Computer hacking, myth or menace, part II


FEATURE

Computer Hacking, Myth or Menace, Part II Clive Blatchford

This article concludes a two-part theoretical study of the problem of hacking, considering strategies of computer crime control, the changing face of social order and the policy implications that these generate.

Strategies of crime control

The perpetrator. There is no shortage of reports of hacking. Hackers as self-publicists have no equal, especially if their efforts are directed at 'socially acceptable' targets within the dysfunctional or deprived society. In 1997, the British Labour and Conservative party Web sites were attacked. Animal Rights activists (the 'Ghost Shirt Factory' group) hacked Kriegsmann, a maker and distributor of fur coats, in November 1996. Intelligence and military targets are common victims. Recently, these have included the Pentagon-US Army Intelligence Center (by 'Chameleon') and the CIA (by the 'Power Through Resistance' group, via Sweden, in Sept 1996).1

Any successful arrest and criminal prosecution seems to follow the principle of classical 'draconian' punishments to deter others within the hacking counter-culture. Sentencing, thus, does not always appear to be proportionate to the specific crime. Well publicized perpetrators have included:

• Masters of Deception, a five-member group, attacked US banking and government systems. Each received at least one year's imprisonment in 1993.

• Kevin Lee Poulson attacked US Air Force and telecommunications systems. He also won a sports car by hacking a Los Angeles radio station. He received a prison sentence of 14 years in 1995.

• Malcolm Farquharson assisted someone else to hack into the systems of computer vendors. He received six months' imprisonment in 1994 for personal gain.

• Dominic Rymer attacked UK hospital operational systems and amended pharmaceutical records, apparently creating false prescriptions.

Folk heroes, or devils, depending upon one's perspective in a pluralistic society, such individuals have a strong following within the hacking 'counter culture'. Kevin Mitnick, for example, was one of the most wanted criminals in America from 1992 until he was finally captured in 1995. His many exploits included 'hijacking' the FBI telecoms systems in California to create false identities. Books have been published allowing others to emulate his 'success'.

Notwithstanding such well documented incidents, the actual threats by 'outsiders' to most enterprises may be very low. Attacks by privileged insiders/employees may be much more prevalent and dangerous. The media-inspired moral panic on hacking continues unabated. The resulting spiral of deviancy has even equated hacking with the 'mugging of computers'. The legal position in the UK needs to fully reflect the extent of the threat. There are basic differences between the hackers that engage in rational decision making to achieve economic or political advantage, and those with a messianic zeal to 'right an apparent wrong'. Many hackers are now apparently leaving the anti-establishment 'counter culture' to exploit their skills, either in legitimate information security and 'tiger teams' or in publishing security 'cook books'. Others may continue to violate computers as technical support to 'conventional' criminals. The hacking sub-culture may itself become dysfunctional from the internal quarrels of individuals and groups (e.g. between 'Legion of Doom' and 'Masters of Deception'). This will have long-term implications for those trying to design secure systems as feuding hackers turn their attention away from Establishment targets.

1 Archive of Hacked Web Sites, http://hem.passagen.se/awesome/book.htm

Computer Fraud & Security March 1998 © 1998 Elsevier Science Ltd

The corporate victims. Much mainstream 'administrative criminology' is not interested in the individual reasons for hacking, but instead in altering the situations in which offences can occur. Historically, the study of corporate business victims has been about 'situational crime prevention', implementing security policies and procedures to deter hacking. Designing-out crime in computer systems can be achieved by target hardening. This ranges from an architecture with secure building blocks to better operational administration. An overall computer security 'meta' architecture should encapsulate the functionality and assurance criteria that maintain service and data confidentiality (privacy), integrity (avoiding unauthorized change or destruction) and availability (avoiding and withholding). Robust operational examples are few. There is some anecdotal evidence, yet to be measured, that improvements in the controls of the major public administrations and multinationals have resulted in some crime 'displacement'. This includes:

