The MacNeil/Lehrer Report; Computer Crime

ROBERT MacNEIL: You don`t need a gun or a mask or a getaway car to rob a bank these days. All you need is access to its computer, and knowledge of the numbers that control it. Such knowledge is an open sesame to the newest form of white-collar crime: stealing by computer, already taking a toll of billions of dollars -- and growing.

Good evening. The average bank robber gets $11,000, and usually gets caught. The average bank robber by computer gets half a million dollars, is much harder to catch, and if caught may not get reported. A few more fascinating figures. There are now 350,000 computers doing business in this country, storing or transferring valuable information or money in a split second around the nation or the world. The number has nearly doubled in the last five years, and will nearly double again in the next five. The last time anybody counted, more than two million Americans were working directly with computers. And it`s already obvious that for some there`s an irresistible temptation to make these marvelous machines commit the most ingenious crimes man ever designed, crimes that go by all the old familiar names--fraud, theft, larceny, embezzlement, extortion, espionage and malicious mischief -- but requiring a sophistication that makes them very hard to detect. Tonight, the menace of computer crime, and how to bust it. Jim?

JIM LEHRER: Robin, the ways a computer can be used for ill-gotten gain are apparently limitless and depend mostly on the skilled would-be thief`s imagination. Some of the more gaudy examples which have hit the headlines include: two supervisors at a well-known computer firm allegedly used $144,000 worth of the boss` programming time to print complicated musical arrangements, which they then sold to music stores and bands. A head teller at a savings bank embezzled $1.5 million by programming his bank`s computer to juggle funds from one account to another, finally in to his own. A student on the West Coast managed to plug his way into a large telephone company computer, instructed it to ship him one million dollars` worth of phone equipment, which he sold. The largest scandal on record thus far, of course, is the two-billion-dollar Equity Funding caper. Here a number of employees were charged with using a computer to invent some 64,000 fake policies, which they then sold off. And there`s the man in Pennsylvania charged with wiring his own home computer to his telephone so he could make free long-distance phone calls. As I said, the only limit is one`s imagination. Robin?

MacNEIL: One of the leading authorities on computer crime in this country is Donn Parker, author of the book Crime B Computer. Mr. Parker is senior information processing officer at the Stanford Research Institute. Mr. Parker, just how are computer crimes committed? Is there a basic principle common to all of it?

DONN PARKER: Yes, there certainly is, because of its focus on the computer. We could say that computers play four different roles in computer crime. The computer can be the object of the attack; four cases where computers have been shot with guns, for example, or blown up -- this type of thing. Where the computer is the subject or creates a unique environment or a unique form of assets -- electronic money. Third, the computer can be used as the instrument, or the tool, by which it is conducted. And fourth, the computer can be the symbol for intimidation or deception.

MacNEIL: What are some of the typical crimes?

PARKER: Well, it takes a whole spectrum of problems, all the way from what I refer to as "data diddling," where you`re merely changing the data before it goes into the computer and after it comes out of the computer, all the way to the other extreme of very sophisticated crimes using Trojan horses, logic bombs, salamis, data leakage, superzapping...

MacNEIL: Let`s just go back over it a moment. What are Trojan horses?

PARKER:A Trojan horse technique is where you put secret code into somebody else`s program. That program is then run in the computer system, performing its correct functions but also performing your secret functions, unknown to the owner of the program but in his protected domain, to do all sorts of unauthorized acts with his data and he doesn`t know about it.

MacNEIL: What about salami? What`s that?

PARKER: Salami is a truly automated crime. It`s taking small slices over a period of time. It`s taking very small amounts of money from very large numbers of accounts, say in a bank savings system, and transferring them automatically into a favored account, from which it is legitimately drawn out. And so there`s no real evidence of its having been done, there are no victims who have lost enough money so that they even would complain about it.

MacNEIL: And what was the bomb you called...?

