25.1 Your Legal Options After a Break-in

If you suffer a break-in or criminal damage to your system, you have a variety of recourses under the U.S. legal system. This chapter cannot advise you on the many subtle aspects of the law. There are differences between state and federal law, as well as different laws that apply to computer systems used for different purposes. Laws outside the U.S. vary considerably from jurisdiction to jurisdiction; we won't attempt to explain anything beyond the U.S. system.^[1] However, we should note that the global reach of the Internet may bring laws to bear that have their origin outside the U.S.

^[1] A more extensive, although dated, discussion of legal issues in the U.S. can be found in Computer Crime: A Crimefighter's Handbook (O'Reilly), and we suggest you start there if you need more explanation than we provide in this chapter. The book is out of print, but used copies are available.

Discuss your specific situation with a competent lawyer before pursuing any legal recourse. Because there are difficulties and dangers associated with legal approaches, you should be sure that you want to pursue this course of action before you go ahead.

In some cases, you may have no choice; you may be required to pursue legal action. For example:

• If you want to file a claim against your insurance policy to receive money for damages resulting from a break-in, you may be required by your insurance company to pursue criminal or civil actions against the perpetrators.

• If you are involved with classified data processing, you may be required by government regulations to report and investigate suspicious activity.

• If you are aware of criminal activity and do not report it, you may be criminally liable as an accessory. This is especially true if your computer is being used for the illegal activity.

• If your computer is being used for certain forms of unlawful or inappropriate activity and you do not take definitive action, you may be named as a defendant in a civil lawsuit seeking punitive damages.

• If you are an executive and decide not to investigate and prosecute illegal activity, shareholders of your corporation can bring suit against you.

If you believe that your system is at especially high risk for attack, you should probably speak with your organization's legal counsel as part of your security incident pre-planning before you have an incident. Organizations have different policies regarding when law enforcement should or should not be involved. By doing your homework, you increase the chances that these policies will actually be followed when they are needed.

To provide some starting points for discussion, this section gives an overview of a few issues you might want to consider.

25.1.1 Filing a Criminal Complaint

You are free to contact law enforcement personnel any time you believe that someone has broken a criminal statute. You start the process by making a formal complaint to a law enforcement agency. A prosecutor may be asked to decide if the allegations should be investigated and what charges should be filed, if any.

In some cases—perhaps a majority of them—criminal investigation will not help your situation. If the perpetrators have left little trace of their activity and the activity is not likely to recur, or if the perpetrators are entering your system through a computer in a foreign country, you probably will not be able to trace or arrest the individuals involved. Many experienced computer intruders will leave little traceable evidence behind.^[2]

^[2] Although few computer intruders are as clever as they believe themselves to be.

If you do file a complaint, there is no guarantee that the agency that traces your complaint will actually conduct a criminal investigation. The prosecutor involved (federal, state, or local) decides which, if any, laws have been broken, the seriousness of the crime, the availability of trained investigators, and the probability of a conviction. The criminal justice system is overloaded; new investigations are started only for severe violations of the law or for cases that warrant special treatment. A case in which $200,000 worth of data is destroyed is more likely to be investigated than a case in which someone is repeatedly scanning your home computer through your cable modem.

If an investigation is conducted, you may be involved with the investigators or you may be completely isolated from them. You may even be given erroneous information—that is, you may be told that no investigation is taking place, even though a full-scale investigation is in the works. Many investigations are conducted on a "need to know" basis, occasionally using classified techniques and informants. If you are told that there is no investigation and in fact there is one, the person who gives you this information may be deliberately misinforming you, or they themselves may simply not have the "need to know." Under terms of the U.S. PATRIOT Act, some investigations are to be kept secret, and disclosing that an investigation is proceeding may itself be criminal.

