Law is not tough enough for hackers

ONCE a computer is connected to the Internet its users gain access to a system which allows cheap and convenient communication…

ONCE a computer is connected to the Internet its users gain access to a system which allows cheap and convenient communication all over the world. Unfortunately, this connection may also allow hackers to access that computer without authorisation. In 1995 the US Defence Department logged 250,000 attempts to hack (or break into) their computers, two thirds of which were successful at obtaining some form of access.

Last January hackers allegedly broke into the computers of the defence team of Timothy McVeigh - who recently went on trial accused of the Oklahoma bombing - and a copy of a confession supposedly made by McVeigh to his lawyers was then published on the World Wide Web.

A spectacular crime was committed by a group of Russian hackers who transferred over $10 million to themselves from the accounts of an American bank. At least one alleged member of the group was arrested and is currently in England awaiting extradition to the US. Banks and other major companies, fearing bad publicity, seldom admit to such breaches of security. In this case their fears were justified - the bank lost its top 20 customers to rivals who claimed to have better security. As a result it is difficult to view this problem clearly, but the fact that North American companies are estimated to have spent $6 billion on network security in 1996 should suggest the problem's size.

Like many other countries, Ireland has legislation specifically enacted to deal with backers, the Criminal Damage Act (1991). This contains two basic computer offences:

READ MORE

. the offence of using a computer to access data without authorisation (punishable by up to six months in prison);

. the offence of damaging data by adding to, altering, corrupting, erasing or moving data or to make an omission causing damage to data (punishable by up to 10 years imprisonment).

The prosecution of crimes such as these is very difficult and there has never been a conviction in Ireland for a computer crime under this Act. Hackers are adept at retaining anonymity, destroying evidence of their crimes and disguising the location from which they are working.

The international nature of the Internet creates its own difficulties - there is nothing unusual about a Russian hacker breaking into a computer in the US or an English backer breaking into a computer in the US and using that access point to break into a computer in South Korea. While committing an international computer crime may be comparatively easy to do, deciding questions of international jurisdiction and applying for extradition are long and costly processes.

These difficulties could be exacerbated by deficiencies in the Criminal Damage Act itself. Absent from it are definitions of important terms such as "computer" or "data", which may make it difficult to decide whether the Act has any application to a particular case. Even if prosecutors can establish that a certain person accessed a computer and damaged data held on it, they will also have to establish that it was done "without lawful excuse".

The Act makes every use of a computer a potential offence; however, owners of computers and anyone that they allow use their computer such as their friends or employees will escape prosecution as they will be deemed to have a "lawful excuse". So although the Act has a very broad scope, it also has very wide loopholes.

Computer crime law might be reformed by stipulating that security measures must be overcome before an offence is committed. This would limit the scope of the Act but it would have the benefit of encouraging the use of security measures. The Internet's infrastructure is currently not protected from acts such as "Denial of Service" attacks which overload a computers communications by sending it thousands of messages. Holding passwords to which a user is not entitled might also be made an offence.

It may seem unrealistic to suggest reforming the Criminal Damage Act after only six years - Ireland is extremely bad at law reform. Irish frauds are likely to be prosecuted under legislation which predates the foundation of the State, if not from the last century. Yet the reality is that the Criminal Damage Act is poorly designed to deal with computer crime.

Ireland is increasingly reliant on the computer industry - and on other service industries which rely on computers such as telesales - for economic growth and new jobs. The computer systems which underpin those industries should be protected by modern legislation specifically designed to deal with their problems.