PARKER: Logic bomb. Well, if you were going to rob a Brink`s armored car, you wouldn`t do it on Monday, Tuesday; you`d do it on Friday, because that`s the day it`s carrying a payroll. Same thing in a computer system; the computer is now the vault of today. And so what you want to do is get your Trojan horse in there so that it executes at the time at which there is the most money available and the perpetrator is in the safest position.

MacNEIL: What`s the potential for crime as we entrust, you and I, more and more of our personal money to computers in banks or to electronic money transfers, fund transfers?

PARKER: Well, I would have to say this, that we are ambivalent about it. In one respect our money is far safer and we are served far more safely the more computers are used to serve us; because the computer is an ideal device for detecting any deviations from normal activity, we`re getting very good at security of that level of activity. On the other hand, in electronic fund transfer systems and automated banking, the real problem that we don`t have good solutions for yet is the very sophisticated crime that could be done that would involve massive losses to and cause the complete failure of an entire banking system.

MacNEIL: How much of an expert does the computer criminal have to be?

PARKER: Anything from a clerk who has only transaction access to the computer, where all he`s doing is filling out data forms, and very little knowledge, all the way to these most sophisticated things that could only be done by the knowledge of a systems programmer with a degree in computer science.

MacNEIL: How much computer crime do you think is undetected at the moment? Do you have a sense of it?

PARKER: Only in very vague ways. I mean, what`s the answer to how much undetected is there?

MacNEIL: Sure.

PARKER:I have 650 reported cases in my research files since 1958. Now, that`s a very small sample of what`s going on. But I show my cases, for example, to certified public accountants, and they say, "Gee, Parker, you`ve got a lot of good cases, none of them that I know about. I can`t tell you about them because they are confidential to my client, but I can assure you that you are only looking at a piece of the top of the iceberg of what is going on."

MacNEIL: You mean there are institutions against whom computer crimes have been committed who don`t like to disclose it.

PARKER: They certainly don`t, because they can lose more from the bad publicity when this gets onto every front page of every newspaper in the country. Also, there is a problem today with prosecution. Some victims will take these to the prosecutor, and the prosecutor says, I don`t know anything about computer technology; go away. And so that poses a problem for us. And it is very embarrassing to the victim to have this happen, and they look at what`s happened and they see that they cannot prevent anyone else from doing the same thing.

MacNEIL: Well, we`ll come back. Thank you. Obviously, one answer to all this is to try and build more security into the computers themselves or to improve security in the way they`re used. John O`Mara is executive director of the Computer Security Institute, a company which specializes in that very problem. Mr. O`Mara, what`s the biggest security problem facing computer users?

JOHN O`MARA: There`s a very real problem today, and that`s management`s lack of awareness of a problem, indeed. We see that this problem is becoming less severe; there are encouraging signs. However, there is no dramatic change on the horizon...

MacNEIL: You mean people using computers just aren`t aware that the sort of things that can be done to them that you`ve just heard about, can be done to them?

O`MARA: Well, keep in mind that senior managers today have not had the practical experience working with computers. Most of them rose up through the ranks not having access to or working with computers in school or on the job. There is a very real lack of understanding of the computer, there`s a definite mystique involved; they have not gotten as close to the data processing function as they have in other functions -- in marketing and finance and so forth. So what has resulted is a lack of awareness, a lack of concern, and an inability to use the same evaluative standards in this function as they have applied elsewhere. This lack of knowledge has of course precipitated a lack of good controls over the data processing function.

MacNEIL: Before we go into that, what are people who are aware doing about it? How are they making it more secure to prevent crime?

O`MARA: Within most large organizations they certainly are aware of problems, but keep in mind that the data processing function is turning out a product. They are providing the information needs of the organization. Security historically has not been a major concern. Without the pressure from above, there has been no incentive for them to install adequate safeguards. And we`re talking about significant assets here. We`re talking about the complete information-processing requirements, but in addition to that obviously the computers, in many of the larger and medium sized companies, are controlling the assets.

MacNEIL: Now, can you make a computer itself secure? Can you do things to it so that somebody can`t come along and steal from it or through it?