Investigations can place you in an uncomfortable and possibly dangerous position. If unknown parties are continuing to break into your system by remote means, law enforcement authorities may ask you to leave your system open, thus allowing the investigators to trace the connection and gather evidence for an arrest. Unfortunately, if you leave your system open after discovering that it is being misused, and the perpetrator uses your system to break into or damage another system elsewhere, you may be the target of a third-party lawsuit. Cooperating with law enforcement agents is not a sufficient shield from such liability. Investigate the potential ramifications before putting yourself at risk in this way.

25.1.1.1 Choosing jurisdiction

One of the first things you must decide is to whom you should report the crime. Every state and the federal government currently have laws against some kinds of computer crime, so you have choices. In some cases, state authorities can even prosecute under federal statutes.

Unfortunately, there is no way to tell in advance whether your problem will receive more attention from local authorities or from federal authorities. Here are some recommendations:

• You should first approach local or state authorities, if at all possible. If your local law enforcement personnel believe that the crime is more appropriately investigated by the federal government, they will suggest that you contact them. Unfortunately, some local law enforcement agencies may be reluctant to seek outside help or bring in federal agents. This may keep your particular case from being investigated properly.

• Local authorities may be more responsive because you are not as likely to be competing with a large number of other cases (as frequently occurs at the federal level). Local authorities are also more likely to be interested in your problem, no matter how small the problem may be.

• At the same time, although some local authorities are tremendously well-versed in computers and computer crime, local authorities generally have less expertise than state and federal authorities and may be reluctant to take on high-tech investigations. Many federal agencies have expertise that can be brought in quickly to help deal with a problem.

• In general, state authorities may be more interested than federal authorities in investigating and prosecuting juveniles. If you know that you are being attacked by a juvenile who is in your state, you will almost certainly be better off dealing with local authorities. In some cases, you may find that it is better to bypass the legal system entirely and speak with the juvenile's parents or teachers (or have an attorney or imposing police officer speak with them).

25.1.1.2 Local jurisdiction

In many areas, because the local authorities do not have the expertise or background necessary to investigate and prosecute computer-related crimes, you may find that they must depend on your expertise. You may be involved with the investigation on an ongoing basis—possibly to a great extent. You may or may not consider this a productive use of your time. Your participation may also result in contamination of the case—as the aggrieved party, you could be blamed for falsifying evidence.

Our best advice is to contact local law enforcement before any problem occurs and get some idea of their expertise and willingness to help you in the event of a problem. The time you invest up front could pay big dividends later on if you need to decide whom to call at 2:00 a.m. on a holiday because you have evidence that someone is using your system without authorization.

25.1.1.3 Federal jurisdiction

Although you might often prefer to deal with local authorities, you should contact federal authorities if you:

• Are working with classified or military information

• Have involvement with nuclear materials or information

• Work for a federal agency and its equipment is involved

• Work for a bank or handle regulated financial information

• Are involved with interstate telecommunications

• Believe that people from out of the state or out of the country are involved with the crime

Offenses related to national security, fraud, or telecommunications are usually handled by the FBI. Cases involving financial institutions, stolen access codes, or passwords are generally handled by the U.S. Secret Service. However, other federal agents may have jurisdiction in some cases; for example, the Customs Department, the U.S. Postal Service, and the Air Force Office of Investigations have all been involved in computer-related criminal investigations. It is expected that the Homeland Security Agency will have sinilar interests.

Luckily, you don't need to determine jurisdiction on your own. If you believe that a federal law has been violated, call the nearest U.S. Attorney's office and ask them who you should contact. Often that office will have the name and contact information for a specific agent or an office in which the personnel have special training in investigating computer-related crimes.

25.1.2 Federal Computer Crime Laws

There are many federal laws that can be used to prosecute computer-related crimes. Usually, the choice of law pertains to the type of crime rather than to whether the crime was committed with a computer, with a phone, or on paper. Depending on the circumstances, laws relating to wire fraud, espionage, or criminal copyright violation may come into play. You don't need to know anything about the laws involved—the authorities will make that determination based on the facts of the case.

