Cyber terrorism: threats, methods, and countermeasures

¶ … internet and the increased availability of personal computers around the world have increased the vulnerability of critical infrastructure systems. In recent years computers have been used by terrorist to distribute information about terrorist attacks. Now many experts fear that terrorist will use computers to carry out an attack on electricity grid or other systems that are crucial to the operation of a nation's infrastructure. The purpose of this discussion is to investigate the ways in which cybercrimes occur and the how it applies to the criminal justice system approach to dealing with terrorism. Before we began the literature review let us provide an overview of the methodology used to identify and locate sources of information found in the literature review.

Methodology

The sources used in the following literature review are from Academic Journals, books, newspapers, government agencies and articles found on the internet. Many of the Journals used are published by well respected institutions of higher learning. These sources were chosen because they are creditable and provide solid insight into the world of cybercrime as it relates to the development and implementation of legislation.

Analysis/Discussion

According to an article entitled "Computer Crimes," the Department of Justice defines Cybercrime as "any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation, or prosecution (Ditzion et al. pg. 285)." The authors go on to explain that this is a broad definition and that there also exist criminal behaviours that are technology specific (Ditzion et al.). In addition, the Department of Justice places cybercrime into three categories: a computer as an object of a crime, a computer as an instrument used in a crime, and a computer as the subject of a crime (Ditzion et al.). The last category includes such crimes as logic bombs, Trojan horses, viruses and worms (Ditzion et al.).

Indeed cybercrime has been detrimental to businesses and individual and cost billions of dollars each year (Ditzion et al.; Pasley; Arquilla & Ronfeldt). Additionally, in many cases it is difficult to catch the criminals that are the perpetrators of such crimes. This is the case because crimes conducted through the use of a computer are more difficult to trace and because an attack may affect a Canadian business but the person that actually carried out the crime may live in Germany. In some cases it is also difficult to prosecute cyber criminals because laws differ amongst jurisdictions. The authors contend that for this reason there has been a rise in the development of specialized legislation to combat cybercrime (Ditzion et al.).

In the past legislation has been created in an attempt to address the problem of cybercrime. An article found in the Yale Law Journal asserts that

"The first cases of computer crime were heralded as an unprecedented phenomenon that law was not equipped to handle. Scholars and policymakers have since proposed a number of deterrence strategies, from criminal sanctions to tort law and the architecture of the web itself, but none of these methods has proved successful at deterring criminal hacking (Wible Pg 1557)."

The journal article goes on to explain that the Computer Fraud and Abuse Act of 1984 passed by congress was designed to prevent unwarranted intrusions. Along with other issues this and problems associated with prosecution this particular law has not deterred cyber criminals (Wible). In addition, enforcement of such laws has proven difficult under 18 U.S.C. [section] 1030(b). Such laws also necessitate large investments of resources and time, and training for local law enforcement agents (Wible). The article also asserts that factors such as encryption technologies and digital anonymity give those that commit cybercrimes an advantage over law enforcement agencies and existing laws (Wible). In addition, the uncertainties about jurisdictional issues cases that are costly to investigate and that entail sophisticated tracking capabilities, state prosecution is nearly unattainable (Wible).

The journal explains that "Proponents of tort liability for computer crime argue that, as compared to the criminal law, civil actions give targets control over the litigation. (30) The possibility of obtaining damages gives targets, otherwise unwilling to admit electronic vulnerabilities to consumers, an incentive to report (Wible)." The authors explain that even though ISP liability has received the most attention there are four types of tort liability that could be implemented in relation to cyber crimes (Wible). These liabilities include ISP liability, hacker liability, security company liability and liability for victims who do not to take private precautions (Wible).

The authors contend that the criticism of such laws A is that "tort liability does not carry a strong symbolic message condemning illegal hacking. The various tort proposals are unlikely to succeed for specific reasons, too: hackers tend to be judgment proof, (33) holding ISPs liable may actually increase hacking, (34) holding security companies to a high standard of liability may make their products prohibitively expensive and may be less effective than providing incentives to good practice, (35) and making victims bear the cost evinces an overly optimistic faith in the ability of potential targets to safeguard their materials through technological solutions (Wible).

