1. Executive Summary

Computer networks have become critical to the success of many businesses. Today approximately 80% of corporate intellectual assets are in digital form somewhere on the network. In addition, the majority of corporate communications take place on these networks. With the expansion of the internet, the computer network and therefore all digital assets and communications of a company, have become accessible by anyone on the planet with a computer and browser. This paper will explore the following three topics:

• Identify some of the key trends and major threats to network security so a manager can identify the major risks applicable to their company.
• Offer some solutions to manage the risks that these threats pose to their computer networks.
• Propose a strategy for implementing a comprehensive electronic security system tailored to a particular company’s needs.

2. Introduction

As few as five years ago, the largest data security and privacy concerns to corporations were theft of physical hardware, or a disaster that eliminated data. Today, the data security and privacy issues are far more serious due to the widespread use of the internet.

While data security and privacy issues affect both business and the consumer, this paper will focus on data security and privacy issues affecting business. It should be noted that any company doing business over the internet must be sensitive to the privacy concerns of the consumer, therefore this paper will address issues and solutions for this topic.

This paper will examine current data security and privacy issues from a high-level management perspective. Due to the increasing usage and importance of the Internet, the majority of this paper focuses on issues relevant to that medium.

3. Security Threats

The first step to managing the security of information resources is to understand the current environment that may foster threats to security as well as to understand some of the more specific threats to security. Once these threats are understood a company can devise an appropriate security solution.

    3.1. Key Trends

The environment in which businesses operate is constantly changing and evolving. There is no field that is changing as fast as information technology. It is first very important to understand the evolution of hackers and the tools used to breach corporate information security. It used to be that most hackers were sophisticated computer users taking advantage of sophisticated tools to break into corporate networks. Now, with the evolution of the internet, there are no particular skills needed to be an attacker. Attack scripts, which are widely available at many internet sites, can easily be downloaded. A user then simply points and clicks to launch an attack (Schneier, p32). It is so easy a 15-year-old can do it, and has. The important point is that computer systems are now more vulnerable to young teenagers with no particular skills and with no real understanding of the ramifications of their actions.

It is also important to understand the geographic scope of security threats. In the offline world companies only have to be concerned about security in the vicinity of their resources. In today’s online world, everyone on the planet can pose a security risk. If a company operates a website, they are opening their computer networks to anyone with access to a computer and a web browser. In fact, in 1998 there were over 200 million internet users in 150 countries increasing at a rate of 150% per year, all with access to a company’s network (Spafford). Compounding this problem is the difficulty of criminal investigation and the complexity of international law. Security is critical.

Finally, it is very important to understand that security threats are not just external. Even though external threats are increasing at a faster rate than internal threats, insiders are still the biggest security threat. Law enforcement officials estimate that 60%-80% of all break-ins are from employees (Sager, p36). These may be disgruntled or dishonest employees with their own agendas. It may also just be naïve employees who get talked out of a password. For example, in 1997 Cadence Design Systems, a $1.2 billion maker of electronic design software, was accused of e-mailing software code to a start-up competitor, Avant Corp. The Avant product in question even included the same designer typos as the Cadence software (Radcliff, p38). The point is that it is much easier for an insider to breach security because they already have access to the network and they know where the assets are located. Information security must be focused on both internal and external users.

    3.2. Attacks on network security

Attacks on network security can take several forms (3Com White Paper):

• Denial of Service – an attack on the availability of information
• Theft of information – an attack on the ownership of information or intellectual property
• Corruption of Data – an attack on the integrity of information

A denial of service attack is a new type of security threat where the attacker disrupts the flow of information by crashing or overloading a critical device such as a server, router, or firewall. This is an attack on the availability of information.

Businesses most at risk from this form of attack are businesses that are highly dependent on their websites for customer interaction. In a denial of service attack the attacker essentially floods a website’s equipment with too many requests for information. This clogs the system, slowing performance and/or crashing the site. Legitimate customers are unable to access the site to transact business, which essentially halts all commerce at the site. It is easy to see that this can easily cost the business huge amounts in sales and reputation among current and potential customers.

