Cybercrime: Public and Private Entities Face Challenges in	 
Addressing Cyber Threats (22-JUN-07, GAO-07-705).		 
                                                                 
Computer interconnectivity has produced enormous benefits but has
also enabled criminal activity that exploits this		 
interconnectivity for financial gain and other malicious	 
purposes, such as Internet fraud, child exploitation, identity	 
theft, and terrorism. Efforts to address cybercrime include	 
activities associated with protecting networks and information,  
detecting criminal activity, investigating crime, and prosecuting
criminals. GAO's objectives were to (1) determine the impact of  
cybercrime on our nation's economy and security; (2) describe key
federal entities, as well as nonfederal and private sector	 
entities, responsible for addressing cybercrime; and (3)	 
determine challenges being faced in addressing cybercrime. To	 
accomplish these objectives, GAO analyzed multiple reports,	 
studies, and surveys and held interviews with public and private 
officials.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-705 					        
    ACCNO:   A71229						        
  TITLE:     Cybercrime: Public and Private Entities Face Challenges  
in Addressing Cyber Threats					 
     DATE:   06/22/2007 
  SUBJECT:   Computer networks					 
	     Criminals						 
	     Cyber crimes					 
	     Cyber security					 
	     Economic analysis					 
	     Fraud						 
	     Hackers						 
	     Homeland security					 
	     Identity theft					 
	     Internet						 
	     Investigations by federal agencies 		 
	     Law enforcement					 
	     Law enforcement agencies				 
	     Policy evaluation					 
	     Software						 
	     Terrorism						 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

Report to Congressional Requesters

United States Government Accountability Office

GAO

June 2007

CYBERCRIME

Public and Private Entities Face Challenges in Addressing Cyber Threats

GAO-07-705

Contents

Letter

Results in Brief
Background
Cybercrime Has Significant Economic Impacts and Threatens U.S. National
Security Interests, but Its Precise Magnitude Is Unknown
Numerous Public and Private Organizations Have Responsibilities to Protect
Against, Detect, Investigate, and Prosecute Cybercrime
Public and Private Sectors Face Challenges in Addressing Cybercrime
Conclusions
Recommendation for Executive Action
Agency Comments and Our Evaluation
Appendix I Objectives, Scope, and Methodology
Appendix II Comments from the Federal Bureau of Investigation
Appendix III Comments from the U.S. Secret Service
Appendix IV GAO Contacts and Staff Acknowledgments

Tables

Table 1: Techniques Used to Commit Cybercrimes
Table 2: Reported Volume of Cybercrime Techniques
Table 3: Key Federal Laws Used to Investigate and Prosecute Cybercrime
Table 4: Economic Impact of Cybercrime
Table 5: Reports and Testimonies Describing Threats to National Security
Table 6: Department of Justice's Key Organizations and Activities to
Mitigate Cybercrime
Table 7: Department of Homeland Security's Key Organizations and
Activities to Mitigate Cybercrime
Table 8: Department of Defense Key Organizations and Activities to
Mitigate Cybercrime
Table 9: Key Partnerships Established to Address Cybercrime
Table 10: Challenges to Addressing Cybercrime

Figures

Figure 1: Comparison between Traditional Criminal Techniques and
Cybercrime
Figure 2: Crime Mitigation Framework

Abbreviations

CCIPS Computer Crimes and Intellectual Property Section
CHIP Computer Hacking and Intellectual Property
DCIS Department of Defense Criminal Investigative Service
DC3 Defense Cyber Crime Center
DHS Department of Homeland Security
DOD Department of Defense
DOJ Department of Justice
FBI Federal Bureau of Investigation
FTC Federal Trade Commission
IC3 Internet Crime Complaint Center
NCIS Naval Criminal Investigative Service
NCSD National Cyber Security Division
Secret Service U.S. Secret Service
SAFETY Internet Stopping Adults Facilitating the Exploitation of Today's
  Youth Act
US-CERT United States Computer Emergency Readiness Team

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

June 22, 2007

The Honorable Bennie G. Thompson
Chairman
Committee on Homeland Security
House of Representatives

The Honorable Lamar S. Smith
Ranking Member
Committee on the Judiciary
House of Representatives

The rapid increase in computer interconnectivity has revolutionized the
way that our government, our nation, and much of the world communicate and
conduct business. While the benefits have been enormous, the accelerated
use of the Internet has also enabled a dramatic rise in criminal activity
that exploits this interconnectivity for illicit financial gain and other
malicious purposes, such as Internet fraud, child exploitation, and
identity theft. Efforts to address cybercrime^1 include activities
associated with protecting networks and information, detecting criminal
activity, investigating crime, and prosecuting criminals.

As agreed, our objectives were to (1) determine the impact of cybercrime
on our nation's economy and security; (2) describe key federal entities,
as well as nonfederal and private sector entities, responsible for
addressing cybercrime; and (3) determine challenges being faced in
addressing cybercrime. To accomplish these objectives, we analyzed
multiple reports, studies, and surveys and held interviews with public and
private officials. Appendix I provides further details on our objectives,
scope, and methodology. We conducted this review from June 2006 to May
2007 in accordance with generally accepted government auditing standards.

^1Cybercrime, as used in this report, refers to criminal activities that
specifically target a computer or network for damage or infiltration and
also refers to the use of computers as tools to conduct criminal activity.

Results in Brief

Cybercrime is a threat to U.S. national economic and security interests.
Various studies and expert opinion estimate the direct economic impact
from cybercrime to be in the billions of dollars annually. The annual loss
due to computer crime was estimated to be $67.2 billion for U.S.
organizations, according to a 2005 Federal Bureau of Investigation (FBI)
survey. The estimated losses associated with particular crimes include
$49.3 billion in 2006 for identity theft and $1 billion annually due to
phishing.^2 These projected losses are based on direct and indirect costs
that may include actual money stolen, estimated cost of intellectual
property stolen, and recovery cost of repairing or replacing damaged
networks and equipment. In addition, there is concern about threats that
nation-states and terrorists pose to our national security through attacks
on our computer-reliant critical infrastructures and theft of our
sensitive information. For example, according to the U.S.-China Economic
and Security Review Commission report, Chinese military strategists write
openly about exploiting the vulnerabilities created by the U.S. military's
reliance on advanced technologies and the extensive infrastructure used to
conduct operations.^3 Also, according to FBI testimony, terrorist
organizations have used cybercrime to raise money to fund their
activities. Despite the reported loss of money and information and known
threats from adversaries, there remains a lack of understanding about the
precise magnitude of cybercrime and its impact because cybercrime is not
always detected or reported (cybercrime reporting is discussed further in
our challenges section).

Numerous public and private entities (federal agencies, state and local
law enforcement, industry, and academia) have individual and collaborative
responsibilities to protect against, detect, investigate, and prosecute
cybercrime. The Departments of Justice (DOJ), Homeland Security (DHS), and
Defense (DOD), and the Federal Trade Commission (FTC) have prominent roles
in addressing cybercrime within the federal government. DOJ's FBI and
DHS's U.S. Secret Service (Secret Service) are key federal organizations
with responsibility for investigating cybercrime. State and local law
enforcement organizations also have key responsibilities in addressing
cybercrime. Private entities--Internet service providers, security
vendors, software developers, and computer forensics vendors--focus on
developing and implementing technology systems to protect against computer
intrusions, Internet fraud, and spam and, if a crime does occur, detecting
it and gathering evidence for an investigation. In addition, numerous
partnerships have been established between public sector entities, between
public and private sector entities, and internationally to address various
aspects of cybercrime. For example, the Cyber Initiative and Resource
Fusion Unit is a partnership established among federal law enforcement,
academia, and industry to analyze cybercrime and determine its origin and
how to fight it.

^2Identity theft is the wrongful obtaining and using of another person's
identifying information in some way that involves fraud or deception.
Phishing is a high-tech scam that frequently uses unsolicited messages to
deceive people into disclosing their financial and/or personal identity
information.

^3U.S.-China Economic and Security Review Commission, 2006 Report to
Congress of the U.S.-China Economic and Security Review Commission
(Washington, D.C.: November 2006).

Efforts by public and private entities to address cybercrime are impeded
by major challenges that include

           o reporting cybercrime--entities do not always detect or report
           cybercrimes;
           o ensuring adequate law enforcement analytical and technical
           capabilities--law enforcement organizations often have difficulty
           obtaining and retaining investigators, prosecutors, and examiners
           with the specialized skills needed to address cybercrime; this is
           due in part to the staff rotation policies in place at certain law
           enforcement organizations;
           o working in a borderless environment with laws of multiple
           jurisdictions--because cybercrime crosses national and state
           borders, law enforcement organizations have to deal with multiple
           jurisdictions with their own laws and legal procedures, a
           situation that complicates investigations; and
           o implementing and raising awareness about strong information
           security practices--our experience in evaluating the information
           security of federal agencies demonstrates the difficulty that
           organizations face in maintaining strong information security
           programs; despite efforts by public and private entities to raise
           awareness about the importance of information security, many
           organizations and individuals remain insecure.

Public and private entities, cybercrime partnerships, and task
forces have initiated efforts to address these challenges,
including leveraging resources and technologies to fight
cybercrime. However, more can be done to help ensure agencies have
adequate law enforcement capabilities. Specifically, staff
rotation policies at key law enforcement agencies may hinder the
agencies' abilities to retain analytical and technical
capabilities supporting law enforcement.

In order to address the challenge of ensuring adequate law
enforcement analytical and technical capabilities, we are
recommending that the Attorney General and the Secretary of
Homeland Security reassess and modify, as appropriate, current
rotation policies to retain key expertise necessary to investigate
and prosecute cybercrime.

