Computer crime: grappling with a 'high tech' problem
Recent, dramatic ''computer crimes'' may give the impression that banks, brokerage houses, major businesses, and federal agencies are increasingly vulnerable to multimillion-dollar losses.
But, according to International Business Machines Corporation (IBM) standards and data security director L. John Rankine, ''a well-protected computer system can be much better protected than a manual system.''
''The actual, purposeful frontal attack on a computer from the information available to us is way down the scale of what can happen to a machine,'' he adds. When one analyzes many incidents, he says, they turn out to be failures in management or auditing systems rather than true computer crimes. In this view, a solution to the problem is sensible security precautions, backed by a computer's ability to record unauthorized access to or attempts to tamper with data.
Yet critics point to cases such as a phone transfer of $10.2 million from Security Pacific Bank to a Zurich bank account. The money was used to buy diamonds worth $8 million from the Soviet government. Particular concern centers around the federal government's 10,000 computers - used for such purposes as doling out $25 billion for the Defense Department and $80 billion for the Department of Health and Human Services each year.
With an estimated 2 million trained computer operators, programmers, and technicians in the United States who have access to an estimated 3 million business computer terminals and half a million personal computers, the risks of unauthorized access and tampering with computer records seem tremendous.
One approach to the problem comes from Rep. Bill Nelson (D) of Florida. After writing the Florida Computer Crimes Act in 1978, now copied by 14 other states, Mr. Nelson is proposing federal legislation that would define computerized information as property and make misuse of the data a federal offense. According to a congressional staffer working on the Nelson bill, the computer industry opposes any computer-crimes legislation because ''they don't want to admit to their customers that there are problems.
Some industry officials admit that computer technology itself creates problems. Using one computer to ''break into'' another becomes a challenge. Too often, neither the computer criminal nor the bemused public takes a computer crime as seriously as breaking into a bank vault - though the computer crime may involve far larger sums of money.
The computer embezzler may rationalize his action by seeing the transfer of money into his hands as a way of ''keeping score'' in his ''game'' of outwitting a computer. In the case of hardened embezzlers, another industry official admits that ''perhaps computers offer a better tool for an embezzler, because it is quicker and quieter and there's no paper work involved.''
Some industry experts note that a computer's access to a bank's assets, a corporation's trade secrets, or a government's economic and defense programs involves the ''hidden cost'' picking employees more carefully. Such risks underline the need for federal legislation, says Donn Parker, author of a number of Stanford Research Institute (SRI) studies on computer crime. He also sees a need for outlawing even playing games on corporate computers because it constitutes stealing valuable computer time.
Critics of the computer industry often cite one Parker finding that in 1972 ''the average take in a conventional bank fraud or embezzlement was $19,000, whereas the average take in computer-related bank fraud or embezzlement was $450 ,000.''
Mr. Parker says that the SRI studies ''should not be used to imply that any of these figures are actually representative of the real problem. . . . No one has the slightest idea of how much computer crime there is, whether it is increasing, or whether it is decreasing.''
''We do think that computer crime is going up, simply based on the increasing number of computers in use. We think the losses tend to be larger, simply because assets managed by computers are more concentrated and automated. . . . We think we are looking only at the tip of the iceberg.'' he adds.
Parker also thinks that victims of computer crimes may be reluctant to report losses because prosecution under existing law has proved difficult, victims fear losing more from lost business and bad publicity than from the original crime, and reporting a case may encourage other criminals to try the same methods.
But Peter Watkins, senior consultant for Peat, Marwick, and Partners, asserts that the young industry's controls are working remarkably well. ''In comparison with the approximately 350,000 computer installations in the US in 1980,'' he says, ''75 reported cases of computer abuse annually hardly seems excessive. Computer abuse occurs in approximately 0.02 percent of computer installations, or two cases in every 10,000 installations.''