigation, and prosecution.
Figure 2: Crime Mitigation Framework
To protect networks and information against cybercrime, organizations and
individuals implement cybersecurity techniques such as access controls
(passwords) and firewalls. In addition, they use monitoring devices or
intrusion detection systems to detect incidents that could potentially be
criminal intrusions. As figure 2 shows, monitoring unusual activity allows
organizations and individuals to make adjustments to improve protection.
When a suspected cybercrime is detected, organizations and individuals
must decide what action to pursue. Depending on the severity of the
incident, the level of evidence, and their comfort with revealing the
incident, they may or may not report it to law enforcement.
Generally, investigations begin once an incident is reported to law
enforcement. During the preliminary investigation, federal, state, or
local law enforcement, along with their respective prosecutors, determine
if a crime occurred and if a further investigation is warranted. Also, in
some cases, private sector and academic analysts may provide expertise.
Among the factors weighed by law enforcement authorities in determining
whether to conduct an investigation are whether their agency has
jurisdiction over the crime, the number and location of the victims, the
expected location of the criminal, the amount of loss, and the agency's
investigative priorities and available resources. If it is determined that
an investigation will not be pursued, law enforcement may provide advice
to victims that may be used to improve their protective measures. When a
criminal investigation is pursued, law enforcement investigators have the
initial responsibility for leading the evidence-gathering effort and
working with cyberforensic investigators and examiners with the technical
expertise to analyze the evidence. In cases where evidence is not
voluntarily provided, law enforcement can use various subpoena authorities
to obtain information needed to perform the investigation.
A key component of cybercrime investigations is the gathering and
examination of electronic evidence that can be useful for prosecution.
Using cyberforensic tools and techniques,^4 cybercrime investigators and
examiners gather and analyze electronic evidence. If available,
cyberforensic laboratories may be used to extract the electronic evidence
and present it in a court-admissible format. The evidence could entail
analysis of terabytes of information on multiple electronic devices, the
electronic path taken by a fraudulent e-mail, pornographic images stored
on a hard drive, or data stored on a mutilated but later reconstructed
CD-ROM. The ability to gather electronic evidence and the assurance that
cyberforensic procedures do not compromise the evidence gathered can be
key to building a case and prosecuting cybercriminals.
Cybercrime investigations and evidence gathering can also be conducted
while a crime is ongoing. If a crime is being investigated while it is
still occurring, investigators may use sophisticated techniques to
investigate criminal activity that include court-ordered wiretaps. In
determining whether and how to gather evidence of information transmitted
electronically, law enforcement may make an application to a court for a
wiretap pursuant to the Wiretap Act.^5 To obtain such orders, the
application to the court must describe, among other things, the criminal
activity and the identity of those involved, if known.
^4Cyberforensics employs electronic tools to extract data from computer
media storage without altering the data retrieved. Cyberforensics
techniques may also require the reconstruction of media to retrieve
digital evidence after attempts to hide, disguise, or destroy it.
If sufficient evidence is gathered, it can lead to a prosecution. Federal
and state prosecutors determine if a prosecution will be pursued based on
a number of factors including jurisdiction over the crime, the type and
seriousness of the offense, the sufficiency of the evidence, their
prosecutorial priorities, and the location and number of the victims.
Prosecuting attorneys will also consider the dollar loss and the number of
incidents. Some federal prosecuting attorneys may not pursue cybercrime
cases because they do not meet the minimum thresholds established for
their districts. Thresholds are established by prosecuting attorneys to
appropriately focus their limited resources on the most serious crimes
that match their district's priorities. For example, if fraud has been
committed through the use of a computer, the amount of the dollar loss may
need to reach a specific threshold amount for the U.S. Attorney to accept
the case. When the U.S. Attorney does not accept a case for prosecution
because it does not meet such a threshold, state authorities may decide to
accept the case for prosecution.
In addition to criminal remedies, civil remedies are available to address
cybercrime activity. The burden of proof in a civil case is not as high as
in a criminal case. At the federal level, the FTC investigates activities
that could be classified as cybercrime as part of its consumer protection
mission and seeks civil injunctions and monetary remedies. In addition,
many states have civil statutes that may be applied to cybercrime
situations. In the State of Washington, for example, the Attorney General
can apply the state's consumer protection statute to cases of
cyber-facilitated fraud. Pursuing the case in civil court, the state's
Attorney General can seek civil remedies such as the repayment of losses
or penalties for wrongdoing or fraud, which could potentially deter future
criminal attempts.
^5In 1986, Congress passed the Electronic Communications Privacy Act
("ECPA"), Pub. L. No. 99-508 (Oct. 21, 1986) which, among other things,
extended the prohibitions contained in Title III of the Omnibus Crime
Control and Safe Streets Act of 1968 (the "Wiretap Act"), 18 U.S.C. §§
2510-2521, to electronic communications that are in transit between
machines and contain no aural (human voice) component. The Wiretap Act
prohibits installing "sniffer" software to record keystroke and computer
traffic of a specific target unless one of the statutory exceptions
applies.
Governments Have Enacted Various Laws to Address Cybercrime
Federal and state governments and other nations have enacted laws that
apply to cybercrime and the legal recourse or remedies available. In
addition, there are international agreements to improve the laws across
nations and international cooperation on addressing cybercrime.
Federal Laws
Federal statutes address specific types of cybercrime, while other federal
statutes address both traditional crime and cybercrime. Table 3 describes
key federal laws used to investigate and prosecute cybercrime activity.
Table 3: Key Federal Laws Used to Investigate and Prosecute Cybercrime
Source: GAO.
Members of Congress have proposed new federal legislation to augment
current cybercrime statutes. For example, in February 2007, the Internet
Stopping Adults Facilitating the Exploitation of Today's Youth Act
(SAFETY) was introduced in the House Judiciary Committee as an
anticybercrime bill. Among its various provisions addressing the
exploitation of children, the SAFETY Act provides for the promulgation of
regulations that would require Internet service providers to retain data
such as a subscriber's name and address, user identification, or telephone
number to facilitate law enforcement investigations. Also in February
2007, the Securing Adolescents From Exploitation-Online (SAFE) Act of 2007
was introduced in the Senate Committee on the Judiciary. The SAFE Act
would include explicit requirements for Internet service providers to
report suspected child pornography violations. The House of
Representatives passed the Securely Protect Yourself Against Cyber
Trespass Act in June 2007. This bill, if signed into law, would prohibit
the use of spyware that could take control of a computer or collect user
information without permission. The bill would authorize stiff civil
penalties against violators.
State and Local Laws
State and local governments have been enacting laws to serve law
enforcement efforts in their individual jurisdictions and to enhance
cybercrime prevention, investigation, and prosecution efforts. States have
also enacted laws against particular types of cybercrime, including laws
addressing spamming and spyware. For example, Virginia's Anti-Spam Act
outlaws the use of fraudulent means, such as using a false originating
address, to send spam. Further, aggravating factors (such as sending
10,000 spam messages in a 24-hour period or generating more than $1,000 in
revenue from a specific spam message) make the crime punishable as a
felony under Virginia law. Also, California's Consumer Protection Against
Computer Spyware Act makes it illegal for anyone to install software on
someone else's computer and use it to deceptively modify settings,
including a user's home page, default search page, or bookmarks. It also
outlaws the collection, through intentionally deceptive means, of
personally identifiable information through keystroke-logging, tracking
Web site visits, or extraction of such information from a user's hard
drive.
California has also enacted legislation requiring security measures and
warnings for wireless network devices. In addition, Westchester County,
New York, has taken action to improve the security of wireless networks.