An example of this form of attack is the recent wave of attacks on some of the internet’s most established and popular sites including Yahoo, eBay, Amazon.com, and Buy.com. Buy.com, for example, was paralyzed for approximately 3 hours after experiencing a denial of service attack. During the attack the data hitting their site was over 24 times the normal capacity (Borland). Experts say these kinds of attacks are "so easy, it’s creepy". Here is how these particular attacks happened (Sager, p36).:

STEP 1
An individual or group downloads software that is readily available at many underground web sites specializing in hacker tools. The software is easy to use; it’s all point and click.

STEP 2
They break into scores of computers on the Web and plant a portion of the downloaded program, allowing the hacker to control the machine.

STEP 3
They pick a target, Buy.com for instance. Then they sit back in the privacy of their homes and instruct the computers they’ve hijacked to send requests for information to that site. They send enough requests at the same time to clog or crash the site they are attacking. It is just like dialing the same telephone number constantly so that no one else can get through.

STEP 4
Responding can take hours. Tracing these attackers is difficult because the requests are coming from many different computers. Eventually system administrators can sift through that traffic and identify a general location where the attack commands are originating. After identifying the location the company can write a program to reject the requests from a particular attack.

            3.2.2. Theft of Information

The attacker acquires information that is proprietary to the organization. This is an attack on the ownership of information or intellectual property.

Some types of businesses most at risk from this type of attack may be the manufacturing industry, since they must protect themselves against the theft of their biggest assets, intellectual property. Also, businesses where customer confidence is critical, such as banks, need to consider these threats very seriously. Customer confidence would be seriously compromised if customer credit card numbers were stolen. Recently, a hacker was able to compromise network security at CD Universe. This hacker stole 300,000 credit card numbers and demanded a $100,000 ransom for their return. When the company refused to pay, the hacker posted 25,000 of the stolen numbers to a website. It is believed the hacker resides in Russia (McClure, p64).

There are a number of solutions that a company can use to protect themselves against the theft of information including the following, which are described in detail later in the paper:

Physical protection – Where are you?

User authentication – Who are you?

Access controls – What assets are you allowed to use?

Encryption – What information should be hidden?

Management – What is going on within the network?

            3.2.3. Corruption of data

The attacker destroys or corrupts data stored on disk or while it is being transmitted across a network. This is an attack on the integrity of information. Aside from an active attack, data corruption could be caused by a natural disaster, such as a fire or an earthquake. Security needs to be managed from this aspect as well.

Some types of businesses most at risk from this type of attack are again financial institutions for which customer confidence is critical. The integrity of customer financial information is paramount for financial institutions.

Some of the attack methods used to corrupt or destroy data are through the use of viruses and worms (Summers).

• Viruses – A program that is intentionally written to attach itself to other programs or disk boot sectors and replicate whenever those programs are executed or those infected disks are accessed. Some viruses are programmed to execute when a certain event occurs, such as on a certain date. An example of this is the Michelangelo virus which was programmed to release its destructive code on March 6, Michelangelo’s birthday.
• Worms – Worms are programs that do not attach themselves to programs, but instead worms its way through a computer’s memory and / or disk and alters data. Worms do not require a "host" as do viruses but have the same results. An example of a worm is the recent "I Love You" e-mail that, when opened, deleted all image and music files from the user’s hard drive, and then accessed all of the address books and forwarded itself to every e-mail address listed.

4. Solutions

The previous section defined ways in which data security and privacy can be compromised for a company. This section describes various methods that can be implemented by a company in order to manage data security and privacy.

    4.1. Laws and Regulations

If a company suffers an attack, it is logical to assume that the attacker will be prosecuted in a court of law in the same way that any thief or terrorist would be under U.S. and international laws. Surprisingly, this is not necessarily the case. Due to the international nature of the internet, it is not always easy to find and arrest hackers outside of the U.S. "There are no political or natural boundaries in Cyberspace. Therefore, any crime or action committed in Cyberspace is not necessarily limited to one country or region of the world." (Brenner and Cochran) As this paper is being written, the FBI is waiting to obtain an arrest warrant from a Filipino court to arrest the suspected "I love you" virus creator.