According to a book entitled Governing the Internet: The Emergence of an International Regime asserts that the global use of the internet has greatly impacted legal jurisdiction in civil and criminal matters. The impact has been so dramatic because

"materials on the Internet can be composed or uploaded anywhere in the world and sent and downloaded anywhere else, an almost infinite number of legal questions and cases can be imagined when trying to determine which nation's law applies in any particular case when laws are allegedly violated. Particularly in its early years, a number of people involved in the creation of the Internet or among its most enthusiastic users argued that the decentralized, heterogeneous, and diverse nature of Internet architecture would make it impossible for sovereign nation-states to either use existing law to govern Internet activity or enact enforceable new law. It has also frequently been argued that legal controls over the Internet by sovereign states are either undesirable or illegitimate (Franda & Rienner pg 146)."

The authors go on to state that in recent years law enforcement agencies in nation states have attempted to develop new laws that take into account the unique variables that become apparent when addressing cybercrime (Franda & Rienner). In addition, some existing laws have been modified to include cybercrimes (Franda & Rienner). There have even been attempts to establish cross border procedures, international arbitration programs and regional cooperative mechanisms (Franda & Rienner).

However the author asserts that the most practical and effective way to gain legal authority is to gradually adapt the current laws of nation states as new problems come to the forefront (Franda & Rienner). The authors report that in the United Sates both statutes and case law concerned with jurisdiction on the internet are increasing at the state and local levels (Franda & Rienner). These statutes and case laws exist even though the Supreme Court has not decided to rule on matters of jurisdiction on the internet (Franda & Rienner).

The authors explain further that threshold test used by many courts to decide jurisdiction is if a defendant has knowingly availed a forum's laws. On this kind of basis cases involving cybercrime could be placed in three categories. These categories include

1. Purposeful availment which occurs when "a defendant clearly does business over the Internet" with clients from a particular jurisdiction, usually by entering into contracts that require the "knowing and repeated transmission of computer files over the Internet [into that same jurisdiction] (Franda & Rienner). "

2. Interactive websites which to some extent is a less clear area for jurisdiction where a user is able to swap information with the host computer however no contract exist (Franda & Rienner).

3. Passive websites, where defendants have posted information on the internet that is available to users in foreign jurisdictions (Franda & Rienner).

As it relates to cyber terrorism there is a great deal that is still unknown because a major cyber attack caused by terrorists and designed to attack the government and the nation's infrastructure has not yet occurred. According to a report published by the Center for Strategic & International Studies Cyber-terrorism is defined as "the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population (Lewis pg 1)."

The author explains that the theory behind cyber terrorism is that as nations and critical infrastructure are more reliant on computer networks for their operation, new vulnerabilities are arise to create "a massive electronic Achilles' heel (Lewis)." The author contends that an antagonistic nation or terrorist group could take advantage of these vulnerabilities to infiltrate a weakly secured computer network and disable or even shut down critical functions (Lewis).

The report further explains that protecting the critical infrastructure of the nation is problematic because the factors involved vary greatly from those of physical security (Lewis). For instance, when securing such infrastructure law enforcement agency have to focus on civilian and commercial systems and services (Lewis). In addition, the magnitude of the new problems that are being confronted depends on how national security is defined and how thresholds for acceptable damage are set (Lewis). The report also points out that

From a legal or public safety perspective, no country will accept even a single attack on infrastructure or interruption of services. If the goal is to prevent cyber-attacks from costing a single day of electric power or water service, we have set a very high standard for security. However, from a strategic military perspective, attacks that do not degrade national capabilities are not significant. From this perspective, if a cyber-attack does not cause damage that rises above the threshold of the routine disruptions that every economy experiences, it does not pose an immediate or significant risk to national security. It is particularly important to consider that in the larger context of economic activity, water system failures, power outages, air traffic disruptions and other cyber-terror scenarios are routine events that do not affect national security (Lewis)."