We received written comments on a draft of this report from the
FBI and Secret Service (see app. II and III). In their comments,
the Deputy Assistant Director from the FBI's Cyber Division and
the Assistant Director, Office of Inspection, U.S. Secret Service
mentioned efforts to assess and enhance their analytical and
technical capabilities. The FBI official stated that the bureau's
rotational policies for new Special Agents and senior field
Supervisory Special Agents were put into place after careful
consideration, and that five career paths--including a specific
designation for cyber matters--have been established. The Secret
Service official stated that the service is expanding its
Electronic Crimes Special Agent Program and will have
approximately 770 trained and active agents by the end of fiscal
year 2007. The service also reported that the rotation of the
Electronic Crimes Special Agent Program agents does not have a
detrimental impact on the agency's cyber investigative
capabilities because Secret Service field offices send additional
agents through the program prior to a trained agent's departure,
and because the Electronic Crime Task Forces allow the agency to
draw on state and local law enforcement officials trained in cyber
investigations and computer forensics. Despite these efforts to
assess and expand cyber analytical and technical capabilities, our
review showed that current rotational policies may result in both
agencies underutilizing staff with cyber expertise; therefore, it
is important for them to continually reassess the rotational
policies that impact their ability to address the cyber threat.

DOD, DOJ, DHS, state and local government, and other officials
also provided technical corrections that have been incorporated in
this report as appropriate.
			  
Background

Over 150 million U.S. citizens are connected to the Internet.
According to the FBI, the number of people with access to the
Internet increased 182 percent between 2000 and 2005. In 2006,
total nontravel-related spending on the Internet was estimated to
be $102 billion by a private sector entity, a 24 percent increase
over 2005. While the benefits of interconnectivity have been
enormous, it has provided new horizons and techniques for crime.

Cybercrime: Comparison between Cybercrime and Traditional Criminal
Techniques

Cybercrime refers to criminal activities that specifically target
a computer or network for damage or infiltration. For example, it
can be a crime to access ("hack into") a computer without
authorization or to distribute viruses. Cybercrime also includes
the use of computers as tools to conduct criminal activity such as
fraud, identity theft, and copyright infringement. Computers
significantly multiply the criminal's power and reach in
committing such crimes. Figure 1 describes and compares cybercrime
and traditional criminal techniques.

Figure 1: Comparison between Traditional Criminal Techniques and
Cybercrime

Cybercrime techniques have characteristics that can vastly enhance the
reach and impact of criminal activity, such as the following:

           o Criminals do not need to be physically close to their victims to
           commit a crime.
           o Technology allows criminal actions to easily cross multiple
           state and national borders.
           o Cybercrime can be carried out automatically, at high speed, and
           by attacking a vast number of victims at the same time.
           o Cybercriminals can more easily remain anonymous.

To help facilitate cybercrimes, criminals use several techniques
listed in table 1.

Table 1: Techniques Used to Commit Cybercrimes

Source: GAO analysis based on public and private sector sources.

^aA pop-up message is a type of window that appears over the browser
window of a Web site that a user has visited.

Companies that process large volumes of Internet traffic, such as Postini,
Symantec, and IBM, analyze their traffic for patterns and trends and have
found that the cybercrime techniques in table 1 are prevalent. Table 2
shows reported volumes of cybercrime techniques.

Table 2: Reported Volume of Cybercrime Techniques

Source: GAO analysis of private sector reports about Internet traffic
processed.

Framework for Addressing Cybercrime

Efforts to address cybercrime follow the same basic process as efforts to
address traditional crime. As figure 2 shows, this basic process is one of
protection, detection, investigation, and prosecution.

Figure 2: Crime Mitigation Framework

To protect networks and information against cybercrime, organizations and
individuals implement cybersecurity techniques such as access controls
(passwords) and firewalls. In addition, they use monitoring devices or
intrusion detection systems to detect incidents that could potentially be
criminal intrusions. As figure 2 shows, monitoring unusual activity allows
organizations and individuals to make adjustments to improve protection.
When a suspected cybercrime is detected, organizations and individuals
must decide what action to pursue. Depending on the severity of the
incident, the level of evidence, and their comfort with revealing the
incident, they may or may not report it to law enforcement.

Generally, investigations begin once an incident is reported to law
enforcement. During the preliminary investigation, federal, state, or
local law enforcement, along with their respective prosecutors, determine
if a crime occurred and if a further investigation is warranted. Also, in
some cases, private sector and academic analysts may provide expertise.
Among the factors weighed by law enforcement authorities in determining
whether to conduct an investigation are whether their agency has
jurisdiction over the crime, the number and location of the victims, the
expected location of the criminal, the amount of loss, and the agency's
investigative priorities and available resources. If it is determined that
an investigation will not be pursued, law enforcement may provide advice
to victims that may be used to improve their protective measures. When a
criminal investigation is pursued, law enforcement investigators have the
initial responsibility for leading the evidence-gathering effort and
working with cyberforensic investigators and examiners with the technical
expertise to analyze the evidence. In cases where evidence is not
voluntarily provided, law enforcement can use various subpoena authorities
to obtain information needed to perform the investigation.

A key component of cybercrime investigations is the gathering and
examination of electronic evidence that can be useful for prosecution.
Using cyberforensic tools and techniques,^4 cybercrime investigators and
examiners gather and analyze electronic evidence. If available,
cyberforensic laboratories may be used to extract the electronic evidence
and present it in a court-admissible format. The evidence could entail
analysis of terabytes of information on multiple electronic devices, the
electronic path taken by a fraudulent e-mail, pornographic images stored
on a hard drive, or data stored on a mutilated but later reconstructed
CD-ROM. The ability to gather electronic evidence and the assurance that
cyberforensic procedures do not compromise the evidence gathered can be
key to building a case and prosecuting cybercriminals.

Cybercrime investigations and evidence gathering can also be conducted
while a crime is ongoing. If a crime is being investigated while it is
still occurring, investigators may use sophisticated techniques to
investigate criminal activity that include court-ordered wiretaps. In
determining whether and how to gather evidence of information transmitted
electronically, law enforcement may make an application to a court for a
wiretap pursuant to the Wiretap Act.^5 To obtain such orders, the
application to the court must describe, among other things, the criminal
activity and the identity of those involved, if known.

^4Cyberforensics employs electronic tools to extract data from computer
media storage without altering the data retrieved. Cyberforensics
techniques may also require the reconstruction of media to retrieve
digital evidence after attempts to hide, disguise, or destroy it.

If sufficient evidence is gathered, it can lead to a prosecution. Federal
and state prosecutors determine if a prosecution will be pursued based on
a number of factors including jurisdiction over the crime, the type and
seriousness of the offense, the sufficiency of the evidence, their
prosecutorial priorities, and the location and number of the victims.
Prosecuting attorneys will also consider the dollar loss and the number of
incidents. Some federal prosecuting attorneys may not pursue cybercrime
cases because they do not meet the minimum thresholds established for
their districts. Thresholds are established by prosecuting attorneys to
appropriately focus their limited resources on the most serious crimes
that match their district's priorities. For example, if fraud has been
committed through the use of a computer, the amount of the dollar loss may
need to reach a specific threshold amount for the U.S. Attorney to accept
the case. When the U.S. Attorney does not accept a case for prosecution
because it does not meet such a threshold, state authorities may decide to
accept the case for prosecution.

In addition to criminal remedies, civil remedies are available to address
cybercrime activity. The burden of proof in a civil case is not as high as
in a criminal case. At the federal level, the FTC investigates activities
that could be classified as cybercrime as part of its consumer protection
mission and seeks civil injunctions and monetary remedies. In addition,
many states have civil statutes that may be applied to cybercrime
situations. In the State of Washington, for example, the Attorney General
can apply the state's consumer protection statute to cases of
cyber-facilitated fraud. Pursuing the case in civil court, the state's
Attorney General can seek civil remedies such as the repayment of losses
or penalties for wrongdoing or fraud, which could potentially deter future
criminal attempts.

^5In 1986, Congress passed the Electronic Communications Privacy Act
("ECPA"), Pub. L. No. 99-508 (Oct. 21, 1986), which, among other things,
extended the prohibitions contained in Title III of the Omnibus Crime and
Control and Safe Streets Act of 1968 (the "Wiretap Act"), 18 U.S.C. §§
2510-2521, to electronic communications that are in transit between
machines and contain no aural (human voice) component. The Wiretap Act
prohibits installing "sniffer" software to record keystroke and computer
traffic of a specific target unless one of the statutory exceptions
applies.

Governments Have Enacted Various Laws to Address Cybercrime

Federal and state governments and other nations have enacted laws that
apply to cybercrime and the legal recourse or remedies available. In
addition, there are international agreements to improve the laws across
nations and international cooperation on addressing cybercrime.

  Federal Laws

Federal statutes address specific types of cybercrime, while other federal
statutes address both traditional crime and cybercrime. Table 3 describes
key federal laws used to investigate and prosecute cybercrime activity.

Table 3: Key Federal Laws Used to Investigate and Prosecute Cybercrime

Source: GAO.

Members of Congress have proposed new federal legislation to augment
current cybercrime statutes. For example, in February 2007, the Internet
Stopping Adults Facilitating the Exploitation of Today's Youth Act
(SAFETY) was introduced in the House Judiciary Committee as an
anticybercrime bill. Among its various provisions addressing the
exploitation of children, the SAFETY Act provides for the promulgation of
regulations that would require Internet service providers to retain data
such as a subscriber's name and address, user identification, or telephone
number to facilitate law enforcement investigations. Also in February
2007, the Securing Adolescents From Exploitation-Online (SAFE) Act of 2007
was introduced in the Senate Committee on the Judiciary. The SAFE Act
would include explicit requirements for Internet service providers to
report suspected child pornography violations. The House of
Representatives passed the Securely Protect Yourself Against Cyber
Trespass Act in June 2007. This bill, if signed into law, would prohibit
the use of spyware that could take control of a computer or collect user
information without permission. The bill would authorize stiff civil
penalties against violators.