O`MARA: There is a whole host of things that can be done to improve the security of the data process...

MacNEIL: Just tell us a couple of them.

O`MARA: Well, for example, usually the first things that our members do is evaluate the physical security of their facility; that is ...

MacNEIL: Who can get to it.

O`MARA: Yeah; how do we prevent unauthorized access to the facility. Things like fire protection, anything that can disrupt the data processing function. Those are physical security considerations. We are seeing now products being developed that increase the reliability that unauthorized people will not gain access. There are such systems as fingerprint identification.

MacNEIL: You mean if I wanted to use a computer I would have to show it my fingerprints and it would decide whether I was the right person to use it or not -- that kind of thing?

O`MARA: That`s right. Previously you have provided the computer with the information that defines your characteristics and would compare that.

MacNEIL: We have to move on, but basically would you say at the moment that people who are using computers are not nearly enough aware of the security risk that they pose?

O`MARA: I would say they are more aware, the users of computers, the data processing people, than senior management; but the real problem is, senior management is not as much aware as they should be.

MacNEIL: Well, thank you. Jim?

LEHRER: Right now there is no federal statute making crime by computer a crime. Those caught and charged must be prosecuted in other ways. Looking back on those cases I went through at the beginning: those two accused of swiping computer time to compose music scores were charged, convicted and are now awaiting sentence for mail fraud. The head teller who got away with $1.5 million; well, he pleaded guilty to grand larceny and served fifteen months of a twenty-month sentence. The student on the West Coast with the telephone equipment was convicted of grand theft. He served forty days of a sixty-day sentence. And in the Equity Funding case the specific charges ranged from conspiracy to embezzlement.

There is now a bill before Congress that will change all of this by making crime by computer a crime. The bill was introduced by Senator Abraham Ribicoff, Democrat of Connecticut, chairman of the Senate Governmental Affairs Committee. Philip Manuel is a staff investigator for the Committee`s investigation subcommittee. Mr. Manuel concentrates on matters involving white-collar crime and helped draft the Ribicoff bill.

First, as those cases I just ran through indicate, it is now possible to prosecute people under larceny, embezzlement, mail fraud statutes. Why is a special computer crime law needed?

PHILIP MANUEL: It`s true that federal prosecutors have had some laudable successes and have sent some people to jail. However, the fact of the matter is that computer technology has really outstripped the ability of both investigators and prosecutors to attack many of the exotic situations which Mr. Parker described earlier. For example, the wire fraud statute, which is now the main government weapon against computer fraud, was written in 1934, long before the first computer was ever used, and certainly did not envision a lot of the technological advances that we see now. The reality of the situation is that computer technology has to this point outstripped the ability of prosecutors to keep up with it.

LEHRER: All right; now, the Ribicoff bill, the law that is now before Congress: first of all, would it make penalties more severe than are now available under these other statutes?

MANUEL: Yes, it would. The Ribicoff bill calls for penalties up to -- and I stress "up to" -- fifteen years in jail for certain crimes, and a fine which would, at a judge`s discretion, be in the amount of two and a half times the amount of the fraud or the theft.

LEHRER: Is it your position that this is the way it should be? In other words, a crime by computer should be more severely dealt with than, say, a normal mail fraud case or a normal embezzlement case?

MANUEL: In those cases where you have a gigantic rip-off -- a ten million- dollar theft, for example -- we definitely do feel that the penalties should be higher, and they should be higher for the reason that it will serve as a deterrent against crimes which are very difficult to detect.

LEHRER: In the broad sense, the broadest terms, what kind of crimes -- computer crimes -- does this bill specifically cover?

MANUEL: This bill covers all types of computer crimes. First of all, let me say that the jurisdiction of the bill is directed, or it covers, those computer systems which are owned or operated by the federal government, it covers computer systems that are owned or operated by financial institutions and certain other entities that operate or affect interstate commerce. Now, the bill makes it a crime to access a computer for the purpose of devising a scheme to defraud or for obtaining money, property or services through false pretenses or promises. So within that scope it covers almost every type of computer crime possible against those systems.

