The recent attacks on high-profile websites such as Yahoo, Amazon and E-Trade have focused attention on computer crime as never before. Such attacks come at a high price. Some estimates put the cost of protecting institutional networks from attack at 2.5 per cent of world-spending on information technology, which would add up to some $25 billion in 1999.
In the face of this threat, Ireland created several computer crime offences in the Criminal Damage Act 1991. Yet the reality is that convictions for computer crime are the exception and not the rule. Even in the US, computer crime laws appear to be little used.
In 1998, US federal agencies such as the FBI referred some 417 cases of computer fraud for federal prosecution. Only 20 per cent of these were prosecuted, resulting in 47 convictions. In contrast, 50 per cent of the 132,772 criminal cases of all types were referred for federal prosecution.
Considering the attention given to computer crime, the low rate of detection, prosecution and conviction is surprising. One reason may be that computer crime is very difficult to detect. Most offenders want to remain anonymous and their activities may only become obvious when they crash a system.
The victims of computer crime may also be unwilling to publicise the inadequacies of their systems for fear of attracting more attacks, or of frightening their customers. Even where it is suspected that crackers have caused damage, it may be difficult to prove in court.
Software is notoriously unreliable. The US Department of Defence suggests that a typical 1,000 lines of computer code will contain between five and 15 flaws. In any criminal trial the prosecution would have to prove beyond reasonable doubt that damage was caused by the specific actions of an individual and not by one of the "normal" flaws. This may be difficult and expensive.
As a result, attention may be focused on the offence which is easiest to prove, that of "unauthorised access". In Ireland this is made an offence by section five of the Criminal Damage Act 1991, and carries a maximum penalty of a £500 fine or three months' imprisonment. This penalty is relatively slight - faking your Leaving Cert results for instance, could get you up to six months in jail under the Education Act 1998. The law in Ireland is due to be reformed, however, as the Department of Justice has been promising a new Fraud Bill for well over a decade.
Apart from attacks on websites, another persistent problem is the computer virus. Dealing with the virus threat is estimated to have cost the global economy some $12 billion in 1999. The fact that Ireland's computer crime law is contained in an act primarily directed at problems such as vandalism and arson is not a coincidence and section two of the Criminal Damage Act makes it an offence to "damage" data without a lawful excuse.
This offence can be criticised for being too specifically focused on one particular form of criminal activity. Not all crackers or virus creators will want to cause mayhem by altering, corrupting, erasing or moving data. A reform of the law might broaden the offence and make it easier to prove in court.
A reform of the Irish law might also introduce a provision similar to that in the US Computer Fraud and Abuse Act 1991 which makes it an offence to send a computer system "a program, information, code or command" with reckless disregard to the fact that the system may withhold service.
However, the focus of the computer crime debate has shifted. Until recently it was feared that crackers would cause economic chaos by interfering with banking, telecommunications and other systems. Now the fear is that the perceived lawlessness of the Internet may damage the prospects for e-commerce.
The latter would cost money in many ways. E-commerce businesses would have to spend more on security; the dangers of online fraud might be used to justify higher credit card charges to online retailers; and e-commerce growth may slow as consumers be come reluctant to shop in an environment they perceive to be unsafe.
A reform of the law on computer crime will have to take place as part of a wider reform of the law on fraud, a reform last carried out in 1916. As the Irish economy grows and as e-commerce becomes a greater part of that economy, this reform becomes more vital.
Denis Kelleher BL (deniskelleher@ireland.com) is a practising barrister and co-author with Karen Murray BL of IT Law in the European Union, Sweet & Maxwell (London), 1999