25.1.3 Hazards of Criminal Prosecution

There are many potential problems in dealing with law enforcement agencies, not the least of which is their experience with computers, networking, and criminal investigations. Sadly, there are still many federal agents who are not well versed with computers and computer crime.^[3] In many local jurisdictions you will find even less expertise. Unless you are specifically working with a "computer crime squad," your case could be investigated by an agent who has little or no training in computing.

^[3] However, we have noticed a distinct improvement since the first edition of this book was released. federal authorities have recognized the need for more training and resources, and have been working to improve the average skill set for their agents. Special courses and training now exist, and dedicated computer crime squads and labs are now commonplace.

Computer-illiterate agents will sometimes seek your assistance to try to understand the subtleties of the case. Sometimes they will ignore your advice—perhaps to hide their own ignorance, or perhaps because they suspect you may be involved in criminal activity. In general, it is poor practice for an investigator to accept advice from the victim without some level of suspicion, and this is no different in the case of cybercrime.

If you or your personnel are asked to assist in the execution of a search warrant to help identify material to be searched, be sure that the court order directs such "expert" involvement. Otherwise, you might find yourself complicating the case by appearing to be an overzealous victim. You may benefit by recommending an impartial third party to assist the law enforcement agents.

The attitude and behavior of the law enforcement officers can sometimes cause major problems. Your equipment might be seized as evidence or held for an unreasonable length of time for examination—even if you are the victim of the crime. If you are the victim and are reporting the case, the authorities will usually make every attempt to coordinate their examinations with you to cause you the least amount of inconvenience. However, if the perpetrators are your own employees, or if regulated information is involved (bank, military, etc.), you might have no control over the manner or duration of the examination of your systems and media. This problem becomes more severe if you are dealing with agents who need to seek expertise outside their local offices to examine the material. Be sure to keep track of downtime during an investigation as it may be included as part of the damages during prosecution and any subsequent civil suit—a suit that may be waged against either your attacker or, in some cases, against the law enforcement agency itself.

Your site's backups can be extremely valuable in an investigation. You might even make use of your disaster-recovery plan and use a standby or spare site while your regular system is being examined.

Heavy-handed or inept investigative efforts may also place you in an uncomfortable position with respect to the computer community. Many computer users harbor negative attitudes toward law enforcement officers—these feelings can easily be redirected toward you if you are responsible for bringing the "outsiders" in. Such attitudes can place you in a worse light than you deserve, and hinder cooperation not only with the current investigation but with other professional activities. Furthermore, they may make you a target for electronic attack or other forms of abuse after the investigation concludes.

These attitudes are unfortunate because there are some very good investigators, and careful investigation and prosecution may be needed to stop malicious or persistent intruders. We can report that this situation seems to have gotten better in recent years, so this is less of a concern than it was a decade ago. As time goes on, and as more people realize the damage done by intruders, even those without malicious intent, we expect to see the antipathy towards law enforcement fade even more.

We do encourage you to carefully consider the decision to involve law enforcement agencies with any security problem pertaining to your system.

In most cases, we suggest that you carefully consider whether you want to involve the criminal justice system at all unless a real loss has occurred, or unless you are unable to control the situation on your own. In some instances, the publicity involved in a case may be more harmful than the loss you have sustained.

Once you decide to involve law enforcement, avoid publicizing this fact. In some cases the involvement of law enforcement will act as a deterrent to the attackers, but in other cases it may make you the subject of more attacks.

Also be aware that the problem you spot may be part of a much larger problem that is ongoing or beginning to develop. You may be risking further damage to your systems and the systems of others if you decide to ignore the situation.