LEHRER: Does it make it a crime just to get information out of a computer in an unauthorized way?

MANUEL: Yes, it does. And we`re very concerned about the privacy implications of computer systems, and we definitely feel that some protection is needed and some legal sanction for those who would abuse privacy information in computers and steal it, in effect, by electronic manipulation or otherwise.

LEHRER: Is this law -- assuming that it`s enacted into law -- going to make any difference in terms of actually cutting down the incidence of computer crime?

MANUEL: We think it will, in many significant ways. We think that this bill will serve as a catalyst for computer managers and top managers in both government and private industry to start thinking about computer security. This is a problem that Mr. O`Mara just mentioned a little while ago. And we feel that, faced with the penalties that are inherent in this bill for certain types of activities, people are going to start thinking about it; and consequently, computer crime is going to be reduced. And moreover, of course the main purpose is to give our prosecutors and our investigators a good tool to work with and one where they can go into court and get some convictions, and we feel that this will have a deterrent effect as well.

LEHRER: All right; Mr. Manuel, thank you. Robin?

MacNEIL: Is this bill necessary, Mr. Parker?

PARKER: It most certainly is, for many of the reasons that Mr. Manuel mentioned. It is going to have, I think, a very significant deterrent effect, and it certainly is going to allow us to prosecute people for the crimes they commit.

MacNEIL: I`d just like to get Mr. O`Mara`s reaction: is this bill necessary?

O`MARA: We believe it is necessary.

MacNEIL: Now, how is it going to improve the detection of these crimes -- which is apparently the major problem?

PARKER: That`s right. It`s going to encourage the victims to report this kind of crime; the fact that we have a law will focus attention on the prosecutors -- the U.S. attorneys in states, and district attorneys -- and I think it will increase their motivation to learn more about how to prosecute and how to advise potential victims in their jurisdictions to detect this kind of thing in a way in which it can be prosecuted.

MacNEIL: Do you agree with that?

O`MARA: Yes. One of the problems that we`ve experienced is the historical background. Data processing has operated in almost a vacuum; that is, really not the same standards apply to data processing people, apparently, as do to the rest of us. I know Donn has indicated that you would probably be spending forty years in jail at this point if the tests that are being talked about as far as penalizing would be prosecuted. What I`m saying is, for example, the use of the computer for fun and games; there really hasn`t been much of a penalty involved here. It was sort of accepted by management that these kinds of things happen. However, this is not a healthy situation, and obviously legislation being passed will help eliminate some of these problems.

MacNEIL: Mr. Manuel, what does this bill do, if anything, for banks and other institutions that have a lot of money controlled by computer that do not cross state lines?

MANUEL: The computers do not cross...?

MacNEIL: Whose activities do not involve interstate commerce.

MANUEL: Well, if the particular financial institution were regulated by a federal government agency such as the Federal Reserve system or the Federal Deposit Insurance Corporation or the Office of the Comptroller of the Currency, they would be covered under the jurisdiction of this bill.

MacNEIL: I see. So most banks would be covered.

MANUEL: Most banks would be covered. All those regulated by the federal government.

MacNEIL: Mr. O`Mara`s pointed out that management has not been terribly aware of the danger up till recently. What about law enforcement? Senator Percy, I read, who`s one of the co-sponsors of your bill, said that law enforcement in this area had been woefully inadequate. Is that your impression?

MANUEL: I think that`s essentially true; at least, it has been true in the past. Again, I think that computer technology has probably far outstripped the ability of conventional law enforcement to deal with the problem. However, I must say that I think the FBI, for example, is now making a concentrated effort to train its agents in this type of white-collar crime, and I think federal law enforcement is improving all the time in this area.

MacNEIL: Well, thank you. Jim?

LEHRER: Mr. Parker, the Justice Department said in a report to Senator Ribicoff that computer crime was virtually unstoppable, that it could only be minimized. Do you agree with that?