David L. Smith, the creator of the "Melissa" virus, pleaded guilty in December of 1999 "…to both federal and state charges of creating the virus. Although Smith said he had included in the virus' design ‘features designed to prevent substantial damage,’ he acknowledged that the e-mail worm has caused $80 million in damages -- the minimum amount needed to trigger the tougher federal sentencing guidelines." Smith was charged with the second degree offenses of interruption of public communication, conspiracy to commit the offense and attempt to commit the offense, third degree theft of computer service, and third degree damage or wrongful access to computer systems. Smith faces a maximum penalty of $480,000 in fines and 40 years in prison. (Policy.com)

While the United States and many other countries have laws against cyber crime, the laws are clearly not serving as a deterrent to computer hackers (refer to Appendix A for US law). Additionally, it is important to note that even if a hacker is caught and charged with a crime, the damage to a company’s computer system has already been done, and the prosecution of the attacker will not restore the integrity of the system. It is imperative, therefore, that a company be proactive in its quest to manage data security and privacy within the organization.

    4.2. Requirements for a Security and Privacy System

It is clear that a company can not rely on the law to act as a deterrent to would-be hackers. Instead, a company must be proactive in establishing a system and methodology for managing its data security and privacy. This section defines the requirements for such a system.

There are several requirements for an effective security and privacy system. The main reason for such a system is to protect a company’s data as well as their customer’s privacy. With all of the security systems available, it can be difficult to strike a balance between security and necessity. What is the correct amount of security? This can only be determined through a thorough investigation of key systems and their vulnerabilities. For example, is it necessary that all of your employees use smart tokens, or would setting up policies for selecting good passwords be sufficient? An implementation team should be set up to determine security needs and how to implement them.

The following are some of the essential elements of an effective security system.

            4.2.1. Security Policy

There are dozens of opinions on what makes up a good security system. However, the notion of a security policy is agreed upon by most. A security policy is the framework of the structure that protects the company and the privacy of its customers. It is a communication tool that explains what must be protected and why.

The security policy should be able to answer the following questions (taken from security.com):

• What are the information assets to be protected?
• What is the value of these assets to the organization?
• Who or what threatens these assets? How likely is the threat to occur?
• How should these assets be protected?

            4.2.2. Firewall

A firewall is used to restrict access to company systems via the Internet. The firewall resides between the company’s internal system and the Internet (see figure 1). Information traveling over a network is placed into a packet. A firewall examines all packets traveling to and from the company. Certain fields in the packet are compared against its rule set. Rejected packets are logged. These logs are examined by an automated system; however, the firewall administrator should also manually examine them.

Figure 1

Rejected packets fall into three categories: inadvertent incoming traffic, desired traffic that is accidentally being blocked, and hostile traffic from hackers. The difficulty with setting up a firewall is allowing access to all, or most, desired traffic while keeping out the hostile traffic. This makes it even more important to examine the logs. The most common hacker activity comes from individuals trying to map the network and scan for well-known ports. Companies connected to the Internet should be receiving regular scans of this type. If the logs don’t reflect this, the firewall is not functioning properly.

A firewall has several limitations. As mentioned above, it is difficult to strike the balance between allowing in all desired traffic and keeping out hostile traffic. This is because firewalls don’t protect a system from hackers. They work to block certain data and requests. By doing this, it works to block most of what hackers can do.

            4.2.3. Encryption

Encryption is a necessary component for protecting data that travels over third-party networks (such as the Internet). It prevents the eavesdropping and stealing of data. Encryption renders the data unreadable while it is traveling over the lines. Data is encrypted (or encoded) before it is sent and then decrypted once it is received.

The amount of protection that encryption provides depends on the strength of the encryption algorithm. Different algorithms have a different amount of possible keys (see table 1). For example, if a brute-force attack was able to try 245 billion keys per second, a hacker could try all possible 56-bit keys in 81 hours (hitting the correct code in an average of 40 hours). If the encryption code is found, the integrity is lost.