Its wireless security law requires that commercial businesses secure their
wireless networks or face fines. The law also requires businesses
providing wireless Internet access to put up signs advising users of the
security risks. Westchester County's enforcement efforts have brought
fines against businesses exposing sensitive data over wireless networks.
Other Nations' Laws
Cybercrime laws vary across the international community. Australia enacted
its Cybercrime Act of 2001 to address this type of crime in a manner
similar to the U.S. Computer Fraud and Abuse Act, discussed above. In
addition, Japan enacted the Unauthorized Computer Access Law of 1999 to
cover certain basic areas similar to those addressed by the U.S. federal
cybercrime legislation. Countries such as Nigeria with minimal or less
sophisticated cybercrime laws have been noted sources of Internet fraud
and other cybercrime. In response, they have looked to the examples set by
industrialized nations to create or enhance their cybercrime legal
framework. A proposed cybercrime bill, the Computer Security and Critical
Information Infrastructure Protection Bill, is currently before Nigeria's
General Assembly for consideration. The bill, if adopted, would mirror
similar cybercrime legislation in industrialized nations like the United
States, the United Kingdom, Australia, South Africa, and Canada.
Because political or natural boundaries are not an obstacle to conducting
cybercrime, international agreements are essential to fighting cybercrime.
For example, on November 23, 2001, the United States and 29 other
countries signed the Council of Europe's Convention on Cybercrime as a
multilateral instrument to address the problems posed by criminal activity
on computer networks. Nations supporting this convention agree to have
criminal laws within their own nation to address cybercrime, such as
hacking, spreading viruses or worms, and similar unauthorized access to,
interference with, or damage to computer systems. It also enables
international cooperation in combating crimes such as child sexual
exploitation, organized crime, and terrorism through provisions to obtain
and share electronic evidence. The U.S. Senate ratified this convention in
August 2006. As the 16th of 43 countries to support the agreement, the
United States agrees to cooperate in international cybercrime
investigations. The governments of European countries such as Denmark,
France, and Romania have ratified the convention. Other countries
including Germany, Italy, and the United Kingdom have signed the
convention although it has not been ratified by their governments.
Non-European countries including Canada, Japan, and South Africa have also
signed but not yet ratified the convention.
Cybercrime Has Significant Economic Impacts and Threatens U.S. National Security
Interests, but Its Precise Magnitude Is Unknown
Cybercrime is a threat to U.S. national economic and security interests.
Based on various studies and expert opinion, the direct economic impact
from cybercrime is estimated to be in the billions of dollars. The overall
loss projection due to computer crime was estimated to be $67.2 billion
annually for U.S. organizations, according to a 2005 FBI survey. The
estimated losses associated with particular crimes range from $49.3 billion
in 2006 for identity theft^6 to about $1 billion annually due to
phishing.^7 In addition, there is concern about threats that nation-states
and terrorists pose to our national security through attacks on our
computer-reliant critical infrastructures and theft of our sensitive
information. For example, according to the U.S.-China Economic and
Security Review Commission report, Chinese strategists are writing about
exploiting the vulnerabilities created by the U.S. military's reliance on
technologies and attacking key civilian targets.^8 Also, according to FBI
testimony, terrorist organizations have used cybercrime to raise money to
fund their activities. However, despite the reported loss of money and
information and known threats from our nation's adversaries, there remains
a lack of understanding about the true magnitude of cybercrime and its
impact because it is not always detected or reported.
^6Javelin Strategy & Research, 2007 Identity Fraud Survey Report: Identity
Fraud is Dropping, Continued Vigilance Necessary (Pleasanton, CA: February
2007).
^7Department of Homeland Security, Remarks by Assistant Secretary Gregory
Garcia at the RSA Conference on IT and Communications Security (San
Francisco, CA: February 2007).
^8U.S.-China Economic and Security Review Commission, 2006 Report to
Congress (Washington, D.C.: November 2006).
Economic Impacts of Cybercrime Are Significant
Based on various studies and expert opinion, the direct economic impact
from cybercrime is billions of dollars annually. The overall loss
projection due to computer crime was estimated to be $67.2 billion
annually for U.S. organizations, according to a 2005 FBI survey. The
estimated losses associated with particular crimes include $49.3 billion
in 2006 for identity theft and $1 billion annually due to phishing. The
studies and experts derive their projected losses based on direct and
indirect costs that may include
o actual money stolen,
o estimated cost of intellectual property stolen,
o recovery cost of repairing or replacing damaged networks and
equipment, and
o intangible loss due to the opportunity loss from lack of
customer confidence in doing online commerce.
Table 4 shows the economic impact of cybercrime as reported by
various studies and reports over the last several years.
Table 4: Economic Impact of Cybercrime
Source: GAO analysis of government and private sector reports and studies
about cybercrime.
Many of the surveys and studies, such as those from IC3 and Computer
Security Institute/FBI, are performed at least annually. In addition, the
DOJ's Bureau of Justice Statistics has conducted a cybercrime survey of
private sector entities to gain a more definitive understanding of
cybercrime's economic impact on the United States. As of May 2007, the
response rate and results had not been reported.
Individual legal cases also illustrate the financial losses that victims
incur due to cybercrime. Examples include the following:
o In February 2007, a defendant was convicted of aggravated
identity theft, access device fraud, and conspiracy to commit bank
fraud in the Eastern District of Virginia. The defendant, who went
by the Internet nickname "John Dillinger," was involved in
extensive illegal online "carding" activities. He received e-mails
or instant messages containing hundreds of stolen credit card
numbers, usually obtained through phishing schemes or network
intrusions, from "vendors" who were located in Russia and Romania.
In his role as a "cashier" of these stolen credit card numbers,
the defendant would then electronically encode these numbers to
plastic bank cards, make ATM withdrawals, and return a portion to
the vendors. Computers seized from the defendant revealed over
4,300 compromised account numbers and full identity information
(i.e., name, address, date of birth, Social Security number, and
mother's maiden name) for over 1,600 individual victims.^9
o In September 2005, a Massachusetts juvenile was convicted in
connection with approximately $1 million in victim damages. Over a
15-month period, the juvenile hacked into Internet and telephone
service providers, stole an individual's personal information and
posted it on the Internet, and made bomb threats to high schools
in Florida and Massachusetts.^10
o In October 2004, the Secret Service investigated and shut down
an online organization that facilitated losses in excess of $4
million and trafficked in around 1.7 million stolen credit cards
and stolen identity information and documents. This high-profile
case, known as "Operation Firewall," focused on a criminal
organization of some 4,000 members whose Web site functioned as a
hub for identity theft activity.^11
o In July 2003, a man was convicted of causing an aggregate loss
of approximately $25 million and hacking into computers in the
United States. The defendant pleaded guilty in these proceedings
and admitted to numerous charges of conspiracy, computer
intrusion, computer fraud, credit card fraud, wire fraud, and
extortion. Those charges stemmed from the activities of the
defendant and others who operated from Russia and hacked into
dozens of computers throughout the United States, stealing
usernames, passwords, credit card information, and other financial
data, and then extorting money from those victims with the threat
of deleting their data and destroying their computer systems.^12
o In May 2002, a New Jersey man was convicted of causing more than
$80 million in damage by unleashing the "Melissa" computer virus
in 1999 and disrupting personal computers and computer networks in
business and government.^13
Cybercrime Is a Threat to National Security
There is continued concern about the threat that our adversaries
pose to our national security through attacks on our
computer-reliant critical infrastructures and theft of our
sensitive information. Over the last several years, such risks
have been described in a variety of reports and testimonies. Table
5 describes the concerns raised.
