Vol. 15 No.6 (June 2005), pp.510-512

CYBERCRIME: A REFERENCE HANDBOOK, by Bernadette H. Schell and Clemens Martin.  Santa Barbara, CA:  ABC-CLIO, 2004.  247pp.  Hardcover.  $50.00. ISBN: 1-85109-683-3.

Reviewed by Alan Gaitenby, Center for Information Technology and Dispute Resolution, Legal Studies, University of Massachusetts, Amherst.  Email: gaitenby@disputes.net .

CYBERCRIME, by Bernadette Schell and Clemens Martin, is a straightforward report on the major areas of criminal intrusions into computer networks, systems, and data bases.  This text is presented as a reference handbook, and it succeeds by thoroughly focusing on the topic of illicit systems intrusions, providing a nice glossary of relevant terms, cases, and codes – largely in the American context.  Schell and Martin complete the handbook with an enlightening presentation of historical and biographical surveys of the major cybercrime events and cyberspace figures respectively.  This text would serve nicely as a backbone or primary resource for an undergraduate course on cyberspace and law with considerable focus on the black letter law of systems intrusions.  Similarly, it would be a nice supplementary reference to graduate or law school courses.

Schell and Martin take a largely positivist approach to the topic, which makes the text accessible to the widest possible audience.  As such they do not stray from the accepted notions of what constitutes crime and criminal liability in this area. Basically a cybercrime occurs when someone knowingly, and without permission, accesses a system, or data on a system, or uses appropriate access permissions to conduct damaging and prohibited acts to persons or property.  A small collection of federal statutes define the wrongs and potential penalties in this area of cyber law, and the authors do an effective job of mapping the terrain.  While this is a straightforward and accepted way of approaching the topic, the book would be improved further by taking a broader view, looking beyond system break-ins to a wider range of criminal and civil wrongs facilitated through cyberspace (both by illicit system penetration and otherwise).  Additionally, the text focuses considerable attention on the potential for terrorist-inspired cybercrime (e.g. a “CyberChernobyl”) in the form of system intrusions intended to cripple socio-political-economic infrastructure.  Clearly, a reasonable inquiry must pay heed to these concerns; however, the attention given here implies that this is the major issue of concern with respect to crime and cyberspace.  Statistics and data presented by the authors undercut this somewhat, showing that much more mundane pursuits and inspirations make up the bulk of cybercrime.  Of course, the absence of a cyber terror attack does not mean that it is not a problem, nor can it be assumed to mean that such attacks have been successfully thwarted. It is hard to ascertain causality for the absence of such a shadowy phenomenon.

In addition to illicit systems intrusions and subsequent damaging actions, there remains a need to address some of the other growth areas of cyberspace and [*511] law, areas where perhaps there is greater social and economic impact.   The text rightfully reflects the problem of fraud, and certainly illicit systems access as a result of fraud is an appropriate subject.  But the authors could have significantly deepened the discussion by spending more time on the rapidly expanding problems of identity theft and online commercial fraud.  Identity theft can be the result of illicit systems access, as with the spate of recent reports of stolen personal data of clients / customers of credit corporations and data aggregation operations.  Although computer systems access is not essential to identity theft, the subsequent fraud that results from such theft very often has a cyberspace component.  Another expanding area of fraud is in online auctions and other commercial exchanges, and companies like eBay expend considerable energy trying to ameliorate the impacts of such behaviors.  Despite these sorts of efforts, online fraud continues to grow, people still suffer damages, and many complaints are taken to federal and state agencies.  Internet gambling, money laundering, and other potential financial misdeeds may also be legitimately considered within the realm of cyberspace crime – or they soon will be as law makers (i.e., legislators and judges) catch up.

Chapter One presents an overview of the history and types of cybercrime.  The authors introduce the basic set of actions they consider cybercrime, consistent with positive notions of damage to property and persons in or via cyberspace.  That set includes: Cracking or Hacking into systems inappropriately (and perhaps damaging that system); Pirating data or software without permission; Phreaking, or accessing the phone system to avoid payment for services; Flooding, or accessing a particular system or service rapidly and repeatedly to cause that system to gag on the multiple requests for service; Virus and Worm production and release, causing a variety of individual and system wide problems; Cyberstalking moves harassment and stalking online; Cyberpornography represents the illicit production, manipulation, and possession of prohibited materials including child pornography.  Cyberterrorism represents damage to property and persons, as part of a social or political agenda calling for destruction / damage of key information technology infrastructure and related social practices.

Right from the start we are introduced to hackers in “white hats” and “black hats”—good and evil in the world of cyberspace.  Hackers or crackers are individuals who illicitly access systems either through social or technological engineering.  Social engineering occurs when individuals manipulate a social situation to access information from legitimate system users, and technological engineering refers to finding ways into systems through a variety of technical means (e.g. data ports and buffers, email, or web based virus / worm intrusions).  While informative about the basics of hacking, the authors perhaps oversimplify reality too much, categorizing hackers as either good or bad, and suggesting that the bad ones often transform into good ones when caught (or when they mature).  Hacking’s social reality is likely more complex than that.  In fact, there are probably many varieties and levels to hacking.  However, the most significant group are those on the cutting edge who write the viruses and [*512] worms that infect our systems.  Thus we need to have gray hats, and perhaps a plethora of other colors to truly reflect reality.  The authors keep returning to the potential worst case scenario of the black hats of cyber terrorists, and it remains to be seen if this is an appropriate fixation.

Chapter Two delves deeper into two major topics: the means and methods of systems intrusions, and issues and controversies relative to system vulnerabilities.  The first section on systems intrusion is effective, describing the targets, perpetrators, and existing / potential methods.  Readers are taken through the landscape of hacking, flooding, viruses and worms, spoofing, phreaking, and the technological, and sometimes socio-legal, defenses crafted for them.  This section of Chapter Two closes with a discussion of piracy and intellectual property / copyright, a placement that seems a little odd.  While certainly some piracy is the result of illicit systems access, a growing share is facilitated through voluntary exchange of pirated data, the so-called file sharing dilemma now being faced by organizations like the Recording Industry Association of America and being pursued by them through several copyright infringement cases against selected individuals who make massive file sharing possible by hosting pirated info which is then widely available for downloading.

Schell and Martin identify and explore several issues and controversies related to system vulnerability in Chapter Two.  Specifically this section looks at the types of attacks on software and systems, patching strategies to deal with technical, as opposed to social, vulnerabilities, and challenges to managing access by system administration posed by users, internet protocol, and domain name issues.  Finally, in this section Schell and Martin look at legislative and law enforcement efforts to deal with systems intrusions.  The authors are to be commended for raising the issue of “honeypots,” systems purposefully made vulnerable and available in order to watch and perhaps “sting” hackers.

Chapters Three, Four, Five, Six, and Seven respectively present a cyberspace chronology, cyberspace and cybercrime biographies, codes and cases of cybercrime, public and private agencies or organizations working on cybercrime, print and non-print cybercrime resources, and a glossary of relevant terms.  These chapters are all useful reference materials for teaching and research in this area.

In sum, this is a nice work that would be most useful at the undergraduate level, and would also have utility for some graduate or professional training purposes.  The book’s strength is its focus on traditional notions of crime in cyberspace, and especially as that relates to systems intrusions.   Professors and students who read this text will be well situated for academic and other discussions of what is currently understood as cybercrime.

*************************************************

© Copyright 2005 by the author, Alan Gaitenby.