  State and Local Laws

State and local governments have been enacting laws to serve law
enforcement efforts in their individual jurisdictions and to enhance
cybercrime prevention, investigation, and prosecution efforts. States have
also enacted laws against particular types of cybercrime, including laws
addressing spamming and spyware. For example, Virginia's Anti-Spam Act
outlaws the use of fraudulent means, such as using a false originating
address, to send spam. Further, aggravating factors (such as sending
10,000 spam messages in a 24-hour period or generating more than $1,000 in
revenue from a specific spam message) make the crime punishable as a
felony under Virginia law. Also, California's Consumer Protection Against
Computer Spyware Act makes it illegal for anyone to install software on
someone else's computer and use it to deceptively modify settings,
including a user's home page, default search page, or bookmarks. It also
outlaws the collection, through intentionally deceptive means, of
personally identifiable information through keystroke-logging, tracking
Web site visits, or extraction of such information from a user's hard
drive.

California has also enacted legislation requiring security measures and
warnings for wireless network devices. In addition, Westchester County,
New York, has taken action to improve the security of wireless networks.
Its wireless security law requires that commercial businesses secure their
wireless networks or face fines. The law also requires businesses
providing wireless Internet access to put up signs advising users of the
security risks. Westchester County's enforcement efforts have brought
fines against businesses exposing sensitive data over wireless networks.

  Other Nations' Laws

Cybercrime laws vary across the international community. Australia enacted
its Cybercrime Act of 2001 to address this type of crime in a manner
similar to the U.S. Computer Fraud and Abuse Act, discussed above. In
addition, Japan enacted the Unauthorized Computer Access Law of 1999 to
cover certain basic areas similar to those addressed by the U.S. federal
cybercrime legislation. Countries such as Nigeria with minimal or less
sophisticated cybercrime laws have been noted sources of Internet fraud
and other cybercrime. In response, they have looked to the examples set by
industrialized nations to create or enhance their cybercrime legal
framework. A proposed cybercrime bill, the Computer Security and Critical
Information Infrastructure Protection Bill, is currently before Nigeria's
General Assembly for consideration. The bill, if adopted, would mirror
similar cybercrime legislation in industrialized nations like the United
States, the United Kingdom, Australia, South Africa, and Canada.

Because political or natural boundaries are not an obstacle to conducting
cybercrime, international agreements are essential to fighting cybercrime.
For example, on November 23, 2001, the United States and 29 other
countries signed the Council of Europe's Convention on Cybercrime as a
multilateral instrument to address the problems posed by criminal activity
on computer networks. Nations supporting this convention agree to have
criminal laws within their own nation to address cybercrime, such as
hacking, spreading viruses or worms, and similar unauthorized access to,
interference with, or damage to computer systems. It also enables
international cooperation in combating crimes such as child sexual
exploitation, organized crime, and terrorism through provisions to obtain
and share electronic evidence. The U.S. Senate ratified this convention in
August 2006. As the 16th of 43 countries to support the agreement, the
United States agrees to cooperate in international cybercrime
investigations. The governments of European countries such as Denmark,
France, and Romania have ratified the convention. Other countries
including Germany, Italy, and the United Kingdom have signed the
convention although it has not been ratified by their governments.
Non-European countries including Canada, Japan, and South Africa have also
signed but not yet ratified the convention.

Cybercrime Has Significant Economic Impacts and Threatens U.S. National Security
Interests, but Its Precise Magnitude Is Unknown

Cybercrime is a threat to U.S. national economic and security interests.
Based on various studies and expert opinion, the direct economic impact
from cybercrime is estimated to be in the billions of dollars. The overall
loss projection due to computer crime was estimated to be $67.2 billion
annually for U.S. organizations, according to a 2005 FBI survey. The
estimated losses associated with particular crimes include $49.3 billion
in 2006 for identity theft^6 and about $1 billion annually due to
phishing.^7 In addition, there is concern about threats that nation-states
and terrorists pose to our national security through attacks on our
computer-reliant critical infrastructures and theft of our sensitive
information. For example, according to the U.S.-China Economic and
Security Review Commission report, Chinese strategists are writing about
exploiting the vulnerabilities created by the U.S. military's reliance on
technologies and attacking key civilian targets.^8 Also, according to FBI
testimony, terrorist organizations have used cybercrime to raise money to
fund their activities. However, despite the reported loss of money and
information and known threats from our nation's adversaries, there remains
a lack of understanding about the true magnitude of cybercrime and its
impact because it is not always detected or reported.

^6Javelin Strategy & Research, 2007 Identity Fraud Survey Report: Identity
Fraud is Dropping, Continued Vigilance Necessary (Pleasanton, CA: February
2007).

^7Department of Homeland Security, Remarks by Assistant Secretary Gregory
Garcia at the RSA Conference on IT and Communications Security (San
Francisco, CA: February 2007).

^8U.S.-China Economic and Security Review Commission, 2006 Report to
Congress (Washington, D.C.: November 2006).

Economic Impacts of Cybercrime Are Significant

Based on various studies and expert opinion, the direct economic impact
from cybercrime is billions of dollars annually. The overall loss
projection due to computer crime was estimated to be $67.2 billion
annually for U.S. organizations, according to a 2005 FBI survey. The
estimated losses associated with particular crimes include $49.3 billion
in 2006 for identity theft and $1 billion annually due to phishing. The
studies and experts derive their projected losses based on direct and
indirect costs that may include

           o actual money stolen,
           o estimated cost of intellectual property stolen,
           o recovery cost of repairing or replacing damaged networks and
           equipment, and
           o intangible loss due to the opportunity loss from lack of
           customer confidence in doing online commerce.

           Table 4 shows the economic impact of cybercrime as reported by
           various studies and reports over the last several years.

Table 4: Economic Impact of Cybercrime

Source: GAO analysis of government and private sector reports and studies
about cybercrime.

Many of the surveys and studies, such as those from IC3 and Computer
Security Institute/FBI, are performed at least annually. In addition, the
DOJ's Bureau of Justice Statistics has conducted a cybercrime survey of
private sector entities to gain a more definitive understanding of
cybercrime's economic impact on the United States. As of May 2007, the
response rate and results had not been reported.

Individual legal cases also illustrate the financial losses that victims
incur due to cybercrime. Examples include the following:

           o In February 2007, a defendant was convicted of aggravated
           identity theft, access device fraud, and conspiracy to commit bank
           fraud in the Eastern District of Virginia. The defendant, who went
           by the Internet nickname "John Dillinger," was involved in
           extensive illegal online "carding" activities. He received e-mails
           or instant messages containing hundreds of stolen credit card
           numbers, usually obtained through phishing schemes or network
           intrusions, from "vendors" who were located in Russia and Romania.
           In his role as a "cashier" of these stolen credit card numbers,
           the defendant would then electronically encode these numbers to
           plastic bank cards, make ATM withdrawals, and return a portion to
           the vendors. Computers seized from the defendant revealed over
           4,300 compromised account numbers and full identity information
           (i.e., name, address, date of birth, Social Security number, and
           mother's maiden name) for over 1,600 individual victims.^9 
           o In September 2005, a Massachusetts juvenile was convicted in
           connection with approximately $1 million in victim damages. Over a
           15-month period, the juvenile hacked into Internet and telephone
           service providers, stole an individual's personal information and
           posted it on the Internet, and made bomb threats to high schools
           in Florida and Massachusetts.^10 
           o In October 2004, the Secret Service investigated and shut down
           an online organization that facilitated losses in excess of $4
           million and trafficked in around 1.7 million stolen credit cards
           and stolen identity information and documents. This high-profile
           case, known as "Operation Firewall," focused on a criminal
           organization of some 4,000 members whose Web site functioned as a
           hub for identity theft activity.^11 
           o In July 2003, a man was convicted of causing an aggregate loss
           of approximately $25 million and hacking into computers in the
           United States. The defendant pleaded guilty in these proceedings
           and admitted to numerous charges of conspiracy, computer
           intrusion, computer fraud, credit card fraud, wire fraud, and
           extortion. Those charges stemmed from the activities of the
           defendant and others who operated from Russia and hacked into
           dozens of computers throughout the United States, stealing
           usernames, passwords, credit card information, and other financial
           data, and then extorting money from those victims with the threat
           of deleting their data and destroying their computer systems.^12 
           o In May 2002, a New Jersey man was convicted of causing more than
           $80 million in damage by unleashing the "Melissa" computer virus
           in 1999 and disrupting personal computers and computer networks in
           business and government.^13
			  
Cybercrime Is a Threat to National Security

           There is continued concern about the threat that our adversaries
           pose to our national security through attacks on our
           computer-reliant critical infrastructures and theft of our
           sensitive information. Over the last several years, such risks
           have been described in a variety of reports and testimonies. Table
           5 describes the concerns raised.

^9Statement of Associate Deputy Attorney General before the Subcommittee
on Terrorism, Technology and Homeland Security of the Committee on the
Judiciary (Mar. 21, 2007).

^10U.S. Attorney's Office District of Massachusetts, Press Release,
"Massachusetts Teen Convicted for Hacking into Internet and Telephone
Service Providers and Making Bomb Threats to High Schools in Massachusetts
and Florida" (Sept. 8, 2005),
www.cybercrime.gov/juvenileSentboston.htm (Accessed Mar. 30, 2007).