We want to stress the positive. Law enforcement agencies are aware of the need to improve how they investigate computer crime cases, and they are working to develop in-service training, forensic analysis facilities, and other tools to help them conduct effective investigations. In many jurisdictions (especially in high-tech areas of the country), investigators and prosecutors have gained considerable experience and have worked to convey that information to their peers. The result is a significant improvement in law enforcement effectiveness over the last few years, with many successful investigations and prosecutions. You should definitely think about the positive aspects of reporting a computer crime—not only for yourself, but for the community as a whole. Successful prosecutions may help prevent further misuse of your system and of others' systems.

25.1.4 The Responsibility to Report Crime

Finally, keep in mind that criminal investigation and prosecution can occur only if you report the crime. If you fail to report the crime, there is no chance of apprehension. Not only does that not help your situation, it leaves the perpetrators free to harm someone else. Remember that the little you see may only be one part of a huge set of computer crimes and acts of vandalism. Without investigation, it isn't possible to tell if what you have experienced is an isolated incident or part of a bigger whole.

A more subtle problem results from a failure to report serious computer crimes: it leads others to believe that there are few such crimes being committed. As a result, insufficient emphasis is placed on budgets and training for new law enforcement agents in this area, little effort is made to enhance the existing laws, and little public attention is focused on the problem. The consequence is that the computing milieu becomes incrementally more dangerous for all of us.

Playing It Safe . . . Here is a summary of recommendations for avoiding possible abuse of your computer. Most of these are simply good policy whether or not you anticipate break-ins: Put copyright and/or proprietary ownership notices in your source code and datafiles. Do so at the top of each and every file. If you express a copyright, consider filing for the registered copyright—this version can enhance your chances of prosecution and recovery of damages. Be certain that your users are notified about what they can and cannot do. If it is consistent with your policy, make all users of your system aware of what you may monitor. This includes email, keystrokes, and files. Without such notice, monitoring an intruder or a user overstepping bounds could itself be a violation of wiretap or privacy laws! Keep good backups in a safe location. If comparisons against backups are necessary as evidence, you need to be able to testify as to who had access to the media involved. Having tapes in a public area will probably prevent them from being used as evidence. If something happens that you view as suspicious or that may lead to involvement of law enforcement personnel, start a diary. Note your observations and actions, and note the times. Run paper copies of log files or traces and include those in your diary. A written record of events such as these may prove valuable during the investigation and prosecution. Note the time and context of each and every contact with law enforcement agents as well. Try to define in writing the authorization of each employee and user of your system. Include in the description the items to which each person has legitimate access (and the items each person cannot access). Have a mechanism in place so each person is informed of this description and can understand his limits. Tell your employees explicitly that they must return all materials, including manuals and source code, when requested or when their employment terminates. If something has happened that you believe requires law enforcement investigation, do not allow your personnel to conduct their own investigation. Doing too much on your own may prevent some evidence from being used or may otherwise cloud the investigation. You may also aggravate law enforcement personnel with what they might perceive to be interference in their investigation. Make your employees sign an employment agreement that delineates their responsibilities with respect to sensitive information, machine usage, email use, and any other aspect of computer operation that might later arise. Make sure the policy is explicit and fair, and that all employees are aware of it and have signed the agreement. State clearly that all access and privileges terminate when employment does, and that subsequent access without permission will be prosecuted. Be prepared with a network- and/or keystroke-monitoring system that can monitor and record all information that is sent or received by your computer. If you suspect a break-in, start monitoring and recording immediately; do not wait to be given instructions by law enforcement. In some cases, law enforcement agencies cannot give you such instructions without first obtaining a court order because, by acting upon their instructions, you would be acting as an extension of the law. Make contingency plans with your lawyer and insurance company for actions to take in the event of a break-in or other crime, the related investigation, and any subsequent events. Identify law enforcement personnel who are qualified to investigate problems that you may have ahead of time. Introduce yourself and your concerns to them in advance. Having at least a cursory acquaintance will help if you later encounter a problem that requires you to call on law enforcement for help. Consider joining societies or organizations that stress ongoing security awareness and training. Work to enhance your expertise in these areas.