^9Statement of Associate Deputy Attorney General before the Subcommittee
on Terrorism, Technology and Homeland Security, Committee on the
Judiciary (Mar. 21, 2007).
^10U.S. Attorney's Office District of Massachusetts, Press Release,
"Massachusetts Teen Convicted for Hacking into Internet and Telephone
Service Providers and Making Bomb Threats to High Schools in Massachusetts
and Florida" (Sept. 8, 2005),
www.cybercrime.gov/juvenileSentboston.htm (Accessed Mar. 30, 2007).
^11Department of Justice (DOJ) Criminal Division, Press Release,
"Shadowcrew Organization Called `One-Stop Online Marketplace for Identity
Theft'" (Oct. 28, 2004), www.cybercrime.gov/mantovaniIndict.htm (Accessed
Mar. 30, 2007).
^12U.S. Attorney's Office District of Connecticut, Press Release, "Russian
Man Sentenced for Hacking into Computers in the United States" (July 25,
2003), www.cybercrime.gov/ivanovSent.htm (Accessed Mar. 30, 2007).
^13U.S. Attorney's Office District of New Jersey, Press Release, "Creator
of Melissa Computer Virus Sentenced to 20 Months in Federal Prison" (May
1, 2002), www.cybercrime.gov/melissaSent.htm (Accessed Mar. 30, 2007).
Table 5: Reports and Testimonies Describing Threats to National Security
Source: GAO analysis of various reports and testimonies.
^aStatement for the Record by the Director of Central Intelligence to the
U.S. Senate Committee on Governmental Affairs, Permanent Subcommittee on
Investigations, "Foreign Information Warfare Programs and Capabilities"
(June 25, 1996).
^bStatement for the Record, Deputy Assistant Director and Chief, National
Infrastructure Protection Center, Federal Bureau of Investigation, before
the Congressional Joint Economic Committee (Mar. 24, 1998).
^cThe Center for Strategic and International Studies, "Cybercrime,
Cyberterrorism, and Cyberwarfare: Averting an Electronic Waterloo" (Dec.
15, 1999).
^dNational Communications System, "The Electronic Intrusion Threat to
National Security and Emergency Preparedness (NS/EP) Telecommunications:
An Awareness Document," third edition (March 1999).
^eStatement of the Director of Central Intelligence to the U.S. Senate
Select Committee on Intelligence, "Current and Projected National Security
Threats to the United States" (Feb. 6, 2002).
^fInstitute for Security Technology Studies at Dartmouth
College, "Examining the Cyber Capabilities of Islamic Terrorist Groups"
(Hanover, N.H.: March 2004).
^gStatement of the FBI Director to the U.S. Senate Select Committee on
Intelligence, "Current and Projected National Security Threats to the
United States" (Feb. 16, 2005).
The risks posed by this increasing and evolving threat are demonstrated by
actual and potential attacks and disruptions, such as those cited below.
o DOD officials stated that its information network, representing
approximately 20 percent of the entire Internet, receives
approximately 6 million probes/scans a day. Further,
representatives from DOD stated that between January 2005 and July
2006, the agency initiated 92 cybercrime cases, the majority of
which involved intrusions or malicious activities directed against
its information network.
o In November 2006, the U.S.-China Economic and Security Review
Commission^14 reported that China is actively improving its
nontraditional military capabilities. According to the study,
Chinese military strategists write openly about exploiting the
vulnerabilities created by the U.S. military's reliance on
advanced technologies and the extensive infrastructure used to
conduct operations. Chinese military writings also refer to
attacking key civilian targets such as financial systems. In
addition, the report stated that Chinese intelligence services are
capable of compromising the security of computer systems. The
commission also provided instances of computer network
penetrations coming from China. For example, in August and
September 2006, attacks on computer systems of the Department of
Commerce's Bureau of Industry and Security forced the bureau to
replace hundreds of computers and lock down Internet access for 1
month.
^14U.S.-China Economic and Security Review Commission, 2006 Report to
Congress of the U.S.-China Economic and Security Review Commission
(Washington, D.C.: November 2006).
o In August 2006, a California man was convicted for conspiracy to
intentionally cause damage to a protected computer and commit
computer fraud. Between 2004 and 2005, he created and operated a
botnet that was configured to constantly scan for and infect new
computers. For example, in 2 weeks in February of 2005, the
defendant's bots reported more than 2 million infections of more
than 629,000 unique addresses (some infected repeatedly). It
damaged hundreds of DOD computers worldwide. The DOD reported a
total of $172,000 of damage due to a string of computer intrusions
at numerous military installations in the United States (including
Colorado, Florida, Hawaii, Maryland, South Carolina, and Texas)
and around the world (including Germany and Italy). In addition,
the botnet compromised computer systems at a Seattle hospital,
including patient systems, and damaged more than 1,000 computers
in a California school district over the course of several months
in 2005. Officials from the California school district reported
damages between $50,000 and $75,000 to repair its computers after
the botnet struck in February 2005.^15
o The Central Intelligence Agency has identified two known
terrorist organizations with the capability and greatest
likelihood to use cyber attacks against our infrastructures.^16
o In March 2005, security consultants within the electric industry
reported that hackers were targeting the U.S. electric power grid
and had gained access to U.S. utilities' electronic control
systems. Computer security specialists reported that, in a few
cases, these intrusions had "caused an impact." While officials
stated that hackers had not caused serious damage to the systems
that feed the nation's power grid, the constant threat of
intrusion has heightened concerns that electric companies may not
have adequately fortified their defenses against a potential
catastrophic strike.^17
^15DOJ, United States Attorney for the Western District of Washington,
Press Release, California Man Sentenced for "Botnet" Attack that
Implicated Millions: Network of Robot Computers Damaged Military
Installations, Northwest Hospital, and California School District
(Seattle, WA: Aug. 25, 2006).
^16Statement for the Record, Information Operations Issue Manager, Central
Intelligence Agency, before the Congressional Joint Economic Committee
(Feb. 23, 2000).
^17GAO, Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
GAO-05-434 (Washington, D.C.: May 26, 2005).
o Terrorist organizations have used cyberspace and cybercrime to
raise money in a number of ways, such as facilitating protection
schemes, credit card fraud, and drug smuggling. For example, in a
July 2002 testimony, FBI officials stated that Al Qaeda terrorist
cells in Spain used stolen credit card information to make
numerous purchases.^18 In addition, Indonesian police officials
believe the 2002 terrorist bombings in Bali were partially
financed through online credit card fraud, according to press
reports.^19
As larger amounts of money are transferred through computer
systems, as more sensitive economic and commercial information is
exchanged electronically, and as the nation's defense and
intelligence communities increasingly rely on commercially
available information technology, the likelihood increases that
information attacks will threaten vital national interests.
Precise Magnitude of Cybercrime Is Unknown
Despite the large reported impact of cybercrime, the true impact
of cybercrime in the United States is unknown because cybercrimes
are not always detected or reported. Organizations and individuals
do not always detect cybercrimes. The systems
put in place to audit and monitor systems, including intrusion
detection systems, intrusion protection systems, security event
correlation tools, and computer forensics tools,^20 have
limitations that impact their ability to detect a crime
occurring.^21 For example, the effectiveness of intrusion
detection systems is limited by their ability to capture accurate
baselines of normal network or system activity. Also, these
systems are prone to false positives and false negatives and are
not as effective in protecting against unknown attacks. In
addition, the effectiveness of security event correlation tools is
limited by their ability to interface with numerous security
products and the quality of the logs they rely upon.
