Hackers like to draw a distinction between members of their subculture who exploit and break into systems for personal gain and those who do so for the knowledge. Hackers will often refer to a person of malicious intent as a “cracker”, but whether the intent is good or bad, the mere act of intrusion on an information system is of questionable ethics. In the United States, the law does not look at the individual’s intent, but rather at the action itself. If an individual attempts to break into a secured system, or even an unsecured system to which they are not entitled to access, it is illegal.
A hacker is defined as “a malicious meddler who tries to discover sensitive information by poking around” (Spinello, 2003, pg. 144). In his text, Spinello publishes an interview with a self-proclaimed hacker. Between smug remarks, the hacker is clearly convinced that his activities are good for the world. In fact, he describes the hacker ethic. This is a viewpoint in which “access to computer systems should be unlimited and unrestricted… [a]ll the information should be freely accessible in order to help others learn and develop their skills” (2003, pg. 145). The flaw with this “ethic” is that it does not define a computer system clearly and thus neglects that some systems may contain sensitive personal data which would serve no educational purpose whatsoever.
The Internet is a world without borders. Most nations have some sort of access to it, and it is used to provide access to information systems of multinational companies all around the world. These companies are not headquartered solely in the United States. The global marketplace is huge and growing quickly every year. Since cyber-crime happens not in one specific location, legislation must be drawn up internationally to take appropriate action against cyber-crime. “At the universal level, the United Nations has been called upon to play an important role” (Pocar, 2004, pg. 28).
Michael Vatis summarizes well the scope of the Internet in the world today.
“[A] person with a laptop computer can sit at a coffee shop in London and trade stocks listed on the New York Stock Exchange, transfer funds from a bank account in Zurich to an account in Tokyo, chat on and Internet phone call with a friend in Estonia, check in on his child’s daycare center through a live video feed, upload a video clip of his brother’s stand-up comedy performance onto YouTube, and place a bet with and online casino in Costa Rica.” (2006, pg. 56)
He goes on to point out that a person with malicious intent could use any of the previously mentioned mechanisms to accomplish a number of tasks, such as theft, price rigging, acts of terrorism, kidnapping, and identity theft. So what is to keep a person from acting in such a manner? One would hope that laws and a sense of ethics and morality would prevent someone from committing cyber-crime, but among other things, easy money can be very tempting.
The idea of using technology to reroute someone else’s funds into an account of your own in a protected nation is a romantic view of hacking into banking systems. A more realistic perspective is that with the increase of globalization, international law is working to prevent the use of loopholes to get away with blatant cyber-crime. “[I]t appears that the list of international legal instruments dealing with cyber-crime is rather long. However, it is far from exhaustive for the purposes of covering all aspects of the subject matter concerned” (Pocar, 2004, pg. 31). Aside from the Hollywood version of cyber-crime as a war game (though a distinct possibility during the Cold War era and even on a smaller terror-centric scale today), other cyber-crimes include identity theft, theft of trade secrets, and infrastructure damages.
If a hacker were to target a major point of infrastructure such as electricity, much damage could be done. “An attack that disables electrical power or telecommunications, for instance, would have cascading effects on banks, hospitals, and government operations” (Vatis, 2006, pg. 57). The problem with cyber-attacks is that they are quite inexpensive to initiate. A hacker simply needs a computer of some sort and Internet access and perhaps some software. The software and Internet connection can be obtained for free. The computer could as well in some instances, sometimes through illegal means. The problem is that it costs organizations thousands and millions of dollars to protect and secure their systems from attacks that can be launched for a few hundred dollars.
So how can a hacker be identified? Is it possible to preemptively determine those who are the highest risk of deviant behavior on the Internet and enable some preventative measure? Walking into a Starbuck’s anywhere around the world will show a handful of laptop users at the very least. Automobile drivers are frequently seen talking on cell phones. Executives walk around tied to their email via a Blackberry smart phone. In more traditional settings, libraries have workstations setup with access to the Internet. Educational institutions provide vast amounts of technology to their faculty, staff and students for teaching and learning.