^11Department of Justice (DOJ) Criminal Division, Press Release,
"Shadowcrew Organization Called 'One-Stop Online Marketplace for Identity
Theft'" (Oct. 28, 2004), www.cybercrime.gov/mantovaniIndict.htm (Accessed
Mar. 30, 2007).

^12U.S. Attorney's Office District of Connecticut, Press Release, "Russian
Man Sentenced for Hacking into Computers in the United States" (July 25,
2003), www.cybercrime.gov/ivanovSent.htm (Accessed Mar. 30, 2007).

^13U.S. Attorney's Office District of New Jersey, Press Release, "Creator
of Melissa Computer Virus Sentenced to 20 Months in Federal Prison" (May
1, 2002), www.cybercrime.gov/melissaSent.htm (Accessed Mar. 30, 2007).

Table 5: Reports and Testimonies Describing Threats to National Security

Source: GAO analysis of various reports and testimonies.

^aStatement for the Record by the Director of Central Intelligence to the
U.S. Senate Committee on Governmental Affairs, Permanent Subcommittee on
Investigations, "Foreign Information Warfare Programs and Capabilities"
(June 25, 1996).

^bStatement for the Record, Deputy Assistant Director and Chief, National
Infrastructure Protection Center, Federal Bureau of Investigation, before
the Congressional Joint Economic Committee (Mar. 24, 1998).

^cThe Center for Strategic and International Studies, "Cybercrime,
Cyberterrorism, and Cyberwarfare: Averting an Electronic Waterloo" (Dec.
15, 1999).

^dNational Communications System, "The Electronic Intrusion Threat to
National Security and Emergency Preparedness (NS/EP) Telecommunications:
An Awareness Document," third edition (March 1999).

^eStatement of the Director of Central Intelligence to the U.S. Senate
Select Committee on Intelligence, "Current and Projected National Security
Threats to the United States" (Feb. 6, 2002).

^fInstitute for Security Technology Studies at Dartmouth
College, "Examining the Cyber Capabilities of Islamic Terrorist Groups"
(Hanover, N.H.: March 2004).

^gStatement of the FBI Director to the U.S. Senate Select Committee on
Intelligence, "Current and Projected National Security Threats to the
United States" (Feb. 16, 2005).

The risks posed by this increasing and evolving threat are demonstrated by
actual and potential attacks and disruptions, such as those cited below.

           o DOD officials stated that its information network, representing
           approximately 20 percent of the entire Internet, receives
           approximately 6 million probes/scans a day. Further,
           representatives from DOD stated that between January 2005 and July
           2006, the agency initiated 92 cybercrime cases, the majority of
           which involved intrusions or malicious activities directed against
           its information network.
           o In November 2006, the U.S.-China Economic and Security Review
           Commission^14 reported that China is actively improving its
           nontraditional military capabilities. According to the study,
           Chinese military strategists write openly about exploiting the
           vulnerabilities created by the U.S. military's reliance on
           advanced technologies and the extensive infrastructure used to
           conduct operations. Chinese military writings also refer to
           attacking key civilian targets such as financial systems. In
           addition, the report stated that Chinese intelligence services are
           capable of compromising the security of computer systems. The
           commission also provided instances of computer network
           penetrations coming from China. For example, in August and
           September 2006, attacks on computer systems of the Department of
           Commerce's Bureau of Industry and Security forced the bureau to
           replace hundreds of computers and lock down Internet access for 1
           month.
			  
^14U.S.-China Economic and Security Review Commission, 2006 Report to
Congress of the U.S.-China Economic and Security Review Commission
(Washington, D.C.: November 2006).
			  
           o In August 2006, a California man was convicted for conspiracy to
           intentionally cause damage to a protected computer and commit
           computer fraud. Between 2004 and 2005, he created and operated a
           botnet that was configured to constantly scan for and infect new
           computers. For example, in 2 weeks in February of 2005, the
           defendant's bots reported more than 2 million infections of more
           than 629,000 unique addresses (some infected repeatedly). It
           damaged hundreds of DOD computers worldwide. The DOD reported a
           total of $172,000 of damage due to a string of computer intrusions
           at numerous military installations in the United States (including
           Colorado, Florida, Hawaii, Maryland, South Carolina, and Texas)
           and around the world (including Germany and Italy). In addition,
           the botnet compromised computer systems at a Seattle hospital,
           including patient systems, and damaged more than 1,000 computers
           in a California school district over the course of several months
           in 2005. Officials from the California school district reported
           damages between $50,000 and $75,000 to repair its computers after
           the botnet struck in February 2005.^15 
           o The Central Intelligence Agency has identified two known
           terrorist organizations with the capability and greatest
           likelihood to use cyber attacks against our infrastructures.^16 
           o In March 2005, security consultants within the electric industry
           reported that hackers were targeting the U.S. electric power grid
           and had gained access to U.S. utilities' electronic control
           systems. Computer security specialists reported that, in a few
           cases, these intrusions had "caused an impact." While officials
           stated that hackers had not caused serious damage to the systems
           that feed the nation's power grid, the constant threat of
           intrusion has heightened concerns that electric companies may not
           have adequately fortified their defenses against a potential
           catastrophic strike.^17 
			  
^15DOJ, United States Attorney for the Western District of Washington,
Press Release, California Man Sentenced for "Botnet" Attack that
Implicated Millions: Network of Robot Computers Damaged Military
Installations, Northwest Hospital, and California School District
(Seattle, WA: Aug. 25, 2006).

^16Statement for the Record, Information Operations Issue Manager, Central
Intelligence Agency, before the Congressional Joint Economic Committee
(Feb. 23, 2000).

^17GAO, Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
GAO-05-434 (Washington, D.C.: May 26, 2005).

           o Terrorist organizations have used cyberspace and cybercrime to
           raise money in a number of ways, such as facilitating protection
           schemes, credit card fraud, and drug smuggling. For example, in a
           July 2002 testimony, FBI officials stated that Al Qaeda terrorist
           cells in Spain used stolen credit card information to make
           numerous purchases.^18 In addition, Indonesian police officials
           believe the 2002 terrorist bombings in Bali were partially
           financed through online credit card fraud, according to press
           reports.^19

           As larger amounts of money are transferred through computer
           systems, as more sensitive economic and commercial information is
           exchanged electronically, and as the nation's defense and
           intelligence communities increasingly rely on commercially
           available information technology, the likelihood increases that
           information attacks will threaten vital national interests.
			  			  
Precise Magnitude of Cybercrime Is Unknown

           Despite the large reported impact of cybercrime, the true impact
           of cybercrime in the United States is unknown because cybercrimes
           are not always detected or reported. Organizations and individuals
           do not always detect cybercrimes. The systems put in place to
           audit and monitor systems, including intrusion detection systems,
           intrusion protection systems, security event correlation tools,
           and computer forensics tools,^20 have limitations that impact
           their ability to detect a crime occurring.^21 For example, the
           effectiveness of intrusion
           detection systems is limited by their ability to capture accurate
           baselines or normal network or system activity. Also, these
           systems are prone to false positives and false negatives and are
           not as effective in protecting against unknown attacks. In
           addition, the effectiveness of security event correlation tools is
           limited by their ability to interface with numerous security
           products and the quality of the logs they rely upon.
			  
^18Statement for the Record, Chief, Terrorist Financial Review Group, FBI,
before the Senate Judiciary Committee, Subcommittee on Technology,
Terrorism and Government Information (July 9, 2002).

^19The Washington Post, An Indonesian's Prison Memoir Takes Holy War Into
Cyberspace (Dec. 14, 2004).

^20Intrusion detection systems detect inappropriate, incorrect, or
anomalous activity on a network or computer system. Intrusion prevention
systems build on intrusion detection systems to detect attacks on a
network and take action to prevent them from being successful. Security
event correlation tools monitor and document actions on network devices
and analyze the actions to determine if an attack is ongoing or has
occurred. Computer forensic tools identify, preserve, extract, and
document computer-based evidence.

           When a cybercrime is detected, companies and individuals can
           choose not to report the crime. Companies and individuals weigh
           the cost and impact of the incident against the time and effort
           needed to support an investigation and prosecution. Cybercrime
           reporting is discussed further in our challenges section.
			  
Numerous Public and Private Organizations Have Responsibilities to
Protect Against, Detect, Investigate, and Prosecute Cybercrime

           Federal agencies, state and local law enforcement, private
           industry, and academia have responsibilities, based on their
           primary missions or business interests, to protect against,
           detect, investigate, and prosecute cybercrime. Public and private
           sector entities are engaged in these efforts individually and
           through collaborative efforts.
			  
Many Public Entities Have Responsibilities for Addressing Cybercrime

           DOJ, DHS, DOD, and the FTC have key roles in addressing
           cybercrime within the federal government, along with the federal
           inspectors general. State and local law enforcement organizations
           also have key responsibilities in addressing cybercrime. Efforts
           range from fighting cybercrime by investigating and prosecuting it
           to improving the protection of systems through raising awareness
           and building relationships.
			  
^21GAO, Technology Assessment: Cybersecurity for Critical Infrastructure
Protection, GAO-04-321 (Washington, D.C.: May 28, 2004).

             Key Department of Justice Organizations

           The key agencies within DOJ that focus on enforcing cybercrime
           violations include the Criminal Division, U.S. Attorneys, and the
           FBI. Table 6 shows key DOJ organizations, suborganizations, and
           activities.

Table 6: Department of Justice's Key Organizations and Activities to
Mitigate Cybercrime

Sources: GAO and DOJ.

  Key Department of Homeland Security Organizations

Three key agencies within DHS have a role in addressing cybercrime
issues--the Secret Service, the Cyber Security and Communications Office's
National Cyber Security Division, and Immigration and Customs Enforcement.
Table 7 shows key DHS organizations, suborganizations, and activities.