^18Statement for the Record, Chief, Terrorist Financial Review Group, FBI,
before the Senate Judiciary Committee, Subcommittee on Technology,
Terrorism and Government Information (July 9, 2002).
^19The Washington Post, An Indonesian's Prison Memoir Takes Holy War Into
Cyberspace (Dec. 14, 2004).
^20Intrusion detection systems detect inappropriate, incorrect, or
anomalous activity on a network or computer system. Intrusion prevention
systems build on intrusion detection systems to detect attacks on a
network and take action to prevent them from being successful. Security
event correlation tools monitor and document actions on network devices
and analyze the actions to determine if an attack is ongoing or has
occurred. Computer forensic tools identify, preserve, extract, and
document computer-based evidence.
When a cybercrime is detected, companies and individuals can
choose not to report the crime. Companies and individuals weigh
the cost and impact of the incident against the time and effort
needed to support an investigation and prosecution. Cybercrime
reporting is discussed further in our challenges section.
Numerous Public and Private Organizations Have Responsibilities
to Protect Against, Detect, Investigate, and Prosecute Cybercrime
Federal agencies, state and local law enforcement, private
industry, and academia have responsibilities, based on their
primary missions or business interests, to protect against,
detect, investigate, and prosecute cybercrime. Public and private
sector entities are engaged in these efforts individually and
through collaborative efforts.
Many Public Entities Have Responsibilities for Addressing Cybercrime
DOJ, DHS, DOD, and the FTC have key roles in addressing
cybercrime within the federal government, along with the federal
inspectors general. State and local law enforcement organizations
also have key responsibilities in addressing cybercrime. Efforts
range from fighting cybercrime by investigating and prosecuting it
to improving the protection of systems through raising awareness
and building relationships.
^21GAO, Technology Assessment: Cybersecurity for Critical Infrastructure
Protection, GAO-04-321 (Washington, D.C.: May 28, 2004).
Key Department of Justice Organizations
The key agencies within DOJ that focus on enforcing cybercrime
violations include the Criminal Division, U.S. Attorneys, and the
FBI. Table 6 shows key DOJ organizations, suborganizations, and
activities.
Table 6: Department of Justice's Key Organizations and Activities to
Mitigate Cybercrime
Sources: GAO and DOJ.
Key Department of Homeland Security Organizations
Three key agencies within DHS have a role in addressing cybercrime
issues--the Secret Service, the Cyber Security and Communications Office's
National Cyber Security Division, and Immigration and Customs Enforcement.
Table 7 shows key DHS organizations, suborganizations, and activities.
Table 7: Department of Homeland Security's Key Organizations and
Activities to Mitigate Cybercrime
Sources: GAO and DHS.
^aThe National Cyber Response Coordination Group is a forum of national
security, law enforcement, defense, intelligence, and other government
agencies that coordinates governmental and public/private preparedness and
response to and recovery from national level cyber incidents and physical
attacks that have significant cyber consequences.
Key Department of Defense Organizations
Within DOD, the Defense Criminal and Counterintelligence Investigation
Organizations conduct all law enforcement investigations and the Defense
Cyber Crime Center (DC3) can provide forensics support. Table 8 shows key
organizations, suborganizations, and activities.
Table 8: Department of Defense Key Organizations and Activities to
Mitigate Cybercrime
Sources: GAO and DOD.
^aDOD Criminal and Counterintelligence Investigative Organizations include
the Air Force Office of Special Investigations, Army Military
Intelligence, Army Criminal Investigations Command, Naval Criminal
Investigative Service, and Defense Criminal Investigative Service.
Federal Trade Commission
The FTC was created to prevent unfair methods of competition. Its mission
expanded over time with additional legislation authorizing it to serve as
a protective force for U.S. consumers. The agency has the authority to
file civil enforcement actions either in federal district court or
administratively. Remedies in these civil actions range from orders to
stop the illegal conduct to requiring disgorgement of illegal proceeds or
payment of restitution.
FTC's Bureau of Consumer Protection investigates and enforces matters
related to activities that may be classified as cybercrime. It has several
divisions that focus primarily on different aspects of the FTC's consumer
protection mission. According to FTC staff, the Bureau of Consumer
Protection is composed of six divisions, which target different
substantive areas for enforcement and outreach purposes. The divisions
routinely coordinate initiatives and share resources to most efficiently
and effectively further the consumer protection mission. Its resources
include headquarters staff and staff located at eight regional offices that
investigate and bring a variety of consumer protection and competition
cases and engage in outreach efforts. In addition, the Criminal Liaison
Unit coordinates for all of the Bureau of Consumer Protection's divisions
with criminal law enforcement agencies across the U.S. to encourage the
prosecution of criminal fraud.
Federal Inspectors General
Federal Inspectors General have a role in preventing, detecting, and
investigating cybercrime within their respective agencies. Specifically,
14 of 19 Inspectors General that provided information to us stated that
they handle cybercrime investigations affecting their respective agency
within their own capabilities. For example, certain Inspectors General
reported having significant efforts in addressing cybercrime, including
those for the Departments of Education, Energy, and Transportation and the
Environmental Protection Agency. Additionally, 11 of the 19 Inspectors
General stated that they perform an education and awareness role within
their respective agencies by conducting training, providing presentations,
and performing activities mandated by the Federal Information Security
Management Act.^22
State and Local Law Enforcement Organizations
State and local organizations address cybercrime through efforts to share
information, improve expertise, and facilitate cybercrime prosecutions
both nationally and locally. For example, on a national basis, SEARCH, an
organization dedicated to improving state-level law enforcement, has three
cybercrime-focused programs related to providing high-tech crime training,
technical assistance, and research on emerging technology nationwide. In
addition, the National Association of Attorneys General has a cybercrime
initiative benefiting state prosecutors. It also hosts a cybercrime
conference that provides training in cybercrime investigative areas,
legislation, case law, and public education tools. The association's
executive working group meets quarterly and shares information on criminal
issues, including cybercrime.
^22The Federal Information Security Management Act was enacted as Title
III, E-Government Act of 2002, Pub. L. No. 107-347, to establish clear
criteria to improve federal agencies' information security programs.
According to the act, information security is defined as protecting
information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to maintain
their integrity, confidentiality, and availability.
State-level law enforcement entities have implemented initiatives to
facilitate the investigation and prosecution of cybercrime in the states.
For example, the Commonwealth of Virginia's Office of the Attorney General
has a Computer Crime unit dedicated to investigating criminal cases
violating the Virginia Computer Crimes Act. In addition, Virginia's
Attorney General formed the Virginia Cyber Crime Strike Force that
collaborates with the U.S. Attorneys' Offices, the Virginia State Police,
the FBI and Virginia's Bedford County Sheriff's Office to investigate and
prosecute cybercrime. Other examples of state efforts are (1) the
Washington Attorney General's High Tech Crime Unit, which litigates cases
of cyberfraud and pursues civil remedies under the state's broad consumer
protection law, and (2) the Washington State Patrol Computer Crime unit,
which serves as a first responder to computer crimes affecting state-funded
institutions such as state and local governments and public schools and
universities.