• spatial: hacking against smaller and less prepared enterprises

• tactical: alternative attack modes to obtain access privileges

• targeting: more 'destruction' of data or service availability, or criminal fraud

Part of the proposed study will review whether or not such anecdotes can support a cogent justification for increased levels of security investment. The commercial 'community' will need to adopt similar computer policies, standards and procedures. Any consistent security solution may mean that a gradual harmonization of existing bespoke controls of self-regulation, compliance and policing could prove inadequate. The integration of national legislation, financial and audit codes is increasingly a prerequisite for trusted international trade.2

Changing social order

Information is gradually replacing goods and capital as the source of wealth and power. 'Critical criminology' believes that the 'virtual electronic' world of information is evolving in a similar way to that of the 'physical' world under capitalism. The rapid implementation of computers dictates the necessary re-establishment of social order on a new technical foundation, as described by various 'revisionist' historians. The nation state and corporate entities are creating the legal and procedural infrastructure in which to maintain control in an expanding 'Global Information Village'. There is vocal disagreement from many quarters on the limited range of perspectives behind this new control. This new order is seen by many as being driven by the 'moral entrepreneurship' of the IT community and a few key transnational corporations. The citizen of this new society may not feel adequately represented. Civil libertarians see parallels between the criminalization of computer hacking (the trespass of the 'virtual space' of information system 'domains') and the contested nature of the criminalization of 'physical' trespass. The possibility of universal identification, for example, may facilitate use of telecommunication services, but it can also be used for intrusive tracking of people and situations. The mainstream classical criminological assumption is that there is an administrative consensus and unified interest in society in relation to the protection of computer information and services. This may be valid for the availability and integrity of 'public' computerized services, but the privacy of much state and corporate information is questioned. Even the Judiciary is giving out mixed signals. Some high-profile prosecutions on information security violations have resulted in penalties out of proportion to the committed offence. Other cases have failed because of the sympathy and discretionary bias within the Judicial System.

Situational crime prevention may not be an adequate response to hacking. It is essential that the disposition of potential and actual hackers be understood so that the controls can equate to the risk. If hacking cannot be stopped then some procedural obfuscation may be an operational alternative (for instance, using 'false access and database routines' to redirect hackers surreptitiously away from the important corporate data). Such additional software could be fundamental 'insurance' in our pluralistic world of many differing social perspectives.

2 "Internet and the changing way of doing business", Business Week, 14 November 1994.

Policy implications

In the UK, in addition to the Theft Acts, the principal acts of legislation on 'computer crime' are the Police and Criminal Evidence Act (1984), the Data Protection Act (1984) and finally the Computer Misuse Act (1990). The pressure for specific 'hacking' legislation came from the business community, primarily the IT companies. It was bitterly contested by legal and civil liberties groups. The public reaction is currently muted, but is likely to resurface if new legislation is proposed, especially to support electronic commerce. Additional controls may parallel the rapid growth of online retailing, the wide operational implementation of the secure electronic transaction (SET) standards and the 'escrowing' of individual and corporate public key identifiers, as part of the proposed 'Trusted Third Party' process. Criminal legislation can prove counterproductive against the hacker as a 'technical folk hero'. Past offenders are now obtaining lucrative positions within the 'security tiger teams' of those very enterprises that originally prosecuted them. This is a good example of the gradual changes that take place in a modern, pluralistic society, as those in power appreciate and exploit the benefits of the deviancy of 'others'. The Department of Trade and Industry in the UK continues to extol the virtues of Internet business information services. In November 1997 the Enterprise Zone Web site was launched, aimed primarily at revolutionizing the way smaller businesses operate within the electronic, online 'marketplace'. The legal context of electronic commerce needs to be considered in the broader laissez-faire of national and international relationships. The transnational corporations may have the legal muscle to address specific incidents as they occur; the smaller and medium-sized enterprises will need a legitimate infrastructure that can accommodate the more sensitive and flexible society in which they have to operate. Critical criminologists maintain that future electronic legislation and associated controls should only be proposed and implemented following the study of the evolution of private and public information. Fundamental human freedoms could be undermined by the many 'virtual' institutions of supervision or constraint, of covert surveillance and unrelenting coercion. The creation of an efficient yet insidious 'Carceral' Information Society would be manifest from the technologically aided 'Big Brother' of State and Corporation.3