Table 7: Department of Homeland Security's Key Organizations and
Activities to Mitigate Cybercrime

Sources: GAO and DHS.

^aThe National Cyber Response Coordination Group is a forum of national
security, law enforcement, defense, intelligence, and other government
agencies that coordinates governmental and public/private preparedness and
response to and recovery from national level cyber incidents and physical
attacks that have significant cyber consequences.

  Key Department of Defense Organizations

Within DOD, the Defense Criminal and Counterintelligence Investigation
Organizations conduct all law enforcement investigations and the Defense
Cyber Crime Center (DC3) can provide forensics support. Table 8 shows key
organizations, suborganizations, and activities.

Table 8: Department of Defense Key Organizations and Activities to
Mitigate Cybercrime

Sources: GAO and DOD.

^aDOD Criminal and Counterintelligence Investigative Organizations include
the Air Force Office of Special Investigations, Army Military
Intelligence, Army Criminal Investigations Command, Naval Criminal
Investigative Service, and Defense Criminal Investigative Service.

  Federal Trade Commission

The FTC was created to prevent unfair methods of competition. Its mission
expanded over time with additional legislation authorizing it to serve as
a protective force for U.S. consumers. The agency has the authority to
file civil enforcement actions either in federal district court or
administratively. Remedies in these civil actions range from orders to
stop the illegal conduct to requiring disgorgement of illegal proceeds or
payment of restitution.

FTC's Bureau of Consumer Protection investigates and enforces matters
related to activities that may be classified as cybercrime. It has several
divisions that focus primarily on different aspects of the FTC's consumer
protection mission. According to FTC staff, the Bureau of Consumer
Protection is composed of six divisions, which target different
substantive areas for enforcement and outreach purposes. The divisions
routinely coordinate initiatives and share resources to most efficiently
and effectively further the consumer protection mission. Its resources
include headquarters staff and staff located at eight regional offices that
investigate and bring a variety of consumer protection and competition
cases and engage in outreach efforts. In addition, the Criminal Liaison
Unit coordinates for all of the Bureau of Consumer Protection's divisions
with criminal law enforcement agencies across the U.S. to encourage the
prosecution of criminal fraud.

  Federal Inspectors General

Federal Inspectors General have a role in preventing, detecting, and
investigating cybercrime within their respective agencies. Specifically,
14 of 19 Inspectors General that provided information to us stated that
they handle cybercrime investigations affecting their respective agency
within their own capabilities. For example, certain Inspectors General
reported having significant efforts in addressing cybercrime, including
those for the Departments of Education, Energy, and Transportation and the
Environmental Protection Agency. Additionally, 11 of the 19 Inspectors
General stated that they perform an education and awareness role within
their respective agencies by conducting training, providing presentations,
and performing activities mandated by the Federal Information Security
Management Act.^22

  State and Local Law Enforcement Organizations

State and local organizations address cybercrime through efforts to share
information, improve expertise, and facilitate cybercrime prosecutions
both nationally and locally. For example, on a national basis, SEARCH, an
organization dedicated to improving state-level law enforcement, has three
cybercrime-focused programs related to providing high-tech crime training,
technical assistance, and research on emerging technology nationwide. In
addition, the National Association of Attorneys General has a cybercrime
initiative benefiting state prosecutors. It also hosts a cybercrime
conference that provides training in cybercrime investigative areas,
legislation, case law, and public education tools. The association's
executive working group meets quarterly and shares information on criminal
issues, including cybercrime.

^22The Federal Information Security Management Act was enacted as Title
III, E-Government Act of 2002, Pub. L. No. 107-347, to establish clear
criteria to improve federal agencies' information security programs.
According to the act, information security is defined as protecting
information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to maintain
their integrity, confidentiality, and availability.

State-level law enforcement entities have implemented initiatives to
facilitate the investigation and prosecution of cybercrime in the states.
For example, the Commonwealth of Virginia's Office of the Attorney General
has a Computer Crime unit dedicated to investigating criminal cases
violating the Virginia Computer Crimes Act. In addition, Virginia's
Attorney General formed the Virginia Cyber Crime Strike Force that
collaborates with the U.S. Attorneys' Offices, the Virginia State Police,
the FBI and Virginia's Bedford County Sheriff's Office to investigate and
prosecute cybercrime. Other examples of state efforts are the (1)
Washington Attorney General's High Tech Crime Unit, which litigates cases
of cyberfraud and pursues civil remedies under the state's broad consumer
protection law, and (2) Washington State Patrol Computer Crime unit that
serves as a first responder to computer crimes affecting state-funded
institutions such as state and local governments and public schools and
universities.

Private-Sector Entities Focus on Protection and Detection Efforts

The private sector's focus is on the development and implementation of
technology systems to protect against computer intrusions, Internet fraud,
and spam and, if a crime does occur, to detect it and gather admissible
evidence for an investigation. The private entities that focus on these
technological efforts include Internet service providers, security
vendors, software developers, and computer forensics vendors:

           o Internet service providers offer businesses and home users
           various levels of access to the Internet and other
           Internet-related services such as customer support and spam and
           virus protection. Providers also assist law enforcement by
           monitoring and providing information on selected Internet
           activities and provide technical expertise to assist with
           investigations. In addition, providers can pursue civil action
           against users to punish inappropriate behavior.
           o Security vendors such as e-mail security firms can screen
           electronic messages for harmful data and take action to prevent
           such data from reaching the intended target. Vendors also assist
           law enforcement by reporting instances of computer crime,
           providing technical assistance, and pursuing civil action against
           inappropriate behavior.
           o Software developers are improving the quality and security of
           operating system programs to detect and block malicious code.
           o Computer forensics vendors provide private companies with
           computer forensics investigative services to detect the theft of
           trade secrets and intellectual property, detect employee fraud,
           locate and recover previously inaccessible documents and files,
           provide reports on all user activity, and access
           password-protected files. In addition, computer forensic vendors
           develop tools used by law enforcement to investigate cybercrime.
           These tools allow for the analysis of digital media and the
           gathering of evidence that is admissible in court.
			  
Numerous Public and Private Partnerships Work to Address Cybercrime

           Numerous partnerships have been established between public sector
           entities, between public and private sector entities, and
           internationally to collaborate and implement effective cybercrime
           strategies. Each of their strategies includes information sharing
           activities and consumer awareness efforts. Table 9 gives brief
           descriptions of key partnerships, their purposes, and primary
           stakeholders.

Table 9: Key Partnerships Established to Address Cybercrime

Source: GAO analysis of various reports and documents.

^aThe National White Collar Crime Center provides a nationwide support
system for agencies involved in the prevention, investigation, and
prosecution of economic and high-tech crimes and to support and partner
with other appropriate entities in addressing homeland security
initiatives, as they relate to economic and high-tech crimes. Through a
combination of training and critical support services, they equip state
and local law enforcement agencies with skills and resources they need to
tackle emerging economic and cybercrime problems.

Public and Private Sectors Face Challenges in Addressing Cybercrime

Numerous challenges impede the efforts of public and private entities to
mitigate cybercrime (see table 10), including (1) reporting cybercrime, (2)
ensuring adequate law enforcement analytical and technical capabilities,
(3) working in a borderless environment with laws of multiple
jurisdictions, and (4) implementing information security practices and
raising awareness.

Table 10: Challenges to Addressing Cybercrime

Source: GAO.

Reporting Cybercrime

Although surveys and studies show that the nation potentially loses both
billions of dollars annually and sensitive information as a result of
cybercrime, definitive data on the amount of cybercrime is not available.
Understanding the impact of cybercrime in the United States is a challenge
because reporting of cybercrime is limited.

When a cybercrime is detected, entities and individuals can choose to
report it to law enforcement or not. They weigh the cost and impact of the
incident against the time and effort needed to support an investigation and
prosecution. In addition, our work and findings of the Congressional
Research Service related to information sharing have shown that businesses
do not always want to report problems because there is a perception that
their information will be disclosed publicly, which could, in turn, cause
harm to their business.^23 Reasons for not reporting a crime to law
enforcement include the following:

           o Financial market impacts. The stock and credit markets and bond
           rating firms react negatively to security breach announcements,
           which could raise the cost of capital to reporting firms. Even
           firms that are privately held and are not active in public
           securities markets can be adversely affected if banks and other
           lenders judge them to be more risky than previously thought.
           o Reputation or confidence effects. Negative publicity damages a
           reporting firm's reputation or brand, and could cause customers to
           lose confidence, giving commercial rivals a competitive advantage.
           o Litigation concerns. If an organization reports a security
           breach, investors, customers, or other stakeholders can use the
           courts to seek recovery of damages. If the organization has been
           open in the past about previous incidents, plaintiffs may allege a
           pattern of negligence.
           o Signal to attackers. A public announcement alerts hackers that
           an organization's cyber-defenses are weak and can inspire further
           attacks.
           o Inability to share information. Some private-sector entities
           want to share information about an incident with law enforcement
           and other entities; however, once the information becomes part of
           an ongoing investigation, their ability to share information may
           be limited.
           o Job security. IT personnel fear for their jobs after an incident
           and seek to conceal the breach from senior management.
           o Lack of law enforcement action. According to private sector
           officials, law enforcement entities have failed to investigate
           cases reported to them, which is a disincentive to their reporting
           crimes in the future.

           To improve the reporting of cybercrime, the numerous
           public/private partnerships (e.g., the National Cyber Forensics
           and Training Alliance, InfraGard, and the Electronic Crimes Task
           Forces), as well as the awareness and outreach efforts of law
           enforcement discussed earlier, are methods for building better
           relationships and understanding between the public and private
           sectors. These efforts may increase trust between the public and
           private sector and encourage better reporting of cybercrimes when
           they occur.
			  