In any society, there will always be people who do not act in a manner that is good for others, and sometimes not even in a manner that is good for themselves as defined by the culture. “There will always be hackers who deviate from the rules of society” (Spinello, 2003, pg. 145). Some of this can be attributed to lack of social skills and a subculture that preys upon the lack of self-esteem displayed by some hacker types. While it is true that a person can “grow out of” the habit of hacking, it can be an addicting habit that some may find impossible to break. The perceived benefits are often greater than the alternatives available to the hacker. In the interview with a hacker, “Ed Jones” states, “it’s OK to look around some corporate or government system, but you shouldn’t steal data and try to profit from it” (2003, pg. 147).
So how does one “look around” on a system and forget the information that they do come across? It is not always easy to resist the temptation of using information for personal gain. Companies have decided to mitigate the risk of dealing with an individual’s ethics or lack thereof through their security system implementations. “Of 320 Fortune- 500 companies surveyed, 30 per cent claimed that they had installed software capable of launching counterattacks on security breaches” (Overill, 2003, pg. 165). Of course, this method of reaction to attacks has its flaws. First of all, the ethics of a counterattack are dubious. It can be justified as a consequence of malicious action, but what about counterattacks that target an innocent individual? Since information systems are never perfect and frequently have bugs, companies cannot guarantee that the countermeasures are targeted at the correct person.
Overill discusses the tactic of IP spoofing as a method for tricking counterattacks into targeting the wrong individual. He also makes another good point about countermeasures. “Automated and concerted use of strategically contrived false positives and IP spoofing by an attacker may convince a reactive network-based defence that an entire network sub-domain is currently under attack and thereby subvert it into blocking legitimate network traffic, closing innocent network connections, or even shutting down the entire network sub-domain” (2003, pg. 165).
A more sinister attack on information systems is the kind that occurs from inside the organization. Companies must deal with employees carefully and can only provide a set of ethical behavior standards to follow. It is assumed that all employees will abide by the code of ethics set forth by the company, lest they risk unemployment, but sometimes the rewards for unethical behavior are greater for the individual and worth the risk. In other cases, former disgruntled employees can be a dangerous enemy.
In a case discussed by Ramim and Levy, a network administrator is fired and a new employee is assigned to assume the former employees duties. The new employee, however, had no background in network administration. “Although the former network administrator, Mr. Perez, had provided the administrator account usernames and passwords to Mrs. Rodriguez, no effort had been made to remove them from the systems - to change passwords or alter access permissions on the systems…[t]he log files also confirmed the suspicion that the user of the ‘admin’ account had uninstalled the e-learning system application remotely… it was concluded that Mr. Perez, the former network administrator, was associated with the intentional cyber attack” (Ramim, 2006, pg. 30).
It is not practical to assume that every employee is a risk to the organization, but it is poor security to leave systems unchanged when individuals with access leave the organization. Individuals have a responsibility to behave in an ethical manner, but humans do not always follow the rules. To protect our systems against ourselves, we spend great amounts of money and invest much time in securing them. Should businesses be held liable and accountable for lapses in individual ethical behavior if they do not take proper security measures when an employee leaves?
References
- Overill, R. E. (2003). Reacting to cyber-intrusions: The technical, legal and ethical dimensions. Journal of Financial Crime, 11(2), 163-167.
- Pocar, F. (2004). New challenges for international rules against cyber-crime. European Journal on Criminal Policy and Research, 10(1), 27-37.
- Ramim, M. and Levy, Y. (2006). Securing e-learning systems: A case of insider cyber attacks and novice IT management in a small university. Journal of Cases on Information Technology, 8(4), 24-34.
- Spinello, R. (2003). Case Studies in Information Technology Ethics, Second Edition. Upper Saddle River, NJ: Prentice Hall.
- Vatis, M. (2006). The next battlefield: The reality of virtual threats. Harvard International Review, 28(3), 56-61.