PARKER: Well, I think you have to say that like you do with any kind of crime; you can`t stop it one hundred percent. And we have to realize that computer systems -- commercially available computer systems -- are not adequately secure, from a technical point of view; we do not know how to make them secure; and research at SRI indicates that it will be another eight to ten years before we have adequately secure computer systems.

LEHRER: Mr. O`Mara, you`re in the security end of it. Do you agree we`re eight to ten years away from really establishing secure systems?

O`MARA: I wouldn`t even try to put a number on the number of years that we are away from it. It is a question of users making it known that they are not satisfied with the products that are being made available to them right now. You`re talking about increased costs, and most computer manufacturers are just not willing to build in cost...

LEHRER: Yes, but what I`m asking you is, let`s say that a client comes to you and says, "Look, Mr. O`Mara, I`m aware of the problem. I`ve got all the money in the world; make my computer system secure." Could you do it, now?

O`MARA: We can add on -- we certainly will never reach total security, for sure -- we can increase the physical security, enhance the physical security, enhance the procedures that are being used, certainly; but it`s not the most efficient way of incorporating security into our systems.

LEHRER: What is the most efficient way?

O`MARA: Designing it into the systems.

LEHRER: From the very beginning.

O`MARA: That`s correct.

LEHRER: Did your committee consider that in terms of setting up some kind of security system at the very beginning with the computer companies? Did you take any testimony along that line?

MANUEL: Well, we made definite recommendations as far as the federal government is concerned, their physical security problems and what not, but I`d like to add just one thing into this whole talk about security. Personnel security is really an important factor here. You can have all the secure computer systems in the world, and if you still have a dishonest employee or a dishonest official who is in a position to play games with that computer, you`re going to have computer crime. So I`d like to stress - - putting my two cents` worth -- to say that I think that personnel security is a very important part of this, and until we get better personnel security -- and I`ll speak for the federal government -- we`re going to have some problems.

LEHRER: But is that any different for people working on computers than it is for any other job?

MANUEL: No. It remains a people crime, but I`d just like to put that in perspective, that people run computers and people commit the crimes. So along with physical security implementation you should al so think about who you`ve got at the controls.

LEHRER: Mr. Parker, back to you. That Justice Department report that I referred to also said that the manipulation or destruction of computer systems by evil people -- that`s my term, not theirs -- could cause havoc in our society if something`s not done soon. Is that kind of dire warning justified?

PARKER: I certainly think it is.

LEHRER: Could you give me an example?

PARKER: Certainly the two-billion-dollar Equity Funding insurance fraud, where one part of the fraud at least involved a use of a computer in a massive fraud; there`s the $40-million inventory fraud in Chicago; the $39- million insurance fraud in Philadelphia; the $14-million gasoline inventory fraud in San Juan, Puerto Rico. And we can go on and on naming these massive frauds. As we put more and more of our assets -- and records of these assets -- inside of our computers and connect them together in networks, the potential for doing massive harm is growing very rapidly.

LEHRER: Mr. Manuel, is the government concerned also on a national security basis in terms of access to government computers? Not to money, but just to information.

MANUEL: Sure. I`m sure they are, and they`re taking steps every day to secure their computer systems in that regard.

LEHRER: Is it a serious problem in the federal government?

MANUEL: I think potentially it is. I don`t think any computer system is absolutely one hundred percent secure, and certainly there are many national security considerations involved in computer operations.

Our main criticism about government computers, or the security of government computers, was more directed to those systems which hold privacy information or which spin off millions of dollars in taxpayers` money, or which hold otherwise valuable economic data. We didn`t find too much to complain about as far as the security of those systems dealing with national security are concerned.

LEHRER: All right; thank you. Robin?

MacNEIL: Thank you, Mr. Manuel; Mr. O`Mara, Mr. Parker. And good night, Jim.

LEHRER: Good night, Robin.

MacNEIL: That`s all for tonight. Go home and lock up your computers We`ll be back tomorrow night. I`m Robert MacNeil. Good night.