^23GAO, Information Sharing: Practices That Can Benefit Critical
Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct. 15, 2001)
and GAO, Critical Infrastructure Protection: Challenges for Selected
Agencies and Industry Sectors, GAO-03-233 (Washington, D.C.: Feb. 28,
2003); Congressional Research Service, The Economic Impact of Cyber
Attacks, RL 32331 (Washington, D.C.: Apr. 1, 2004).

           Ensuring Adequate Law Enforcement Analytical and Technical Capabilities

           Efforts by law enforcement to investigate and prosecute cybercrime
           require individuals with specialized skills and tools. According
           to federal, state, and local law enforcement and private sector
           officials, it is a challenge to recruit such individuals from a
           limited pool of available talent, retain them in the face of
           competing offers, and train them to stay up to date with changing
           technology and increasingly sophisticated criminal techniques.
			  
             Obtaining and Retaining Investigators, Prosecutors, and Cyberforensics Examiners

           Federal and state law enforcement organizations face challenges in
           having the appropriate number of skilled investigators, forensic
           examiners, and prosecutors. According to federal and state law
           enforcement officials, the pool of qualified candidates is limited
           because individuals involved in investigating or examining
           cybercrime are highly trained specialists requiring both law
           enforcement and technical skills, including knowledge of various
           IT hardware and software and forensic tools. According to Defense
           Cyber Crime Center officials, once an investigator or examiner
           specializes in cybercrime, it can take up to 12 months for those
           individuals to become proficient enough to fully manage their own
           investigations. Further, according to state officials, state and
           local law enforcement agencies do not have the resources needed to
           hire the investigators with adequate technical knowledge required
           to address cybercrime.

           Law enforcement organizations also find it difficult to retain
           highly skilled cyberforensic investigators and examiners.
           According to federal and state officials, the private sector
           demands individuals with the same skills and successfully attracts
           them away from their government positions with much higher
           salaries and better benefits. For example, according to an
           Assistant U.S. Attorney, several cybercrime experts, including
           attorneys, federal and state law enforcement agents, and
           cyberforensic examiners, have left their government positions due
           to the higher salaries and benefits offered by the private sector.

           The available pool of experienced federal cybercrime investigators
           is also impacted by FBI and Secret Service rotation policies. For
           example, according to FBI officials, new FBI agents, not initially
           assigned to one of the 15 largest field offices, are required to
           rotate to one of these large offices after 3 years in order to
           have diversified experiences. According to FBI headquarters and
           field agents, when cybercrime investigators rotate out under this
           policy, they are not necessarily reassigned to cybercrime
           investigations in their new field office, and so their extensive
           cyber background is underutilized. In addition, the agents who
           rotate in to replace experienced cybercrime investigators may have
           little or no cybercrime experience or background. Further,
           according to FBI officials, the pool of experienced senior
           managers is impacted by the FBI's current policy that senior field
           supervisory agents are limited to 5-year terms in their positions
           and then most move to seek further career advancement. This can
           include the movement of experienced cybercrime investigators out
           of senior cybercrime positions. Similarly, according to Secret
           Service officials, most Secret Service agents, including those
           with technical, cybercrime investigation expertise, rotate to a
           protective assignment, which focuses on the protection of the
           President, Vice President, and others and not on the investigation
           of cybercrime. In addition, officials stated that there is an
           investigative career track that allows agents to continue doing
           investigations, including those related to cybercrime; however,
           protective assignments are perceived as higher profile and could
           lead to greater career advancement. FBI and Secret Service
           officials acknowledged that the rotation policies have at times
           resulted in these agencies underutilizing staff with cyber
           expertise.
			  
			    Keeping Up to Date with Current Technology and Criminal Techniques

           The rapid evolution of technology and cybercrime techniques means
           that law enforcement agencies must continuously upgrade technical
           equipment and software tools. Such equipment and tools are
           expensive, and agencies' need for them does not always fall into
           the typical federal replacement cycle. For example, in order for
           investigators to perform cyberforensic examinations and gather the
           evidence required to support a prosecution, the examiners and
           investigators must, in some cases, store and analyze huge amounts
           of digital data. According to federal law enforcement officials,
           the amount of data being collected is growing exponentially.
           However, according to law enforcement officials, state and local
           law enforcement agencies do not always have the resources to
           obtain the equipment necessary to analyze large amounts of data.
			  
           Law enforcement organizations also find that maintaining a current
           understanding of new criminal techniques and technologies can be
           difficult. For example, law enforcement agents are required to
           extract forensic data from IT devices that have only been on the
           market for months. They also must keep up with innovative criminal
           techniques and approaches. For example, techniques for assembling
           and controlling botnets are becoming increasingly sophisticated
           and difficult to trace, making it difficult to identify certain
           spamming and phishing schemes. In addition, criminals are
           increasing their use of encryption techniques.^24 This requires
           law enforcement to continue to research and develop appropriate
           countermeasures. Training can help to keep investigators' skills
           current, but relevant courses are limited, costly, and
           time-consuming, and take agents away from the cases that they are
           investigating.

           Federal and state law enforcement organizations are taking steps
           to improve their analytic and technical capabilities. For example,
           the Secret Service has developed training programs for federal,
           state, and local law enforcement and DOD's Defense Cyber Crime
           Center has a cyberforensic training program for DOD investigators
           and other law enforcement officials. Further, the FBI's Cyber
           Action Teams rapidly provide technical expertise to cybercrime
           investigations worldwide, when needed. To overcome shortfalls in
           equipment and electronic storage, the FBI is sponsoring regional
           computer forensics laboratories to serve the needs of an entire
           region's law enforcement. In addition, public/private
           partnerships, like the FBI's InfraGard and National Cyber
           Forensics Training Alliance and the Secret Service's Electronic
           Crimes Task Forces, provide ways to share expertise between law
           enforcement, the private sector, and academia. Although it will
           continue to be a challenge to keep current with the rapid
           evolution of technology and cybercrime techniques, these DOD, FBI,
           and Secret Service efforts are positive steps to attempt to keep
           up with techniques and technology for investigations.
			  
	  			  Working in a Borderless Environment with Laws of Multiple Jurisdictions

           Law enforcement organizations face the challenge of investigating
           and prosecuting cybercrime that crosses national and state
           borders, and working with laws, legal procedures, and law
           enforcement entities from multiple jurisdictions. Working in this
           environment complicates most cyber investigations.

           Private sector, individual, and law enforcement efforts are
           complicated by the borderless nature of cybercrime. As discussed
           earlier, cybercriminals are not hampered by physical proximity or
           regional, national, or international borders. Cybercriminals can
           be physically located in one nation or state, direct their crime
           through computers in multiple nations or states, and store
           evidence of the crime on computers in yet another nation or state.
           This makes it difficult to trace the cybercriminals to their
           physical location. In addition, cybercriminals can take steps to
           remain anonymous, making it difficult, if not impossible, to
           attribute a crime to them.
			  
^24Encryption is the process of encoding a message so that it can be read
only by the sender and the intended recipient.

           Similar to efforts addressing traditional crime, efforts to
           investigate and prosecute cybercrime are complicated by the
           multiplicity of laws and procedures that govern in the various
           nations and states where victims may be found, and the conflicting
           priorities and varying degrees of expertise of law enforcement
           authorities in those jurisdictions. Laws used to address
           cybercrime differ across states and nations. For example, not all
           U.S. states have antispam laws or antispyware laws. In addition,
           an act that is illegal in the United States may be legal in
           another nation or not directly addressed in the other nation's
           laws. Developing countries, for example, may lack cybercrime laws
           and enforcement procedures.

           Further, jurisdictional boundaries can limit the actions that
           federal, state, and local law enforcement can take to investigate
           cybercrime that crosses local, regional, and national borders. For
           example, state and local officials may be unable to pursue
           investigations outside of their jurisdiction, so when a cybercrime
           goes beyond their jurisdiction, they may need to rely upon
           officials of other jurisdictions to further investigate the crime.
           Additionally, extradition between states can be complicated
           depending on the laws of the state where the suspect is located
           and the knowledge of the states' law enforcement and judiciary
           regarding cybercrime. In addition, the United States does not have
           extradition arrangements with all nations, which makes it
           impossible to extradite a cybercriminal from certain nations.
           Extradition from nations having an extradition agreement with the
           United States can be complicated or impossible if the nation's
           laws do not make the action illegal or its magistrate is not
           knowledgeable about cybercrime. Also, state and local officials
           are unable to extradite persons from other nations without federal
           law enforcement assistance.

           Conflicting priorities also complicate cybercrime investigations
           and prosecutions. Cybercrime can occur without physical proximity
           to the victim, and thus a cybercriminal can operate without
           victimizing a citizen in the jurisdiction or federal judicial
           district in which the crime originated. With no negative impact on
           the citizens in that district, there may be no incentive for the
           local citizens to press their law enforcement officers to
           investigate the crime. According to state officials, it is
           difficult to commit resources to crimes where the victims are
           outside their state or jurisdiction, although the suspected
           cybercriminal may be prosecuted in the jurisdiction where the
           victim is located.

           Federal and state law enforcement organizations are taking steps
           to help them work in the borderless environment within which
           cybercriminals operate. For example, federal, state, and local law
           enforcement organizations participate in cybercrime task forces
           that combine a region's law enforcement capabilities to
           investigate and prosecute cybercrime in the most advantageous way.
           To address transnational jurisdiction, investigation, and
           prosecution issues, DOJ and the State Department have established
           agreements with more than 40 nations through the G-8 High Tech
           Crime Working Group to address cybercrime cooperatively. The
           Council of Europe's Cybercrime Convention is a similar
           international effort. These and other efforts are essential to
           addressing the transborder nature of cybercrime and enhancing the
           ability of law enforcement to capture, prosecute, and punish
           cybercriminals.
			  