Private-Sector Entities Focus on Protection and Detection Efforts
The private sector's focus is on the development and implementation of
technology systems to protect against computer intrusions, Internet fraud,
and spam and, if a crime does occur, to detect it and gather admissible
evidence for an investigation. The private entities that focus on these
technological efforts include Internet service providers, security
vendors, software developers, and computer forensics vendors:
o Internet service providers offer businesses and home users
various levels of access to the Internet and other
Internet-related services such as customer support and spam and
virus protection. Providers also assist law enforcement by
monitoring and providing information on selected Internet
activities and provide technical expertise to assist with
investigations. In addition, providers can pursue civil action
against users to punish inappropriate behavior.
o Security vendors such as e-mail security firms can screen
electronic messages for harmful data and take action to prevent
such data from reaching the intended target. Vendors also assist
law enforcement by reporting instances of computer crime,
providing technical assistance, and pursuing civil action against
inappropriate behavior.
o Software developers are improving the quality and security of
operating system programs to detect and block malicious code.
o Computer forensics vendors provide private companies with
computer forensics investigative services to detect the theft of
trade secrets and intellectual property, detect employee fraud,
locate and recover previously inaccessible documents and files,
provide reports on all user activity, and access
password-protected files. In addition, computer forensic vendors
develop tools used by law enforcement to investigate cybercrime.
These tools allow for the analysis of digital media and the
gathering of evidence that is admissible in court.
Numerous Public and Private Partnerships Work to Address Cybercrime
Numerous partnerships have been established between public sector
entities, between public and private sector entities, and
internationally to collaborate and implement effective cybercrime
strategies. Each of their strategies includes information sharing
activities and consumer awareness efforts. Table 9 gives brief
descriptions of key partnerships, their purposes, and primary
stakeholders.
Table 9: Key Partnerships Established to Address Cybercrime
Source: GAO analysis of various reports and documents.
^aThe National White Collar Crime Center provides a nationwide support
system for agencies involved in the prevention, investigation, and
prosecution of economic and high-tech crimes and supports and partners
with other appropriate entities in addressing homeland security
initiatives, as they relate to economic and high-tech crimes. Through a
combination of training and critical support services, it equips state
and local law enforcement agencies with the skills and resources they need
to tackle emerging economic and cybercrime problems.
Public and Private Sectors Face Challenges in Addressing Cybercrime
Numerous challenges impede the efforts of public and private entities to
mitigate cybercrime (see table 10), including (1) reporting cybercrime, (2)
ensuring adequate law enforcement analytical and technical capabilities,
(3) working in a borderless environment with laws of multiple
jurisdictions, and (4) implementing information security practices and
raising awareness.
Table 10: Challenges to Addressing Cybercrime
Source: GAO.
Reporting Cybercrime
Although surveys and studies show that the nation potentially loses both
billions of dollars annually and sensitive information as a result of
cybercrime, definitive data on the amount of cybercrime is not available.
Understanding the impact of cybercrime in the United States is a challenge
because reporting of cybercrime is limited.
When a cybercrime is detected, entities and individuals can choose to
report it to law enforcement or not. They weigh the cost and impact of the
incident against the time and effort needed to support an investigation and
prosecution. In addition, our work and findings of the Congressional
Research Service related to information sharing have shown that businesses
do not always want to report problems because there is a perception that
their information will be disclosed publicly, which could, in turn, cause
harm to their business.^23 Reasons for not reporting a crime to law
enforcement include the following:
o Financial market impacts. The stock and credit markets and bond
rating firms react negatively to security breach announcements,
which could raise the cost of capital to reporting firms. Even
firms that are privately held and are not active in public
securities markets can be adversely affected if banks and other
lenders judge them to be more risky than previously thought.
o Reputation or confidence effects. Negative publicity damages a
reporting firm's reputation or brand, and could cause customers to
lose confidence, giving commercial rivals a competitive advantage.
o Litigation concerns. If an organization reports a security
breach, investors, customers, or other stakeholders can use the
courts to seek recovery of damages. If the organization has been
open in the past about previous incidents, plaintiffs may allege a
pattern of negligence.
o Signal to attackers. A public announcement alerts hackers that
an organization's cyber-defenses are weak and can inspire further
attacks.
o Inability to share information. Some private-sector entities
want to share information about an incident with law enforcement
and other entities; however, once the information becomes part of
an ongoing investigation, their ability to share information may
be limited.
o Job security. IT personnel fear for their jobs after an incident
and seek to conceal the breach from senior management.
o Lack of law enforcement action. According to private sector
officials, law enforcement entities have failed to investigate
cases reported to them, which is a disincentive to reporting
crimes in the future.
To improve the reporting of cybercrime, the numerous
public/private partnerships (e.g., the National Cyber Forensics
and Training Alliance, InfraGard, and the Electronic Crimes Task
Forces), as well as the awareness and outreach efforts of law
enforcement discussed earlier, are methods for building better
relationships and understanding between the public and private
sectors. These efforts may increase trust between the public and
private sector and encourage better reporting of cybercrimes when
they occur.
^23GAO, Information Sharing: Practices That Can Benefit Critical
Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct. 15, 2001)
and GAO, Critical Infrastructure Protection: Challenges for Selected
Agencies and Industry Sectors, GAO-03-233 (Washington, D.C.: Feb. 28,
2003); Congressional Research Service, The Economic Impact of Cyber
Attacks, RL 32331 (Washington, D.C.: Apr. 1, 2004).
Ensuring Adequate Law Enforcement Analytical and Technical
Capabilities
Efforts by law enforcement to investigate and prosecute cybercrime
require individuals with specialized skills and tools. According
to federal, state, and local law enforcement and private sector
officials, it is a challenge to recruit such individuals from a
limited pool of available talent, retain them in the face of
competing offers, and train them to stay up to date with changing
technology and increasingly sophisticated criminal techniques.
Obtaining and Retaining Investigators, Prosecutors, and
Cyberforensics Examiners
Federal and state law enforcement organizations face challenges in
having the appropriate number of skilled investigators, forensic
examiners, and prosecutors. According to federal and state law
enforcement officials, the pool of qualified candidates is limited
because individuals involved in investigating or examining
cybercrime are highly trained specialists requiring both law
enforcement and technical skills, including knowledge of various
IT hardware and software and forensic tools. According to Defense
Cyber Crime Center officials, once an investigator or examiner
specializes in cybercrime, it can take up to 12 months for those
individuals to become proficient enough to fully manage their own
investigations. Further, according to state officials, state and
local law enforcement agencies do not have the resources needed to
hire the investigators with adequate technical knowledge required
to address cybercrime.
Law enforcement organizations also find it difficult to retain
highly skilled cyberforensic investigators and examiners.
According to federal and state officials, the private sector
demands individuals with the same skills and successfully attracts
them away from their government positions with much higher
salaries and better benefits. For example, according to an
Assistant U.S. Attorney, several cybercrime experts, including
attorneys, federal and state law enforcement agents, and
cyberforensic examiners, have left their government positions due
to the higher salaries and benefits offered by the private sector.
The available pool of experienced federal cybercrime investigators
is also impacted by FBI and Secret Service rotation policies. For
example, according to FBI officials, new FBI agents, not initially
assigned to one of the 15 largest field offices, are required to
rotate to one of these large offices after 3 years in order to
have diversified experiences. According to FBI headquarters and
field agents, when cybercrime investigators rotate out under this
policy, they are not necessarily reassigned to cybercrime
investigations in their new field office, and so their extensive
cyber background is underutilized. In addition, the agents who
rotate in to replace experienced cybercrime investigators may have
little or no cybercrime experience or background. Further,
according to FBI officials, the pool of experienced senior
managers is impacted by the FBI's current policy that senior field
supervisory agents are limited to 5-year terms in their positions
and then most move to seek further career advancement. This can
include the movement of experienced cybercrime investigators out
of senior cybercrime positions. Similarly, according to Secret
Service officials, most Secret Service agents, including those
with technical, cybercrime investigation expertise, rotate to a
protective assignment, which focuses on the protection of the
President, Vice President, and others and not on the investigation
of cybercrime. In addition, officials stated that there is an
investigative career track that allows agents to continue doing
investigations, including those related to cybercrime; however,
protective assignments are perceived as higher profile and could
lead to greater career advancement. FBI and Secret Service
officials acknowledged that the rotation policies have at times
resulted in these agencies underutilizing staff with cyber
expertise.
