WASHINGTON - The author of the "ILOVEYOU" virus easily broke the $1 billion ceiling in damage, but it's less clear whether he or she broke the law in all of the countries swept by the malicious computer code.
The Justice Department has been working with Canada, Mexico, and European and Asian countries on cybercrime issues to try and establish benchmarks that would enable hackers to be prosecuted or extradited.
But a March 9 federal report suggests that it may take years before an effective international law enforcement regime is in place to deal with cyber criminals.
"The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet" cites a discouraging example: An effort to track down and arrest Swiss hackers attacking the San Diego Supercomputer Center in 1992 went nowhere because Swiss laws were not being violated.
Investigators in the Philippines are concentrating on two computer-school students who proposed thesis ideas that, when merged, could create ILOVEYOU.
Industry experts testifying Wednesday before Congress said damage estimates from the virus range from more than $950 million in North America to $6 billion around the world.
Rep. Constance Morella, R-Md., chairwoman of the House technology subcommittee, said insurance giant Lloyd's of London estimates more than $15 billion in damages and lost productivity worldwide.
Filipino law enforcement officials had trouble over the weekend obtaining a search warrant in the ILOVEYOU case.
After first saying officials could not find a judge, the director of the National Bureau of Investigation said it was unclear which Philippine laws were violated.
The delays may have led to the destruction of evidence in the case, including the computer and hard drive used to launch the virus, Filipino investigators have said.
The raid Monday at a working-class apartment near Manila and the questioning of the apartment's bank employee tenant took place under a warrant stating that there may have been a violation of the Access Device Act covering theft of codes or passwords.
The ILOVEYOU virus was programmed to steal passwords and deliver them to two Internet accounts in the Philippines.
The virus swept through so many computers around the world - infecting more than 10 million in the United States alone - that the feature feeding back stolen passwords overwhelmed the two Philippine Internet accounts, said Dr. Peter Tippett, chief scientist at ICSA.net in Reston, Va.
Both accounts were removed from service a few hours after the virus was unleashed about 3 a.m. Dallas time Thursday, Dr. Tippett told the House technology subcommittee.
"It took less than four hours for this to become the most destructive computer virus ever," Dr. Tippett said.
The virus swept from the Philippines through more than 20 countries in Asia, Europe and the United States, reaching its peak about 8:30 a.m. Central time.
If Philippine officials make any arrests in the case based on password thefts, U.S. officials could seek to extradite the suspects, charging them with multiple violations of federal law involving damage caused by spreading the virus.
Penalties in the Philippines under the Access Device Act, which was enacted mainly to deal with credit card theft, range from one to 20 years in prison.
U.S. law makes it a felony punishable by five years in prison to infect a computer with a virus, and each computer infected can represent a separate felony offense, said Michael Vatis, deputy assistant FBI director and chief of the National Infrastructure Protection Center.
Harris Miller, president of the Information Technology Association of America, told the science committee that several industry and government efforts to craft cybercrime statutes are underway.
France is hosting a meeting next week of law enforcement officials from France, Germany, Britain, Italy, Japan, Canada, Russia and the United States to discuss cybercrime.
"Cybercrime can be conducted from Kingston or Kiev," Mr. Miller said. "By definition, a national security approach to information security is going to fall short. Global best practices are required as harmonized approaches to law enforcement and jurisprudence."
The Council on Europe, which represents 41 countries including Turkey and Russia, is drafting a "Cybercrime Convention" that would make a violation, such as unleashing a virus, in one country punishable in all the others affected. A U.S. delegation has attended the meetings, and President Clinton could opt to sign the convention, which would then have to be approved by the Senate.
A draft of the convention is expected in December.
The Asia-Pacific Economic Cooperation nations have also discussed cybercrime but are making less progress toward a unified regime.
The Information Technology Association is hosting a global summit on cybercrime in Washington on Oct. 16 and 17.
Such efforts are time-consuming, as the Justice Department's "Electronic Frontier" report makes apparent.
"The solution to the problems stemming from inadequate laws is simple to state, but not as easy to implement: Countries need to reach a consensus as to which computer and technology-related activities should be criminalized," the report concludes.
"Unfortunately, a true international 'consensus' concerning the activities that universally should be criminalized is likely to take time to develop. Even after a consensus is reached, individual countries that lack appropriate legislation will each have to pass new laws, an often time-consuming and iterative process."
Ms. Morella, chairwoman of the House technology subcommittee, said Wednesday that the next global virus attack will take place well before that international consensus is in place.
"What will tomorrow's threat be? I don't know the answer, but I do know that as I speak, someone around the world is probably conjuring up that threat right now," she said.