			  Implementing Information Security Practices and Raising Awareness

           A major challenge in mitigating cybercrime is improving
           information security practices on the part of organizations and
           individual Internet users. Raising awareness about criminal
           behavior and the need to protect information and systems is a key
           activity in addressing cybercrime.
			  
			    Protecting Information and Information Systems

           Criminals often take advantage of poor computer security
           practices, which makes maintaining a strong information security
           posture vital to efforts to stop cybercrime. However, individuals
           allow easy access for criminals to their personal computers and
           electronic devices by not enabling security on those devices.
           Without adequate information security, critical systems and
           sensitive data are more susceptible to criminal access, theft,
           modification, and destruction. Further, our audits have shown that
           federal agencies do not adequately protect the information systems
           that the government relies upon to deliver services to its
           customers. In addition, over the last several years, we have
           identified the challenges associated with the federal government's
           efforts to coordinate public and private sector efforts to protect
           the computer systems that support our nation's critical
           infrastructures. As a result, federal information security has
           been on GAO's list of high-risk areas since 1997 and cyber
           critical infrastructure protection since 2003.^25 In addition, we
           have made numerous recommendations to enhance the security of
           federal information systems and cyber critical infrastructure
           protection efforts. Implementation of these recommendations is
           essential to protecting federal information systems.
			  
^25GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007).

             Raising Awareness about Criminal Behavior

           A major challenge is educating the public in how to recognize
           cybercrime when it is occurring. Criminals prey on people's
           ignorance and susceptibility to ruses. For example, attackers
           create e-mail and Web sites that appear legitimate, often copying
           images and layouts of actual Web sites. Some cybercrime techniques
           also take advantage of combinations of vulnerabilities. For
           example, phishing entices users to provide the sensitive
           information desired. However, phishers also use technical methods
           to exploit software and system vulnerabilities to reinforce users'
           perceptions that they are on a legitimate Web site.

           Despite efforts by public and private entities to raise awareness
           about the importance of information security and the techniques
           used by criminals, users continue not to understand the need to
           protect their personal information and to recognize unusual
           requests that could be criminal activity. The types of cybercrime
           that the media highlight, such as child pornography cases and
           major companies being hacked, do not tend to undermine people's
           trust in the Internet. For example, there continue to be reports
           of people falling victim to well-known scams such as the Nigerian
           4-1-9 fraud.^26 In addition, even as awareness grows, practices
           are not easily changed. Further, the issues of adequate awareness
           apply to law enforcement. State and local law enforcement may not
           be aware of the cybercrime problem that could be impacting their
           citizens.

           There are numerous steps being taken to improve security of
           information systems and raise user awareness. For example, as
           discussed earlier, information security vendors provide software
           and services; software developers are attempting to improve the
           quality and security of their products; public and private
           entities are working together to identify and mitigate risks,
           including criminal activities; and federal organizations, such as
           the FBI, the Secret Service, FTC, and DHS, sponsor programs and
           organizations to raise user awareness about securing their
           information and not becoming a victim of cybercrime. These are
           positive steps to improve security and raise awareness.
			  
			  Conclusions

           The actual and potential harms that result from cybercrime attacks
           in the United States are significant. Although the precise amount
           of economic loss due to cybercrime is unknown, its impact is
           likely billions of dollars. In addition, nation-state and
           terrorist adversaries are seeking ways to attack our nation's
           critical infrastructures and steal our sensitive information.

           While numerous public and private entities--federal agencies,
           state and local law enforcement, industry, and academia--have
           responsibilities to address these threats, they face challenges in
           protecting against, detecting, investigating, and prosecuting
           cybercrimes. These challenges include reporting cybercrime,
           ensuring adequate law enforcement analytical and technical
           capabilities, working in a borderless environment with laws of
           multiple jurisdictions, and implementing information security
           practices and raising awareness.
			  
^26The Nigerian 4-1-9 fraud is an advance fee scam where criminals deceive
victims into the payment of a fee by persuading them that they will
receive a very large benefit in return. Through the Internet, businesses
and individuals around the world have been, and continue to be, targeted
by perpetrators of this scam.

           Public and private entities are working to address these
           challenges by expanding public/private partnerships to increase
           the trust between entities, to improve the quality and quantity of
           shared information, and to leverage resources and technologies
           across public and private boundaries. In addition, law enforcement
           organizations have formed task forces and international agreements
           to foster working in a borderless environment with laws from
           multiple jurisdictions. Continued expansion of these efforts is
           essential. Additionally, more can be done to assure an adequate
           pool of individuals with the skills needed to effectively combat
           cybercrime. Although law enforcement agencies must be sensitive to
           a number of organizational issues and objectives in their human
           capital programs, current staff rotation policies at key law
           enforcement agencies may negatively impact the agencies'
           analytical and technical capabilities to combat cybercrime.
			  
			  Recommendation for Executive Action

           We recommend that the Attorney General direct the FBI Director and
           the Secretary of Homeland Security direct the Director of the
           Secret Service to assess the impact of the current rotation
           approach on their respective law enforcement analytical and
           technical capabilities to investigate and prosecute cybercrime and
           to modify their approaches, as appropriate.
			  			  
           Agency Comments and Our Evaluation

           We received written comments on a draft of this report from the
           FBI (see app. II). In the response, the Deputy Assistant Director
           from the FBI's Cyber Division stated that the FBI Director had
           approved rotational policies after careful consideration of the
           viable alternatives provided by analysis and study conducted by
           the Human Resources Division. Further, he stated that the FBI
           Director had endorsed the establishment of five distinct career
           paths for both new and veteran special agents, including a
           specific designation for cyber matters. According to the Assistant
           Director, this career path will ensure the FBI recruits, trains,
           and deploys special agents with the critical cyber skill set
           required to maintain the FBI on the cutting edge of computer
           technology and development, and positioned to counter the
           constantly evolving cyber threat. Despite these efforts to assess
           and expand analytical and technical capabilities, the current
           rotational policies may adversely affect the FBI's use of staff
           with cyber expertise; therefore, it is important to continually
           reassess the rotational policies that impact the FBI's ability to
           address the cyber threat.

           In addition, we received written comments on a draft of this
           report from the Secret Service (see app. III). In the response,
           the Assistant Director, Office of Inspection, stated that agents
           who complete the Electronic Crimes Special Agent Program's
           computer forensics training course are required to serve a minimum
           of four years in the program. In addition, he stated that the
           Secret Service is expanding its Electronic Crimes Special Agent
           Program and will have approximately 770 trained and active agents
           by the end of fiscal year 2007. He also stated that the rotation
           of the Electronic Crimes Special Agent Program agents does not
           have a detrimental impact on the agency's cyber investigative
           capabilities because Secret Service field offices send additional
           agents through the program prior to a trained agent's departure,
           and because the Electronic Crimes Task Forces allow the agency to
           draw on state and local law officials trained in cyber
           investigations and computer forensics. While we agree that
           expanding the Electronic Crimes Special Agent Program and
           leveraging the relationships and capabilities of the Electronic
           Crimes Task Forces is important to adequately addressing
           cybercrime, the current rotational policy may adversely affect the
           Secret Service's use of staff with cyber expertise; therefore, it
           is important for the Secret Service to continually reassess the
           rotational policies that impact its ability to address the cyber
           threat.

           DOD, DOJ, DHS, state and local government, and other officials
           also provided technical corrections that have been incorporated in
           this report as appropriate.

           As agreed with your office, unless you publicly announce the
           contents of this report earlier, we plan no further distribution
           until 30 days from the report date. At that time, we will send
           copies of this report to interested congressional committees, the
           Attorney General, the Secretaries of Defense and Homeland
           Security, the Chairman of the Federal Trade Commission, and other
           interested parties. We also will make copies available to others
           upon request. In addition, this report will be available at no
           charge on GAO's Web site at http://www.gao.gov.

           If you or your staff has any questions about this report, please
           contact David Powner at (202) 512-9286, or [email protected];
           or Keith Rhodes at (202) 512-6412, or [email protected].
           Contact points for our Offices of Congressional Relations and
           Public Affairs may be found on the last page of this report. Major
           contributors to this report are listed in appendix IV.

           David A. Powner
			  Director, Information Technology Management Issues

           Keith A. Rhodes
           Chief Technologist
           Director, Center for Technology and Engineering
			  
			  Appendix I: Objectives, Scope, and Methodology

           Our objectives were to (1) determine the impact of cybercrime on
           our nation's economy and security; (2) describe key federal
           entities, as well as nonfederal and private-sector entities,
           responsible for addressing cybercrime; and (3) determine
           challenges being faced in addressing cybercrime.

           To determine the impact of cybercrime on the U.S. economy and
           security, we analyzed various government and private-sector
           reports, surveys, and statistics related to cybercrime and
           conducted interviews with experts from law enforcement, academia,
           and information technology and security companies to verify,
           clarify, and gain a greater understanding of cybercrime's impact.
           Further, we interviewed officials and staff at key federal
           agencies, including the Departments of Defense, Justice, and
           Homeland Security; and the Federal Trade Commission; and obtained,
           through structured interview questions, information from 19
           federal Office of Inspectors General about the number and
           frequency of cybercrimes experienced at their respective agencies
           and the subsequent cost associated with addressing these
           incidents, among other things.

