The Insider Threat

by Terrance A. Roebuck


Insiders are employees, board members, and other internal team members who have legitimate access to information and/or information technology. Insiders have traditionally been the source of most corporate information security breaches and the most expensive breaches. Current cases and statistics are presented to demonstrate that this is still accurate. The concepts of insider and the threat of insider security breach are examined from the perspective of scope, definition, and the complexity of access, knowledge of controls and authorized use of systems. Common characteristics of insiders are discussed, along with cases that demonstrate the rise of the threat potential as these characteristics change. Consideration of current trends and future technology indicates that insider threat to information systems will likely continue to grow.

The Insider Threat: Introduction

Insiders can be defined as:

"Employees, board members, and other internal team members who have legitimate access to information and/or information technology." [1]

Key to this definition is the possession by these actors of "legitimate access to information and/or information technology".

Most employees are in a good position to possess the combination of skills, knowledge, resources, authority and motive that Donn Parker [2] points out as characteristics of the class of actor that poses the greatest potential threats to information systems. This would seem to lead to a simple threat classification of "insider" or "outsider". As Parker also points out, "these stereotypes are much too simplistic in this age of worldwide computer networks, contract employees, and mergers and acquisitions that continually change the face of our business partners". [3]

The insider threat to information systems derives from abuse of legitimate access. Not all employees can be considered insiders, though most employees will be. Not all insiders are employees, though most insiders will be. Insiders are those persons who have some amount of legitimate access to information and/or information technology. This wide definition of insider brings into sharp focus some of the complex operational issues facing security and systems managers today. In the past, legitimate access to information systems was almost always restricted to employees. New working environments (like the "home-worker"), new access methods (such as the web), and new computing models (like client server and distributed computing) act together to force a wider definition.

The Insider Threat: Scope

Insider crime is probably the oldest type of computer crime, arguably dating as far back as the early industrial revolution. In France between 1801 and 1808, employees secretly opposed to technology were found to be changing pattern specifications (making unauthorized program changes) in the Jacquard loom [4], thus causing failures and economic loss. [5]

Published incidents of abuse of information systems can be found in early writings on computer crime. In the early 1970's, Whiteside [6] tells of a 'trusted' employee who used a scheme based on truncation (versus rounding; so-called salami slicing) to skim millions of dollars based on stealing a few percentages of a cent at a time (the case of "Zwana"). These attacks were in the main successful, partly because of their unique nature and difficulty of detection, but also because prior to the late 1970's, there were no computer crime laws. "The courts had to apply the laws of the physical world to the digital computer world". [7] Thus such thefts as "Zwana" went unpunished when courts were forced to find the defendant "not guilty" on the grounds that there had not been the theft of "an article or thing" (a fraction of a cent was not held in law to be a thing and therefore could not be stolen). [8]

"The largest (known) computer crime in the world occurred in Los Angeles in 1973 and resulted in the destruction of the Equity Funding and Insurance Company, with losses of two billion dollars. The government convicted twenty-two top executives, including two from the firm that audited the company, and sent them off to prison." [9]

Modern examples of attacks (successful or otherwise) by insiders abound. In the largest fraud case ever investigated by the IRS (the "Equity 2" case), the top executive of one of America's large food retailers, a man previously applauded as an entrepreneurial genius, pleaded guilty to skimming $17 million in sales to avoid paying $6.7 million in taxes. [10] It is asserted that insider activities remain the most common source of intentional disruption to computer systems [11] and "employees are the greatest threat to any computer system". [12]

Of the types of "hackers" identified by the FBI Computer Crime Squad "insiders are the real corporate threat. These often self-motivated hackers are the most dangerous of hackers." "Because of the nature of insider corporate computer crime, these incidents usually go unreported and represent the least number of referrals to law enforcement". [13]

The Insider Threat: Complexity

Insider Characteristics: Common characteristics

Insiders, because they are employees, share many common characteristics (to varying degrees). Examples include access to corporate information systems, knowledge of business operations and procedures, operational skills, knowledge of existing controls, responsibility within the business environment, access to resources, and a common corporate culture. The degree to which employees share these characteristics is often not directly related to the level of the person within the corporate hierarchy or to the scope of their function within the organization. The degree to which these characteristics can be exploited can be considered as a component of the total "insider threat potential" of a position, or individual.

Insiders: Strategy, tactics and operations

The methods used by insiders to gain advantage are as varied as the systems in which the insiders work. Almost every attack form can be used; almost any control can be bypassed. Insiders can (and do) use techniques from many threat types (such as hackers, crackers, and criminals, to name a few).

To the Army general, strategy may be to win the battle by taking the town. The general is setting a direction; a high level plan that leaves many of the details of implementation to others. To the captain in the field this is translated to one of a series of related tactics, with other groups, to capture high ground, while to the individual soldier the operation is to climb (and fight) up a particular hill. Each of these viewpoints is different; each viewpoint can provide a differing perspective on the insider threat.

The strategically orientated insider threat can be perceived as "the big picture". Here we could classify the executive level threat, based on their knowledge of target system interactions coupled with traditionally weaker controls on executives and their use of resources (such as the "Equity 2" case [10]). While there may be only a single large transaction involved, such incidents often result in large dollar loss and are usually unique to the particular situation.

The tactical level insider threat may be considered as a middle management approach, perhaps involving collusion to avoid existing controls or to take advantage of a lack of coordinated controls. For example, in 1998 [33], charges were filed against four men in California who manipulated computer chips in 140 Mapco Oil gas pumps at 12 different stations. The modified chips controlled pumps to dispense less fuel than meters showed. Over $1 million was skimmed before the insiders were caught. Such tactical level attacks are usually capable of being repeated, with minor modification, by others in similar situations. "I would be amazed if it's not happening at gas pumps in other states," said Los Angeles County District Attorney Gil Garcetti.

The operational level insider threat can be viewed as an exploitation of weakness or lack of control in a single process or work role. This would appear to be the most common, and perhaps the least expensive type of insider threat (on a per instance basis). An individual who becomes aware of a weakness uses that weakness for gain, usually in a repetitive fashion based on the process cycle (such as "salami slicing" [see [6]] or the shifting of data on employee time cards [see [12]]). Another interesting case [34] is a meat plant shipper, who noticed that the shipping system in the plant tracked all boxes of frozen chicken parts by the box size weight (for example, fifty 20-pound boxes of breast). The shipper arranged for new boxes to be made, each marked as 20 pounds, but each actually holding 25 pounds when filled. This allowed the shipper to pack out an additional 25% of "free" meat to selected customers, for which he later received a cash payment. Total losses were estimated at over $1 million. The theft went on for many years because all inventory controls were followed, and constantly checked and audited - and was only uncovered when an angry customer turned in the shipper (for having an affair with the customer's wife).
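
An added example, not part of the original article: a reconciliation audit of the kind that catches the truncation ("salami slicing") scheme described in the Scope section and cited again above, by comparing each posted amount with what the rounding policy requires and by checking where the residue goes. The round-half-even policy, the account names and the sample ledger are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
SUSPENSE_ACCOUNT = "GL-ROUNDING"  # hypothetical designated rounding account

# Constructed sample data: (batch, customer account, exact interest, amount posted)
POSTINGS = [
    ("B1", "C-100", Decimal("12.3449"), Decimal("12.34")),
    ("B1", "C-101", Decimal("7.8951"), Decimal("7.90")),
    ("B1", "C-102", Decimal("0.4562"), Decimal("0.46")),
    ("B2", "C-100", Decimal("12.3478"), Decimal("12.34")),
    ("B2", "C-101", Decimal("7.8991"), Decimal("7.89")),
    ("B2", "C-102", Decimal("0.4581"), Decimal("0.45")),
]
# Constructed sample data: (batch, destination account, amount) for residue sweeps
RESIDUE_TRANSFERS = [("B2", "C-977", Decimal("0.02"))]


def audit_interest_postings(postings, transfers, suspense=SUSPENSE_ACCOUNT):
    """Return (batch, rule, detail) findings for postings that break the
    assumed policy: round half-even to the cent, residue only to suspense."""
    findings = []
    stats = defaultdict(lambda: {"n": 0, "residue": Decimal("0")})

    for batch, account, exact, posted in postings:
        expected = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        stats[batch]["n"] += 1
        stats[batch]["residue"] += exact - posted
        if posted != expected:
            kind = "truncated" if posted == truncated else "unexplained"
            findings.append((batch, "POSTING_MISMATCH",
                             f"{account}: posted {posted}, policy {expected} ({kind})"))

    for batch, s in sorted(stats.items()):
        # Honest rounding errs by at most half a cent per posting, in either
        # direction, so the batch residue can never exceed n * 0.005.
        bound = CENT / 2 * s["n"]
        if abs(s["residue"]) > bound:
            findings.append((batch, "RESIDUE_BIAS",
                             f"residue {s['residue']} exceeds bound {bound}"))

    for batch, destination, amount in transfers:
        # Residue may legitimately exist, but only the suspense account may receive it.
        if destination != suspense:
            findings.append((batch, "RESIDUE_DIVERTED",
                             f"{amount} swept to {destination}, not {suspense}"))
    return findings


if __name__ == "__main__":
    for finding in audit_interest_postings(POSTINGS, RESIDUE_TRANSFERS):
        print(*finding, sep=" | ")
```

The check recomputes the expected figure independently instead of trusting the value the process itself recorded, which is the control that was missing in the box-weight case as well.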

Insiders: Motive and target potential

Motives for any crime are difficult to determine in advance (of an act), and probably are as varied as the character of the people committing the act. "Psychologists and criminologists warn that it is nearly impossible to create a taxonomy of motives because any such taxonomy would be too complex, and would change continually." [35]

Cases can be found to support all of the traditional criminal motives of love, hate, and greed. Electronic stalking, harassment, revenge, sabotage, theft and many other crimes committed on or through computer systems can usually be traced (in hindsight) to these human frailties.

There are, however, motivations that are relatively unique to computer system attackers. "Cyber criminals often distinguish between the unacceptable practice of doing harm to people and the impersonal acts of doing harm to, or through, computers." [36] "Criminological research has identified a variation of the Robin Hood syndrome: criminals tend to differentiate between doing harm to individual people, which they regard as highly immoral, and doing harm to a corporation, which they can more easily rationalize. Computer systems facilitate these kinds of crimes, as a computer does not show emotion when it is attacked." [37]

Insiders are able to rationalize their illegitimate or illegal information systems activities more easily since there are no direct victims. They are not confronted with staff members and friends traumatized by their actions (as may be the case in an armed robbery, for example). The victim has no face. The victim has no feelings. It becomes easier to rationalize that any received benefit of the act (for the perpetrator by attaining their goal of money, revenge or satisfaction) will compensate for the harm that may be done.

Insiders: Trends for the future

Of the traditional motives, greed is arguably the most significant trigger of 'computer crime'. According to folklore, Willie Sutton, the famous bank robber, when asked, "Why do you rob banks?" responded with "Because that's where the money is". In our world of electronic transaction and digital debit, corporate information systems now represent "where the money is". "Virtually every white collar crime has a computer or telecommunications link" says Carlton Fitzpatrick, Branch Manager of the Federal Law Enforcement Training Center's Financial Fraud Institute. [38]

Many of the traditional controls applied to insider access have been either migrated from physical systems (and are proving ineffective or inappropriate for the digital domain) or are becoming better understood and easier to bypass as the degree of expertise available to system users rises. The skills and knowledge required to bypass complex system controls are rapidly becoming available to the layperson; tools and techniques are widely distributed through hacker web sites and discussion groups readily available on the Internet.

Corporations are continually required to re-invest in information systems technology at both the capital and operational level and this in turn is causing continual pressure on information systems professionals to re-tool themselves to new hardware and software standards for both business operations and for security. Workplace pressures will no doubt continue to set the priority on reactive business operations over proactive security concerns. Maintaining an adequate systems security environment is becoming increasingly more important, and increasingly more difficult to do (as the list of threat types and attack methods increases in number, style and complexity).

The business community remains reticent to report incidents of computer misuse. In 1994, the United Nations stated that "based on reports of its member countries (it is) estimated that only 5% of computer crime was reported to law enforcement". [39] United States and Canadian practitioners are more likely to report incidents. Perhaps the most striking result of the 1999 CSI/FBI survey is the dramatic increase in the number of respondents reporting serious incidents to law enforcement: 32% of respondents did so, a significant increase over the three prior years, in which only 17% had reported such events to the authorities. [40]

However, with electronic commerce becoming an increasing force in western society, businesses are likely to continue to refrain from publicly reporting abuse that could potentially exacerbate consumer fears about the financial safety of the process (or the value of the company stock).

Even if reported, the risks associated with computer crime incidence are lower than in traditional crime areas. Courts and law enforcement are widely admitted to be lagging in computer crime areas. A 1998 survey of 531 Canadian police organizations likely to investigate computer crime incidents because of size and/or mandate reported that "overall their responses paint a bleak picture of inadequate training and resources, slightly tempered with a few success stories". [41] American law enforcement officials echo much the same thoughts, because "crime involving high technology is going to go off the boards" predicts FBI special agent William Tafoya. "It won't be long before the bad guys outstrip our ability to keep up with them". [42]

Insiders: Summary and Conclusions

The insider threat remains a significant issue for information systems security.

The responses of 520 security practitioners to the 1999 CSI Survey indicated a dramatic increase in reported security breaches in 1999. While the growth (and increased awareness) of the threat to information systems by outsiders (over the Internet, for example) is real, about half of reported breaches are cited as internal. CSI reported that unauthorized access by insiders rose for the third straight year; 55% of respondents reported incidents. Most breaches involve money, with an estimated $100 billion in quantifiable losses reported. Insider abuse of Internet access privileges (for example, downloading pornography or pirated software or engaging in inappropriate use of e-mail systems) was reported by 97%. [43]

The rise of e-commerce, increased systems dependency by corporations and individuals, increased literacy by many users of information systems coupled with large numbers of neophyte users, easy availability of control bypass tools such as password crackers, over-worked and over-extended systems resources, and weak response capability by law enforcement are just a few of the current trends that will no doubt continue to drive computer security concerns.

Emerging technologies such as integrated voice processing, multimedia, IP telephone services (to name a few) will continue to provide new opportunities for abuse by their users. Attempts to shore up defenses against insider abuse will lead to more sophisticated security applications (like biometrics) which will no doubt mean more sophisticated breaches.

"Corporations and government agencies that want to survive in the 'Information Age' simply have to dedicate more resources to staffing and training of information security professionals. Furthermore, information security professionals who want to succeed have to increase their own level of technical acumen in order to face the challenges ahead." [44]

Insider: References and Bibliography

[1] Cohen, Frederick. "The Security Database", "Insider threat".

[2] Parker, Donn B. "Fighting computer crime: a new framework for protecting information" New York: J. Wiley, c1998.

[3] Parker. Ibid. pg 15

[4] Jacquard, Joseph Marie 1752 -- 1834 Silk-weaver, born in Lyon, France. His invention (1801--8) of the Jacquard loom, controlled by punched cards, enabled an ordinary workman to produce the most beautiful patterns in a style previously accomplished only with patience, skill, and labor. But though Napoleon rewarded him with a small pension and the Légion d'Honneur, the silk weavers were long opposed to his machine. At his death his machine was in almost universal use, and his punched card system was adopted in the 20th-c as a control and data input system for many office machines and early digital computers.

[5] International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 20

[6] Whiteside, Thomas "Computer capers: Tales of electronic thievery, embezzlement, and fraud" 1st ed. Crowell New York, c1978.

[7] Pipkin, Donald L. "Halting the Hacker; A Practical Guide to Computer Security" Prentice Hall New Jersey, c1997. Pg. 8

[8] Whiteside ibid.

[9] "The largest (known) computer crime in the world occurred in Los Angeles in 1973 and resulted in the destruction of the Equity Funding and Insurance Company, with losses of two billion dollars. The company's management tried to make Equity Funding the fastest growing and largest company in the industry. Unfortunately, they attempted to gain that position by engaging in virtually every type of known business fraud. In the course of their downward spiral into crime, management created 64,000 fake people in their computer systems and insured them with policies that they then sold off to reinsurers. The government convicted twenty-two top executives, including two from the firm that audited the company, and sent them off to prison." Parker. P.65

[10] "Equity 2" In the largest computer fraud case investigated by the IRS, the fraud was committed with a computer--and the computer, in turn, convicted the criminals.

The top executive of one of America's large food retailers, a man previously applauded as an entrepreneurial genius, pleaded guilty to skimming $17 million in sales to avoid paying $6.7 million in taxes.

What led to the successful conviction of the retailer and other conspirators in this investigation was the discovery of computer software dubbed "Equity" which a programmer developed, maintained, and enhanced at the direction of the store's owner to facilitate the alteration of the store's books and records.

The computer software was programmed to adjust for skimming of the store's profits--allowing all accounts, including bank deposits, to be adjusted within seconds. By permanently altering the books and records to reflect the post-skim sales and bank deposit figures, it not only reduced total sales figures, but reduced sales on an item-by-item basis. The original data was destroyed forever, and the reduced sales data was recorded on the journals from which the tax returns were prepared. The program was designed to leave no trace that it had ever been run; and it was modified numerous times from 1982 to 1991 to accommodate the changing environment at the store.

Through the gathering of evidence and testimony and the interpretation of the seized computer evidence, the formidable CID team was able to determine how the computer program worked and, using the seized computers, was able to operate the program. The CIS would have been capable at trial, if necessary, to demonstrate to the jury exactly how the reduction of sales and deposits was done.

The convicted founder and owner of this retail business was sentenced to four years and four months in prison for his role in using an elaborate computer program to defraud the IRS in the collection of taxes. He was also ordered to pay approximately $15 million in additional taxes owed to the IRS, penalties, and interest. The store's executive vice president was sentenced to three years and five months in prison, and the chief financial officer was sentenced to one year and six months in prison.

[11] Cohen, Frederick B., "Protection and security on the information SuperHighway" New York: Wiley, c1995. Chapter 3 pg.13

[12] Icove, David J. "Computer crime : a crimefighter's handbook / David Icove, Karl Seger, and William VonStorch."; 1st ed. Sebastopol, CA : O'Reilly & Associates, 1995. Pp 118

[13] Kevin Fu; Crime and Law in Cyberspace - DOJ/FBI Training Session; 1996 as reported in Nandonews at

[14] Parker. Ibid. pg 144

[15] Cohen/Insider Threat ibid.

[16] Cohen/Insider Threat ibid.

[17] Cohen/Insider Threat ibid.

[18] Parker. Ibid. pg. 344

[19] International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 100.

[20] International Review; ibid. Paragraphs 100-101

[21] see Cohen; "Protection and security on the information SuperHighway" chapter 3.

[22] Parker; ibid. pg. 143

[23] For example, spoofing e-mail on a company intranet or gaining access to file server data is much easier if you already have access to that part of the intranet (especially when firewall technology is in place) or are already storing data on a common file server.

[24] Parker; ibid. 143

[25] from A pharmacist in a small Northwest Florida community thought he had the perfect fraud system--his drug store and lots of customers covered by insurance and Medicaid.

As a patient presented a prescription, the pharmacist recorded the transaction on a computer. Using custom software, the pharmacist typed in the information and the computer printed out the label for the bottle, an invoice, and often an electronic claim for payment. He filled the prescription and the computer "dialed up" the coverage provider and posted the claim. The problem was that the payment system didn't have built in checks to determine whether the claim had been previously filed. The pharmacist decided to take advantage of this vulnerability by changing the dates and re-submitting claims for prescriptions already paid by the Florida Medicaid system.

While the investigation was ongoing, we could not seize the pharmacy's computers. The prescription records were needed to meet patient's requirements for medicine. Therefore, a CIS was called upon to make an exact copy of the computer's hard drive for analysis and evidentiary use.

An extensive history file, showing over one year's claims, generated a report of the total Medicaid claims. The total matched the amount shown by the Florida Medicaid system, to the penny. A separate report showed the patient profile and prescriptions picked up from the pharmacy. As expected, the patient profile represented actual prescriptions, while the Medicaid listing was the total of all claims filed, actual and fraudulent.

Why was this important? Because, at trial, the pharmacist claimed he did not make the claims. He believed that someone else made a backup of the computer's data, took that copy offsite, and made over $1.5 million in fraudulent claims, all without his knowledge.

After the reports of the claims taken from the pharmacy computer were explained and introduced into evidence, the software's author was called. He testified as to the inner workings of the software, how the claims were recorded in the computer's files, and testified that: (a) the claims shown on the pharmacy computer were exactly the same as the total claims shown on the state's system, and (b) since it would not be possible to edit the pharmacy computer files to make them equal, it is not reasonably possible for someone to have transmitted the claims from anywhere else.

The computer evidence in this case performed two major roles: It tied the amount of the false claims from the pharmacy to the state; and it tied the false claims to the pharmacy computer and owner. Convicted for money laundering, this pharmacist is currently serving a sentence of seven years.

[26] from March 19, 1998 Federal Bureau of Investigation 212-384-2715

Eugene E. Kashpureff Pleaded Guilty to Unleashing Software on the Internet That Interrupted Service for Tens of Thousands of Internet Users Worldwide

ZACHARY W. CARTER, United States Attorney for the Eastern District of New York, and LEWIS D. SCHILIRO, Assistant Director in Charge, Federal Bureau of Investigation in New York, today announced the filing of a criminal information and guilty plea of EUGENE E. KASHPUREFF, the owner of AlterNIC, a Washington State-based commercial registration service for Internet domain names associated with Internet Web Sites. KASHPUREFF was charged with violating the federal computer fraud statute, 18 United States Code, Section 1030.

In pleading guilty, KASHPUREFF has admitted that on two occasions in July 1997, he unleashed software on the Internet that interrupted service for tens of thousands of Internet users worldwide. KASHPUREFF, a self-described "webslinger," designed a corruption of the software system that allows Internet-linked computers to communicate with each other. By exploiting a weakness in that software, KASHPUREFF hijacked Internet users attempting to reach the Web Site for InterNIC, his chief commercial competitor, to his AlterNIC Web Site, impeding those users' ability to register Web Site domain names or to review InterNIC's popular "electronic directory" for existing domain names.

Since 1993, the National Science Foundation has designated InterNIC as the exclusive registrar for all Internet domain names containing the generic abbreviations ".com" (for commercial entities), ".org" (for non-profit organizations), ".edu" (for educational institutions), ".net" (for computer networks and Internet Service Providers) and ".gov" (for government entities). InterNIC currently administers over 1.2 million domain names, and its Web Site is visited over the Internet approximately 1 million times per day. InterNIC also administers the popular "WHOIS" directory, which identifies names and addresses on the Internet.

KASHPUREFF worked to perfect this DNS corruption over a one-year period, under the name "Operation DNS Storm." As a result of KASHPUREFF's actions, between July 10 and 14, 1997, and again between July 21 and 24, 1997, thousands of Internet users throughout the world trying to reach InterNIC were involuntarily rerouted to AlterNIC's Web Site, and were impeded from registering or updating the registration of domain names.

After launching his Internet attacks, KASHPUREFF boasted to the media about the effects of his scheme, claiming that he could divert all communications destined for China, the 100 most visited Web Sites in the world, and the White House Web Site.

On September 12, 1997, a criminal complaint and warrant for KASHPUREFF's arrest were obtained. After discovering that KASHPUREFF had left the United States and was residing in Canada, the government initiated extradition proceedings with the Canadian Department of Justice. Canadian authorities arrested KASHPUREFF in Toronto where he remained in custody for almost two months while he resisted extradition to the United States. On December 24, 1997, after waiving extradition, KASHPUREFF was turned over by Canada to United States authorities and arraigned on charges in Brooklyn.

In announcing today's guilty plea, MR. CARTER expressed his appreciation to the FBI and in particular to its New York Computer Crime Squad, for its invaluable contribution to the case. MR. CARTER also thanked the Canadian Department of Justice for its assistance in the extradition proceedings brought against KASHPUREFF.

KASHPUREFF pleaded guilty today before United States District Judge Allyne Ross. He faces a maximum sentence of five years and a maximum fine of $250,000. The case was prosecuted by Assistant United States Attorneys Joel M. Cohen and Jo Ann Navickas.

[27] Icove et. al. ibid. pg. 49

[28] see [10] for details; the perpetrator occupied the position of President of the company

[29] see Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer "Bomb"

1998-02-17 -- Lloyd, Timothy -- Indictment -- News Release NEWARK -- A former chief computer network program designer from Delaware was arraigned this morning for allegedly unleashing a $10 million programming "bomb" 20 days after his dismissal that deleted all the design and production programs of a New Jersey-based manufacturer of high-tech measurement and control instruments used by NASA and the U.S. Navy, U.S. Attorney Faith S. Hochberg announced.

The case is believed to be one of the most expensive computer sabotage cases in U.S. Secret Service history, according to C. Danny Spriggs, special agent in charge of the U.S. Secret Service's Philadelphia Office.

Timothy Allen Lloyd, (DOB 1967-10-16), of Wilmington, a former computer network programmer for Omega Engineering Corp. ("Omega"), a Bridgeport, Gloucester County, New Jersey corporation with offices in Stamford, Connecticut, and branches around the world, was arraigned before U.S. District Judge William H. Walls.

Judge Walls scheduled Lloyd's trial for April 20, 1998 and set a $25,000 secured bond, according to Assistant U.S. Attorney V. Grady O'Malley.

A two-count Indictment, returned Jan. 28, 1998 by a Camden Federal Grand Jury, alleges that, on July 30, 1996, Lloyd intentionally caused irreparable damage to Omega's computer system by activating a "bomb" that permanently deleted all of the company's sophisticated software programs.

The sabotage occurred on or about July 30, 1996. Lloyd had been terminated from Omega on July 10, after working for the company for approximately 11 years. The Indictment also reflects that the sabotage resulted in a loss to Omega of at least $10 million in sales and contracts.

Lloyd is also charged, in Count Two of the Indictment, with transporting interstate approximately $50,000 worth of computer equipment stolen from Omega to his Delaware residence.

Lloyd faces a maximum of five years in federal prison on Count One and 10 years on Count Two. Each count carries a maximum fine from $250,000 to twice the loss or gain from the crime. If convicted, Lloyd could also be ordered to make restitution.

An Indictment is a formal charge made by a grand jury, a body of 16 to 23 citizens, Hochberg noted. Grand jury proceedings are secret, and neither persons under investigation nor their attorneys have the right to be present. A grand jury may vote an Indictment if 12 or more jurors find probable cause to believe that the defendant has committed the crime or crimes charged.

Despite Indictment, every defendant is presumed innocent, unless and until found guilty beyond a reasonable doubt following a trial at which the defendant has all of the trial rights guaranteed by the U.S. Constitution and federal law.

Under the Sentencing Guidelines, Judge Walls would, upon conviction, determine the actual sentence based upon a formula that takes into account the severity and characteristics of the offense and the defendant's criminal history, if any, Hochberg said.

Hochberg credited Special Agents of the Secret Service in Philadelphia under the direction of Spriggs, for developing the case against Lloyd.

The Government is represented by Assistant U.S. Attorney O'Malley, senior litigation counsel in the U.S. Attorney's Criminal Division in Newark.

[30] Cohen ibid. p17/33 ch. 3

[31] Constable R. D. Ferguson; Saskatoon, Saskatchewan Canada; as cited by the author from a personal interview in 1999

[32] Overview of IT Security Issues: Report of the ITSS Legal Issues Working Group; Justice Dept Govt. of Canada 1995.

[33] Prosecutors claim altered computer chips bilked motorists out of $1 million Los Angeles (October 8, 1998) Associated Press as quoted by (

[34] Interview with Cst. R. D. Ferguson. ibid.

[35] Parker ibid. pg. 138

[36] Parker ibid. pg. 143.

[37] International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 59.

[38] U.S. News and World Report. "Cops want more power to fight cyber-criminals" January 23, 1995

[39] Colloquium on Computer crime and Other Crimes Against Information Technology: Wurzburg Germany; 5-8 October 1992 as quoted in the International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 27.

[40] Cyber attacks rise from outside and inside corporations: Dramatic increase in reports to law enforcement

SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the results of its fourth annual "Computer Crime and Security Survey." The "Computer Crime and Security Survey" is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad. The aim of this effort is to help raise the level of security awareness as well as determine the scope of computer crime in the United States.

Highlights of the "1999 Computer Crime and Security Survey" include the following: Corporations, financial institutions and government agencies face threats from outside as well as inside. System penetration by outsiders increased for the third year in a row; 30% of respondents report intrusions.

Those reporting their Internet connection as a frequent point of attack rose for the third straight year; from 37% of respondents in 1996 to 57% in 1999.

Meanwhile, unauthorized access by insiders also rose for the third straight year; 55% of respondents reported incidents.

Other types of cyber attack also rose. For example, 26% of respondents reported theft of proprietary information.

Perhaps the most striking result of the 1999 CSI/FBI survey is the dramatic increase in the number of respondents reporting serious incidents to law enforcement: 32% of respondents did so, a significant increase over the three prior years, in which only 17% had reported such events to the authorities.

For the third straight year, financial losses due to computer security breaches mounted to over $100,000,000. Although 51% of respondents acknowledge suffering financial losses from such security breaches, only 31% were able to quantify their losses. The total financial losses for the 163 organizations that could put a dollar figure on them add up to $123,779,000.

The most serious financial losses occurred through theft of proprietary information (23 respondents reported a total of $42,496,000) and financial fraud (27 respondents reported a total of $39,706,000).

Summary data for responses to all 1999 survey questions and a table displaying financial losses due to various types of security breaches reported in 1997, 1998 and 1999 accompany this press release.

Although these survey results indicate a wide range of computer security breaches, perhaps the most disturbing trend is the continued increase in attacks from outside the organization. This trend was reinforced by other survey results. For example, of those who acknowledged unauthorized use, 43% reported from one to five incidents originating outside the organization, and 37% reported from one to five incidents originating inside the organization.

Further evidence of increased system penetration from the outside can be gleaned from a series of questions on WWW sites and electronic commerce that were asked for the first time this year. Ninety-six percent of respondents have WWW sites, 30% provide electronic commerce services. Twenty percent had detected unauthorized access or misuse of their WWW sites within the last 12 months (disturbingly, 33% answered "don't know.")

Of those who reported unauthorized access or misuse, 38% reported from two to five incidents, and 26% reported 10 or more incidents. Thirty-eight percent reported that the unauthorized access or misuse came from outside. Several types of attack were specified: 98% reported vandalism, 93% reported denial of service, 27% reported financial fraud, 25% reported theft of transaction information. Only 12 of the 95 respondents who had their WWW sites attacked could quantify their financial losses. The total losses for the 12 respondents totaled $2,383,000 (an average of $198,583 in financial losses for each respondent.)

Based on responses from 521 security practitioners in U.S. corporations, government agencies, financial institutions and universities, the findings of the "1999 Computer Crime and Security Survey" confirm trends established over the last three annual surveys. It is clear that computer crime and other information security breaches pose a growing threat to U.S. economic competitiveness and the rule of law in cyberspace. It is also clear that the financial cost is tangible and alarming.

Sixty-two percent of respondents reported computer security breaches within the last twelve months.

The breaches detected by respondents include a diverse array of serious attacks, several of which rose in the number of reports from 1998 to 1999; for example, system penetration by outsiders, unauthorized access by insiders and theft of proprietary information as mentioned above.

Here are some other examples.

Denial of service attacks were reported by 32%.

Sabotage of data or networks was reported by 19%.

Financial fraud was reported by 14%.

Insider abuse of Internet access privileges (for example, downloading pornography or pirated software or engaging in inappropriate use of e-mail systems) was reported by 97%.

This increase indicates that the danger of entanglement in civil liability suits is also on the rise.

Virus contamination was reported by 90%.

Laptop theft was reported by 69%.

Patrice Rapalus, CSI director, suggests that organizations pay more attention to information security staffing and training. "It is interesting to note that while many respondents answered 'yes' to the use of sophisticated security technologies, serious breaches continue to increase. It is also significant that so many respondents answered 'don't know' to whether or not their WWW sites had been attacked. Corporations and government agencies that want to survive in the 'Information Age' simply have to dedicate more resources to staffing and training of information security professionals. Furthermore, information security professionals who want to succeed have to increase their own level of technical acumen in order to face the challenges ahead."

Michael A. Vatis, Director of the National Infrastructure Protection Center, FBI headquarters, Washington, D.C., observed that "this year's CSI/FBI study confirms the need for industry and government to work together to address the growing problem of computer intrusions and cyber crime generally. Only by sharing information about incidents, and threats, and exploited vulnerabilities can we begin to stem the rising tide of illegal activity on networks and protect our nation's critical infrastructure from destructive cyber attacks."

[41] "Investigating Computer Crime" Canadian Police Chief, May 1998.

[42] U.S. News and World Report January 23, 1995

[43] CSI 1999 survey. Ibid.

[44] CSI 1999 survey. Ibid.