Table 1: Number of Possible Encryption Keys Is a Function of Key Size
 

Key Size	Number of Keys
32 bits = 232	4.3 * 109 keys
56 bits = 256	7.2 * 1016 keys
112 bits = 2112	5.2 * 1033 keys
128 bits = 2128	3.4 * 1038 keys
168 bits = 2168	3.7 * 1050 keys

            4.2.4. Content Monitoring

Most security systems have limited potential against network-based threats. Content monitoring can be utilized to assist with this deficiency. Content monitoring breaks the message content into pieces and examines them. It recognizes that the threat of an object isn’t purely associated with form, such as an ".exe" file. Products, such as MIMEsweeper, monitor email traffic and minimize the harmful threat. Content monitors can search for embedded viruses, confidentiality breaches, offensive content, and email spam. They use both virus scanning and text scanning to look for possible threats. Content monitors, however, can also filter out desired email. As with firewalls, it is difficult to reach a balance between desired and undesired email.

            4.2.5. User Authentication

User authentication continues to be one of the most important network security issues. It allows the computer system to give appropriate information and access to a properly identified user. There have been a few new enhancements in this area. A smart token is one such advance.

A token is a hardware device with associated software. It decreases the vulnerability of software-only solutions. For example, consider a common Internet exchange. When making a purchase, people usually enter their credit card number directly into the computer. Without user authentication, the merchant has no way to know whether the person who typed in the number is the authorized cardholder. The customers are only protected by a password, which can be guessed or obtained in some other way.

Smart tokens can be used to alleviate some of these concerns. A smart token is a portable device about the size of a credit card. It performs special-purpose operations for the user, identifying the user to a larger computer system. Since smart tokens usually require a password, they provide more assurance that the person using the card is authorized to do so. In order to use someone else’s account, the perpetrator would have to have possession of both the smart token and the user’s password.

Smart tokens can be used to:

• Restrict access to a remote computer system
• Act as a physical key for digital signatures
• Make Internet purchases
• Meter application software
• Act as a document that can not be copied
• Access digital subscriptions
• Hold secret user data

            4.2.6. Intrusion Detection System

An intrusion detection system continually monitors the computer network for inappropriate activity. Many new systems can be run in real-time. This means that the network does not have to be taken offline to perform updates. Intrusion detection systems can monitor such things as multiple attempts to determine passwords. They can alert your key experts if someone is trying to penetrate the system. However, intrusion detection systems can be very expensive. The initial cost can be high and they require a lot of upkeep, such as continually updating them with the latest virus protection.

            4.2.7. Backup and Data Recovery

Backups of computer hard drives and corporate servers should be made frequently (daily for critical data). This will protect data assets from both active hacker attacks as well as acts of god. The backups should be done after scanning for viruses to make sure you have a clean copy of data files. Tape backups are the most popular method. Once a backup tape is made at the end of the day the tapes should be stored in a secure location, preferably offsite. Clear, step-by-step backup and data recovery procedures are critical to a sound information security system.

            4.2.8. Anti-virus software

There are several software packages that are available to identify and eliminate viruses and worms. All corporate networks should be protected using anti-virus software. Just installing the software is not enough, the software data files used to identify viruses need to be updated frequently (a weekly update is suggested) to ensure that new viruses can be identified. One of the most widely used anti-virus packages is Norton Anti-virus although many others are available.

    4.3. Implementation Strategy

In this section, we will refer to the issue of security in terms of e-security. E-security refers to "the complex interaction of multiple computer environments, communication protocols, system infrastructures, policies and procedures that together comprise a trusted means of communicating over public and private networks" (IDC White Paper). In order to implement an adequate e-security system, an organization needs to construct a comprehensive strategy. Prior to developing the strategy (outlined below), the organization needs to bear in mind that:

• There is no such thing as a "perfect" e-security system.
• Whether implemented internally or by an e-security provider, the strategy phases apply.
• Requirements (explained above) need to be met and customized to fit within the overall organization’s business structure.

            4.3.1. Assessment

Assessment of the traditional e-security methods in comparison to the new e-security technologies gives an organization an indication of relative advantages and their impact on driving business trends. Such an assessment should include:

• Identifying user and client categories of authentication and authorization.
• Re-evaluating existing e-security systems to eliminate those out-of-date and improving others that can be utilized in conjunction with the new system.
• Defining what data to protect and assessing potential risks and threats.
• Conducting a cost-effective study to show how the new e-security system will have its impact on improving business processes.
• Choosing the right e-security solution based on how tasks are being conducted within the organization.
• Depending on the size of the organization, the sensitivity of data, and the technical resources available within the organization, the committee should decide whether an internal implementation is feasible or if an e-security provider is required.