Keeping Up to Date with Current Technology and Criminal Techniques
The rapid evolution of technology and cybercrime techniques means
that law enforcement agencies must continuously upgrade technical
equipment and software tools. Such equipment and tools are
expensive, and agencies' need for them does not always fall into
the typical federal replacement cycle. For example, in order for
investigators to perform cyberforensic examinations and gather the
evidence required to support a prosecution, the examiners and
investigators must, in some cases, store and analyze huge amounts
of digital data. According to federal law enforcement officials,
the amount of data being collected is growing exponentially.
However, according to law enforcement officials, state and local
law enforcement agencies do not always have the resources to
obtain the equipment necessary to analyze large amounts of data.
Law enforcement organizations also find that maintaining a current
understanding of new criminal techniques and technologies can be
difficult. For example, law enforcement agents are required to
extract forensic data from IT devices that have only been on the
market for months. They also must keep up with innovative criminal
techniques and approaches. For example, techniques for assembling
and controlling botnets are becoming increasingly sophisticated
and difficult to trace, making it difficult to identify certain
spamming and phishing schemes. In addition, criminals are
increasing their use of encryption techniques.^24 This requires
law enforcement to continue to research and develop appropriate
countermeasures. Training can help to keep investigators' skills
current, but relevant courses are limited, costly, and
time-consuming, and take agents away from the cases that they are
investigating.
Federal and state law enforcement organizations are taking steps
to improve their analytic and technical capabilities. For example,
the Secret Service has developed training programs for federal,
state, and local law enforcement and DOD's Defense Cyber Crime
Center has a cyberforensic training program for DOD investigators
and other law enforcement officials. Further, the FBI's Cyber
Action Teams rapidly provide technical expertise to cybercrime
investigations worldwide, when needed. To overcome shortfalls in
equipment and electronic storage, the FBI is sponsoring regional
computer forensics laboratories to serve the needs of an entire
region's law enforcement. In addition, public/private
partnerships, like the FBI's Infragard and National Cyber
Forensics Training Alliance and the Secret Service's Electronic
Crimes Task Forces, provide ways to share expertise between law
enforcement, the private sector, and academia. Although it will
continue to be a challenge to keep current with the rapid
evolution of technology and cybercrime techniques, these DOD, FBI,
and Secret Service efforts are positive steps to attempt to keep
up with techniques and technology for investigations.
Working in a Borderless Environment with Laws of Multiple Jurisdictions
Law enforcement organizations face the challenge of investigating
and prosecuting cybercrime that crosses national and state
borders, and working with laws, legal procedures, and law
enforcement entities from multiple jurisdictions. Working in this
environment complicates most cyber investigations.
Private sector, individual, and law enforcement efforts are
complicated by the borderless nature of cybercrime. As discussed
earlier, cybercriminals are not hampered by physical proximity or
regional, national, or international borders. Cybercriminals can
be physically located in one nation or state, direct their crime
through computers in multiple nations or states, and store
evidence of the crime on computers in yet another nation or state.
This makes it difficult to trace the cybercriminals to their
physical location. In addition, cybercriminals can take steps to
remain anonymous, making it difficult, if not impossible, to
attribute a crime to them.
^24Encryption is the process of encoding a message so that it can be read
only by the sender and the intended recipient.
Similar to efforts addressing traditional crime, efforts to
investigate and prosecute cybercrime are complicated by the
multiplicity of laws and procedures that govern in the various
nations and states where victims may be found, and the conflicting
priorities and varying degrees of expertise of law enforcement
authorities in those jurisdictions. Laws used to address
cybercrime differ across states and nations. For example, not all
U.S. states have antispam laws or antispyware laws. In addition,
an act that is illegal in the United States may be legal in
another nation or not directly addressed in the other nation's
laws. Developing countries, for example, may lack cybercrime laws
and enforcement procedures.
Further, jurisdictional boundaries can limit the actions that
federal, state, and local law enforcement can take to investigate
cybercrime that crosses local, regional, and national borders. For
example, state and local officials may be unable to pursue
investigations outside of their jurisdiction, so when a cybercrime
goes beyond their jurisdiction, they may need to rely upon
officials of other jurisdictions to further investigate the crime.
Additionally, extradition between states can be complicated
depending on the laws of the state where the suspect is located
and the knowledge of the states' law enforcement and judiciary
regarding cybercrime. In addition, the United States does not have
extradition arrangements with all nations, which makes it
impossible to extradite a cybercriminal from certain nations.
Extradition from nations having an extradition agreement with the
United States can be complicated or impossible if the nation's
laws do not make the action illegal or its magistrate is not
knowledgeable about cybercrime. Also, state and local officials
are unable to extradite persons from other nations without federal
law enforcement assistance.
Conflicting priorities also complicate cybercrime investigations
and prosecutions. Cybercrime can occur without physical proximity
to the victim, and thus a cybercriminal can operate without
victimizing a citizen in the jurisdiction or federal judicial
district in which the crime originated. With no negative impact on
the citizens in that district, there may be no incentive for the
local citizens to press their law enforcement officers to
investigate the crime. According to state officials, it is
difficult to commit resources to crimes where the victims are
outside their state or jurisdiction, although the suspected
cybercriminal may be prosecuted in the jurisdiction where the
victim is located.
Federal and state law enforcement organizations are taking steps
to help them work in the borderless environment within which
cybercriminals operate. For example, federal, state, and local law
enforcement organizations participate in cybercrime task forces
that combine a region's law enforcement capabilities to
investigate and prosecute cybercrime in the most advantageous way.
To address transnational jurisdiction, investigation, and
prosecution issues, DOJ and the State Department have established
agreements with more than 40 nations through the G-8 High Tech
Crime Working Group to address cybercrime cooperatively. The
Council of Europe's Cybercrime Convention is a similar
international effort. These and other efforts are essential to
addressing the transborder nature of cybercrime and enhancing the
ability of law enforcement to capture, prosecute, and punish
cybercriminals.
Implementing Information Security Practices and Raising Awareness
A major challenge in mitigating cybercrime is improving
information security practices on the part of organizations and
individual Internet users. Raising awareness about criminal
behavior and the need to protect information and systems is a key
activity in addressing cybercrime.
Protecting Information and Information Systems
Criminals often take advantage of poor computer security
practices, which makes maintaining a strong information security
posture vital to efforts to stop cybercrime. However, individuals
allow easy access for criminals to their personal computers and
electronic devices by not enabling security on those devices.
Without adequate information security, critical systems and
sensitive data are more susceptible to criminal access, theft,
modification, and destruction. Further, our audits have shown that
federal agencies do not adequately protect the information systems
that the government relies upon to deliver services to its
customers. In addition, over the last several years, we have
identified the challenges associated with the federal government's
efforts to coordinate public and private sector efforts to protect
the computer systems that support our nation's critical
infrastructures. As a result, federal information security has
been on GAO's list of high-risk areas since 1997 and cyber
critical infrastructure protection since 2003.^25 In addition, we
have made numerous recommendations to enhance the security of
federal information systems and cyber critical infrastructure
protection efforts. Implementation of these recommendations is
essential to protecting federal information systems.
^25GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007).
