Read an Excerpt

CYBERFRAUD IS
HERE TO STAY

In the old days when computer crimes were being committed by programmers, analysts, data entry clerks, and hackers, the general public showed no great concern or alarm. But even then, data security managers saw a far more serious risk looming as computer technology became cheaper and simpler and as information systems became more accessible to more people.

The computer frauds discovered in earlier days were sometimes ingenious but rarely expensive from the cash point of view. New buzzwords entered the criminal lexicon to describe these high tech crimes, terms like trap doors, Trojan horses, salami-slicing and superzapping. Still, the public showed no great concern. A few (poorly drafted) computer crime laws were passed and everyone hoped that now the problem of high-technology crime would go away.

But the problem hasn't died down or gone away, nor is it likely to stop anytime soon. Cybercrime is here to stay. Why? Because there is a lot of money to be made in it and the probability of being caught is very low.

Theoretically, there are several layers and types of control that are intended to deter and detect high-tech crimes (i.e., audit controls and organizational controls). They rest on the theory that general managers and accountants are more knowledgeable about defenses to fraud, theft, and embezzlement than designing, corrupt, or incompetent employees are knowledgeable about offensive methods to compromise systems of control. Experience and logic suggest the opposite. Defense follows offense; the criminal mind always has a lead point of time. The critical question is: Has the application of modern technology to accounting systems provided more lead time to the criminal? If so, the social threat today from cybercrime is greater than at any time in the past.

Look at a couple of computer crimes of the past for perspective. The granddaddy of computer-related crimes is the Equity Funding case, a situation in which an insurance company deceived its stockholders for many years by falsely representing its revenues and profits. Both were grossly over-inflated; revenues were over-inflated to the tune of $200,000,000. The technique used to inflate revenues was simple enough. The company merely stated it had sold more insurance policies than it had in fact. The ploy used to deceive company auditors consisted of generating fictitious policies on fictitious people. This went on for five years and involved a total of 200 company employees, including top managers, most of the data processing staff, and even an outside auditor.

Why was the fraud so difficult to detect? With a conspiracy of such large and diverse proportions, how could any mortal auditor discover the fraud? In fact, the fraud was brought to a head only when a disgruntled employee left the firm and blew the whistle to an investment advisor whose clients had a fair-sized stake in the company. The auditor, in turn, advised the Securities Exchange Commission (SEC).

Other reasons for the difficulty in detecting the fraud were:

• Audit tools then available were inadequate.
• Auditors were not knowledgeable enough about auditing in a computerized accounting environment.
  
• Auditors were inadequately trained by their firms and poorly educated by their colleges.
  
• Auditors were not equipped to deal with the fast-changing world of financial services.

These are rather serious charges, but Equity Funding took place in the late 1960s and early 1970s. We've come a long way since then, right? Yes, we have, but so has computer technology. Unfortunately, the gap between computer technology and audit, accounting, and management controls hasn't shrunk at all. If anything, the gap has grown.

Take as another example, the Volkswagen case, where it appears that some person or persons inside Volkswagen and perhaps outside the firm, manipulated its accounting records to cover up trading losses on foreign currencies to the tune of $259 million. The losses occurred in 1984 but went undiscovered until late 1986 or early 1987. How was this possible? Again, how sophisticated was its accounting system? Was it audible? How well-educated and -trained were its auditors? And the critical question, "Did technology inspire the crime?" While the facts indicate that this case involved incompetence or bad luck more than it did an evil intention to steal money from the company, technology provided a method to cover up the fraud.

Political terrorists, extremists, and protest groups often have common traits, such as tactical use of violence, attempted media manipulation, ideologies, causes, and enemies. But these similarities often can be superficial and misleading.

Most radical groups of the past adopted a revolutionary ideology derived from left-wing socialism or communism. Right-wing groups lean toward fascist or neo-nazi ideas. Today's radical protester is often part of a "social justice movement." He or she may be in an animal rights or an earth-liberation group. Members at the fringe of these groups have earned the moniker "eco-terrorists" by destroying labs that use animals in experiments or burning down a ski resort that might destroy a habitat for endangered species. Free software advocates have their fringe members who may be inclined to attack information systems.

Political or social terrorism is a strategy of intimidation and coercion--through the tactical use of, or threat to use, illegitimate force (such as sabotage)--to influence the political, social, or commercial behavior of an opponent or to provoke fear or respect from the general population. Terrorism is not mindless violence, nor is it irrational, though it often seems so. Terrorists have objectives for their actions.

In the dramaturgy of terror there must be a transgressor/victim, terrorist, and audience. Terrorists distinguish between violent (it used to be called armed) propaganda and regular propaganda. With violent propaganda, the act of terror itself is the vehicle that carries the message to the audience.

Terrorists usually have one or more objectives behind their propaganda:

• To advertise the existence of a group
• To publicize the group's cause
• To create an atmosphere of disorientation, fear, and alarm
• To portray their acts as the lesser evil (e.g., destroy a specific piece of property vs. allowing the destruction of a habitat)
  
• To extort specific concessions from a specific target--stop abortions, get off the land, provide publicity for a manifesto

Many extremists have accepted the premise that violent and unlawful threats and acts are justified if they promote their program to change society--for the better, of course. Extremists and protest groups must propagandize--usually by deed--if they are to gain active or tacit support for their cause. Today's radical has a wealth of past experience and information to draw on, regarding strategy, tactics, or practical advice. As long as there is television and other news media, there will be radicals who will manipulate it to their purposes.

More and more companies, large and small, are deploying Web-based, electronic commerce applications for competitive advantage and a good return on investment. These systems must be customer-friendly, with service centers providing access for order entry, inventory status, shipping instructions, or delivery schedule. The challenge for a market-driven system is controlling costs/increasing profits vs. protecting proprietary information.

Fifteen Reasons Why Cyberfraud Is Here to Stay

1. Growing use of personal computers and communications devices connected with computers make security measures difficult.

2. Valuable proprietary information has become more vulnerable to theft with the move away from protected mainframes to less secure decentralized networks of personal computers.

3. Current popular software is designed primarily for ease of use; security was not seen as a desired feature.

4. Computer hackers have new tools--data dictionaries and hacking software to uncover computer access passwords stored in a system.

5. Information and communications systems change rapidly, making security upgrades costly and often difficult to implement.

6. New or upgraded computer systems often take a productivity toll and alienate employees.

7. The importance of compliance with information protection policies and measures is often poorly communicated to employees.

8. A business strategy rooted in constant productivity sees security as slowing down the job.

9. As information technology systems get more complex, security also becomes complicated and layered with slower authorization procedures, thus wasting a lot of high-paid time.

10. Practices of open management and teams call for access to and sharing of proprietary information among employees, increasing potential important information losses.

11. Many employees are not willing to follow security procedures, preferring routine and convenience.

12. At a small company, the atmosphere regarding computer crime is often "it can't happen to us."

13. There will always be disaffected people and some will surely find reasons to see a company's computer system as the cause of their problem and take destructive retaliation against the company.

14. New generations of cyberpunks will see the computer system as a complex security labyrinth waiting to be invaded.

15. Business ethics appear to be eroding.

Cyberfraud will continue to grow until we shift from a crisis mode of audit and control to a prevention mode. Prevention means awareness, education, training, early involvement of auditors in design of new systems, and an effort to make these security systems an integral part of the computing infrastructure.

Even doing all of the above won't solve cyberfraud completely. It will, however, minimize the potential for the occurrence of cyberfraud and maximize the potential of the perpetrator being caught.