 Strategic Cyber Security Module 10, Cyber Crime and the Law. Once you have completed the readings, lecture, activity and assessment, you will be able to describe why cyber crime investigations are more problematic than traditional crimes. Articulate why the CFAA is criticized for being overly broad. Welcome to Strategic Cyber Security Module 10. The last module focused on the difficulty in determining attribution and computer intrusions. This module takes that topic a step further, considering the challenges of constructing laws to deal with such criminal activity. When motivated, a cyber criminal can easily register a web address under a false name to make tracking of his or her identity quite difficult. Thus, identification of cyber criminals is one of the greatest issues in stopping cyber crime. Even if the criminal actor is identified, collecting evidence and prosecuting the criminal may be much more difficult than in traditional crimes due to such problems as determining attribution beyond a reasonable doubt. The readings for this module introduced criminals based in Nigeria referred to as 419 fraudsters, named after the section of the Nigerian Criminal Code that deals with fraud. Their scheme involved cold calling potential victims with a fraudulent offer to gain millions of dollars in exchange for assistance in moving money out of Nigeria. Before the money could be moved out of the country, however, the victims would need to wire money of their own into Nigeria so that the caller who posed as a corrupt government official could bribe other government officials. Ironically, the criminals posed as criminals in the Nigerian government likely as an effort to appear authentic and gain trust from their victims. If you fell victim to such a scheme, you would likely call the police to report the crime. The obvious problem is that the crime originated in Nigeria and neither local nor federal police in the United States, including the Federal Bureau of Investigation, would have the jurisdiction to immediately help you. If enough U.S. citizens were victims, the FBI may potentially work through its system of legal attaché offices or legats to try to persuade the Nigerian government to investigate. However, unless a country has an unusually close relationship with the United States, that country will not likely be motivated to investigate and expose the issue to negative press. When foreign governments are willing to investigate, they usually run into problems with, as we noted earlier, determining attribution and ultimately tracking the criminals down. Unlike traditional crimes that place the criminal near the crime scene, computer crimes leave no physical evidence, no surveillance cameras to catch a glimpse of the criminal, no hair follicles with DNA remains, no physical evidence to assist in tracing that crime to a particular person. When cybercriminals are based in the United States, these issues are not as profound, but additional challenges make fair and proper prosecution of computer crimes difficult. As an example, although laws exist, they may be too broad for proper enforcement. The Computer Fraud and Abuse Act, or CFAA, passed by Congress in 1986, was one of the first laws to address computer crimes. Essentially, the Act prohibits the access of governmental computer systems or computer systems used in interstate or foreign commerce by unauthorized persons with the intent to damage, defraud, or extort. This law against cybercrime has been criticized by many legal scholars as being too broad. One of the most notorious instances reflecting such potential weakness in the law occurred in January 2011 when Jason Swartz, a Harvard University research fellow, was arrested for unlawfully accessing a university computer and downloading multiple academic journal articles. Using the provisions in the law, an overly aggressive federal prosecutor indicted Swartz in federal court on several counts under the CFAA. Swartz was subsequently arrested and later released on bond. However, while a plea deal was being negotiated to keep Swartz out of prison, he committed suicide. Although the Swartz case was unusual, it highlights the challenges of properly constructing laws to deal with rapidly changing technology that most lawyers and judges don't understand. The law has been amended more than half a dozen times, but a movement continues to further amend the CFAA to make it more appropriate for crimes lacking physical or economic harm. Quiz Question 1. Which of the following best describes why cybercrime investigations are more challenging than traditional crimes? A. Cybercrime investigations are generally more labor-intensive than traditional crimes. B. Cybercriminals are generally more intelligent and savvy than traditional criminals. C. Cybercriminals do not have to be physically close to their victims. D. Cybercrimes are generally more expensive to investigate than traditional crimes. The answer is C. Cybercriminals do not have to be physically close to their victims. Quiz Question 2. True or false? The Computer Fraud and Abuse Act CFAA is criticized for being too broad because it states that accessing a computer without or in excess of proper authorization is a crime. The answer is true. The activity for this module asks that you download and read the Computer Fraud and Abuse Act. Write a one-page reflection on your impressions of the law. Do you feel that it is too broad, or do you feel that it is appropriate? What if any modifications, additions, or deletions would you make to this law in order to make it more specific to cybercrime? Quiz Question 3. True or false? The Computer Fraud and Abuse Act CFAA is criticized for being too broad, or do you feel that it is appropriate? The answer is C. Cybercrimes do not have to be physically close to their victims. The answer is C. Cybercrimes do not have to be physically close to their victims. The answer is C. Cybercrimes do not have to be physically close to their victims.