Raising Awareness about Criminal Behavior
A major challenge is educating the public in how to recognize
cybercrime when it is occurring. Criminals prey on people's
ignorance and susceptibility to ruses. For example, attackers
create e-mail and Web sites that appear legitimate, often copying
images and layouts of actual Web sites. Some cybercrime techniques
also take advantage of combinations of vulnerabilities. For
example, phishing entices users to provide the sensitive
information desired. However, phishers also use technical methods
to exploit software and system vulnerabilities to reinforce users'
perceptions that they are on a legitimate Web site.
Despite efforts by public and private entities to raise awareness
about the importance of information security and the techniques
used by criminals, users continue to neither understand the need
for protecting their personal information nor recognize unusual
requests that could be criminal activity. The types of cybercrime
that the media highlight, such as child pornography cases and
major companies being hacked, do not tend to undermine people's
trust in the Internet. For example, there continue to be reports
of people falling victim to well-known scams such as the Nigerian
4-1-9 fraud.^26 In addition, even as awareness grows, practices
are not easily changed. Further, the issues of adequate awareness
apply to law enforcement. State and local law enforcement may not
be aware of the cybercrime problem that could be impacting their
citizens.
There are numerous steps being taken to improve security of
information systems and raise user awareness. For example, as
discussed earlier, information security vendors provide software
and services; software developers are attempting to improve the
quality and security of their products; public and private
entities are working together to identify and mitigate risks,
including criminal activities; and federal organizations, such as
the FBI, the Secret Service, FTC, and DHS, sponsor programs and
organizations to raise user awareness about securing their
information and not becoming a victim of cybercrime. These are
positive steps to improve security and raise awareness.
Conclusions
The actual and potential harms that result from cybercrime attacks
in the United States are significant. Although the precise amount
of economic loss due to cybercrime is unknown, its impact is
likely billions of dollars. In addition, nation-state and
terrorist adversaries are seeking ways to attack our nation's
critical infrastructures and steal our sensitive information.
While numerous public and private entities--federal agencies,
state and local law enforcement, industry, and academia--have
responsibilities to address these threats, they face challenges in
protecting against, detecting, investigating, and prosecuting
cybercrimes. These challenges include reporting cybercrime,
ensuring adequate law enforcement analytical and technical
capabilities, working in a borderless environment with laws of
multiple jurisdictions, and implementing information security
practices and raising awareness.
^26The Nigerian 4-1-9 fraud is an advance fee scam where criminals deceive
victims into the payment of a fee by persuading them that they will
receive a very large benefit in return. Through the Internet, businesses
and individuals around the world have been, and continue to be, targeted
by perpetrators of this scam.
Public and private entities are working to address these
challenges by expanding public/private partnerships to increase
the trust between entities, to improve the quality and quantity of
shared information, and to leverage resources and technologies
across public and private boundaries. In addition, law enforcement
organizations have formed task forces and international agreements
to foster working in a borderless environment with laws from
multiple jurisdictions. Continued expansion of these efforts is
essential. Additionally, more can be done to assure an adequate
pool of individuals with the skills needed to effectively combat
cybercrime. Although law enforcement agencies must be sensitive to
a number of organizational issues and objectives in their human
capital programs, current staff rotation policies at key law
enforcement agencies may negatively impact the agencies'
analytical and technical capabilities to combat cybercrime.
Recommendation for Executive Action
We recommend that the Attorney General direct the FBI Director and
the Secretary of Homeland Security direct the Director of the
Secret Service to assess the impact of the current rotation
approach on their respective law enforcement analytical and
technical capabilities to investigate and prosecute cybercrime and
to modify their approaches, as appropriate.
Agency Comments and Our Evaluation
We received written comments on a draft of this report from the
FBI (see app. II). In the response, the Deputy Assistant Director
from the FBI's Cyber Division stated that the FBI Director had
approved rotational policies after careful consideration of the
viable alternatives provided by analysis and study conducted by
the Human Resources Division. Further, he stated that the FBI
Director had endorsed the establishment of five distinct career
paths for both new and veteran special agents, including a
specific designation for cyber matters. According to the Assistant
Director, this career path will ensure the FBI recruits, trains,
and deploys special agents with the critical cyber skill set
required to maintain the FBI on the cutting edge of computer
technology and development, and positioned to counter the
constantly evolving cyber threat. Despite these efforts to assess
and expand analytical and technical capabilities, the current
rotational policies may adversely affect the FBI's use of staff
with cyber expertise; therefore, it is important to continually
reassess the rotational policies that impact the FBI's ability to
address the cyber threat.
In addition, we received written comments on a draft of this
report from the Secret Service (see app. III). In the response,
the Assistant Director, Office of Inspection, stated that agents
who complete the Electronic Crimes Special Agent Program's
computer forensics training course are required to serve a minimum
of four years in the program. In addition, he stated that the
Secret Service is expanding its Electronic Crimes Special Agent
Program and will have approximately 770 trained and active agents
by the end of fiscal year 2007. He also stated that the rotation
of the Electronic Crimes Special Agent Program agents does not
have a detrimental impact on the agency's cyber investigative
capabilities because Secret Service field offices send additional
agents through the program prior to a trained agent's departure,
and because the Electronic Crimes Task Forces allow the agency to
draw on state and local law officials trained in cyber
investigations and computer forensics. While we agree that
expanding the Electronic Crimes Special Agent Program and
leveraging the relationships and capabilities of the Electronic
Crimes Task Forces is important to adequately addressing
cybercrime, the current rotational policy may adversely affect the
Secret Service's use of staff with cyber expertise; therefore, it
is important for the Secret Service to continually reassess the
rotational policies that impact its ability to address the cyber
threat.
DOD, DOJ, DHS, state and local government, and other officials
also provided technical corrections that have been incorporated in
this report as appropriate.
As agreed with your office, unless you publicly announce the
contents of this report earlier, we plan no further distribution
until 30 days from the report date. At that time, we will send
copies of this report to interested congressional committees, the
Attorney General, the Secretaries of Defense and Homeland
Security, the Chairman of the Federal Trade Commission, and other
interested parties. We also will make copies available to others
upon request. In addition, this report will be available at no
charge on GAO's Web site at http://www.gao.gov.
If you or your staff has any questions about this report, please
contact David Powner at (202) 512-9286, or [email protected];
or Keith Rhodes at (202) 512-6412, or [email protected].
Contact points for our Offices of Congressional Relations and
Public Affairs may be found on the last page of this report. Major
contributors to this report are listed in appendix IV.
David A. Powner
Director, Information Technology Management Issues
Keith A. Rhodes
Chief Technologist
Director, Center for Technology and Engineering
Appendix I: Objectives, Scope, and Methodology
Our objectives were to (1) determine the impact of cybercrime on
our nation's economy and security; (2) describe key federal
entities, as well as nonfederal and private-sector entities,
responsible for addressing cybercrime; and (3) determine
challenges being faced in addressing cybercrime.
To determine the impact of cybercrime on the U.S. economy and
security, we analyzed various government and private-sector
reports, surveys, and statistics related to cybercrime and
conducted interviews with experts from law enforcement, academia,
and information technology and security companies to verify,
clarify, and gain a greater understanding of cybercrime's impact.
Further, we interviewed officials and staff at key federal
agencies, including the Departments of Defense, Justice, and
Homeland Security; and the Federal Trade Commission; and obtained,
through structured interview questions, information from 19
federal Office of Inspectors General about the number and
frequency of cybercrimes experienced at their respective agencies
and the subsequent cost associated with addressing these
incidents, among other things.