This phase focuses on having the users and the executive management involved with the implementation process in such a way that:

• Users are made aware of the importance of the security system and its impact on their daily tasks, which will guarantee their full cooperation with the implementation.
• An implementation committee is formed from various sections/departments of the organization along with the IS department to be in charge of implementation.
• A second committee, evaluation committee, is formed and to be composed of executive managers to oversee the whole implementation process and to ensure that the implementation is being conducted in a timely manner.
• The committee should also decide on the level of e-security for each potential risk channel. There are mainly three potential channels:
• Intranet: refers to internal data and automated methods of exchanging and processing of such data. Within the organization, employees should have different levels of access to data.
• Extranet: refers to network links to other partners where business is being conducted cooperatively through same partial systems. Links to other business partners should have strict separation between relevant and irrelevant activities.
• Internet: refers to the organization’s data available on the web, especially if it is conducting web-based business. Untrusted sites visited by employees constitute threats to the corporation’s confidential data. Exposing the organization’s data to the outside world (www) is another threat.
• Within each step of progress, the committee should seek the top management’s blessing.

• Scalability and interoperability of the system to support a wide range of users and environments and to cope with the future development of the infrastructure of the organization.
• Hierarchy of authentication and authorization for users. Users in charge of more critical tasks should have a tighter level of authentication than others.
• Central management of data exposed to the outside world such as web-based databases.

Once the system is ready to be installed, the evaluation committee should be responsible for ensuring that a thorough testing of the new system has been conducted and fully meets the requirements. The committee should also ensure that users are trained on the new features of the e-security system. Finally, the committee should verify that the management has accepted the new system.

            4.3.4. Internal implementation vs. contracting an e-security provider

One of the main early decisions that must be made when implementing an e-security system is whether to use internal resources or to contract an outsourced vendor (e-security provider). There are a number of factors that determine such a decision:

• Size of the Organization: For large organizations where there is an IS department with qualified full-time experts in the field of electronic security and sufficient resources, implementing such a system is feasible. For smaller firms, contracting an e-security provider is more cost-effective.
• Sensitivity of data: for organizations where data security is crucial especially if exposed to the internet, such as large financial organizations (e.g. American Express), a security system is more likely to be implemented internally. In contrast, firms merely conducting basic processes, such as accounting, payroll and studies are better off making the burden of such implementation on customizable packages or a specialized e-security provider.
• Complexity of work: for organizations with multiple fields of activity, such as a system combining travel agencies, hotels and car rentals, implementation may be best performed by having an e-security provider working in conjunction with internal IS experts.

• Quality: high quality products.
• Experience: number of customers and their level of satisfaction.
• Alliances and Partnerships: how integrated the product is with other vendors’ technologies.
• Continuous Global Support: 24-hour, 7-day technical support.
• Commitment: continuous improvement of products and services.

5. Bibliography

3Com. "Enhancing Enterprise Security". 3Com White Papers. http://www.3com.com/technology/tech_net/white_papers/503023.html

Borland, John and Sandoval, Greg. "Attack knocks out Buy.com". CNET News.com. February 8, 2000 http://news.cnet.com/news/0-1007-200-1544910.html?tag=st.ne.1002.

Brenner, Susan and Cochran, Rebecca. University of Dayton School of Law. Copyright 1998, 1999 http://cybercrimes.net/International/International.html

Cornell School of Law. US Code. http://www4.law.cornell.edu/cgi-bin/htm_hl?DB=uscode&STEMMER=en&WORDS=18+us+code+1030+&COLOUR=Red&STYLE=s&URL=/uscode/18/1030.html#muscat_highlighter_first_match

FindLaw.com. "Cyberterrorism Hacking and Info Warfare". FindLaw.com. http://cyber.findlaw.com/criminal/cyber_ter.html

Graham, Robert. "Advisor Answers." Internet Security Advisor Apr. 2000: 28-35.