           To identify the key public and private-sector entities that work
           to mitigate and investigate computer crime and prosecute cyber
           criminals, we analyzed reports, surveys, and studies related to
           cybercrime. In addition, we held interviews with cybercrime
           experts from government and the private sector to identify
           entities and verify the entities identified as being important. To
           verify information and determine relevant activities, we performed
           document analysis, held site visits, conducted structured
           interviews, and received written responses to structured interview
           questions. The entities contacted during the course of our work
           include the following:

           o Department of Justice: Computer Crime and Intellectual Property
           Section; Bureau of Justice Statistics; United States Attorneys,
           including the Pittsburgh and Seattle Computer Hacking and
           Intellectual Property units; FBI's Cyber Division, including the
           Computer Intrusion Section and the Innocent Images National
           Initiative unit; FBI's National Cyber Forensics and Training
           Alliance; FBI's Cyber Initiative and Resource Fusion Unit; FBI's
           Internet Crime Complaint Center; and FBI's Pittsburgh and Seattle
           Field Office units.
           o Department of Homeland Security: Special Agent in Charge of the
           Secret Service's Criminal Investigative Division; the National
           Cyber Security Division's Deputy Director of the Law Enforcement
           and Intelligence Section and Deputy Director of the United States
           Computer Emergency Readiness Center.
           o Department of Defense: Defense Cyber Crime Center; Joint Task
           Force for Global Network Operations; Defense Criminal
           Investigative Service; Air Force Office of Special Investigation,
           Army Military Intelligence, and the Naval Criminal Investigative
           Service.
           o Federal Trade Commission: Officials from the Divisions of
           Advertising Practices, Enforcement, and Marketing Practices. In
           addition, members of the team attended sessions of a Federal Trade
           Commission-sponsored conference that focused attention on
           cybercrime.
           o Office of Inspectors General: Department of Education's Computer
           Crime Division/Office of Inspector General; written responses to
           structured interview questions from officials of the Inspectors
           General of the Small Business Administration, Department of
           Defense, Nuclear Regulatory Commission, Health and Human Services,
           National Science Foundation, Department of Veterans Affairs,
           General Services Administration, Department of Labor, Department
           of Transportation, Agency for International Development, Office of
           Personnel Management, Department of the Treasury, Department of
           Justice, Housing and Urban Development, Social Security
           Administration, Department of Energy, and Department of the
           Interior.
           o Private Sector: Counterpane Internet Security; Cyber Security
           Industry Alliance; CypherTrust; Guidance Software; InfraGard;
           Information Technology-Information Sharing and Analysis Center;
           Microsoft; Postini; SEARCH; Symantec; and other cybercrime
           experts.
           o State and Local Entities: Office of the Attorney General of
           Washington; Washington State Highway Patrol's Computer Crime Unit;
           Office of the Attorney General of Virginia--Computer Crime Unit;
           and the National Association of Attorneys General.

           We also met with representatives from the State Department to
           discuss the department's role in addressing cybercrime. However,
           after meeting with representatives from the department's Bureau of
           Resource Management, Political-Military Affairs, International
           Narcotics and Law Enforcement, and others, we determined that the
           department's cybercrime responsibilities were outside the scope of
           our engagement. In addition, State Department representatives
           stated that they work closely with the Department of Justice's
           Computer Crime and Intellectual Property Section on cybercrime
           issues and that Justice officials would be a better source to
           determine the impact of cybercrime on the United States and
           international efforts to address cybercrime.

           To determine the challenges being faced in addressing cybercrime,
           we gathered and analyzed relevant documents, interviewed key
           government and private-sector officials regarding challenges to
           fighting cybercrime, and conducted Internet and media research.
           Based on the information received and our knowledge of the issues,
           we determined the major challenges impeding efforts to address
           cybercrime.

           To observe operations of cybercrime-related entities and interview
           relevant federal, state, and local government and private-sector
           officials, we performed our work between June 2006 and May 2007 in
           the Washington, D.C., metropolitan area; Pittsburgh, Pennsylvania;
           Seattle, Washington; and Fairmont, West Virginia; in accordance
           with generally accepted government auditing standards.
			  
           Appendix II: Comments from the Federal Bureau of Investigation

           Appendix III: Comments from the U.S. Secret Service

           Appendix IV: GAO Contacts and Staff Acknowledgments

           GAO Contacts


           David A. Powner, (202) 512-9286, or [49][email protected]
           Keith A. Rhodes, (202) 512-6412, or [50][email protected]
			  
           Staff Acknowledgments

           In addition to the individuals named above, Barbara Collier, Neil
           Doherty, Michael Gilmore, Steve Gosewehr, Barbarol James, Kenneth
           A. Johnson, Kush K. Malhotra, Amos Tevelow, and Eric Winter made
           key contributions to this report.
			  
           GAO's Mission

           The Government Accountability Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.
			  
           Obtaining Copies of GAO Reports and Testimony

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through GAO's Web site ( [51]www.gao.gov ). Each
           weekday, GAO posts newly released reports, testimony, and
           correspondence on its Web site. To have GAO e-mail you a list of
           newly posted products every afternoon, go to [52]www.gao.gov and
           select "Subscribe to Updates."
			  
           Order by Mail or Phone

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. Government Accountability Office
           441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by phone:
           Voice: (202) 512-6000
           TDD: (202) 512-2537
           Fax: (202) 512-6061
			  
           To Report Fraud, Waste, and Abuse in Federal Programs

           Contact:

           Web site: [53]www.gao.gov/fraudnet/fraudnet.htm
           E-mail: [54][email protected]
           Automated answering system: (800) 424-5454 or (202) 512-7470
			  
           Congressional Relations

           Gloria Jarmon, Managing Director, [55][email protected], (202) 512-4400
           U.S. Government Accountability Office, 441 G Street NW, Room 7125
           Washington, D.C. 20548
			  
           Public Affairs

           Paul Anderson, Managing Director, [56][email protected], (202) 512-4800
           U.S. Government Accountability Office, 441 G Street NW, Room 7149
           Washington, D.C. 20548

(310820)

www.gao.gov/cgi-bin/getrpt?GAO-07-705.

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Dave Powner at (202) 512-9286 or
[email protected].

Highlights of GAO-07-705, a report to congressional requesters

June 2007

CYBERCRIME

Public and Private Entities Face Challenges in Addressing Cyber Threats

Computer interconnectivity has produced enormous benefits but has also
enabled criminal activity that exploits this interconnectivity for
financial gain and other malicious purposes, such as Internet fraud, child
exploitation, identity theft, and terrorism. Efforts to address cybercrime
include activities associated with protecting networks and information,
detecting criminal activity, investigating crime, and prosecuting
criminals.

GAO's objectives were to (1) determine the impact of cybercrime on our
nation's economy and security; (2) describe key federal entities, as well
as nonfederal and private sector entities, responsible for addressing
cybercrime; and (3) determine challenges being faced in addressing
cybercrime. To accomplish these objectives, GAO analyzed multiple reports,
studies, and surveys and held interviews with public and private
officials.

What GAO Recommends

GAO recommends that the Attorney General and the Secretary of Homeland
Security help ensure adequate law enforcement analytical and technical
capabilities. In written comments on a draft of this report, the FBI and
the U.S. Secret Service noted efforts to assess and enhance these
capabilities.

Cybercrime has significant economic impacts and threatens U.S. national
security interests. Various studies and experts estimate the direct
economic impact from cybercrime to be in the billions of dollars annually.
The annual loss due to computer crime was estimated to be $67.2 billion
for U.S. organizations, according to a 2005 Federal Bureau of
Investigation (FBI) survey. In addition, there is continued concern about
the threat that our adversaries, including nation-states and terrorists,
pose to our national security. For example, intelligence officials have
stated that nation-states and terrorists could conduct a coordinated cyber
attack to seriously disrupt electric power distribution, air traffic
control, and financial sectors. Also, according to FBI testimony,
terrorist organizations have used cybercrime to raise money to fund their
activities. Despite the estimated loss of money and information and known
threats from adversaries, the precise impact of cybercrime is unknown
because it is not always detected and reported (cybercrime reporting is
discussed further in GAO's challenges section).

Numerous public and private entities have responsibilities to protect
against, detect, investigate, and prosecute cybercrime. The Departments of
Justice, Homeland Security, and Defense, and the Federal Trade Commission
have prominent roles in addressing cybercrime within the federal
government, and state and local law enforcement entities play similar
roles at their levels. Private entities such as Internet service providers
and software developers focus on the development and implementation of
technology systems to detect and protect against cybercrime, as well as
gather evidence for investigations. In addition, numerous cybercrime
partnerships have been established between public sector entities, between
public and private sector entities, and internationally, including
information-sharing efforts.

Entities face a number of key challenges in addressing cybercrime,
including reporting cybercrime and ensuring that there are adequate
analytical capabilities to support law enforcement (see table). While
public and private entities, partnerships, and task forces have initiated
efforts to address these challenges, federal agencies can take additional
action to help ensure adequate law enforcement capabilities.

Challenges to Addressing Cybercrime

Source: GAO.

References

Visible links
  42. http://www.cybercrime.gov/juvenileSentboston.htm
  43. http://www.cybercrime.gov/ivanovSent.htm
  44. http://www.gao.gov/cgi-bin/getrpt?GAO-05-434
  45. http://www.gao.gov/cgi-bin/getrpt?GAO-04-321
  46. http://www.gao.gov
  47. mailto:[email protected]
  48. mailto:[email protected]
  49. mailto:[email protected]
  50. mailto:[email protected]
  51. http://www.gao.gov/
  52. http://www.gao.gov/
  53. http://www.gao.gov/fraudnet/fraudnet.htm
  54. mailto:[email protected]
  55. mailto:[email protected]
  56. mailto:[email protected]
  57. http://www.gao.gov/cgi-bin/getrpt?GAO-02-24
  58. http://www.gao.gov/cgi-bin/getrpt?GAO-03-233
  59. http://www.gao.gov/cgi-bin/getrpt?GAO-07-310
*** End of document. ***