To identify the key public and private-sector entities that work
to mitigate and investigate computer crime and prosecute cyber
criminals, we analyzed reports, surveys, and studies related to
cybercrime. In addition, we held interviews with cybercrime
experts from government and the private sector to identify
entities and verify the entities identified as being important. To
verify information and determine relevant activities, we performed
document analysis, held site visits, conducted structured
interviews, and received written responses to structured interview
questions. The entities contacted during the course of our work
include the following:
o Department of Justice: Computer Crime and Intellectual Property
Section; Bureau of Justice Statistics; United States Attorneys,
including the Pittsburgh and Seattle Computer Hacking and
Intellectual Property units; FBI's Cyber Division, including the
Computer Intrusion Section and the Innocent Images National
Initiative unit; FBI's National Cyber Forensics and Training
Alliance; FBI's Cyber Initiative and Resource Fusion Unit; FBI's
Internet Crime Complaint Center; and FBI's Pittsburgh and Seattle
Field Office units.
o Department of Homeland Security: Special Agent in Charge of the
Secret Service's Criminal Investigative Division; the National
Cyber Security Division's Deputy Director of the Law Enforcement
and Intelligence Section and Deputy Director of the United States
Computer Emergency Readiness Center.
o Department of Defense: Defense Cyber Crime Center; Joint Task
Force for Global Network Operations; Defense Criminal
Investigative Service; Air Force Office of Special Investigation,
Army Military Intelligence, and the Naval Criminal Investigative
Service.
o Federal Trade Commission: Officials from the Divisions of
Advertising Practices, Enforcement, and Marketing Practices. In
addition, members of the team attended sessions of a Federal Trade
Commission sponsored conference that focused attention on
cybercrime.
o Office of Inspectors General: Department of Education's Computer
Crime Division/Office of Inspector General; written responses from
structured interview questions from officials from the Inspectors
General of the Small Business Administration, Department of
Defense, Nuclear Regulatory Commission, Health and Human Services,
National Science Foundation, Department of Veterans Affairs,
General Services Administration, Department of Labor, Department
of Transportation, Agency for International Development, Office of
Personnel Management, Department of the Treasury, Department of
Justice, Housing and Urban Development, Social Security
Administration, Department of Energy, Department of the Interior.
o Private Sector: Counterpane Internet Security; Cyber Security
Industry Alliance; CypherTrust; Guidance Software; InfraGard;
Information Technology-Information Sharing and Analysis Center;
Microsoft; Postini; SEARCH; Symantec; and other cybercrime
experts.
o State and Local Entities: Office of the Attorney General of
Washington; Washington State Highway Patrol's Computer Crime Unit;
Office of the Attorney General of Virginia--Computer Crime Unit;
and the National Association of Attorneys General.
We also met with representatives from the State Department to
discuss the department's role in addressing cybercrime. However,
after meeting with representatives from the department's Bureau of
Resource Management, Political-Military Affairs, International
Narcotics and Law Enforcement, and others, we determined that the
department's cybercrime responsibilities were outside the scope of
our engagement. In addition, State Department representatives
stated that they work closely with the Department of Justice's
Computer Crime and Intellectual Property Section on cybercrime
issues and that Justice officials would be a better source to
determine the impact of cybercrime on the United States and
international efforts to address cybercrime.
To determine the challenges being faced in addressing cybercrime,
we gathered and analyzed relevant documents, interviewed key
government and private-sector officials regarding challenges to
fighting cybercrime, and conducted Internet and media research.
Based on the information received and our knowledge of the issues,
we determined the major challenges impeding efforts to address
cybercrime.
To observe operations of cybercrime related entities and interview
relevant federal, state, and local government and private-sector
officials, we performed our work between June 2006 and May 2007 in
the Washington, D.C., metropolitan area; Pittsburgh, Pennsylvania;
Seattle, Washington; and Fairmont, West Virginia; in accordance
with generally accepted government auditing standards.
Appendix II: Comments from the Federal Bureau of Investigation
Appendix III: Comments from the U.S. Secret Service
Appendix IV: GAO Contacts and Staff Acknowledgments
GAO Contacts
David A. Powner, (202) 512-9286, or [email protected]
Keith A. Rhodes, (202) 512-6412, or [email protected]
Staff Acknowledgments
In addition to the individuals named above, Barbara Collier, Neil
Doherty, Michael Gilmore, Steve Gosewehr, Barbarol James, Kenneth
A. Johnson, Kush K. Malhotra, Amos Tevelow, and Eric Winter made
key contributions to this report.
Congressional Relations
Gloria Jarmon, Managing Director, [email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
(310820)
www.gao.gov/cgi-bin/getrpt?GAO-07-705.
For more information, contact Dave Powner at (202) 512-9286 or
[email protected].
Highlights of GAO-07-705, a report to congressional requesters
June 2007
CYBERCRIME
Public and Private Entities Face Challenges in Addressing Cyber Threats
Computer interconnectivity has produced enormous benefits but has also
enabled criminal activity that exploits this interconnectivity for
financial gain and other malicious purposes, such as Internet fraud, child
exploitation, identity theft, and terrorism. Efforts to address cybercrime
include activities associated with protecting networks and information,
detecting criminal activity, investigating crime, and prosecuting
criminals.
GAO's objectives were to (1) determine the impact of cybercrime on our
nation's economy and security; (2) describe key federal entities, as well
as nonfederal and private sector entities, responsible for addressing
cybercrime; and (3) determine challenges being faced in addressing
cybercrime. To accomplish these objectives, GAO analyzed multiple reports,
studies, and surveys and held interviews with public and private
officials.
What GAO Recommends
GAO recommends that the Attorney General and the Secretary of Homeland
Security help ensure adequate law enforcement analytical and technical
capabilities. In written comments on a draft of this report, the FBI and
the U.S. Secret Service noted efforts to assess and enhance these
capabilities.
Cybercrime has significant economic impacts and threatens U.S. national
security interests. Various studies and experts estimate the direct
economic impact from cybercrime to be in the billions of dollars annually.
The annual loss due to computer crime was estimated to be $67.2 billion
for U.S. organizations, according to a 2005 Federal Bureau of
Investigation (FBI) survey. In addition, there is continued concern about
the threat that our adversaries, including nation-states and terrorists,
pose to our national security. For example, intelligence officials have
stated that nation-states and terrorists could conduct a coordinated cyber
attack to seriously disrupt electric power distribution, air traffic
control, and financial sectors. Also, according to FBI testimony,
terrorist organizations have used cybercrime to raise money to fund their
activities. Despite the estimated loss of money and information and known
threats from adversaries, the precise impact of cybercrime is unknown
because it is not always detected and reported (cybercrime reporting is
discussed further in GAO's challenges section).
Numerous public and private entities have responsibilities to protect
against, detect, investigate, and prosecute cybercrime. The Departments of
Justice, Homeland Security, and Defense, and the Federal Trade Commission
have prominent roles in addressing cybercrime within the federal
government, and state and local law enforcement entities play similar
roles at their levels. Private entities such as Internet service providers
and software developers focus on the development and implementation of
technology systems to detect and protect against cybercrime, as well as
gather evidence for investigations. In addition, numerous cybercrime
partnerships have been established between public sector entities, between
public and private sector entities, and internationally, including
information-sharing efforts.
Entities face a number of key challenges in addressing cybercrime,
including reporting cybercrime and ensuring that there are adequate
analytical capabilities to support law enforcement (see table). While
public and private entities, partnerships, and task forces have initiated
efforts to address these challenges, federal agencies can take additional
action to help ensure adequate law enforcement capabilities.
Challenges to Addressing Cybercrime
Source: GAO.
*** End of document. ***