25.1 Your Legal Options After a Break-in
If you suffer a break-in or
criminal damage to your system, you have a variety of recourses under
the U.S. legal system. This chapter cannot advise you on the many
subtle aspects of the law. There are differences between state and
federal law, as well as different laws that apply to computer systems
used for different purposes. Laws outside the U.S. vary considerably
from jurisdiction to jurisdiction; we won't attempt
to explain anything beyond the U.S. system.
However, we should note that the global reach of the Internet may
bring laws to bear that have their origin outside the U.S.
Discuss your specific situation with a competent lawyer before
pursuing any legal recourse. Because there are
difficulties and dangers associated with legal approaches, you should
be sure that you want to pursue this course of action before you go
ahead.
In some cases, you may have no choice; you may be required to pursue
legal action. For
example:
If you want to file a claim against your
insurance
policy to receive money for damages resulting from a break-in, you
may be required by your insurance company to pursue criminal or civil
actions against the perpetrators.
If you are involved with classified data processing, you may be
required by government regulations to report and investigate
suspicious activity.
If you are aware of criminal activity and do not report it, you may
be criminally liable as an accessory. This is especially true if your
computer is being used for the illegal activity.
If your computer is being used for certain forms of unlawful or
inappropriate activity and you do not take definitive action, you may
be named as a defendant in a civil lawsuit seeking punitive damages.
If you are an executive and decide not to investigate and prosecute
illegal activity, shareholders of your corporation can bring suit
against you.
If you believe that your system is at especially high risk for
attack, you should probably speak with your
organization's legal counsel as part of your
security incident pre-planning before you have
an incident. Organizations have different policies regarding when law
enforcement should or should not be involved. By doing your homework,
you increase the chances that these policies will actually be
followed when they are needed.
To provide some starting points for discussion, this section gives an
overview of a few issues you might want to consider.
25.1.1 Filing a Criminal Complaint
You are free to contact law enforcement
personnel any time you believe that someone has broken a criminal
statute. You start the process by making a formal complaint to a law
enforcement agency. A prosecutor may be asked to decide if the
allegations should be investigated and what charges should be filed,
if any.
In some cases—perhaps a majority of them—criminal
investigation will not help your situation. If the perpetrators have
left little trace of their activity and the activity is not likely to
recur, or if the perpetrators are entering your system through a
computer in a foreign country, you probably will not be able to trace
or arrest the individuals involved. Many experienced computer
intruders will leave little traceable evidence behind.
If you do file a complaint, there is no guarantee that the agency
that takes your complaint will actually conduct a criminal
investigation. The prosecutor involved (federal, state, or local)
decides which, if any, laws have been broken, the seriousness of the
crime, the availability of trained investigators, and the probability
of a conviction. The criminal justice system is overloaded; new
investigations are started only for severe violations of the law or
for cases that warrant special treatment. A case in which $200,000
worth of data is destroyed is more likely to be investigated than a
case in which someone is repeatedly scanning your home computer
through your cable modem.
If an investigation is conducted, you may be involved with the
investigators or you may be completely isolated from them. You may
even be given erroneous information—that is, you may be told
that no investigation is taking place, even though a full-scale
investigation is in the works. Many investigations are conducted on a
"need to know" basis, occasionally
using classified techniques and informants. If you are told that
there is no investigation and in fact there is one, the person who
gives you this information may be deliberately misinforming you, or
they themselves may simply not have the "need to
know." Under terms of the U.S. PATRIOT Act, some
investigations are to be kept secret, and disclosing that an
investigation is proceeding may itself be criminal.
Investigations can place you in an uncomfortable and possibly
dangerous position. If unknown parties are continuing to break into
your system by remote means, law enforcement authorities may ask you
to leave your system open, thus allowing the investigators to trace
the connection and gather evidence for an arrest. Unfortunately, if
you leave your system open after discovering that it is being
misused, and the perpetrator uses your system to break into or damage
another system elsewhere, you may be the target of a third-party
lawsuit. Cooperating with law enforcement agents is not a sufficient
shield from such liability. Investigate the potential ramifications
before putting yourself at risk in this way.
25.1.1.1 Choosing jurisdiction
One of the first things you must decide
is to whom you should report the crime. Every state and the federal
government currently have laws against some kinds of computer crime,
so you have choices. In some cases, state authorities can even
prosecute under federal statutes.
Unfortunately, there is no way to tell in advance whether your
problem will receive more attention from local authorities or from
federal authorities. Here are some recommendations:
You should first approach local or state authorities, if at all
possible. If your local law enforcement personnel believe that the
crime is more appropriately investigated by the federal government,
they will suggest that you contact them. Unfortunately, some local
law enforcement agencies may be reluctant to seek outside help or
bring in federal agents. This may keep your particular case from
being investigated properly.
Local authorities may be more responsive because you are not as
likely to be competing with a large number of other cases (as
frequently occurs at the federal level). Local authorities are also
more likely to be interested in your problem, no matter how small the
problem may be.
At the same time, although some local authorities are tremendously
well-versed in computers and computer crime, local authorities
generally have less expertise than state and federal authorities and
may be reluctant to take on high-tech investigations. Many federal
agencies have expertise that can be brought in quickly to help deal
with a problem.
In general, state authorities may be more interested than federal
authorities in investigating and prosecuting juveniles. If you know
that you are being attacked by a juvenile who is in your state, you
will almost certainly be better off dealing with local authorities.
In some cases, you may find that it is better to bypass the legal
system entirely and speak with the juvenile's
parents or teachers (or have an attorney or imposing police officer
speak with them).
25.1.1.2 Local jurisdiction
In many
areas, because the local authorities do not have the expertise or
background necessary to investigate and prosecute computer-related
crimes, you may find that they must depend on your expertise. You may
be involved with the investigation on an ongoing basis—possibly
to a great extent. You may or may not consider this a productive use
of your time. Your participation may also result in contamination of
the case—as the aggrieved party, you could be blamed for
falsifying evidence.
Our best advice is to contact local law enforcement before any
problem occurs and get some idea of their expertise and willingness
to help you in the event of a problem. The time you invest up front
could pay big dividends later on if you need to decide whom to call
at 2:00 a.m. on a holiday because you have evidence that someone is
using your system without authorization.
25.1.1.3 Federal jurisdiction
Although you might often prefer
to deal with local authorities, you should contact federal
authorities if you:
Are working with classified or military information
Have involvement with nuclear materials or information
Work for a federal agency and its equipment is involved
Work for a bank or handle regulated financial information
Are involved with interstate telecommunications
Believe that people from out of the state or out of the country are
involved with the crime
Offenses related to national security, fraud, or telecommunications
are usually handled by the FBI. Cases
involving financial institutions, stolen access codes, or passwords
are generally handled by the U.S. Secret Service. However, other
federal agents may have jurisdiction in some cases; for example, the
Customs Department, the U.S. Postal Service, and the Air Force Office
of Investigations have all been involved in computer-related criminal
investigations. It is expected that the Homeland Security Agency will
have similar interests.
Luckily, you don't need to determine jurisdiction on
your own. If you believe that a federal law has been violated, call
the nearest U.S. Attorney's office and ask them who
you should contact. Often that office will have the name and contact
information for a specific agent or an office in which the personnel
have special training in investigating computer-related crimes.
25.1.2 Federal Computer Crime Laws
There are many federal laws that can be
used to prosecute computer-related crimes. Usually, the choice of law
pertains to the type of crime rather than to whether the crime was
committed with a computer, with a phone, or on paper. Depending on
the circumstances, laws relating to wire fraud, espionage, or
criminal copyright violation may come into play. You
don't need to know anything about the laws
involved—the authorities will make that determination based on
the facts of the case.
25.1.3 Hazards of Criminal Prosecution
There are many potential problems in
dealing with law enforcement agencies, not the least of which is
their experience with computers, networking, and criminal
investigations. Sadly, there are still many federal agents who are
not well versed with computers and computer crime. In many local
jurisdictions you will find even less expertise. Unless you are
specifically working with a "computer crime
squad," your case could be investigated by an agent
who has little or no training in computing.
Computer-illiterate agents will sometimes seek your assistance to try
to understand the subtleties of the case. Sometimes they will ignore
your advice—perhaps to hide their own ignorance, or perhaps
because they suspect you may be involved in criminal activity. In
general, it is poor practice for an investigator to accept advice
from the victim without some level of suspicion, and this is no
different in the case of cybercrime.
If you or your personnel are asked to assist in the execution of a
search warrant to help identify material to be searched, be sure that
the court order directs such
"expert" involvement. Otherwise,
you might find yourself complicating the case by appearing to be an
overzealous victim. You may benefit by recommending an impartial
third party to assist the law enforcement agents.
The attitude and behavior of the law enforcement officers can
sometimes cause major problems. Your equipment might be seized as
evidence or held for an unreasonable length of time for
examination—even if you are the victim of the crime. If you are
the victim and are reporting the case, the authorities will usually
make every attempt to coordinate their examinations with you to cause
you the least amount of inconvenience. However, if the perpetrators
are your own employees, or if regulated information is involved
(bank, military, etc.), you might have no control over the manner or
duration of the examination of your systems and media. This problem
becomes more severe if you are dealing with agents who need to seek
expertise outside their local offices to examine the material. Be
sure to keep track of downtime during an investigation as it may be
included as part of the damages during prosecution and any subsequent
civil suit—a suit that may be waged against either your
attacker or, in some cases, against the law enforcement agency
itself.
Your site's
backups can be extremely
valuable in an investigation. You might even make use of your
disaster-recovery plan and use a standby or spare site while your
regular system is being examined.
Heavy-handed or inept investigative efforts may also place you in an
uncomfortable position with respect to the computer community. Many
computer users harbor negative attitudes toward law enforcement
officers—these feelings can easily be redirected toward you if
you are responsible for bringing the
"outsiders" in. Such attitudes can
place you in a worse light than you deserve, and hinder cooperation
not only with the current investigation but with other professional
activities. Furthermore, they may make you a target for electronic
attack or other forms of abuse after the investigation concludes.
These attitudes are unfortunate because there are some very good
investigators, and careful investigation and prosecution may be
needed to stop malicious or persistent intruders. We can report that
this situation seems to have gotten better in recent years, so this
is less of a concern than it was a decade ago. As time goes on, and
as more people realize the damage done by intruders, even those
without malicious intent, we expect to see the antipathy towards law
enforcement fade even more.
We do encourage you to carefully consider the decision to involve law
enforcement agencies with any security problem pertaining to your
system.
In most cases, we suggest that you carefully consider whether you
want to involve the criminal justice system at all unless a real loss
has occurred, or unless you are unable to control the situation on
your own. In some instances, the publicity involved in a case may be
more harmful than the loss you have sustained.
Once you decide to involve law enforcement, avoid publicizing this
fact. In some cases the involvement of law enforcement will act as a
deterrent to the attackers, but in other cases it may make you the
subject of more attacks.
Also be aware that the problem you spot may be part of a much larger
problem that is ongoing or beginning to develop. You may be risking
further damage to your systems and the systems of others if you
decide to ignore the situation.
We want to stress the positive. Law enforcement agencies are aware of
the need to improve how they investigate computer crime cases, and
they are working to develop in-service training, forensic analysis
facilities, and other tools to help them conduct effective
investigations. In many jurisdictions (especially in high-tech areas
of the country), investigators and prosecutors have gained
considerable experience and have worked to convey that information to
their peers. The result is a significant improvement in law
enforcement effectiveness over the last few years, with many
successful investigations and prosecutions. You should definitely
think about the positive aspects of reporting a computer
crime—not only for yourself, but for the community as a whole.
Successful prosecutions may help prevent further misuse of your
system and of others' systems.
25.1.4 The Responsibility to Report Crime
Finally, keep in mind that
criminal investigation and prosecution can occur only if you report
the crime. If you fail to report the crime, there is no chance of
apprehension. Not only does that not help your situation, it leaves
the perpetrators free to harm someone else. Remember that the little
you see may only be one part of a huge set of computer crimes and
acts of vandalism. Without investigation, it isn't
possible to tell if what you have experienced is an isolated incident
or part of a bigger whole.
A more subtle problem results from a failure to report serious
computer crimes: it leads others to believe that there are few such
crimes being committed. As a result, insufficient emphasis is placed
on budgets and training for new law enforcement agents in this area,
little effort is made to enhance the existing laws, and little public
attention is focused on the problem. The consequence is that the
computing milieu becomes incrementally more dangerous for all of
us.
Here is a summary of
recommendations for avoiding possible abuse of your computer. Most of
these are simply good policy whether or not you anticipate break-ins:
Put copyright and/or
proprietary ownership notices in your source code and datafiles. Do
so at the top of each and every file. If you express a copyright,
consider filing for the registered copyright—this version can
enhance your chances of prosecution and recovery of damages.
Be certain that your users
are notified about what they can and cannot do.
If it is consistent with your policy, make all users of your system
aware of what you may monitor. This includes email, keystrokes, and
files. Without such notice, monitoring an intruder or a user
overstepping bounds could itself be a violation of wiretap or privacy
laws!
Keep good backups in a safe
location. If comparisons against backups are necessary as evidence,
you need to be able to testify as to who had access to the media
involved. Having tapes in a public area will probably prevent them
from being used as evidence.
If something happens that
you view as suspicious or that may lead to involvement of law
enforcement personnel, start a diary. Note your observations and
actions, and note the times. Run paper copies of log files or traces
and include those in your diary. A written record of events such as
these may prove valuable during the investigation and prosecution.
Note the time and context of each and every contact with law
enforcement agents as well.
Try to define in writing the authorization of each employee and user
of your system. Include in the description the items to which each
person has legitimate access (and the items each person cannot
access). Have a mechanism in place so each person is informed of this
description and can understand his limits.
Tell your employees explicitly that they must return all materials,
including manuals and source code, when requested or when their
employment terminates.
If something has happened that you believe requires law enforcement
investigation, do not allow your personnel to conduct their own
investigation. Doing too much on your own may prevent some evidence
from being used or may otherwise cloud the investigation. You may
also aggravate law enforcement personnel with what they might
perceive to be interference in their investigation.
Make your employees sign an employment agreement that delineates
their responsibilities with respect to sensitive information, machine
usage, email use, and any other aspect of computer operation that
might later arise. Make sure the policy is explicit and fair, and
that all employees are aware of it and have signed the agreement.
State clearly that all access and privileges terminate when
employment does, and that subsequent access without permission will
be prosecuted.
Be prepared with a network- and/or keystroke-monitoring system that
can monitor and record all information that is sent or received by
your computer. If you suspect a break-in, start monitoring and
recording immediately; do not wait to be given instructions by law
enforcement. In some cases, law enforcement agencies cannot give you
such instructions without first obtaining a court order because, by
acting upon their instructions, you would be acting as an extension
of the law.
Make contingency plans with your lawyer and
insurance company for
actions to take in the event of a break-in or other crime, the
related investigation, and any subsequent events.
Identify, ahead of time, law enforcement personnel who are qualified to
investigate problems that you may have. Introduce yourself and your
concerns to them in advance. Having at least a cursory acquaintance
will help if you later encounter a problem that requires you to call
on law enforcement for help.
Consider joining societies or organizations that stress ongoing
security awareness and training. Work to enhance your expertise in
these areas.
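The two recommendations above about keeping backups whose custody you can testify to, and about starting a timestamped diary that includes copies of log files, are easy to turn into a habit with a small tool. The following Python script is an added example, not code from the book or its authors: it appends timestamped entries to a plain-text diary, stores a copy of each log file you capture in an evidence directory beside the diary, records the copy's SHA-256 in the diary, and can later re-hash every stored copy to show that it still matches what was recorded. The file names diary.txt and evidence/ and the sample log content are assumptions made for the example.

```python
"""Incident diary helper (added example; not from the book).

Appends timestamped observations to a text diary and stores snapshots of
log files beside it, recording each snapshot's SHA-256 so that the stored
copy can later be shown to match what was captured at the time.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _stamp(when: datetime | None = None) -> str:
    """UTC timestamp in a fixed format, so entries sort and compare cleanly."""
    when = when or datetime.now(timezone.utc)
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large logs are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def append_entry(diary: Path, text: str, when: datetime | None = None) -> str:
    """Append one timestamped line to the diary; returns the line written."""
    line = f"[{_stamp(when)}] {text}"
    with open(diary, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def snapshot_log(diary: Path, source: Path, when: datetime | None = None) -> dict:
    """Copy a log file into <diary dir>/evidence/ and record its hash in the diary.

    copy2 preserves the source's modification time on the copy, and the hash
    is computed on the copy (then checked against the source) so the diary
    describes exactly the bytes that were stored.
    """
    evidence_dir = diary.parent / "evidence"  # assumed directory name
    evidence_dir.mkdir(exist_ok=True)
    dest = evidence_dir / f"{_stamp(when).replace(':', '')}_{source.name}"
    shutil.copy2(source, dest)
    digest = sha256_file(dest)
    if digest != sha256_file(source):
        raise RuntimeError(f"{source} changed while it was being copied")
    append_entry(diary, f"snapshot of {source} saved as {dest.name} sha256={digest}", when)
    return {"copy": dest, "sha256": digest}


def verify_snapshots(diary: Path) -> dict:
    """Re-hash every snapshot named in the diary; returns {file name: intact?}."""
    results = {}
    for line in diary.read_text(encoding="utf-8").splitlines():
        if " saved as " not in line or " sha256=" not in line:
            continue
        name = line.split(" saved as ", 1)[1].split(" sha256=", 1)[0]
        recorded = line.rsplit("sha256=", 1)[1].strip()
        copy = diary.parent / "evidence" / name
        results[name] = copy.is_file() and sha256_file(copy) == recorded
    return results


if __name__ == "__main__":
    # Constructed demo data: a throwaway directory and a made-up auth log.
    workdir = Path(tempfile.mkdtemp())
    log = workdir / "auth.log"
    log.write_text(
        "Jan  2 03:04:01 host sshd[411]: Failed password for root from 192.0.2.10\n"
        "Jan  2 03:04:03 host sshd[411]: Failed password for root from 192.0.2.10\n"
        "Jan  2 03:04:05 host sshd[412]: Accepted password for admin from 192.0.2.10\n"
    )
    diary = workdir / "diary.txt"  # assumed diary file name
    print(append_entry(diary, "Noticed repeated failed root logins in auth.log"))
    print(snapshot_log(diary, log))
    print(verify_snapshots(diary))
```

Keep the diary and evidence directory on media that only you (or a named custodian) can write to, and note in the diary who has had access to it; the hash lets you show the copy is unchanged, but only the custody record shows who could have changed it.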