The report asserts that if we view cyber attack on a national level in which several different systems supply critical infrastructure services, failure is expected and even a routine occurrence in some locations (Lewis). Therefore, cyber-terrorists would have to attack many different targets in tandem for long periods if their want to create terror, accomplish strategic goals or to have any clear effect (Lewis). The author further states that "For most of the critical infrastructure, multiple sustained attacks are not a feasible scenario for hackers, terrorist groups or nation states (particularly for nation states, where the risk of discovery of what would be universally seen as an act of war far outweigh the limited advantages gained from cyber attacks (Lewis)."

It is believed that some of the aforementioned laws can be enforced to prosecute some cyber terrorism. However, many point out that the best way to confront cybercrime that is related to terrorism is to prevent is all together, because once it occurs law enforcement agencies will have a difficult time finding those that are responsible.

In addition, such a crime carried out in addition into some other terrorist attack could be catastrophic. An article entitled "The Global War on Terrorism: Assessing the American Response" asserts that "the terrorist acts of September 11 would have been worse had they occurred in tandem with a sustained cyber attack on political institutions of the U.S. government and its supporting infrastructures (Davis pg vii)."

In fact several states and the federal government have attempted to create laws that address this issue. According to an article entitled "Cyber Terrorism: No Longer Fiction; the Threat of Cyber Terrorism Became Much More Real after Sept. 11. Here's How States Are Trying to Reduce the Risks" attempting to prevent this crime is extremely difficult. Part of the difficulty lies in the fact that some terrorism experts refuse to refer to crimes carried out by terrorists as cyber terrorism. For instance, the Washington Monthly magazine reported that "There is no such thing as cyber terrorism --no instance of anyone ever having been killed by a terrorist or anyone else using a computer (Boulard)." In addition, the chairman of the President's Critical Infrastructure Protection Board, Howard Schmidt, argues that

"The simple fact of the matter is that none of us really knows what the motivation is behind an act," says Schmidt, "I like to joke that a cyber attack could come from the Middle East or the Midwest. Who knows what the motivation is behind it ... But whatever name it goes by, the invasion of any computer system, insists Schmidt, is a "very serious thing. And we would be very wrong not to treat it as such (Boulard)."

The article further states that an attack on a government agency would be truly catastrophic because many government agencies are now interconnected (Boulard). The author points out that even at the state level none of the agencies are autonomous and therefore a cybercrime that affects one system has the potential to affect all of the systems (Boulard). As a result the article asserts that states must begin to address cyber terrorism in the same way that they address physical security (Boulard). In other words protecting computer systems should be one in the same with physical security and should be monitored as such (Boulard). In addition, the article asserts that there must be some preparation made in case a cyber attack does occur.

There needs to be planning for what needs to be done in the event of a major cyber attack," says Vatis. "What do you do if a critical part of your system has been knocked out or you're left without a major part of your communications?" Only through such exercises, which should include a "central state entity" for analysis and response, adds Vatis, "can we understand in advance what should happen, the role that law enforcement will play and how we should respond if a cyber terrorist attack proves successful ... Some people think that all of the preparations for Y2K were pointless because nothing happened," says Denning. "But the opposite is true -- nothing happened because of all of the preparations (Boulard)."

The article asserts that legislator in 16 states have developed laws created to fortify security as it relates to information technology and Cyber crime (Boulard). According to the article in Michigan such legislation introduces felony penalties for those convicted of using the internet to interrupt critical infrastructures (Boulard). South Carolina has introduced the Omnibus Terrorism Protection and Homeland Defense Act under which introducing a virus or a worm to a system a crime (Boulard). In addition, in Virginia the legal definition of terrorism is inclusive of electronic threats in the commission of an act of terrorism (Boulard).