Hartly, Dr. Bruce V. "Use Policy-Based Security to Protect Your e-Business." Internet Security Advisor Apr. 2000: 45-49.

International Data Corporation (IDC). "eSecurity: the Essential eBusiness Enabler". IDC White Paper. http://www.rsasecurity.com/go/idc/index.html

Jenislawski, Sarah. "'Melissa' Virus Writer Admits $80 Million in Damage". Policy.com. Dec. 13, 1999 http://www.policy.com/news/dbrief/dbriefarc439.asp

Jesdanun, Anick. "Web Sites Face Child Policy Changes". April 16, 2000, http://dailynews.yahoo.com/htx/ap/20000416/tc/internet_children_1.htm

Klein, Karen E. "Computer Security: Don’t Leave Open a ‘Back Door’ into Your Business." Business Week Sept. 28, 1999. Business Week Online http://www.businessweek.com/smallbiz/news/coladvice/ask/sa990928.htm

McClure, Stuart and Scambray, Joel. "SECURITY WATCH". InfoWorld. Jan 24, 2000, v22 i4 p64. http://www.infoworld.com/articles/op/xml/00/01/24/000124opswatch.xml

Radcliff, Deborah. "Three Industries, Three Security Needs". ComputerWorld. Nov 29, 1999 p38. http://www.computerworld.com/home/print.nsf/all/991129CEA2

Rapoza, Jim. "How to Guard Against Hack Threat. PCWeek. Feb 14, 2000 p18.

Sager, Ira. "Cyber Crime". Business Week. Feb 21, 2000, i3669 p36. http://www.businessweek.com/2000/00_08/b3669001.htm

Schneier, Bruce. "Foil the Hackers? A Security Maven Discusses the Impossible". Business Week. March 6, 2000, i3671 p32. http://www.businessweek.com/2000/00_10/b3671089.htm

Securify. "Security Policy." http://www.securify.com/products-services/isg/security_policy.html

Spafford, Gene. Purdue University. Why Technology is Not Enough. October 26, 1998. http://www.cerias.purdue.edu/homes/spaf/presents.html

Sullivan, Dan. "Close Holes and Discover Problems." Internet Security Advisor Apr. 2000: 12-15.

Summers, Wayne. New Mexico Highlands University, http://jaring.nmhu.edu/notes\security.htm#VIRUS

Vacca, John. "New Advancements in User Authentication." Internet Security Advisor Apr. 2000: 22-27.
 

6. Appendix A

US Code as of: 01/05/99

Sec. 1030. Fraud and related activity in connection with computers

Whoever –

having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–

information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

information from any department or agency of the United States; or

information from any protected computer if the conduct involved an interstate or foreign communication;

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5)

knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if -

such trafficking affects interstate or foreign commerce; or

such computer is used by or for the Government of the United States;

(7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section.
 
 

(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is -

(1)

a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(2)

a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(C), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), if -

the offense was committed for purposes of commercial advantage or private financial gain;

the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

the value of the information obtained exceeds $5,000;

a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(3)

a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A), (a)(5)(B), or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A), (a)(5)(B), (a)(5)(C), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under subsections (a)(2)(A), (a)(2)(B), () The United States Secret Service shall, in addition to any of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

(e) As used in this section-

the term ''computer'' means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

the term ''protected computer'' means a computer -

exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

which is used in interstate or foreign commerce or communication;

the term ''State'' includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;

the term ''financial institution'' means -

an institution, with deposits insured by the Federal Deposit Insurance Corporation;

the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;

a credit union with accounts insured by the National Credit Union Administration;

a member of the Federal home loan bank system and any home loan bank;

any institution of the Farm Credit System under the Farm Credit Act of 1971;

a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;

the Securities Investor Protection Corporation;

a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and

an organization operating under section 25 or section 25(a) of the Federal Reserve Act.

the term ''financial record'' means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;

the term ''exceeds authorized access'' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

the term ''department of the United States'' means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5; and

the term ''damage'' means any impairment to the integrity or availability of data, a program, a system, or information, that -

causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;

modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;

causes physical injury to any person; or

threatens public health or safety; and

the term ''government entity'' includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country.

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations involving damage as defined in subsection (e)(8)(A) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.

(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).