VX Heavens


Rogue Computer Programs - Viruses, Worms, Trojan Horses and Time Bombs: Prank, Prowess, Protection or Prosecution?

Anne Branscomb
Harvard University, Program on Information Resources Policy, I-89-3
September 1989


Incidental Paper

Anne W. Branscomb
Program on Information Resources Policy
Harvard University
Center for Information Policy Research
Cambridge, Massachusetts

An incidental paper of the Program on Information Resources Policy.

Project Director
Anthony G. Oettinger

The Program on Information Resources Policy is jointly sponsored by Harvard University and the Center for Information Policy Research

Chairman
Anthony G. Oettinger

Managing Director
John C. LeGates

Executive Director
John F. McLaughlin

Executive Director
Oswald H. Ganley

Anne W. Branscomb is a communications lawyer and author associated with the Program.

Incidental papers have not undergone the reviewing process the Program requires for formal publication. Nonetheless the Program considers them to merit distribution.

Copyright © 1989 by President and Fellows of Harvard College. Not to be reproduced in any form without prior written consent from the Program on Information Resources Policy, Harvard University, 200 Aiken, Cambridge, MA 02138. (617)495-4114. Printed in the United States of America.

Acknowledgments

The author wishes to acknowledge the cooperation and assistance of J. J. BloomBecker, Harvie H. Branscomb, Whitfield Diffie, Thomas Guidobono, Leigh Haddon, Donald G. Ingraham, Phyllis Kahn, Daniel J. Kluth, Daniel Knauf, Larry Martin, Davis McCowan, Ronald Palenski, Marc Rasch,* Douglas Riggs, and Clifford Stoll.

These individuals and the Program's affiliates are not, however, responsible for or necessarily in agreement with the views expressed herein, nor should they be blamed for any errors of fact or interpretation.

* Mr. Rasch did not comment on the Internet Worm.

Executive Summary

In the late 1980's the computer world has awakened to a new threat to its health - an infestation of various maladies which, collectively and sometimes erroneously, have been called "computer viruses". A Hebrew University computer scientist has compiled the characteristics of 58 virus strains [87] (see Appendix A) and ADAPSO, the software trade organization, reported a 10-fold increase in viral infections from 3000 in the first two months of 1988 to 30,000 reported during the last two months of the same year. [75]

Lawyers and legislators have become equally concerned whether or not the people responsible for these various electronic malfunctions can be or should be prosecuted under existing statutes. The purpose of this exercise is to review several of the most recent incidents, to review existing state and federal statutes which might cover these sets of facts, and to summarize the bills pending in Congress and considered by several state legislatures in the spring of 1989.

I. Recent outbreaks of rogue computer programs

A. The Internet Worm

A disease, not unlike the bubonic plague of medieval times, struck the computer world on the evening of Wednesday, November 2, 1988. Of a universe of about 60,000 computers which might have been infected by the strange malady, some 6200 (or about 10%) were slowed down to a halt by what computer specialists call a "worm" and the uninitiated term a "virus" because it spreads rapidly from victim to victim [see infra, II, for definitions]. Injected into the ARPANET, a computer communications system created for academic users by the Defense Advanced Research Projects Agency (DARPA), the "worm" quickly replicated itself into MILNET, an unclassified network of the Department of Defense, and INTERNET, which interconnects some 400 local area networks supported by DARPA and the National Science Foundation. [109] Within a few hours, the electronic highways were so congested with traffic that computer specialists around the country went scurrying to their consoles trying to contain it. [75] Indeed, the rogue computer software, or sorcerer's apprentice, [105] multiplied so rapidly that efforts of its creator to impede its growth were not effective. [6,74] Eventually major computer centers around the country were involved, including NASA Ames Laboratory, Lawrence Livermore National Laboratory, SRI, MIT, the University of California at both the Berkeley and San Diego campuses, the University of Maryland, Purdue, and the Rand Corporation. It was some 48 hours before calm was restored and the computer networks were back to normal. [41,71,90a]

According to the Computer Virus Industry Association, whose members sell "vaccines" to assist in the rehabilitation of such infestation of computer software, the siege caused an estimated $96 million [19] in labor costs to contain by clearing out the memories of the computers and checking all the software for signs of recovery. Other estimates run as high as $186 million [54]. In the aftermath, more sober minds have calculated that more likely fewer than 2000 computers were affected and the value of the "down time" was closer to $1 million. [105]

According to the experts, no actual damage to the computer hardware or the computer software was inflicted, e.g. no files were destroyed, no software was wrecked, no classified systems were compromised. [111] As a consequence it is not clear that any crime was committed, although a team of investigators went to work immediately to determine whether to indict. It was expected that the INTERNET worm would become the first prosecution under the federal Computer Fraud and Abuse Act. However, there have been two convictions (Mitnick and Zinn) prior to the indictment of the "worm" originator in July 1989. [116] Most computer crime laws require an intent to inflict harm, which was allegedly lacking in this case, [74,109] although some computer scientists purport to identify felonious intent in the subroutines which were encrypted, erased and reconstituted in a manner designed to confuse pursuers on the trail of the intruder. [101]

As the alleged perpetrator was a first year graduate student at Cornell University, there is unlikely any personal source of financial largesse for money damages to be paid under tort law, although his behavior can likely meet the tests of ordinary negligence as well as reckless disregard for the consequences. It is conceivable that some tort action law would lie against Berkeley, where the UNIX program was issued (without charge to other universities) for permitting the imperfections in the software which facilitated the intrusion, to remain uncorrected. However, many computer programmers found this "trap door" [115] a convenience which did not in any way harm ordinary users. Thus it might be difficult to show that the "trap door" per se was either negligent or the proximate cause of the harm which occurred. It is also possible that a suit in tort might lie against one of the universities for failure to exert due supervision over its authorized users, although Cornell has completed an extensive investigation purported to exonerate it from any actionable negligence. [71] The National Center for Computer Crime Data has reported no damage suits filed against computer network or service providers. [27]

Certainly the methodology was clandestine. According to friends, the student entered the virus remotely via a computer at MIT. [56] The program code was encrypted and designed to assume the identity of other users and report back to a remote computer suggesting an audit trail that would lead to other points of entry as the source of the questionable code. [101]

Ironically, the alleged culprit (who reportedly danced on the desk top when he discovered the "trap door" in the Berkeley version of UNIX through which he could insert his computer program) [74] is a bright young 23 year old graduate of Harvard University where he was so trusted that he was given "super user" status on the Aiken Computers in order to assist in their maintenance. [56,111] Friends reported that his motives were to test the vulnerability of the system in order to learn how to make it more secure. [48]

Young Robert T. Morris, Jr., or RTM as he is known for his computer "log-on" ID, is the son of the chief scientist of the National Computer Security Center, a nationally recognized and highly respected expert on computer break-ins, a 26-year veteran of the Bell Telephone Laboratories, and (not entirely coincidentally) one of the three designers of the first known computer virus played as a high tech recreational game (CORE WAR) by computer programmers after hours to hone their skills. [41] Indeed, Robert T. Morris, Sr., testified before Congress several years ago, in an inquiry into the effects of computer viruses, that it would be a good omen if young computer scientists were so skilled as to be able to write such sophisticated programs:

The notion that we are raising a generation of children so technically sophisticated that they can outwit the best efforts of the security specialists of America's largest corporations and or the military is utter nonsense. I wish it were true. That would bode well for the technological future of the country. [111]

Thus the nature of the incident and the identity of the initiator suggest a dilemma as to whether or not criminal punishment is appropriate under the circumstances. Many computer scientists have been reported to predict that the younger RTM will mature and "make important discoveries in the computer field". [93] Indeed, among some of the young computer literati (often referred to as "hackers"), RTM is looked upon as a folk hero. [90] Even among the more seasoned citizenry, many equate RTM's behavior with that of Matthias Rust, the young German, who flew his small plane through the Soviet border controls and landed in Red Square. [48] Some even laud the invasion of the INTERNET worm as precipitating a therapeutic look at the security of the systems, because the incident has sent multitudes of computer professionals to the drawing boards to design more impenetrable network environments. [38,56,73,111]

However, a more secure system may be a deterrent to the flexibility and openness which have characterized the UNIX operating system, originated by AT&T and designed to encourage the open network access which facilitates intercourse among multiple users.

Federal officials were, according to published reports, at odds on the nature of the indictment. The U.S. Attorney for the Northern District of New York (where the entry point to the network originated at Cornell) [71] was reported to favor plea bargaining a misdemeanor conviction in exchange for further disclosure of the circumstances surrounding the incident, whereas the Department of Justice lawyers and the Federal Bureau of Investigation reportedly favored felony charges as a deterrent to would-be computer hackers, telephone "phreakers" and other assorted pranksters. [1,90]

On the other hand, if criminal laws are not the answer, and tort laws not efficacious, what sanctions are appropriate to deal with reckless drivers on the electronic highways of the future?

B. The Aldus Peace virus

On March 2, 1988, the anniversary of the advent of Apple Computer's Macintosh II and SE models, the following message popped up on the monitors of thousands of Macintosh personal computers in the United States and Canada:

Richard Brandow, the publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world. [106]

Beneath the message appeared a picture of the globe. Brandow, publisher of a computer magazine based in Montreal, Canada, acknowledged in a telephone interview to an Associated Press writer that he had written the message. However, he only intended to show how widespread software piracy had become and expected the "virus" to make its way around a limited perimeter centered on the Montreal area where he had made disks available containing the message in question. The message had been conceived some year or so earlier and previously tested by its designers - a co-worker, Pierre M. Zovile, and Drew Davidson of Tucson. [41,53,57,106] According to Brandow, it was imbedded in a popular game program called "Mr. Potato Head" and left on a Macintosh in the offices of MacMag, a popular gathering place for Macintosh users, for only two days during a Mac users conference. [106]

The message later turned up in Freehand, a program distributed by the Aldus Corporation, a software company based in Seattle, Washington, precipitating the recall of some 5000 copies of the program. [106] This is the first known contamination of off-the-shelf (commercially marketed) software, since it had been assumed in the past that such viruses were distributed in freely exchanged disks or on electronic bulletin boards. [63] The transfer to commercially marketed software was accomplished, without his knowledge, by Marc Canter, President of Macromind, Inc., of Chicago, Illinois, who reviewed the infected disk on a computer which was later used for copying of a self instructional program intended for distribution by the Aldus Corporation. Less than half of the duplicated disks were actually distributed to retailers, but the computer industry has become permeated by fear of viral contamination, as many of the major software companies are customers of Macromind, including Ashton-Tate, Lotus, and Microsoft. [63]

Canter claims that Brandow gave him the disk, but Brandow denies doing so, although he admits meeting Canter. Lotus, Microsoft, and Apple claim that none of their products has been contaminated, and Ashton-Tate has declined to comment. However, Apple hastened to design and give away for free on many electronic bulletin boards and networks, a vaccine which would remove hidden code in tainted programs. [106]

According to the best available information, the program was "benign" in that it destroyed no files, interfered with no functions, and erased itself after popping up on the computer screens as triggered by its timing device on March 2, 1988. [57,63]

C. The Pakistani Brain

In the late spring of 1988, Froma Joselow, a reporter for the Providence Journal Bulletin, of Providence, Rhode Island, booted a disk containing the last six months of her work product including the notes for the article she intended to write. After writing the article, she entered "PRINT", but the screen came up blank then displayed the following "advertising message" on her computer monitor [41]:

WELCOME TO THE DUNGEON
©1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
[address and telephone in Lahore, Pakistan]
Beware of this Virus
Contact Us for Vaccination [59]

This was a well designed and cleverly executed device by two Pakistani brothers, Amjad Farooq Alvi (age 26) and Basit Farooq (age 19), who studied physics at Punjab University, taught themselves computer programming, and operated a small computer store in Lahore, Pakistan. According to an interview given to a reporter for The Chronicle of Education, Basit admitted introducing the message, which was well hidden within popular software, such as Lotus 1-2-3 and Wordstar, "for fun". [59] He disavowed any knowledge of how it came to reside in the computers of the Providence Journal Bulletin or on the disks of hundreds of students at the Universities of Pittsburgh, Pennsylvania, Delaware, George Washington, and Georgetown. [53]

Later Amjad admitted that their original intentions had been to protect their own computer software from local pirates who would have to contact them to decontaminate the disks which had been copied rather than purchased. [53] As the program evolved, however, it was deliberately imbedded in commercially available and copyrighted software which the Farooq brothers sold to foreigners, especially Americans. "Because you are pirating, you must be punished", Amjad was quoted as saying, thus admitting to be an accessory to a form of electronic lynching in order to punish foreigners who were contravening their own law while Amjad was selling uninfected disks to his own countrymen. Computer software was not then covered by Pakistani copyright statutes, so it was quite legal, under Pakistani law, to import from abroad expensive issues of computer software and resell copies on the domestic Pakistani market for as little as $1.50. [41]

According to Harold Highland, editor of Computers and Security, the Pakistani Brain virus was very sophisticated and cleverly designed. [59] It never infected a hard disk and was quite media specific, imbedding itself only into DOS formatted disks. One admirer complimented Amjad, "This virus is very elegant. He may be the best virus designer the world has ever seen." [41]

However, this brotherly calling card was quite destructive, attacking the disks primarily of university students and journalists. It was less troublesome systemically, because it did not attack hard disks or main frames or enter any widely used computer networks. However, at least one PhD thesis was destroyed, and various versions continue to erupt in one part of the world or another. For example, a second infestation of the Pakistani Brain virus erupted in November 1988 in the School of Business at the University of Houston, this time in a slightly modified version but with the old copyright notice! [56]

It is difficult to ascertain how many users were affected as the reports vary from a few hundred to more than 100,000 IBM PC disks with an estimated 10,000 at George Washington University alone. [41]

D. The Burleson revenge

On September 21, 1985, an employee of the USPA & IRS, Inc, a brokerage house and insurance company in Fort Worth, Texas, discovered to his dismay that 168,000 of the firm's sales commission records had vanished without a trace. The only clue was an unusual entry into the computer at 3:00 a.m. earlier that morning, a time when no employee should have been operating the system. Working all weekend, the MIS crew restored the records from backup tapes, thinking they had repaired the damage. On the contrary, when other employees reported for work on Monday morning and turned on their computer consoles, the entire system "crashed" and became inoperable. Reconstructing the pathway to this crisis, the audit trail led to an instruction "power down" which was invoked by a simple retrieval command. The computer professionals referred to the intricately designed software as "trip wires and time bombs" designed "to wipe out two sections of memory at random, then duplicate itself, change its own name, and execute automatically one month later unless the memory area was reset." [64] No permanent damage was done to the system and the MIS staff were able to reconstruct the system from scratch including installing a new operating system from IBM. [79]

The breach of security was eventually determined to be the work of an employee, with access to all of the passwords of the company, who had been dismissed three days earlier. Donald Gene Burleson, who was variously described as arrogant, rebellious against authority, and a superbly skilled programmer, was ultimately indicted and convicted of computer abuse under the Texas Penal Code [SS. 33.01-.05] which permits a felony charge to be filed if the damage exceeds $2500 from altering, damaging, destroying data, causing a computer to malfunction or interrupting normal operations. Moreover, the Texas statutes provide for a misdemeanor of using a computer or accessing data without the consent of the owner. Burleson was likely guilty of all of the above. There was no question that there was "malice aforethought" as the "power down" function had a creation date of September 3, almost three weeks before the execution. Burleson's dismissal came not from any lack of skill in the execution of his normal duties; it came from his "misuse" of the company's computers to aid and abet in his philosophical and fanatical opposition to the income tax in his support of the now jailed Irwin Schiff, who propounded its unconstitutionality. [49]

E. Other well-known viral infections

One of the earliest virus outbreaks, which was treated as a hacker's prank, was the program known as "The Cookie Monster". When serious students were busy at their consoles a message would pop up on the screen "I want a cookie!". The message would not go away, thus disabling further work, until the weary student figured out that it was necessary to enter "COOKIE" on the keyboard. [58] In a similar vein is the PAC MAN program, considered by some to be a "delightful hack", which devours the file on the screen, and the PING PONG (or Italian) virus which bounces ping pong balls across the screen. [36] Other more deleterious programs devoured all memory then gloated on the screen with a message which said "Arf, arf, Gotcha!" [41]

Most of the earlier "virus" programs were characterized as more or less harmless computer games. These replicated in the electronic environment the not always benign tricks or pranks which college students play on each other. A more devastating prank was a program listed as RCK.VIDEO with an animation featuring the popular singer Madonna which erased all files while she was performing then announced to the bewildered viewer, "You're stupid to download a video about rock stars." [41]

Not quite so benign in its consequences either was the IBM Christmas card which was innocently sent to a friend by a West German law student through the European Academic Research Network (EARN) in early December of 1987. [85] The message, with a Christmas tree graphic, was sent through an electronic mail system designed to resend itself to all addresses on the addressees' mailing lists. [76] So promptly did this message propagate itself that the entire internal IBM messaging system, which reaches 145 countries, was brought to a halt by the runaway Christmas spirit. [53] IBM only acknowledged to its employees on December 14, 1987, that a "disruptive file" entitled "CHRISTMA.EXEC" had produced "an excessive volume of network traffic" and was an inappropriate use of IBM assets. [4]

The "viruses" described above had no special capability to violate security except by discovering and copying names and addresses, passwords, or ID's. Thus it is assumed that no high level secured computers have been compromised by destructive rogue programs. However, much publicity has circulated concerning the antics of members of a computer club in Hamburg, West Germany, called CHAOS, whose presence has been perceived in numerous high level government computers in Europe and the United States. [76] According to Herwart "Wau" Holland (age 36), the club's founder, the entire purpose of the club is creative and benevolent - e.g. to increase the flow of public information which is tightly held and controlled by overly zealous public authorities. [96] Indeed, the group were said to be quite instrumental in keeping the press well-informed concerning the Chernobyl incident, contradicting official reports designed to calm the fears of the population. [53]

Systems managers who have diligently observed the persevering and plodding efforts to crack open the closed computer networks are not so kind in their characterizations of these electronic "break-ins", since it is impossible to tell the difference between voyeurism and espionage. [105] Also unimpressed are security officers of the systems who find that their protective protocols have been penetrated when they discover the "calling cards" left by CHAOS members. So far these have been benign and seem to fall in the category of the "Kilroy was Here" graffiti which adorned many edifices during World War II. The primary vice other than "unauthorized entry" would appear to be publicizing the methods used for "breaking and entering". [28]

Not everyone condemns the activities of the CHAOS Computer Club. Some observers applaud the efforts of these electronic Robin Hoods to disseminate the riches of the information age to the information poor. [70,96,102] As for CHAOS, its leaders disavow any purpose other than to expose excessive government secrecy to a little therapeutic sunlight.

Most of the highly sensitive national security and financial industry systems have either not been breached or those who have suffered viral maladies are not admitting to any harm. However, a number of intracorporate networks have been invaded and recently the Databank System, Ltd., in Wellington, New Zealand, was the first electronic funds transfer system to admit publicly that it had been infected with a virus which read "Your PC is Now Stoned! LEGALIZE MARIJUANA!" [56]

On Friday, January 13, 1989 hundreds of commercial and home computers in the United Kingdom reported what was assumed to be a reappearance of the virus which had been identified in Israel at the Hebrew University before it sprang to life on a previous Friday, May 13, 1988. [2,51] A similar "Friday, the thirteenth, virus" invaded the international network of the Digital Equipment Corporation (DEC) in January of 1989. [90]

The Soviet Union has not escaped infection, as Sergei Abramov, a computer specialist at the USSR Academy of Sciences revealed on Radio Moscow in December 1988. A group of Soviet and foreign school children attending a summer computer camp unleashed the "DOS-62" virus which affected 80 computers at the academy. Prior to August of 1988, there had been no evidence of such infestations, but since then two distinct viruses have turned up in at least five different locations. [82]

Clearly, the virus epidemic is a global problem which cannot be contained merely by state or even national laws but will likely require a considerable amount of coordination at the international level if the electronic highways are to be safe. However, the problem of containment cannot be any more challenging than controlling the highwaymen of medieval times or the pirates of the high seas.

II. Types of afflictions

In order to understand better the analysis of current laws and their efficacy it is useful to distinguish between the terms used to apply to various outbreaks of electronic maladies. These are summarized in Table 1.

Table 1. Case Studies: Types of Rogue Programs

Type of rogue program:  Virus             Worm                 Trojan Horse          Time Bomb
Name of rogue:          Pakistani Brain   RTM's Great "Hack"   Aldus Peace Message   Burleson's revenge

Benign                                    v                    v
Malicious               v                                                            v
Protective              v
Disruptive                                v
Destructive                                                                          v
Costly                                    v                                          v
Punitive                v
Prowess                                   v                    v
Revengeful                                                                           v
Instructive                                                    v
Prankish                                                       v

© 1989 President and Fellows of Harvard College. Program on Information Resource Policy.

  1. VIRUS - according to most computer experts, a virus is, like its namesake, a carrier of electronic messages which not only invades other programs but is designed to modify the invaded hosts and to replicate itself. The prosecutors in the Burleson case in Fort Worth, Texas, did not characterize that situation (deliberate destruction of data within the company's mainframe computer) as a virus. However, the expert witness for the defendant did so characterize the program, because it was so designed that it deleted itself once it had finished its monthly rampage. It then erased its trail but not without replicating its destructive capability in another set of programs with a different sequence of names which remained present to become active the following month.
  2. WORMS - take up residence as a separate program in memory thus proliferating and using up storage space which may slow down the performance of the invaded computers and/or bring them to a halt. According to researchers at the Xerox Palo Alto Research Center a worm is "simply a computation which lives on one or more machines" segments of which remain in communication with each other [97a].
  3. TROJAN HORSE - a desirable program which contains a parasite or viral infection within its logic which is undetectable upon casual review.
  4. TIME BOMB (OR "LOGIC BOMB") - an infection intended to launch its attack at a preset time. The Aldus virus was a "time bomb" triggered to display its message on March 2, 1988, whereas the Hebrew University "time bomb" was triggered to go off on every Friday 13th, and the Burleson "time bomb" was designed to destroy the company's files monthly.

III. Motivation of the intruders

An analysis of the purposes for which these rogue programs are written discloses the following, as listed in Table 2:

Table 2. Motivations of Intruders

Motivations
A. Pranks
B. Protection
C. Punitive
D. Prowess
E. Peeping
F. Philosophy
G. Potential sabotage
H. Poverty
I. Power

© 1989 President and Fellows of Harvard College. Program on Information Resource Policy.

  1. PRANKS - These would appear to be overwhelmingly the most numerous and, in most cases, benign.
  2. PROTECTION - In many cases, the motivation seems to have been an exercise in understanding how to penetrate systems in order better to protect them. Indeed, such penetration of security systems has demonstrated skills which have led some of the "hackers" into employment as security consultants. Now that the authorities are cracking down on unauthorized entry and use of computer resources, some of the new breed of "hackers" express genuine consternation at the change in expectations.
  3. PROBATIVE AND/OR PUNITIVE - In some cases the purpose has been a self-described posse, as in the case of the Farooq brothers. They originally sought a way to track piracy by forcing the software pirates back into their computer shop to charge them for stealing product which the local law did not protect and ended up imbedding their own deadly poison to punish foreign customers for what they perceived to be unethical purchases of their own countrymen's product.
  4. PROWESS - Much of the unauthorized entry would appear to be accomplished by young computer enthusiasts seeking thrills by exercising their computer skills. This appears to be by far the most prevalent motivation among the so-called "hackers" such as RTM, many of whose young admirers thought he had achieved the "ultimate hack". Indeed, the original use of the word was to describe programmers who were capable of writing elegant code which was the envy of their colleagues. In this respect the "hackers" are not unlike the "hot rodders" of the 1930's who souped up the engines of Model T Fords and learned mechanical skills to which was attributed much of the success of the technical support in World War II. [38]

    Most "hackers" become responsible professionals as they grow older, leave protected and subsidized academic computer networks, and have to earn their own way in the world. However, some of these apprentices have turned their skills to damaging and socially unacceptable behavior. Indeed, the lawyer for Kevin David Mitnick (well known in the computer world by his moniker "Condor" and convicted in early 1989 under the federal computer fraud act), described his miscreant behavior as efforts to achieve self esteem, "an intellectual exercise ... [to] see if he could get in. It's Mt. Everest - because it's there." [83] The director of the Computer Learning Center in Los Angeles, where he was a student, described his skills as quite outstanding. [89] "Hackers", such as Mitnick, can be characterized as "technopaths", a term coined by A.K. Dewdney. [75]

  5. PEEPING - This would appear to constitute a sort of electronic voyeurism. Such unauthorized entries would not qualify as "viruses" unless the voyeur left a "calling card" which contained a self-replicating message.
  6. PHILOSOPHY - Many of the computer "hackers" look upon information as a public good which should not be hoarded; therefore, entry should not be prohibited. They can be characterized as "Information Socialists" who believe that all systems should have open access and their contexts be shared. This view is best expressed by Richard Stallman of MIT's artificial intelligence laboratory, a dedicated lobbyist for this point of view. [102] He claims that the aberrant ones are those who try to fence off information systems and stake out property rights in what should be, like the high seas and outer space, "the common heritage" or "the province of mankind".
  7. POTENTIAL SABOTAGE - There has, as yet, been revealed to the public little evidence of the work product of terrorists invading computer systems, although there have been reports that both the Central Intelligence Agency (CIA) and the National Security Agency (NSA) are experimenting with the use of viruses as a strategic weapon. [86] The Pentagon announced in early December 1988 that it had established a SWAT team to combat invasive programs such as the INTERNET worm. [12a,17] Administered by the Computer Emergency Response Team Coordination Center, the team is on 24-hour alert. [75]

    There is evidence that some of the systems purported to be the most secure in design have been penetrated by voyeurs if not by viruses. The young accomplice of Mitnick who turned him in to the authorities was quoted as saying, "Our favorite was the National Security Agency computer because it was supposed to be so confidential. It was like a big playground once you got into it." [3a] Mitnick, who was well known to law enforcement officers around the country, was called by them "an electronic terrorist" who was addicted to breaking into secure computer systems. [62] Ironically or perhaps justifiably, the last caper (among many for which he was convicted) was theft of a new program designed by Digital Equipment Corporation to help users identify such unwanted invaders as Mitnick himself. [15]

    Many computer scientists and government officials fear that the pranksters and computer professionals who manipulate the software "for fun" or "for fame" may instruct potential saboteurs and terrorists on how to achieve their more destructive purposes. Thus there was a substantial disagreement among computer scientists over the request by the National Computer Security Center (NCSC) for Purdue to keep secret the details of the INTERNET worm's source code, which they decompiled. [13] Many managers of information systems are opposed to such secrecy, because they want to know the internal structure of the offending code in order to better protect their computers from further attack of viral infections.

    Thus one question for legislators and educators is how to provide a challenging electronic playground in which young apprentice programmers can cut their teeth without wreaking havoc on the nation's privileged and/or proprietary strategic, financial, and commercial networks.

  8. POVERTY - Many of the perpetrators in the electronic environment, as in the physical environment, simply want something they don't have and use whatever means are available to them to acquire what they desire.
  9. POWER - Some unauthorized entry is motivated merely by a desire to exert control over the environment in which the entrant has some skills which are superior to others operating in the same environment. They can be characterized as the "bullies" of the playground. The difference is that their playground is an electronically mediated rather than a physically contained "playground".

IV. Perpetrators

Table 3. Types of Perpetrators of Rogue Programs

Perpetrators
A. Employees
B. Software distributors
C. Pranksters
D. Professionals
E. "Cyberpunks"
F. Saboteurs and terrorists

© 1989 President and Fellows of Harvard College. Program on Information Resource Policy.

From a review of the above cases, it would appear that there are a variety of perpetrators, some of whom can easily be characterized as maliciously motivated but many of whom cannot. These include the following, summarized in Table 3:

  1. EMPLOYEES - Most of the devastating incidents are caused by authorized employees acting outside the scope of their employment for their own benefit or to the detriment of the organization. Certainly this was the case with Donald Gene Burleson, the first person convicted under a state law for behavior characterized by his own expert witness as inserting a computer virus. The number of such incidents is unknown, since it is thought to be information tightly held by the companies afflicted. Indeed, in one known case the employee was dismissed quietly but given a lavish going away party to disguise the nature of his exodus from the company. [53]
  2. SOFTWARE DEVELOPERS - Developers of software initially turned to protected disks which performed not at all or badly when copied without authorization. These contained "bugs" or malfunctions deliberately written into the software code in order to prevent piracy. This was the case with the Pakistani Brain Virus. There is likely to be less of this type of situation as the major software firms discovered that sales were inhibited by substantial user abhorrence of this technique.

    However, it is well known that some software programs have imbedded, within their code, logic sequences designed to disable use of the programs at the termination of a lease. Thus laws designed to reach secret messages entered without notifying the user might overreach their intended purpose and catch in their net practices considered by the industry as both efficacious and desirable.

  3. PRANKSTERS - The word pranksters is used more aptly than "hackers" to describe young computer users, mostly in their teens, attempting to develop their computer skills and deliberately, but usually not maliciously, entering systems purportedly closed to them. Damage, when it occurs, is usually characterized by ineptness rather than intent, since their intent is merely to "beat the system" to prove how clever they are. This type of incident is characterized by the so-called "Milwaukee Microkids" who ran rampant through many of the major computer systems of the U.S. government and played havoc with the monitoring systems of cancer patients in a New York city hospital in 1983. The FBI took concerted and coordinated action against the "microkids", seizing the computers of a number of these youngsters, in order to send a message of disapproval to all potential pranksters. [11]
  4. PROFESSIONALS - In this category should be included the so-called "hackers", a term which originally applied only to skilled computer programmers who genuinely felt that computer systems should be open. Such "hackers" believed the effort to improve computer software was an ongoing process in which all the "cognoscenti" should be able to participate, and they were committed to designing advanced computer hardware and software. [70] The Cornell report carefully avoids using the word "hacker" pejoratively. [71]

    Because of the detrimental consequences of some of the "hacking", the term has been used in the press to mean skilled computer professionals or students with an intent to perpetrate an antisocial act of theft, embezzlement, or destruction. Thus "professionals" fall into three categories: those with criminal intent, those who are apprentices attempting to improve their skills, and those who are deliberately attempting to break into closed systems in order to test their vulnerability and increase awareness of the defects. The latter case is much like the antic efforts of Nobel laureate physicist, Richard Feynman, at Los Alamos, who broke into the safes of his colleagues leaving only an amusing "calling card" to prove his successful entry, thereby proving that they were quite vulnerable to spies. [44a, 45] So-called "tiger teams" have been organized by several government agencies to provide a similar service to stimulate better security measures. [86]

  5. "CYBERPUNKS" - This is a term which has come to be used in describing computer-skilled but anti-social individuals who deliberately disrupt computer systems merely for the joy and personal satisfaction which comes from such achievement. The term is derived from a popular science fiction genre which describes such "cyberpunks" as engaged in sophisticated high technology games. They constitute a form of outlaw society akin to the gangs of teenagers who roam the poverty-stricken areas of inner cities, where young people have nothing better to do to satisfy their egos than take control over their areas of habitation. To some extent the "cyberpunks" are motivated also by a desire to take control over their electronic environment.
  6. SABOTEURS OR TERRORISTS - So far there have been no publicly disclosed incidents of entries resulting in deliberate destruction or interruption of service attributed to terrorist groups, although there have been incidents of espionage. However, there is much apprehension among computer security officials that terrorists are capable of acquiring sophisticated computer programming skills and may apply them to the many networks upon which international commerce, finance, and industry have come to rely. [53a]

V. Coverage of state statutes

Although only one of the 50 states (Vermont) does not have some kind of computer crime or computer abuse law, the Burleson case is the first conviction under one of them for inserting into a computerized environment what has been characterized by some (but not by others) as a computer virus. Thus its implications have created much interest among law enforcement officers and computer professionals concerning this new threat to computer integrity. Unfortunately, the case does not offer much insight into the applicability of other state laws to computer virus cases. It was a rather clean cut fact situation in which the perpetrator was a disgruntled employee who had been dismissed but retained access to the security codes of the company. His retaliation was easily proved to be maliciously inspired. Moreover, the prosecution was conducted by a young prosecutor who was skilled and understood the nature of the behavior which was offered in evidence in the trial. However, the brightest spot in retrospect is that the jury disclaimed any difficulty in following the case or in reaching its conclusions. [79]

The long delay of the prosecutors deliberating whether to indict RTM in the INTERNET worm case demonstrates the difficulty in proving beyond a reasonable doubt that criminal behavior has occurred without an admission on the part of the perpetrator that such was his or her intent. [56,71] In this case, the audit trail would uncover that the point of entry of the virus into the system was an MIT source and that the program code required the virus to report back to a Berkeley node whenever it succeeded in invading another host. Thus, without the surrounding circumstances of a telephone call to a friend in the Aiken Laboratory at Harvard University warning that "his virus had kind of gotten loose", [109] and the software designer's error in the code which never reported back to the Berkeley computer, an intended saboteur might easily have caused the disruption within the nation's academic networks without leaving a trace of the actual origin.

It can be concluded, from a review of state laws, that they cover a variety of circumstances and fall into several different categories. The Burleson case might have easily been prosecuted under the majority of state laws, because files were destroyed and most of the state laws use the words "alter, damage or destroy". However, it is not so clear that the INTERNET worm situation falls within the ambit of more than a few of the state statutes, since the damage which resulted was loss of memory and inability of the computer networks to accommodate their users in the manner to which they had become accustomed to expect.

The state statutes cover at least 11 distinct categories of offenses which will be discussed sequentially. They are as follows:

A. Definition of property expanded

Typical of the first type are the Massachusetts and Montana statutes. Montana merely defines "property" as including "electronic impulses, electronically processed or produced data or information, ... computer software or computer programs, in either machine- or human-readable form, computer services, any other tangible or intangible item of value relating to a computer, computer system, or computer network, and any copies thereof." [S. 45-2-101(54)(k)]. The Massachusetts statute [chapter 266 S.30(2)] is even more succinct, defining "property" as including "electronically processed or stored data, either tangible or intangible, data while in transit...".

Although the statutes define property as including computer-mediated information, this does not necessarily resolve the problem of a conviction under larceny or theft. Usually the requirement for a conviction is a "taking" with the intent to deprive the owner of the possession or use thereof. Voyeurism with no intent to deprive or harm and/or viruses which have benign consequences, such as the Aldus virus, do not deprive the owner or user of access to or use of any computer files or computer services, except perhaps momentarily while an unwanted message appears on the screen. In the United States, however, unwanted messages are tolerated in many media, e.g. direct mail and television. Thus it must be the apprehension of harm which is the objectionable consequence. Costs are incurred to verify that no damage has been done, and recent legislative efforts are beginning to address this problem. [e.g. Oklahoma, S.1096, Sec.4-C]

B. Unlawful destruction

Many of the state statutes contain the legal words of art "alter, damage, delete, destroy". This would appear to be the most common form of computer abuse statute and sufficient to cover the most dangerous forms of activities. Presumably viral code requires some alteration of the sequences in the computer memory in order to function, but it appears that a worm can be inserted by an authorized user without altering any existing files or the operating system.

On the other hand, the Illinois statute [S.16D-3 and 4] seems to be written more broadly, referring to the crime of "computer tampering". However, this offense includes more particularly disruption of vital services of the state, as well as death or bodily harm resulting from the tampering. This would presumably include modification of medical records which were the proximate cause of death or resulted in the negligent treatment of patients.

C. Use to commit, aid, or abet commission of a crime

Most of the state laws clearly cover use of a computer to commit a crime. Typical of this is the Arizona statute [S. 13-2316] which penalizes the use or alteration of computer programs with the intent to "devise or execute any scheme or artifice to defraud or deceive, or control property or services".

D. Crimes against intellectual property

The Mississippi statutes [S. 97-45-9] provide for a specific prohibition of "offenses against intellectual property" defined as:

Although the act requires that such acts be intentional and not accidental, it does not require that they be malicious or harmful. Thus the most innocent voyeurism, even though no actual damage occurred, could be "accessing" within the meaning of the act. Nonetheless, the magnitude of the penalty is related to the malice or harm.

E. Knowing unauthorized use

The Nevada statute [S.205.4765] is typical of this group of statutes which broadly define "unlawful use" to include "modifies, destroys, discloses, uses, takes, copies, enters", although this does not specifically include the prevention of authorized use by others as in the case of the INTERNET worm. However, the Nebraska statute [28-1347], which contains the phrase "knowingly exceeds the limits of authorization", would likely cover the RTM behavior if it were proved to be as is currently reported.

The Ohio statute prohibits the "unauthorized use of property" [S.2913.04] which is defined to include "computer data or software" [S.2901.(J)(1)] and has what appears to be the broadest prohibition of "...any use beyond the scope of the express or implied consent of, the owner..." [S.2913.04 (D)]. The New Hampshire statute [IV (a)] refers to "causes to be made an unauthorized display, use or copy in any form". These two statutes are surely broad enough to encompass the Aldus virus, which was benign yet disturbing, because users were not assured that it was benign when it popped up on their screens.

F. Unauthorized copying

The New York statute prevents both unauthorized duplication [S.156.30] as well as receipt of goods reproduced or duplicated in violation of the Act. [S.156.35] Very few of the states have included provisions of this type.

G. Prevention of authorized use

About a fourth of the states refer to interfering with or preventing normal use by authorized parties. This presumably would cover the existence of a worm, such as the INTERNET worm, which allegedly did no actual damage to files, software, or equipment but occupied so much space in memory that it exhausted the computers' capacities and prevented normal functioning of the networks. Typical of this type of statute is the Wyoming statute [S.6-3-504] which describes "crimes against computer users" as either "knowingly and without authorization" accessing computer files or denial of services to an authorized user.

H. Unlawful insertion

The Connecticut statute, which is probably the most comprehensive of the state laws, provides for "intentionally makes or causes to be made an unauthorized display, use, or copy in any form of data..." [S.53a-251 (e)]. The Delaware statute also refers to interrupting or adding data [S.935 (2)(b)] and the Mississippi statute includes "insertion" of material without authorization as a specifically prohibited act [S.97-45-9]. It would appear that no harm need occur for these offenses to be committed, although the Delaware statute does key the penalty to the amount of harm resulting. Moreover, a prosecutor may fail to prosecute if the penalty does not seem to fit the nature of the crime. Thus overreaching statutes may not be objectionable, if they are rationally administered. However, the risk is incurred that an overzealous prosecutor might jail a bunch of gifted pranksters, thus jeopardizing the development of a computer-skilled work force.

I. Voyeurism

A few of the statutes cover unauthorized entry for the purpose only of seeing what is there. Thus the Missouri statute [S.569.095 (5)] refers to "intentionally examines information about another person" as a misdemeanor, thus recognizing a right of electronic privacy. On the other hand, the Kentucky statute [S.434.845] specifically excludes from criminal behavior accessing a computerized environment "only to obtain information and not to commit any other act proscribed by this section"; thus mere voyeurism is excluded from prosecution.

J. "Taking possession of"

Several of the statutes refer to taking possession of the computer. It is not clear whether or not this term is intended to cover the kind of anti-social behavior described above as that of "cyberpunks", although actual theft of the computer itself would surely be covered under the normal definition of theft of physical property, so it must be assumed that some other meaning was intended by the drafters. The Wisconsin statute [S.943.70 (2) 4.] prohibits willfully, knowingly, and without authorization taking "possession of data, computer programs or supporting documentation".

It is not clear what behavior constitutes "taking possession of" the computer, or network, memory or files. Perhaps the program known as "the cookie monster" is an apt example of this aberrant behavior. [105] If prosecution is to proceed under such a statute, the aid of computer scientists will be required to describe more particularly what anti-social behavior should be proscribed.

K. Compensatory or punitive damages

Only a few statutes provide for either compensatory or punitive damages resulting from the prohibited offenses, e.g. Arkansas, California, Connecticut, Delaware, Illinois, and Virginia. Arkansas provides [S. 5-41-106(a)] for recovery "for any damages sustained and the costs of the suit... 'damages' shall include loss of profits". Restitution for damages such as sustained by Aldus for the disks infected with the Peace Virus could presumably be claimed under this statute.

Connecticut provides for a fine "not to exceed double the amount of the defendant's gain from the commission of such offense" [S.53a-257], and California permits a civil suit to be brought for "compensatory damages, including any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access." [S.502(e)(1)] This provision would seem to cover the Aldus virus. Although the Aldus virus caused no direct harm which might be the subject of litigation, software developers whose products were suspected to be contaminated did incur substantial expenses in verifying that no harm had occurred. However, for those companies whose products, networks, or software were not "accessed" this avenue for relief might not be adequate.

In summary, state laws seem to be quite varied (see Appendix B for analysis state by state), perhaps too diverse, for an electronic environment in which computerized networks are interconnected both nationally and transnationally. Only a few of the states seem to have addressed the question of venue (e.g. Connecticut S.53a-260; Delaware S.938; Georgia S.16-9-94; Kentucky S.434.860; South Carolina S.16-16-30; Mississippi S.97-45-11; New Hampshire S.638.19; Tennessee S.39-3-1405; Virginia S.18.1-152.10). Georgia seems to have the most comprehensive, granting jurisdiction to "any county from which, to which, through which, any access to a computer or computer network was made". The number of potentially harmful occurrences which straddle two or more jurisdictions is very likely to increase with greater computer connectivity. Thus liberalized venue statutes and jurisdictional harmonization seem highly desirable. Of the cases used herein as examples, only the Burleson case neatly falls within the jurisdiction of only one state, and several involve multiple countries; e.g. the Pakistani Brain, the Aldus Peace Virus, the Computer Chaos Club, the IBM Christmas card.

At a minimum, state legislation can be improved substantially to harmonize the behavior which is considered objectionable and to minimize the likelihood that harmful insertion of viruses will escape prosecution. Yet such legislation needs to be carefully drawn. Otherwise it may sweep up in its net the legitimate experiments of the computer novices whose ambitions to improve their skills need to be encouraged and who would benefit from access to a legitimate "electronic playground" (e.g. Mitnick never owned a computer). [62]

Overly restrictive legislation may handicap the computer professionals who need a reasonably open environment in which to develop new software and to modify it for their own purposes. Such legislation may inhibit needlessly the efforts of computer software companies to provide technological protection. Most lamentable may be the suppression of the very openness and ease of communication which computer networking has made possible. Just as the telephone system becomes more valuable with larger numbers of telephones connected, so it is with computer networks that openness is a virtue to be sought rather than to be prevented. As Clifford Stoll, who stalked the German intruders, has so eloquently stated:

An enterprising programmer can enter many computers, just as a capable burglar can break into many homes. It is an understandable response to lock the door, sever connections, and put up elaborate barriers. Perhaps this is necessary, but it saddens the author, who would rather see future networks and computer communities built on honesty and trust. [104]

Some computer scientists [38] believe that more robust computer systems can be designed which will withstand the invasions of rogue computer programs without diminishing the user friendliness of the electronic environment.

The current challenge is whether or not adequate laws can be written to prohibit behavior which endangers the integrity of computer networks and systems without inhibiting the ease of use which is so desirable.

VI. Federal statutes

According to published reports, federal prosecutors considered many possible offenses for which the perpetrator of the INTERNET worm might have been indicted under Title 18 of the U.S. Code. These included among others:

Section 1029 defines an "access device" to include "other means of account access that can be used to obtain money, goods, services, or any other thing of value..." but the device must be used "knowingly and with intent to defraud".

The expectation had been that Section 1030 would be the appropriate statutory authority. The Computer Fraud and Abuse Act is directed primarily toward unauthorized and intentional access to classified government data, financial data, or interference with the use of federal agency computers. Section 1030(a)(4) requires an intent to defraud by unauthorized use of a "federal interest" computer (defined to include computers accessed from more than one state). Section 1030(a)(5) provides coverage in the case of intentionally preventing or interfering with authorized use of a federal interest computer but couples that with a "loss" of $1000 or more. This was the only section of the act cited in the indictment of RTM. [117] Careful analysis still suggests that it may be difficult to prove "beyond a reasonable doubt" either intent, direct damage, or exceeding authorized use.

Many computer scientists and some lawyers now conclude that releasing a computer virus is per se malicious. Indeed, Congressman Herger, in announcing his sponsorship of H.R. 55, described a virus as "a malicious program that can destroy or alter the electronic commands of a computer". The media has contributed to this conception by defining a computer virus as "an agent of infection, insinuating itself into a program or disk and forcing its host to replicate the virus code." [92]

On the other hand, others argue that a virus not only can be benign in its consequences - as for example, the Aldus peace virus, which "merely appeared on the screen and then destroyed itself - but also that one can produce a virus with both good intentions and good effects. For example one could imagine a self-replicating program intended to update the FBI's 10 most wanted list in all files existing for that purpose, while deleting outmoded material and not affecting any other files or applications. In this mode a "virus" becomes an automatic tool for "broadcasting" file updates to all members of a user set of unknown size, with user consent to this behavior. Hebrew University used a computer virus to identify and delete the Friday, the thirteenth virus, which was detected there prior to the date on which it was to release its killer capabilities. [41]

Furthermore, the Xerox Corporation at its Research Park in Palo Alto has been experimenting with benign uses of computer viruses for some years. [110] Several types of worm programs were developed which could harness the capabilities of multiple computers linked by communications lines into extended networks, thereby coordinating the operations, maximizing the efficiency, and increasing the output of the network. [96a] In effect, the sum of the whole could be greater than its parts, according to computer consultant John Clippinger. In the words of John Shoch, who coordinated the research for Xerox, new programming techniques were developed which could "organize complex computations by harnessing multiple machines." The various utilitarian applications included bulletin boards which distributed graphics, e.g. a cartoon a day to ALTO computer users, alarm clock programs which scheduled wake up calls or reminders, multiple machine controllers, and diagnostic worms which would seek out available computers and load them with test programs. [97a] Thus the placement of a rogue program into a computer network or operating system or program is not necessarily done with malicious intent.

Section 1346 was enacted to insure that a scheme or artifice to defraud includes depriving "another of the intangible right of honest services" which would cover the behavior of the INTERNET worm. Yet the scheme must still have been devised with intent to defraud, which is not easily established by incontrovertible evidence.

Section 1362 is directed toward willful or malicious injury to or destruction of property including "other means of communication" controlled by the U.S. government and including "obstructs, hinders, or delays the transmission over any such line..."

Section 2510 adds "electronic communication" after "wire" and defines electronic communication as (12) "...any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature..." and electronic communications service as "...any service which provides to users the ability to send or receive... electronic communications". Rogue programs, such as the INTERNET worm, if inserted either without authorization or in excess of authorized use, arguably could constitute a prohibited invasion of electronic privacy in an electronic mail system. [85a]

The delay by federal prosecutors of more than six months after the INTERNET worm incident prior to an indictment suggests considerable difficulty in determining whether or how to proceed. There are a number of possibilities which justify their lengthy deliberations. These include:

  1. disagreement among the federal lawyers on the appropriate statutes under which the indictment should fall,
  2. a reluctance to prosecute a bright student,
  3. difficulty in assembling credible evidence that would withstand challenge,
  4. a doubt that intent can be proven,
  5. difficulty in proving that RTM was exceeding his authorized use,
  6. loss or destruction of crucial evidence connecting the accused with the activity prohibited, [71]
  7. lack of priority for the allocation of scarce human resources to take the case to court, given the attention demanded by drug traffic and other serious crimes,
  8. the challenge of collecting data and testimony from diverse locations or merely,
  9. extreme care in piecing together the puzzle before indicting a suspect.

Nonetheless, the delay leads thoughtful observers to deduce that the current state of the law may not be adequate to satisfactorily allay fears that electronic highways may not be safe.

VII. Proposed federal legislation

The Herger Bill, H.R. 55 - The Computer Virus Eradication Act of 1989 (see Appendix C), is intended to plug the gap in legislation which clearly did not anticipate viruses as one of the maladies then being addressed. The bill contains the word "virus" in the title, but does not use the word within the operative clauses. The prohibited behavior is "knowing or having reason to believe that such information or commands may cause loss, expense, or risk to health or welfare". Perhaps, after the INTERNET worm, one can no longer argue that entering a "virus" into a computer network is possible without the knowledge of almost certain harm, disruption of service, or loss of time to the operators of the system.

The operative prohibition is coupled with a clause (Paragraph B) which penalizes the perpetrator only if the program is inserted without the knowledge of the recipient. This is intended to relieve from liabilities persons who include a "time bomb" to self destruct at the end of a license period and use of viruses for study or for benign purposes known to system users. Perhaps the two phrases should have been connected with OR rather than AND. If they are coupled in this manner, however, a deleterious virus program could be inserted into a computer network with the collusion of a recipient "person". Thus the circumstances which are most prevalent might not be covered (e.g. insertion of an infectious program into a network and/or unforeseen disastrous consequences affecting third parties), although the transfer of an infected disk to an innocent party would certainly fall within the ambit of the proposed legislation.

Furthermore, there is a certain justified apprehension that disclosure to the recipient of all potential harmful consequences would, in effect, impose strict liability upon software developers to completely "debug" their software before issue or carry sufficient insurance to ward against all eventualities. Such a requirement might hamstring an industry which has been characterized by rapid innovation and close the door to small entrepreneurs who could not enter a market overburdened with burdensome insurance costs.

The MacMillan Bill, H.R. 287 (see Appendix D), entitled the Computer Protection Act of 1989, essentially addresses willful sabotage and authorizes appropriate compensatory damages to be sought. However, the proposed language does not specify what constitutes "sabotage". Thus the language may be too restricted to include such more benignly intended program "pranks" as the Aldus virus, yet may be too vague to withstand constitutional challenge.

There is more legislation to come, as William Sessions, Director of the Federal Bureau of Investigation, promised to submit recommendations to Senator Patrick Leahy (Dem.-VT) at a Senate hearing held on May 15, 1989. According to Sessions, who said the agency has trained more than 500 agents for investigation of computer crimes, a team is being organized to concentrate on computer worms and viruses, for which there is no specifically applicable federal statute. [50]

VIII. Newly enacted and proposed state legislation

According to the best information available in mid July of 1989, several states have enacted or are considering new computer abuse legislation. These include Alaska, California, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, New Mexico, New York, Oklahoma, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, and West Virginia. [27]

A. Minnesota

The original Minnesota bill would have revised S.609.87 by adding a subdivision 11 with respect to a "destructive computer program" defined as including a "virus", a "trojan horse", a "worm" and a "bacterium". The phrase "bacterium" has not, heretofore, been used extensively in the computer science literature on the subject of rogue programs, although a few computer scientists find it a more suitable comparison with medical terminology than "virus". [34,38] Moreover, the definition of a "worm" includes the intention to "disable or degrade performance", but it is not at all obvious that the designer of the INTERNET "worm" intended to disable the networks. Rather it was the reported intention to inject a slowly self-replicating "worm" whose presence would not be obvious or easily detected, or damage other programs existing within the network. However, the definition of "destructive products" includes "producing unauthorized data that make computer memory space unavailable for authorized computer programs", thus was clearly intended to cover precisely the situation that occurred.

There was apprehension among lawyers representing computer software companies who reviewed the proposed bill that the attempt to enumerate types of rogue programs so specifically might create more problems than it solved. [33] As a consequence, the legislation, as enacted, (H.F. 647 amending Sections 609.87 and 609.88; see Appendix E) was written more broadly to describe the unacceptable consequences rather than the miscreant programs themselves:

"Destructive computer program" means a computer program that performs a destructive function or produces a destructive product. A program performs a destructive function if it degrades performance of the affected computer, associated peripherals or a computer program; disables the computer, associated peripherals or a computer program; or destroys or alters computer programs or data. A program produces a destructive product if it produces unauthorized data, including data that make computer memory space unavailable; results in the unauthorized alteration of data or computer programs; or produces a destructive computer program, including a self replicating program. (Subd. 11)

B. Maryland

The Maryland amendment (House Bill 1065 amending Article 37, Section 146) signed into law by the governor on May 25, 1989 [Chapter 7-22] refers to "harmful access to computers" and adds two new sections: (1) "cause the malfunction or interrupt the operation of" and (2) "alter, damage, or destroy data or a computer program". The latter phrase merely extends coverage to offenses which most of the other states already prohibit. The first term appears to be broader than the majority of the states now include and seems to cast a wide enough net to capture the INTERNET worm and the Aldus virus, as well as the Pakistani Brain.

C. West Virginia

The West Virginia legislature has enacted in the 1989 legislative session its first computer abuse law. (Enrolled Senate Bill no. 92, see Appendix F.) According to sponsors of the legislation, enactment puts West Virginia at the forefront of states most hospitable to the computer software industry. [43] Specifically covering the introduction of a virus "that destroys the intellectual integrity of that program", it also addresses tampering and tapping as well as invasions of privacy. The bill permits equipment that is used in the commission of a crime to be confiscated and turned over to the West Virginia educational system. It also holds corporate officers accountable for illegal activities within their organizations. Thus West Virginia is one of the first states to tackle the thorny problem of reluctance of affected organizations to report to law enforcement authorities circumstances which contravene the law. However, existing statutes in Georgia [Ch.16-9-95] and Utah [Ch.76-6-705] do impose a duty to report knowledge of prohibited computer-related activities.

D. Texas

In Texas the Burleson case was successfully prosecuted under that state's computer crime legislation. A minor amendment was proposed to permit the confiscation of computer equipment, a sanction which is considered to be sufficiently appropriate to fit the crime to deter teenage "hackers" who cruise the computer networks looking for excitement. [80]

However, the Texas legislature passed legislation which was far more comprehensive, both defining computer viruses and prohibiting their introduction into a "computer program, computer network, or computer system". [HB 2312, passed by House on May 15 and Senate on May 25, 1989; amending Section 33.01 (9) and Section 33.03 (a) (6) of the Penal Code]. The new Texas statute also liberalizes the venue requirements [Section 13.24 (b)] and authorizes a civil right of action for damages incurred. [Section 143.001 (a)]

E. Illinois

The Illinois General Assembly Legislative Research Unit has issued a report "Computer Viruses and the Law" which finds the substantive law adequate in its definitions but suggests amending Illinois statutes to reenact a now-superseded civil right of action for miscreant computer behavior in a computerized environment. [27]

The proposed legislation [AB 1153 introduced 4-7-89] offers a new offense of inserting or attempting to insert a program "knowing or having reason to believe" that it may damage or destroy.

F. Pennsylvania

The Pennsylvania legislature's research report recommends that the proscribed behavior should be better defined and that the penalties prescribed should bear a better relationship to the severity and nature of the damages sustained. [61] The proposed legislation [S. 17, as amended] is arguably overreaching in its thrust as it is intended to prohibit all insertions of computer viruses into computer memories, networks, or systems, thus proscribing utilitarian as well as deleterious programs designed to replicate themselves. A computer virus is broadly defined as "a program or set of computer instructions with the ability to replicate all or part of itself..." [S. 17 amending Title 17, Section 3933 (d)].

G. New York

The New York bills [S.3560, S.5999, A.5738] purport to increase the maximum fines and years of incarceration to more nearly approximate the magnitude of the damages inflicted. These would liberalize the criteria of intent necessary for a conviction to include a reasonable knowledge that damage would result. [69] This provision would likely ease one of the problems under the federal legislation which does not take into consideration behavior considered in reckless disregard of the consequences.

H. Massachusetts

There were four bills introduced in Massachusetts in early 1989 [H.2008, H.4337, S.232, S.1701], one of which was designed explicitly to cover computer viruses. [S. 1701] The bill distinguishes between "computer larceny" comprised of "knowingly" releasing a computer virus that "destroys or modifies data" and "computer breaking and entering" which covers a computer virus which "does interfere with the user's ability to the use of the computer" but neither destroys nor modifies data. There are three levels of fines and imprisonment offered according to the level of interference (maximum $500 and/or not more than one year), modification ($750 and/or not more than one year), or destruction of data ($25,000 and/or up to 10 years.)

The other three bills are general purpose computer crime and abuse statutes which would bring Massachusetts into line with the majority of the other states which have such coverage.

I. California

The California legislature received four bills between January and March 1989 [A.1858 and A.1859, S.304 and S.1012]. S.1012 was intended to increase the penalties for existing infringements of the law which include "tamper", "damage" and "access without authorization". A.1858 was addressed to extradition, expanding the circumstances under which extradition could be requested and adding Section 1548.4 which includes the following:

However, the demand or surrender on demand may be made even if the person whose surrender is demanded was not in the demanding state at the time of the commission of the crime and has not fled from the demanding state... or at the time of the commission of the crime was in the demanding state.

This was clearly intended to cover the situations involved with computer networks where the perpetrator of the act which injures parties or equipment within the demanding state was in another jurisdiction at the time of the act in question.

S. 304 and A. 1859 are companion bills designed to cover the computer rogue programs which are generically referred to as "computer contaminants". The operative language [Section 502(a)(10)] reads as follows:

"Computer contaminant" means any set of computer instructions designed to modify, damage, destroy, record, or transmit information within a computer, computer system or computer network without the intent or permission of the owner of the information. Computer contaminants include, but are not limited to, a group of computer instructions commonly called "viruses" or "worms" that are self replicating or self propagating and are designed to consume computer resources, modify, destroy, record or transmit data or in some other fashion usurp the normal operation of the computer, computing system, or computer network.

The act prohibited is knowingly introducing a computer contaminant into a computer network or system without the specific approval of the proprietor. [Section 502(c)(8)].

Other more questionable provisions provide for exclusion from employment with computers [Section 502(e)(3)] and suspending the awarding of degrees by California colleges and universities [Section 502(e)(4)], a sanction also proposed in New York [S.599 adding a new section 156.55]. Moreover, the amendment proposes to impose a duty on those knowledgeable about acts related to computer abuse within their purview to report such violations to law enforcement authorities. [Section 502(1)] This would eliminate a major problem which is the failure of employers to bring incidents to the attention of the authorities.

J. New Mexico

In New Mexico, a greatly expanded Computer Virus Act is under consideration [S.482 amending Chapter 215]. In addition to a more comprehensive coverage of "unauthorized computer use", the major thrust is toward forfeiture of equipment used to accomplish the prohibited acts. As effective as this may be in deterring miscreants who own their equipment, it would have no impact on "hackers" such as RTM or "technopaths" such as Mitnick who used computer resources belonging to third parties.

IX. Trends in recent legislative activity

The spate of legislative initiatives taken in states with a preponderance of economic activity in the computer equipment and software industries, especially California, Massachusetts, New York, and Minnesota, suggests that existing statutes are not seen to be entirely satisfactory for the prosecution of perpetrators of destructive rogue computer programs. Even in states where the statutes may be presently adequate, such as California, refinements are sought to make infringements which endanger the health of computer networks and systems easier to prosecute.

A. Definitions

The most important trend is in defining more precisely the activities to be prohibited. These include such terms as:

B. Intent

The showing of express intent to do harm has proven elusive in many of the incidents involving rogue computer programs, which, however unintentionally, do inflict economic costs even upon those who must verify that no harm has been done. Thus the tendency to substitute or add "knowingly" or "willfully exceeds the limits of authorization". However, it is not clear what the difference is between "knowingly" and "intentionally" since either can be interpreted to be with knowledge that harm may result, and "reckless disregard for the consequences" may imply an intent to disregard the harm which may be caused by the act in question.

C. Making the punishment fit the crime

In several instances we have seen an increase in the fines to be levied or the imprisonment to be imposed. New York has proposed the most stringent limits with a sliding scale which measures the punishment according to the amount of damage incurred. Thus "computer tampering in the first degree" involves damages exceeding $1 million from altering or destroying data or programs [new Section 156.28] in which case the judge can order reparations up to $100 thousand. [Section 6 (a) of S.3560 and A.5738]

The authorization for confiscation of equipment used to commit an offense would appear to be designed to deter teenage offenders whose activities are primarily pranks or voyeurism.

D. Damages

Rather than or perhaps in addition to fines and imprisonment there is a trend toward authorizing restitution to the victim, compensatory and punitive damages, measuring the damages by loss of profits and adding the costs of verification that no damage has occurred. [e.g. Virginia, 18.2-152.12]

E. Extradition

Modifying the extradition statutes to permit requests of offenders even though they have no direct involvement within the state's boundaries seems a likely trend as computer networking proliferates throughout the United States and abroad. Indeed, extradition treaties may need to be amended to reflect the realities of criminal offenses which originate in one country but have their ultimate effects perceived far beyond the country of origin.

F. Venue

The jurisdiction within which a case may be tried is determined by the venue statutes which require a substantial relationship to the place where the prohibited behavior occurred. Although modifying the venue statutes, as in Georgia, to cover network behavior which has deleterious consequences within the jurisdiction, does not solve the problem of gaining service upon an offender, it does facilitate forum shopping to determine where best to litigate an interstate infraction of the laws. In three of the cases analyzed, (all except the "Burleson revenge"), interstate or international implications were evident. In the "Pakistani Brain" case the perpetrators were in Pakistan and the victims were primarily in the United States. In the "Aldus Peace Virus" case, the perpetrators were in both Canada and the United States, the victims in both and the injured companies in two different states within the United States.

A substantial number of states already have enacted liberal venue statutes to encompass computer networks. [Arkansas 5-41-105, Georgia 16-9-94, Kentucky 434.860, New Hampshire 638.19, New Jersey 2A:38A-6, Mississippi 97-45-11, South Dakota 43-43B-8, Tennessee 39-3-1405, and Virginia 18.2-152.10]

G. Exemptions

Just as Kentucky recognized in its exemption of unauthorized access by voyeurs who caused no damage, some states are beginning to see the implications of excessive criminalization. For example, Massachusetts [S. 232 Section 8.3] exempts employees who purloin time using computers or programs outside the scope of their employment if no injury occurs and the value of the time is less than $100.00. West Virginia has specifically excluded those who have reasonable ground to believe they had the authority or right to do what otherwise would be an offense. [Section 61-3C J(v)]

X. Problems encountered

There are a number of problems which will be encountered as legislators and lobbyists confront the amendment of existing statutes or try to fashion new ones applicable to the computer rogue programs.

  1. Whether to be generic or specific in the description of the afflictions?
  2. How to avoid overreaching prohibitions which may inhibit innovation?
  3. How to assess damages, especially in instances where the perpetrators are judgment proof?
  4. Whether to impose strict liability upon the providers of computer systems, services, and networks?
  5. Whether to impose strict accountability to employers to report their experiences with rogue programs and to identify perpetrators?
  6. Whether the imposition of too strict criminal sanctions will encourage a "user unfriendly" environment and discourage the use of computer systems and networks?
  7. How to handle litigation involving multiple jurisdictions?

XI. Alternatives to criminal statutes

There are, of course, alternatives to the enactment of criminal statutes. These include:

  1. Establishment of higher standards of ethical values within the user communities.
  2. Better computer security - e.g. passwords, protocols, closing of "trap doors".
  3. Strict liability of providers of computer services established by contract.
  4. Product liability laws applied to software.
  5. More anti-viral software - at least 25 companies produce "vaccines" at the present time. [21]
  6. Compulsory insurance or pooled insurance to compensate for unanticipated losses.
  7. Increased use of encryption, but this increases operating costs and inhibits the very ease of use which has characterized the systems.
  8. Licensing of computer professionals [90] - but this might risk First Amendment challenge in the same way that licensing of journalists raises questions of "chilling free speech", as the medium in which the programmers and users are operating is intended for communications. Perhaps the time has come to establish what constitutes yelling "FIRE" in a crowded theater as applied to computer communities.

XII. Conclusions

Computer viruses present new challenges to law enforcement officers and legislators, as well as computer executives, scientists, programmers, and network managers. Assuming that tighter state and federal legislation offers at least one possible antidote, there are several components to be addressed:

  1. The boundaries of technological protection through encryption, protected gateways, and viral detection mechanisms.
  2. The need for legal enhancement through criminal or tort laws and at which levels - state or federal or global?
  3. What kinds of audit trails are necessary to track computer misuse and abuse? And what skills are needed to conduct the audits?
  4. What evidence is required to prove a case in court, assuming that a litigable event has taken place?
  5. What level of insurance should be adequate to guard against unforeseen disasters and whether there should be some kind of federally insured scheme similar to the Federal Deposit Insurance Corporation?
  6. What standards of care should be exercised by operators or providers of computer equipment, networks, and services? Should such standards be established by private groups or by state or federal law?

In summary, it is difficult to determine strategies since it cannot be ascertained whether the rogue programs are a transient problem which will go away as "hackers" develop a different ethical standard, whether they are a drop in the bucket of problems which may arise as the criminally motivated become more computer literate, or whether they are like the common cold, afflictions which come with the use of computers with which we must learn to live.

APPENDICES

Appendix A. Viruses which Affect PC-DOS/MS-DOS

| Names | Minimum No. of Strains | Type * | First Appearance |
|---|---|---|---|
| 1. Brain, Pakistani | 7 | Boot sector | 1/86 |
| 2. Meritt, Alameda, Yale | 7 | Boot sector | 4?/87 |
| 3. South African, Friday 13th | 2 | COM D | 1987 |
| 4. Lehigh | 2 | COMMAND.COM | 11/87 |
| 5. Vienna, Austrian | 2 | COM D 648 | 12?/87 |
| 6. Israeli, Friday 13th, Jerusalem | 9 | COM/EXE R 1813/1808 | 12/87 |
| 7. April-1-Com | 1 | COM R 897 | 1/88 |
| 8. April-1 Exe | 1 | EXE R 1488 | 1/88 |
| 9. Ping-Pong, Bouncing Ball, Italian | 2 | Boot sector | 3/88 |
| 10. Dos-62, Unesco | 2 | COM D | 4/88 |
| 11. Marijuana, Stoned, New Zealand, Australian | 2 | Boot sector; partition record on hard disk | early 1988 |
| 12. Cascade, Autumn, Blackjack | 6 | COM R 1701/1704 | 9/88 (1987?) |
| 13. Agiplan | 1 | COM 1536 | 10/88 |
| 14. Oropax, Music | 1 | COM RD 2756 to 2806 | 2/89 |
| 15. Venezuelan, Den Zuk, Search | 6 | Boot sector | early 1989? |
| 16. dBASE | 1 | COM/EXE R | 3/89 |
| 17. DataCrime | 2? | COM D 1168(1280?) | 3/89 |
| 18. Missouri | 1 | ? | 4/89 |
| 19. Nichols | 2? | Boot sector | ? |
| 20. 405 | 1 | COM DO 405 | 4?/89 |
| Total number of strains | 58 | | |

* "Type" column definitions: R = Resident in RAM; D = Direct (searches disks for uninfected files to infect); O = Overwrite (the virus overwrites the beginning of the file). The number(s) after the R or D indicate the number of bytes the virus extends the files; the number after the O is the number of bytes overwritten.

Source: Y. Radai, Hebrew University of Jerusalem, Dockmaster. May 16, 1989.

Appendix B. State Laws on Computer Crime and/or Computer Abuse

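| State | Use Without Authority | Alter | Damage | Destroy | Block Use | Copy Files | Disclose Information | Takes | Use for Crime | Take Possession |
|---|---|---|---|---|---|---|---|---|---|---|
| Alabama | v |  |  | v |  |  | v | v | v |  |
| Alaska |  |  | v |  |  |  |  | v |  |  |
| Arizona | v | v | v |  |  |  |  |  |  |  |
| Arkansas | v | v | v | v | v |  |  |  | v |  |
| California | v | v | v | v | v |  |  |  | v |  |
| Colorado | v | v | v | v |  |  |  |  | v |  |
| Connecticut | v | v | v | v | v | v | v | v |  |  |
| Delaware | v | v | v | v | v | v | v | v |  |  |
| Florida |  | v |  | v | v |  | v | v | v |  |
| Georgia |  | v | v | v |  |  |  |  | v |  |
| Hawaii | v | v | v | v |  |  |  |  | v |  |
| Idaho | v | v | v | v |  |  |  |  | v |  |
| Illinois | v | v | v | v |  |  |  | v | v |  |
| Indiana | v | v | v |  |  |  |  |  |  |  |
| Iowa | v |  | v | v |  |  |  |  | v |  |
| Kansas | v | v | v | v |  | v | v |  | v | v |
| Kentucky | v | v | v | v |  |  |  |  | v |  |
| Louisiana | v | v |  | v | v | v | v | v |  |  |
| Maine | v |  |  |  |  |  |  |  |  |  |
| Maryland | v |  |  |  |  |  |  |  |  |  |
| Massachusetts |  |  |  |  |  |  |  | v |  |  |
| Michigan |  | v | v | v |  |  |  |  | v |  |
| Minnesota | v |  | v | v |  |  |  | v | v |  |
| Mississippi |  | v | v | v | v | v | v | v | v |  |
| Missouri | v | v |  | v | v |  | v | v |  |  |
| Montana | v | v |  | v |  |  |  |  | v |  |
| Nebraska | v | v | v | v | v |  |  | v |  |  |
| Nevada | v | v |  | v | v | v | v | v |  |  |
| New Hampshire | v | v | v | v | v | v | v | v |  |  |
| New Jersey | v | v | v | v |  |  |  | v |  |  |
| New Mexico | v | v | v | v |  |  |  |  | v |  |
| New York | v | v |  | v |  | v |  | v | v |  |
| North Carolina | v | v | v | v | v |  |  |  | v |  |
| North Dakota | v | v | v | v | v | v | v | v | v | v |
| Ohio | v |  |  |  |  |  |  |  | v |  |
| Oklahoma |  | v | v | v |  | v | v |  | v | v |
| Oregon | v | v | v | v |  |  |  |  | v |  |
| Pennsylvania |  | v | v | v | v |  |  |  | v |  |
| Rhode Island |  | v | v | v |  |  |  | v | v |  |
| South Carolina | v | v | v | v |  |  |  |  | v | v |
| South Dakota | v | v |  | v |  |  |  |  | v |  |
| Tennessee | v | v | v | v |  |  |  |  | v |  |
| Texas | v | v | v | v | v |  |  |  |  |  |
| Utah |  | v | v | v | v |  |  |  | v |  |
| Virginia | v | v |  | v | v | v |  | v | v |  |
| Washington | v |  |  |  |  |  |  |  | v |  |
| West Virginia | v | v | v | v | v |  |  | v | v |  |
| Wisconsin | v | v | v | v |  | v | v |  |  | v |
| Wyoming | v |  | v | v | v |  |  |  |  |  |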

© 1989 President and Fellows of Harvard College. Program on Information Resources Policy.

Appendix C. The Herger Bill, H.R. 55: The Computer Virus Eradication Act of 1989

Appendix D. The MacMillan Bill, H.R. 287: The Computer Protection Act of 1989

Appendix E. H.F. 647 amending Minnesota Statutes 1988, Sections 609.87 and 609.88

Appendix F. West Virginia Computer Crime and Abuse Act, Senate Bill No. 92

References