National policy changes, however, should be considered in the Computer Misuse Act (1990). The issue of criminal intent needs clarification, with differentiation between accidental and intentional access of private, 'unauthorized' information domains. The three existing categories of offence found in the Act (unauthorized access, unauthorized access with intent and unauthorized modification) may need redefinition. The concept of sentencing guidelines and fixed 'tariffs' should be avoided; there is sufficient 'reasonable doubt' in many hacking cases to ensure that sentencing remains with the judiciary. The recent UK debate on the need for a Freedom of Information Act must be paralleled by the ability of information users and providers to classify and categorize their information. Good data administration has been preached for 20 years, but many small and medium-sized enterprises have yet to be converted. Corporate self-regulation, in conjunction with company audits, must recognize 'enforceable', minimum standards of 'Good Information Management'. These must have a role as evidence in criminal as well as civil litigation. In associated moves, as an example of private versus public information, the unauthorized access and reproduction of information services is a key issue in the success of electronic commerce. There is increasing emphasis being placed on the legal protection for encrypted services, including pay-TV and interactive tele-shopping over both the Internet and cable TV systems. The CEC in Brussels has prepared a draft directive (following a Green Paper, 3/96) on copyright rules for the digital age. Individual national implementation will follow any EU approval. International policy should clearly delineate legal jurisdiction over the emerging global 'public' networks and sensitive national security, including the issues of 'certified' secure components and encryption. The clandestine control over many security features by the National Authorities is understandable, but not practical over the longer term in the global market. Other international platforms must be established.

3 Michel Foucault, Discipline and Punish, Allen Lane, London 1997.

Possible problems

Marxist-driven concepts and radical 'pluralism' may be in continuous conflict with classical business needs; there is apparently little sympathy for large corporations. A coordinated, objective effort to 'explain' the social vulnerabilities to hacking may be a necessary prerequisite to better understanding.

Corporate victims

There is no problem in gaining an audience with a representative sample of IT managers and security managers. Information and service security is recognized as an important factor in electronic commerce by the larger enterprises. The smaller enterprises may have a different set of concerns. The findings from both groups, however, will need critical analysis, as any anxiety may be conditioned by media hype. They may 'inflate' the adequacy of their controls.

Some smaller companies do not fully understand the security weaknesses, especially the vulnerabilities of generic IT product implementation. The technical issues will need cross-checking with selected service suppliers. In addition, incidents of hacking that have resulted in detected fraud and financial loss are usually hidden, especially from external auditors.

Perpetrators/offenders

There is a highly visible and communicative hacking counter-culture on the Internet. Sample problems are likely to include a marked skew on implied technical prowess (most hacking comes from 'trawling for passwords') and inflated conceit over past success. The overt rejection of legal controls against any information access will bias the value of dialogue on the application and impact of legislation.

Conclusion

National Youth Justice Systems are all trying to reduce the number of young people being incarcerated. The UK is no exception. Many 'computer crimes' are committed by the young. Any solution must fully reflect such problems. This can only be achieved by understanding 'hacking' from the perpetrator's/offender's point of view. Does deterrence through punishment achieve its objectives, especially when used as an example against others? Studies are necessary to establish whether the problem of hacking is real or illusory. Many enterprises have a low social profile and probably face little risk. What are the formal mechanisms to track the continuously evolving issues? Investment in security must not become the ultimate determinant in the decision to proceed with new information systems. Modern society is increasingly pluralistic, and alternative social and cultural perspectives will vie for power. Criminologists maintain that 'deviancy' today can become mainstream, socially acceptable behaviour tomorrow. Hacking may fall into this category. The proposed hacking study, albeit reflecting a somewhat novel 'critical criminological' bias, may give some useful input for the ongoing debate on the level of information security controls.