THE CYBERTERRORISM THREAT SPECTRUM
"Everything that can be invented has already been invented" (Charles Duell)
Cybercrime can often mutate into cyberterrorism or occur simultaneously with it, but cyberterrorism by itself is a distinct entity. Terrorist groups can surely find a number of highly talented, intelligent, and computer-literate people who agree with their cause, and even if they can't, the more cash-rich terrorist organizations can afford to purchase the resources they need to carry out a cyberterrorist operation. The most talented and cash-rich organizations are likely to be state-sponsored, which means that cyberterrorism more closely resembles war than crime. The central, defining characteristics of cyberterrorism (those that distinguish it from do-it-yourself hacking) are that it is advanced, persistent, and targets a national security asset. However, these are all elements of sophistication, and sophistication varies, just as different talents exist at all levels of the cyber-threat spectrum.
People who know how to use computers can unlock doors few of us even know exist. The Internet is analogous to the Wild West (Biegel 2003). Most laws are unwritten and power falls into the hands of those with the best technology. Traditional concepts of privacy are transforming before our eyes. Cybercrime and cyberspace law are very complicated subjects. Cybercrime has many definitions (Wall 2001), but many criminologists believe it will become a very common crime in the future. It's here to stay. It's not just a passing fad. With over one trillion dollars moved electronically every week, the Internet is where the money is. The rates of cybercrime are skyrocketing. The annual "take" by (organized) theft-oriented cybercriminals is estimated as high as $100 billion, and 97% of offenses go undetected (Bennett & Hess 2001). Then, there are those who just abuse the Internet and computer systems -- hackers or hooligans, whatever you want to call them. Their shenanigans result in an average cost of $104,000 per incident in damage, labor, and lost productivity (Brown et al. 2001). In addition, there's corporate espionage, which some experts say is the real problem, with annual losses of proprietary information in the $60 million range. Cyber-extortion is rapidly becoming commonplace in the corporate world. Cyber espionage, which is usually helped by insiders, generally involves probes for vulnerabilities and implementation of backdoors, much the same as high-level organized crime's interest in computers as a way to expand profits and seek out new markets. And finally, there's cyberterrorism, which most often involves a specific national security target but can easily escalate into a full-scale infrastructure attack on a whole society, depriving inhabitants of electrical power, dam protection from floods, use of emergency services, etc. The full threat spectrum is captured in the following illustration (Bucci 2009):
It is difficult to classify all the possible methods of evil-doing with computers. In criminology, this is dangerous ground because theory and research are weak. A few typologies can be found. Also, one doesn't want to add to any legislative frenzy because there are things here that are criminally wrong, deliberately wrong, accidentally wrong, wrong for all the right reasons, and just plain annoying. Legal systems everywhere are busy finding new ways of dealing with Internet misbehavior, so this arena has become a sort of "test-bed" or "mini-society" where all sorts of symbolic interactions and moral panics play out. Nonetheless, this is the ethereal realm called CYBERSPACE which is somewhat intriguing and full of potential. Barney (2000), among others, says it is full of hope for democracy. Let us hope so.
To become a cybercriminal, it stands to reason that one has to first acquire the skills. To a small number, this may come easy, but most have to work very hard and long at it. It can be argued that most beginners start off as an Internet addict (it used to be they started off as computer aficionados). "Internet Addiction" (sometimes called being an "onlineaholic" or having the non-insurable diagnosis of "Internet addiction disorder") is controversial. In a world of news feeds, instant messaging, emails, and games, it sometimes seems like Blackberry devices might be called "Crackberry" devices because of their addictive potential. I know it sounds like I'm looking for a mental pathology that starts people off in the wrong direction, but it is irrefutable that Internet addiction is a disorder and as destructive as any obsessive disorder, although one would be hard-pressed to describe the forensic or clinical outlines of it. Specialists estimate that 6 percent to 10 percent of Internet users develop a dependency (e.g., Dr. Hilarie Cash, head of Seattle-based Internet/Computer Addiction Services; Dr. Kimberly S. Young, head of the Center for Online Addiction in Bradford, Pa.; & Dr. Maressa Hecht Orzack, the director of the Computer Addiction Study Center at McLean Hospital in Belmont, Mass., and an assistant professor at Harvard Medical School; but in contrast, Sara Kiesler, professor of computer science and human-computer interaction at Carnegie Mellon University, calls it a "fad illness"). No, not all addicts become cyberterrorists, but the following can be modestly stated -- Internet addiction exacts a toll on health and family life; it aggravates pre-existing disorders; it can lead to further addictions such as gambling or pornography; it can lead to cybercrime involvement; and it can lead to online radical indoctrination in some terrorist ideology.
The "hook" involves the ever-present hope of escape that the Internet offers to people who are longing for something. The "hook" for cyberterrorism may well be the sense of nihilism that overcomes the information over-saturated Internet addict.
The intent to do harm will develop once one or more attack scenarios seem appealing. For example, a terrorist or terrorist group may feel grievously injured over the actions of a specific corporation, government, or organization. They may try to overwhelm the cyber defenses of that corporation, government organization, or infrastructure sector and do damage. They could destroy or corrupt vital data in the financial sector, cripple communications over a wide area to spread panic and uncertainty. They could use botnet-driven DDoS attacks to blind security forces at a border crossing point as a means of facilitating an infiltration operation, or a cyber attack in one area of a country could act as a diversion so a "conventional" kinetic terrorist attack can occur elsewhere. They could even conduct SCADA attacks on specific sites and use the system to create kinetic-like effects without the kinetic component. A good example would be to open the valves at a chemical plant near a population center, creating a Bhopal-like event. The permutations are as endless as one's imagination.
THE DEFINITION OF CYBER
First of all, anytime you use the prefix cyber-, you're talking about something moving fast. Motion is always involved. Anything related to the Internet falls under the cyber category. Besides being a prefix, it's also a verb, not a noun. So plugging in some 3D game and donning your goggles to go "cyber" doesn't count. There's always action, movement, evolving motivations, adventure and interaction when you cyber. It's impossible to just be cyber. There's no steady state of being cyber. To cyber means that you are constantly moving across vast amounts of information, lots of information. You are constantly using technology to the max. It's an activity unique to the Information or Knowledge Age we live in, and by its very nature, it involves some unique implications for changes in the way we live.
Cyber activity is very different from the use of computers for traditional activities. In fact, the break from tradition is so great that most criminologists don't grasp this distinction, and would argue that theft is theft regardless of the medium used. However, cyber theft is substantially different, and cyberterrorism is substantially different from terrorism (it may be this distinction which spares us from it). Cybercrime is also substantially different from computer crime. It's like the difference between people who use computers for all they can be versus people who use computers as a tool like a typewriter. In each case, the action or movement is different. Motives and intents are vastly different. Traditional users limit their motivation. Our criminal law requires certain specific elements of mens rea when it comes to cybercrime motivation, but there are different kinds of glee, elation, and glory involved in cyberspace that don't exist as normal psychological states. For example, ordinary criminal motivation usually functions on the basis of limited information. With cybercrime, the motivation involves an excess of information, not a deficit or "blind spot" of cognitive functioning. Nor are many of the concepts in white-collar criminology of any use, because you're dealing with something more revolutionary than just trying to make money -- you're dealing with cyberspace and technoculture, two concepts that are essential to any definition of cyber. A cybercriminology (if one is ever developed) will most likely have to be created by abandoning many old concepts.
THE NATURE OF CYBERSPACE
Cyberspace is a bioelectronic ecosystem that exists everywhere and nowhere. Technically, it consists of phones, coaxial cables, fiber optic lines, or electromagnetic waves (Dyson 1994). Nobody's really sure how big the Internet is (see CAIDA's map of the Internet), but 135 countries have access, 54 world cities are the major hosts, and 72 million people log on every day. You should get the idea that cyberspace is pretty big, in fact, bigger than anything that's ever happened before in human history, and it's constantly growing, tripling in size every year. There are 13 main servers -- known as "root" servers -- which control all traffic on the Internet, and they are controlled by the U.S. Government (specifically the U.S. Commerce Department). Notice I didn't say "owned" by the government. Those 13 computers are in private hands, but they contain government-approved master lists of the 260 or so Internet suffixes, such as ".com" and ".org". The master lists serve as the Internet's master directories and tell Web browsers and e-mail programs how to direct traffic. Internet users around the world interact with them every day, likely without knowing it. If the U.S. government wanted to, it could render a policy decision that in one stroke could make all Web sites ending in a specific suffix essentially unreachable. The history is that in 1998, the Commerce Department selected a private organization with international board members (ICANN, or Internet Corporation for Assigned Names and Numbers) to decide what goes on those lists. Commerce kept veto power, and indicated it would let go of control eventually, and maybe turn control over to an international organization like the U.N. International Telecommunication Union, but in 2005, the U.S. reversed itself and said it would never cede control of the 13 main servers. The U.S. Commerce Department does, however, endorse having foreign governments manage their own country-code suffixes, such as ".fr" for France.
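The paragraph above describes the root list of suffixes as a single point of control: remove a suffix from that list and every name under it stops resolving, while a country-code suffix can be handed to another operator without touching the rest. The following toy model is an added illustration written for this page, not code from the page's author or from ICANN or any registry; it simulates the delegation walk in memory with constructed zone data (the example domains and RFC 5737 documentation addresses are assumptions) and performs no real DNS lookups.

```python
"""Toy model of the DNS delegation the text describes: a root list of
top-level suffixes, one zone per suffix, and leaf records under each.
All zone data here is constructed for illustration; this is not a real
resolver and makes no network requests."""

from typing import Optional

# Constructed zone tree. A dict value is a delegation to a child zone;
# a string value is a terminal address record (RFC 5737 documentation IPs).
ROOT_ZONE = {
    "com": {"example": {"www": "192.0.2.10"}},
    "org": {"example": {"www": "192.0.2.20"}},
    "fr":  {"example": {"www": "192.0.2.30"}},   # a country-code suffix
}


def resolve(name: str, root: dict) -> Optional[str]:
    """Walk the delegation chain from the root, one label at a time, right
    to left. Returns the address, or None if any zone on the path lacks the
    label (which is what "unreachable" means in this model)."""
    zone = root
    for label in reversed(name.rstrip(".").split(".")):
        if not isinstance(zone, dict) or label not in zone:
            return None
        zone = zone[label]
    return zone if isinstance(zone, str) else None


def drop_suffix(root: dict, suffix: str) -> dict:
    """Copy of the root list with one top-level suffix removed: the single
    policy decision the text says could cut off every site under it."""
    return {tld: zone for tld, zone in root.items() if tld != suffix}


def redelegate(root: dict, suffix: str, new_zone: dict) -> dict:
    """Copy of the root list where one suffix now points at a zone kept by
    another operator (e.g. a national registry for its country code)."""
    return {**root, suffix: new_zone}


def all_names(zone: dict, suffix: str = "") -> list:
    """Every fully qualified name that has a terminal record in the tree."""
    names = []
    for label, child in zone.items():
        fqdn = f"{label}.{suffix}" if suffix else label
        if isinstance(child, dict):
            names.extend(all_names(child, fqdn))
        else:
            names.append(fqdn)
    return sorted(names)


def names_lost(root: dict, suffix: str) -> list:
    """Names that resolve now but not once the suffix leaves the root list."""
    after = drop_suffix(root, suffix)
    return [n for n in all_names(root)
            if resolve(n, root) is not None and resolve(n, after) is None]


if __name__ == "__main__":
    print(resolve("www.example.org", ROOT_ZONE))
    print(names_lost(ROOT_ZONE, "org"))
```

The point the model makes visible is that nothing below the root needs to change for a whole suffix to disappear, and that redelegating ".fr" to a different zone changes only the answers under ".fr".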
ICANN, in the meantime, is often hailed as an example of what international organizations would look like when they rule the world (Fukuyama 2006).
[Table (extraction residue): "Countries with the Most Hosts" and "Fastest Internet Growing Countries"; only one entry survives: 8. Hong Kong]
Although humans created cyberspace, and are continually expanding it, the real inhabitants are data, information, ideas, and knowledge. This is what is meant by the Information or Knowledge Age. The real estate, or property, is intellectual and public. No one "owns" it, or operates it with any central authority. Politically, it makes governments obsolete. Economically, it can be replicated at zero cost, and unlike an industrial economy where you can only consume so many widgets, the average person in an information economy taps into all the world's knowledge and consumes information as fast as they can. Humans can only benefit from this new medium if they exercise their freedom.
Technoculture is best explained by reference to the CYBERPUNK movement that began in the mid-80s. Hackers, crackers, and phreaks made up the cyberpunk movement. Hackers could make magical things happen with computers, crackers would break into computer systems simply for the pleasure of it, and phreaks would do similar things with telephone systems. Other groups that joined the movement later were cypherpunks, who popularized cryptography to get over on "the System", and ravers, who used computer music, art, and designer drugs at massive all-night dance parties and love-fests in empty warehouses. Literature that glorifies cyberspace and the people on it is called cyberpunk literature. Here's a link to an online Dictionary of Cyberpunk Slang.
THE CHALLENGES OF CYBERLAW
A computer hooked up to the Internet is a publishing company, telephone, television, library, megaphone, and more all rolled into one. This means that any administration of justice for suspected evil-doing with computers is covered by the First Amendment (freedom of speech) as much as the Fourth Amendment (freedom from search and seizure). The traditional approach in this legal area involves thinking in terms of certain protected zones or spheres of privacy. However, cyberspace isn't really a zone or sphere. Nobody really owns it, nobody considers it "home", reasonable people shouldn't expect privacy from it, but not too many people want the government or anybody else sniffing, snooping, or regulating every part of this special place. Those are the First Amendment issues. The Fourth Amendment issues, such as those contained in the Personal Privacy Act (PPA) and Title III of the Electronic Communications Privacy Act (ECPA), involve people, not places, but the distinction between wiretapping unread mail (which law enforcement can freely do) and wiretapping previously read mail (which requires consent via Acceptable Use Policies) is less than perfect. When computer forensics specialists seize and search a hard drive for all its contents, the only Fourth Amendment issues they're concerned about are privileged relationships, work product, documentary materials, and/or whether or not the data was intended for publication or dissemination. If cyberlaw continues evolving in its current direction, we will end up not only criminalizing a special place, but lots of harmless person-based activity. Nobody should want to make it a crime to have too much fun with computers.
The other challenging legal question is when Internet activity involves actus reus. In cyberspace, as in virtual reality, it's the impression that what one is experiencing is real. Cyber-action often involves the virtual equivalent of real action. It doesn't require tactile sensation to be virtually raped in a chat room, but the consequences or trauma can be just as real. People can get married in cyberspace, obtain college degrees, and do other things that have real consequences. Plagiarism and copyright infringement are rampant on the web, and companies regularly install cookies and engage in data mining. A lot of Internet content is inappropriate for children. Just how many virtual crimes are possible to commit in cyberspace is difficult to determine, and there's no crime counting system for them. Computer impressions, symbols, and persona do not make for anything more than conspiracy and inchoate offense charges. If and when AI (Artificial Intelligence) systems come online, it will be difficult to prove who had the thought first -- the person or the machine.
Then, there's the whole problem of jurisdiction. Where exactly does cyberspace begin and end? In general, a government's jurisdiction extends to those individuals who reside within its borders or to transactions or events which occur within those borders. The Internet, like space, doesn't have any borders. A few states have been daring, claiming that the flow of commerce, or financial stream, across their Internet nodes gives them jurisdiction. However, it's unlikely that any state authority would issue a warrant for an overseas offender who has less than minimal physical contact with U.S. soil. The minimal contact requirement usually governs transborder technology-related commerce (International Shoe Co. v. Washington 1945). International law enforcement compacts also require dual criminality, which means that investigative cooperation only exists if the offense has similar meaning in both nations. Sometimes, it's better to prosecute overseas, sometimes locally, sometimes federally, and this leads to a lot of disparities and inequities in the administration of justice.
What and when to seize are also baffling issues. Reactive response to hard drives has become a pattern in law enforcement because they conveniently record voyages in cyberspace. However, it might be easier, and more proactive, to monitor specific bulletin boards, websites, posts, emails, and torrent streams. The computer's role should determine if the machine itself is to be seized or simply searched onsite. If the computer was used to commit a crime, the entire system should be seized. If the computer was used to store information about a crime, the hard drive, printer, and printout should be seized. Other situations might call for a quick copy of the hard drive and all floppies. The independent component doctrine requires that probable cause elements be present before any peripheral devices are seized. Getting ISPs to turn over their log files in a timely fashion, and getting upstream carriers to cooperate, are additional problems.
It must be remembered that this is an area, along with drugs, that helped develop the practice of no-knock warrants. Judges apparently felt that hackers could install time-delay devices or hot keys to permit quick disposal of evidence. A time-delay device destroys evidence if the keyboard is not accessed for awhile, and a hot key program erases data when a certain keystroke combination is depressed. Courts have also dealt with the time element for when a computer search warrant keeps from going stale, which is 3-6 months, the latter being the time when an unread message becomes a stored message, for legal purposes (Becker 2000).
Cyberspace law is a patchwork of loosely-articulated protections, liberally punctuated with loopholes and exceptions. Consider, for example, that there is privacy protection for bank records but not for medical records; protection for videotape rentals, but not magazine subscriptions; credit record protection, but not insurance records. New business practices and new technological developments often make good laws quickly obsolete. It's no wonder that cyberspace is the perfect breeding ground for crime, because cyberlaw is such a mess. Forty-eight states have some version of a Computer Fraud and Misuse Act (Title 18, Section 1030 of the Federal Criminal Code). This act was passed into law by Congress in 1986, and has been amended at least five times to touch up the language. There's also the Economic Espionage Act (Title 18, Chapter 90). Most cybercrime is prosecuted at the federal level under either of these two acts. Let's take a look at these two laws.
Computer Fraud and Misuse Act (last amended 1999): "Whoever knowingly accesses a computer without permission...to obtain information...defined as harmful to national defense, foreign relations..., or injury to the United States, intentionally accesses the financial record of a financial institution, any computer of any department or agency of the U.S., any protected computer involved in interstate or foreign communication, any nonpublic computer that conducts affairs for the government...with intent to defraud, extort, or cause damage...shall be punished by fine and imprisonment for five to twenty years."
Economic Espionage Act of 1996: "Whoever intentionally or knowingly steals, copies, receives, or conspires to benefit any foreign instrumentality by converting any trade secret related to interstate or foreign commerce shall be subject to criminal and civil forfeiture of all property used or derived from the offense as well as a fine from $500,000 to $5,000,000 and imprisonment from ten to fifteen years."
State laws tend to be written as theft or fraud statutes, the evils being stealing and undermining confidence. One might want to review the common law elements of theft, fraud, and consumer fraud if they are unfamiliar with these offenses. CardCops, a company that tracks and stings fraudulent (stolen) credit card use over the Internet, estimates online fraud at ten times the rate of real world fraud, and on many web sites the seller of something will try to "steer" you toward something which is "fake." Virtual returns of merchandise are almost as costly as virtual purchases, and so-called carders regularly post sniffed credit card numbers in chat rooms and on web sites. In the long run, it's the perception of dangerousness that hurts e-commerce, but in the short run, it's the speed of offending and the slowness of law enforcement that is of concern. The typical state-level cybercrime statute is long, often longer than federal code, and the wording is extremely general, but a short example might be as follows:
Typical State Cybercrime Statute (circa 2000): "A person commits computer theft or fraud when they knowingly and without authorization access or cause to be accessed any computer or network for obtaining goods, services or information with the intent to permanently deprive the owner of possession or use."
THE VARIETIES AND TYPES OF CYBERCRIME
Not everything computer-related is cybercrime, and not everything computer-related is computer crime. A person using a stolen telephone code to make free calls, even though the number is processed by a computer, is engaging in toll fraud, not computer crime. A person who embezzles $200 from the ATM of a company they work for still commits embezzlement, not cybercrime. The use of computers as incidental to another offense is not cybercrime. There are plenty of laws on the books already to classify many types of related crime. One way to do this involves thinking along the lines of asset forfeiture, or whether computers make up the fruits or instrumentalities of crime. This is a classification of cybercrime with the computer as target and computer as tool.
Computer as Target: This kind of activity is the wrongful taking of information or the causing of damage to information. Targeting a computer just to obtain unauthorized access is the hallmark of hacking, and the most serious criminal offense here is theft of information, followed by maliciousness, mischief, and wayward adventuring. Bypassing a password protected website to avoid payment would be theft of services, and foreign intelligence break-ins would be espionage. These are all familiar types of crimes, but hacking is typically done in furtherance of a larger scheme since the hacker wants to exploit all computational and encryption capabilities of a hacked system in order to weave through related computer systems. The activity can range from large-scale disruption to elegant hacking. DNS rerouting and denial of service attacks are the most disruptive. Subtle changes to a web page are elegant. Hackers also generally collect password lists, credit card info, proprietary corporate info, and warez (pirated commercial software). A list of specific offenses in this category might include:
Arson (targeting a computer center for damage by fire)
Extortion (threatening to damage a computer to obtain money)
Burglary (break-ins to steal computer parts)
Conspiracy (people agreeing to commit an illegal act on computer)
Espionage/Sabotage (stealing secrets or destroying a competitor's records)
Forgery (issuing false documents or information via computer)
Larceny/Theft (theft of computer parts)
Malicious destruction of property (destroying computer hardware or software)
Murder (tampering with computerized life-sustaining equipment)
Receiving stolen property (accepting known stolen goods or services via computer)
Computer as Tool: This kind of activity involves modification of a traditional crime by using the Internet in some way. The traditional analogue here is fraud. It can be something as simple as the online illegal sale of prescription drugs or something as sophisticated as cyberstalking. Pedophiles also use the Internet to exchange child pornography, pose as a child, and lure victims into real life kidnappings. Laws governing fraud apply with equal force regardless of whether the activity is online or offline, but a few special regulations apply at the federal level:
Internet fraud (false advertising, credit card fraud, wire fraud, money laundering)
Online child pornography; child luring (sexual exploitation; transportation for sexual activity)
Internet sale of prescription drugs & controlled substances (smuggling; drug control laws)
Internet sale of firearms (firearms control laws)
Internet gambling (interstate wagering laws; lottery laws; illegal gambling businesses)
Internet sale of alcohol (liquor trafficking)
Online securities fraud (securities act violations)
Software piracy & Intellectual Property theft (copyright infringement; trade secrets)
Counterfeiting (use of computer to make duplicates or phonies)
INSIDERS AND OUTSIDERS
Another way of classifying cybercrime is to use a location-based approach that distinguishes between insiders and outsiders. This is the approach the FBI uses, which is also based on an evaluation of societal costs and the capabilities of law enforcement. It is also the approach one is most likely to encounter in the published, scholarly literature (e.g. Nykodym, Taylor & Vilela 2005). Such efforts are merely categorizations and are merely descriptive, but the geographic profiling of hackers has been a law enforcement pastime for quite some time (Taylor 1991), as has criminal profiling in general (Nykodym et al. 2005). Opinions differ over the most effective form of the profiling process, but it's somewhat true that the rest of the country usually follows the lead of the FBI on such matters. If one were to visit the now-defunct National Infrastructure Protection Center (now part of DHS), one could have seen how the problems of joint efforts reflect a changing set of priorities and emphases, but one could also easily see how about half the tips relate to insiders (using e-mail safely within your organization) and half to outsiders (cyberprotests by foreign nationals).
Insider Threats: The disgruntled insider is the principal source of computer crime. As much as 75% of computer crimes are done by employees. This makes cybercrime against business the number one type of cybercrime, and it's growing, with the estimated loss to business running about $500 million per year, in the form of crimes like theft of proprietary information, theft of customer databases, and theft of product databases. The average age of an insider offender is 29, and they generally hold managerial or professional positions (USDOJ CCIPS data of 2003 puts the age profile like this -- 34% are between 20-29, 36% between 30-35, and 27% over 35). Older offenders generally do more damage. The FBI regards disgruntled employees as motivated by a perception of unfair treatment by management or snubs by co-workers. Another fraction of incidents are caused by blunders, errors, or omissions. The FBI regards the insiders here as incompetent, inquisitive, or unintentional. The difference appears to be in the intent to disrupt. Crimes involving the computer only incidentally are treated as traditional crimes -- theft, for example, if an employee tampers with the payroll system (called "data-diddling"). However, even the FBI is continually surprised when, under the plain view doctrine, it investigates an insider threat and finds examples of child pornography, organized crime connections, and even recreational hacking. Employees often waste a lot of company time using their network access to surf, shop, or engage in other instances of lost productivity. It makes sense to profile the typical computer abuser. Every organization has them, and here are some of the signs:
missing computer supplies when the employee is around
missing software when the employee is around
numerous logon sessions, some attempts under different name
sloppy password management
unusual interest in computer system printout
mixes personal equipment with company equipment
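Two of the signs in the list above, numerous logon sessions and attempts under different names, are the ones that leave a record in authentication logs and can be checked mechanically. The script below is an added example written for this page, not code from the author or from the FBI or any vendor; the log format, the workstation and user names, and the thresholds are all constructed assumptions. It parses a small embedded log, tallies successful sessions and distinct usernames per workstation, and reports the workstations that exceed either threshold so a reviewer can follow up.

```python
"""Flag workstations whose auth activity matches two insider-abuse signs:
an unusual number of logon sessions, and logon attempts under several
different usernames. Log format and sample data are constructed."""

import re
from collections import defaultdict

# Constructed sample: one event per line, not from any real system.
SAMPLE_LOG = """\
2024-03-01T08:02:11 host=ws-17 user=jdoe result=success
2024-03-01T08:05:40 host=ws-17 user=jdoe result=success
2024-03-01T08:06:02 host=ws-17 user=admin result=failure
2024-03-01T08:06:15 host=ws-17 user=svc_backup result=failure
2024-03-01T08:06:31 host=ws-17 user=msmith result=failure
2024-03-01T08:07:00 host=ws-17 user=jdoe result=success
2024-03-01T09:10:05 host=ws-03 user=msmith result=success
2024-03-01T12:30:44 host=ws-03 user=msmith result=success
"""

# Assumed key=value layout; adapt the pattern to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse(log_text: str) -> list:
    """Turn log text into a list of event dicts, skipping malformed lines
    instead of aborting on them."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_hosts(events: list, max_sessions: int = 2, max_names: int = 1) -> dict:
    """Per workstation: count successful sessions, distinct usernames tried,
    and failed attempts. Return host -> list of human-readable reasons for
    every host that exceeds either threshold. Thresholds are assumptions
    and should be tuned to the environment's normal baseline."""
    sessions = defaultdict(int)
    names = defaultdict(set)
    failures = defaultdict(int)
    for e in events:
        names[e["host"]].add(e["user"])
        if e["result"] == "success":
            sessions[e["host"]] += 1
        else:
            failures[e["host"]] += 1

    findings = {}
    for host in sorted(names):
        reasons = []
        if sessions[host] > max_sessions:
            reasons.append(f"{sessions[host]} logon sessions")
        if len(names[host]) > max_names:
            reasons.append(
                f"{len(names[host])} different usernames tried "
                f"({failures[host]} failed)"
            )
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_hosts(parse(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
```

A real deployment would group by time window as well as by host, since the "numerous sessions" sign is about density rather than a lifetime total, and would exclude shared kiosks and jump hosts where several usernames per machine are expected.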
Insider profiling (Nykodym et al. 2005) aims to help organizations understand the types of people that are likely to commit net abuse and/or cybercrime. Some common characteristics of such people include: not showing fear of having managers around; an inclination to break the rules; and perhaps being a keen sports fan (in the case of net abuse by online gambling at work). Such persons are usually fairly secretive, hard to communicate with, and quiet at work. Workplace cybercrime committed by managers tends to adhere to the same profile, yet the money "take" is higher. Mid- or low-level employees, who commit the majority of cybercrimes at work, tend to have more restricted access and subsequently a lower "take." However, an alliance between a manager and an employee can be a difficult case to investigate (detect and stop) because they are working on different levels of a hierarchy and have more ways to hide the crime.
Insider cybercrime is generally divided into four (4) main categories (Nykodym et al. 2005): (1) espionage; (2) theft; (3) sabotage; and (4) personal abuse of the organizational network. The espionage-oriented offender is similar to the outsider cybercriminal (discussed below), is generally after confidential or sensitive information, and is usually part of the management team, sometimes the higher management (very senior) team. Depending upon the race structure of the organization, the cybercriminal would be white or black, but they are usually secretive individuals who do not want to look different, and always try to blend in among others. Theft-oriented cybercriminals are motivated by their own gain (despite what they might say about hate or revenge), with their only goal the selling or using of valuable information for money. Such criminals are usually very comfortable with their position in the organization, and they tend to be young (either male or female) and still relatively low in the organization's hierarchy. The sabotage-oriented cybercriminal is like the espionage-oriented type (in being influenced by a competitor), but saboteurs are not necessarily employed by the organization; they usually consist of subcontractors, part-timers, and the like, who also usually have one thing in common -- they have personal motives, like revenge for some mistreatment they perceive, such as a layoff or missed promotional opportunity. Age, race, and sex variation is quite diverse with this type.
Outsider Threats: Hackers are the most common group in this category. Their typical age is between 14 and 19, and they are generally part of the cyberpunk subculture. Hacking for illicit financial gain has been increasing, and less-skilled "script kiddies" (using point-and-click software instead of programming) are increasing in number. Distributed Denial of Service attacks are also increasing; these plant a tool such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht (German for barbed wire) on a number of unwitting victim systems. Then, when the hacker sends the command, the victim systems in turn begin sending messages against the real target system. 2001 was also the Year of the Virus, and several large-scale hacks were accompanied by viruses released in the wild, which led authorities to suspect that hackers and virus writers were uniting. The FBI uses the following typology to classify outsider threats:
industrial espionage - theft of proprietary information or trade secrets
terrorism - attempts to influence or disrupt U.S. policy
national intelligence - attempts by foreign governments to steal economic, political, or military secrets
infowarfare - cyber attacks by anyone on the nation's infrastructure to disrupt economic or military operations
Industrial espionage is a very high-stakes game which U.S. companies play along with everyone else. There is a 1996 Anti-Economic Espionage law which defines "trade secrets" quite broadly, but arrests usually involve sting operations conducted against foreign nationals attempting to bribe somebody. Rarely are American companies stung. It's the perfect example of an exception to the insider-outsider typology because sometimes the crime originates with an employee who is in a position to sell trade secrets, and other times the employee is tempted by an outsider.
Terrorists are known to use information technology to formulate plans, raise funds, spread propaganda, and communicate securely. For example, Ramzi Yousef, mastermind of the first World Trade Center attack, stored detailed plans to destroy United States airliners in encrypted files on his laptop computer. Osama bin Laden was known to use steganography for his network's communications. A website known as the Muslim Hacker's Club listed tips for things such as hacking the Pentagon. A hacker known as DoctorNuker has been defacing websites for the last five years with anti-American, anti-Israeli, and pro-Bin Laden propaganda. Other than the use of computers to communicate and coordinate, few examples exist of cyberterrorism, or politically motivated attacks on computer systems. In fact, it is advantageous to a terrorist group to keep the Internet working, as a means of communication and an outlet for propaganda. The main tools of terrorism remain guns and bombs, not computers. There are a few instances of cyberterrorism, however, such as the 1998 attack on Sri Lankan servers by the Internet Black Tigers, or the Mexican Zapatista movement of the same year, which eventually teamed up with protesters against the World Trade Organization. We have yet to see a significant instance of "cyber terrorism" with respect to widespread disruption of critical infrastructures. However, the FBI and many others are concerned about the growth of something called hacktivism, a word that combines hacking and activism. These are politically motivated attacks, but they may also be a form of electronic civil disobedience. Such attacks are usually elegant. For example, the Zapatistas target the URLs of companies they think don't support human rights. The attack is nothing more than adding the phrase "/human_rights" to the end of the URL. The page returns a display that says "human rights not found on this server," and the same message is recorded in the server logs. They don't actually flood the server; they repeat the request just enough times to make sure it's noticed in the server logs.
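What the "/human_rights" protest described above looks like from the web server's side, as an added example that is not part of the original lecture: a small parser for Apache/nginx "combined" access-log lines that counts the not-found responses carrying that suffix per client address and separates a low-volume "message in the logs" from an actual flood. The log format and the threshold are assumptions, and the sample log lines are constructed, not taken from any real server.

```python
"""Spotting the "/human_rights" 404 pattern in web server logs (added example)."""
import re
from collections import Counter

# One "combined"-format access-log line: client IP, timestamp, request line,
# status code, response size. Assumed format; other fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip any query string and trailing slash so the suffix check sees only the path.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")
    return rec


def suffix_404s(lines, suffix="/human_rights"):
    """Count 404 responses whose request path ends with `suffix`, keyed by client IP."""
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if rec["path"].endswith(suffix):
            per_source[rec["ip"]] += 1
    return per_source


def classify(per_source, flood_threshold=50):
    """'none' if nothing matched; 'flood' if one source alone exceeds the threshold;
    otherwise 'message': a handful of requests, from one or more sources, that are
    meant to be noticed in the logs rather than to take the server down."""
    if not per_source:
        return "none"
    if max(per_source.values()) >= flood_threshold:
        return "flood"
    return "message"


def analyze(lines, suffix="/human_rights", flood_threshold=50):
    """Summarise the suffix-carrying 404s in a batch of log lines."""
    per_source = suffix_404s(lines, suffix)
    return {
        "matching_404s": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "max_per_source": max(per_source.values(), default=0),
        "classification": classify(per_source, flood_threshold),
    }


# Constructed sample log: three clients, four "/human_rights" misses, one unparseable line.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/1998:14:02:11 -0600] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [10/Apr/1998:14:02:13 -0600] "GET /index.html/human_rights HTTP/1.0" 404 298',
    '203.0.113.44 - - [10/Apr/1998:14:05:40 -0600] "GET /human_rights HTTP/1.0" 404 298',
    '203.0.113.44 - - [10/Apr/1998:14:05:41 -0600] "GET /human_rights/ HTTP/1.0" 404 298',
    '192.0.2.19 - - [10/Apr/1998:14:09:02 -0600] "GET /products/human_rights?src=a HTTP/1.0" 404 298',
    '192.0.2.19 - - [10/Apr/1998:14:09:03 -0600] "GET /products/ HTTP/1.0" 200 1187',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```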
Foreign intelligence services have adapted to using cyber tools as part of their information gathering and espionage tradecraft. In a case dubbed "the Cuckoo's Egg," between 1986 and 1989 a ring of West German hackers penetrated numerous military, scientific, and industry computers in the United States, Western Europe, and Japan, stealing passwords, programs, and other information which they sold to the Soviet KGB. Significantly, this was over a decade ago -- ancient history in Internet years.
Infowarfare usually involves foreign military forces against another foreign military force. We know that several nations are already developing information warfare doctrine, programs, and capabilities for use against each other and the United States. China and Taiwan have been at infowar for years. Foreign nations interested in such programs feel they cannot defeat the United States in a head-to-head military encounter and believe that information technology is our Achilles' heel and their best bet. Infowar is a classic example of cyberterrorism because it is always advanced and persistent. In fact, there is a neat term for it, APT (Advanced Persistent Threat), which refers to the capability and intent to persistently and effectively target a specific entity, such as the way the Stuxnet worm in 2010 targeted Siemens industrial software to disrupt the Iranian nuclear program. The "advanced" in APT refers to the capability to compromise a target and maintain access to it. The "persistent" in APT refers to a "low-and-slow" approach in the opportunistic motivation to seek greater amounts of information. An APT usually targets national security information, is often attached to an authorized user, and firewalls don't stop it. Following in the footsteps of Stuxnet (and sharing some of the same code) are two new pieces of 2011 malware called Duqu (which targets European manufacturing) and Nitro (which targets chemical companies, defense contractors, and other elements critical to national security in the UK, USA, and Bangladesh).
Cyberextortion is an outsider threat designed to obtain money, products, or favorable considerations from an organization or an organization's individual employees using illegal means of persuasion related to a computer intrusion or threatened computer intrusion that would make it impossible or difficult for that organization to do business. The method of attack is most typically a Denial of Service (DoS) although theft of data or public ridicule (web defacement) are also common. The crime takes advantage of the tendency for most businesses to NOT want their infrastructure vulnerability made public. The target is typically a company that is involved heavily in e-commerce, and there is some tendency for targets to be companies that outsource their help desk function to places like India and Pakistan.
This crime is a good example of a transnational crime. While it can occur within the boundaries of a single nation (Japanese businesses, for example, tend to be cyberextorted by Japanese criminals), it is more commonly found in the form of Russian or Eastern European hackers, hired or coerced by some organized crime group into finding American and European companies to break into. Banking organizations are a particular target. The bank victim is threatened with having all or most of its customers' PIN numbers placed on the Internet somewhere, and a surprising number of victims "pay up" rather than report the problem to law enforcement. Cyberextortion, in its organized crime variety, also represents an interesting division of labor among criminals, since the hackers do specialized, technical work and their "handlers" do specialized, nontechnical work.
A TYPOLOGY OF HACKERS
At the heart of cybercrime are the hackers. These people are the ones with the skills to commit the crimes, and an interesting way to look at them is to focus upon the lifestyles and personalities of hackers. Take it for what it's worth. None of these personality characteristics have been validated by any empirical tests. The first typology comes from Maxfield (1985):
Pioneers -- those who are fascinated by evolving technology and explore it without knowing exactly what they are going to find
Scamps -- hackers with a sense of fun who intend no overt harm
Explorers -- hackers motivated by a delight in breaking into computer systems. The more geographically distant, or the more secure the target is, the greater the delight
Game players -- those who enjoy defeating software or system protection, with hacking seen as a sort of game itself
Vandals -- those who cause damage for no apparent gain
Addicts -- nerds who are literally addicted to hacking and computer technology
A second typology (Coutourie 1989) describes the relationship of a hacker to their computer:
Playpen -- in which the computer is seen as a toy
Fairyland -- where cyberspace is an unreal world where wrong cannot be done
Land of opportunity -- where there's nothing wrong with exploiting a vulnerable system
Tool box -- in which the computer is just a way to get other things done
Cookie jar -- with the computer as a place to go borrow things now and again
War game -- where hostile feelings are vented against machines rather than people
There have been no known attempts to apply these typologies to real-life case studies, although allow me to give you some cases, and let you see if you can apply anything yourselves:
Case Studies of Hackers
|"Captain Crunch"||In 1972, "Capt. Crunch" aka John Draper, realized that by blowing the whistle that came in Capt. Crunch cereal boxes, he could replicate the tones necessary to place free long-distance phone calls. He spent some time on probation and in prison, then went to work for Apple Computer.|
|Kevin Mitnick||In 1994, Mitnick was the world's most wanted hacker for breaking into Digital Equipment's computers and stealing source codes. He served some years in prison, then became a book author.|
|Kevin Poulsen||In 1995, Poulsen, a friend of Mitnick's, broke into FBI computers. He spent some years in prison, and is now a computer security journalist.|
|"Mafiaboy"||In 2000, this Canadian boy launched denial-of-service attacks on CNN, Yahoo, and other major websites. He ended up under house arrest and was restricted from using the Internet.|
|Onel DeGuzman||In 2000, this Filipino computer science student unleashed the "ILOVEYOU" virus on the Net. He went unpunished because the Philippines had no law covering the crime.|
HACKERS AS TERRORISTS
Regardless of whether cyberterrorism will become the future's most prevalent form of terrorism (a debatable issue in many circles, and dependent mainly upon whether the field of terrorism studies ever figures out whether the "status" or demographics of the perpetrator is as important as the "nature" of the act), it can be safely said that hackers, like terrorists, tend to work in asymmetric, non-hierarchical formations, which means that they do not have organizations like gangs and so forth. The concept of netwar (Arquilla & Ronfeldt 2001) might or might not be useful in explaining these new kinds of formations. Although the concept of netwar is at odds with traditional forms of organization, criminal networks tend to have the following types of members, which can be compared to the components of a terrorist cell:
Membership Roles/Components of Hacking/Terrorist Networks
|Organizers -- core members who steer group||Leadership -- charismatics who lead group|
|Insulators -- members who protect the core||Bodyguards -- members who protect leaders|
|Communicators -- pass on directives||Seconds in command -- pass on orders|
|Guardians -- security enforcers||Intelligence -- and counterintelligence agents|
|Extenders -- recruiters of new members||Financiers -- fund raisers & money launderers|
|Monitors -- advisors about group weaknesses||Logistics -- keepers of safe houses|
|Members -- those who do the hacking||Operations -- those who commit the terror|
|Crossovers -- people with regular jobs||Sleepers -- members living under deep cover|
Netwar is the most likely way cyberterrorists would operate. They have an interest in getting their message and/or demands across, and therefore would use the Internet to disseminate information or misinformation. A number of terrorist groups already have websites, and more can be expected. Hackers also seem to be evolving more in the direction of hacktivism. It is unlikely that terrorists will ever give up their traditional weapons. The most likely scenario is a traditional attack that is simultaneously accompanied by a PsyOp-like netwar. The definition of netwar is as follows:
|NETWAR refers to information-related conflict at a grand level between nations or societies. It means trying to disrupt or damage what a target population knows or thinks it knows about itself and the world around it. A netwar may focus on public or elite opinion, or both. It may involve diplomacy, propaganda and psychological campaigns, political and cultural subversion, deception of or interference with local media, infiltration of computer networks and databases, and efforts to promote dissident or opposition movements across computer networks (Arquilla & Ronfeldt's RAND archives).|
Cyberterrorism does not need to deploy forces by ship, plane, or truck. There are no logistical delays or the usual indicators and warnings. Cyber attacks could be used to disable defenses and blind intelligence capabilities in preparation for a devastating kinetic strike. These methods can slow the reactions of defenders by clouding their operational picture or fouling their means of communication. Cyber attacks could bring down key command and control nodes altogether, paralyzing any response to the attack.
Cybercrime and cyberterrorism are not coterminous. Cyberspace attacks must have a 'terrorist' component in order to be labelled cyberterrorism. The likelihood of a cyberterror attack increases every day, as every day the Internet and countless other computer systems are under increasing attack and/or used by terrorists in various ways. "Use" by itself does not normally comprise cyberterrorism, only "use" which borders on "offensive use" or "misuse," at least according to Kent Anderson's article on Politically Motivated Computer Crime. However, thought on the offensiveness of "supporter websites" is still evolving (Weimann 2006), and many groups of cybervigilantes now have a good set of experts who analyze the websites of terrorist organizations and supporters. In 1999, Time magazine reported that 12 of the 30 terrorist groups designated as FTOs had websites, but by 2005, a majority of these same groups had an online presence, some of it hosted by American site hosting companies. A determined attacker (or attackers) will soon learn what works and what doesn't, where the vulnerabilities are, how responses are patterned, and what methods are used for detection, apprehension, and prosecution. Cyberterrorism is not a matter of if, but when. Some definitions are given below:
|CYBERTERRORISM is the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives. (Source: Kevin Coleman's 2003 article)|
|"Cyberterrorism refers to premeditated, politically motivated attacks by sub-national groups or clandestine agents against information, computer systems, computer programs, and data that result in violence against non-combatant targets" (Pollitt n.d.)|
|Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not. (Denning 2000 & 2001)|
Cyberterrorism prevention requires an international effort, and that is precisely the purpose of IMPACT (The International Multilateral Partnership Against Cyber-Terrorism), a coalition of twenty-six countries that have united to form a global cyber-security group headquartered out of Malaysia. Interpol belongs to this group, as does the controversial North Korea, but it is a good thing to see less developed countries take some initiative because there should be no "safe haven" for cyber-terrorists and cyber-terrorism is NOT something confined to developed countries. The 2007 cyber-terrorism attack on Estonia proved that.
Arquilla, J. & D. Ronfeldt. (2001). Networks and netwars. Santa Monica:
Author Unknown (n.d.) What are Al Qaeda’s Cyberterrorism Capabilities? from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/vulnerable/alqaeda.html.
Ballard, J., Hornik, J, & McKenzie, D. (2002). Technological facilitation of terrorism: Definitional, legal, and policy issues. American Behavioral Scientist 45(6):989-1016.
Barney, D. (2000). Prometheus wired. Chicago: Univ. of Chicago Press.
Becker, R. (2000). Criminal investigation. Gaithersburg, MA: Aspen.
Bennett, W. & K. Hess. (2001). Criminal investigation. Belmont, CA: Wadsworth.
Biegel. S. (2003). Beyond our control. Cambridge, MA: MIT Press.
Brown, S., F. Esbensen & G. Geis. (2001). Criminology. Cincinnati: Anderson.
Bucci, S. (2009). "The confluence of cyber crime and terrorism." Heritage Insider, June 12.
Clifford, R. (2001). Cybercrime: The investigation, prosecution and defense of a computer-related crime. Durham: Carolina Academic Press.
Collin, B. (1996). "The future of cyberterrorism." Paper presented at the 11th Annual International Symposium on Criminal Justice Issues, University of Illinois at Chicago, at http://afgen.com/terrorism1.html.
Coutourie, L. (1989). "The computer criminal." FBI Law Enforcement Journal 58: 18-22.
Denning, D. (2000). "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Policy." Georgetown Univ. Workshop paper.
Denning, D. (2000). "Cyberterrorism: Testimony before the Special Oversight Panel on Terrorism." U.S. House of Representatives, Comm. Armed Services (23 May) http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html.
Denning, D. (2000). "Cyberterrorism," Global dialogue (Autumn), http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc.
Denning, D. (2001). "Is cyber terror next?" New York: U.S. Social Science Research Council, at http://www.ssrc.org/sept11/essays/denning.htm.
Deutch, J. (1996). "Statement Before the U.S. Senate Governmental Affairs Committee, Permanent Subcommittee on Investigations" (25 June), at http://www.nswc.navy.mil/ISSEC/Docs/Ref/InTheNews/fullciatext.html.
Dyson, E. et al. (1994). Cyberspace and the American dream. EFF.
Embar-Seddon, A. (2002). "Cyberterrorism: Are we under siege?" American Behavioral Scientist 45(6):1033-43.
Fukuyama, F. (2006). America at the crossroads. New Haven, CT: Yale Univ. Press.
Garfinkel, S. (2004). "The FBI's cyber-crime crackdown," Pp. 21-25 in J. Victor & J. Naughton (eds.) Annual Editions: Criminal Justice 04/05. Dubuque, IA: Dushkin.
Institute for Advanced Study of Information Warfare
Johnson, T. (Ed.) (2005). Forensic computer crime investigation. Boca Raton, FL: CRC Press.
Kalathil, S. & Boas, T. (2003). Open networks, closed regimes. Washington DC: Brookings.
Kopelev, S. (2000). "Cracking computer codes" Law Enforcement Technology 27(1): 60-67.
Lessig, L. (1999). Code and other laws of cyberspace. NY: Basic Books.
Lipschultz, J. (1999). Free expression in the age of the internet. Boulder, CO: Perseus Books.
Loader, B. & D. Thomas. (2000). Cybercrime, law enforcement, security and surveillance. London: Routledge.
Maxfield, J. (1985). "Computer bulletin boards and the hacker problem." The Electric Data Processing Audit, Control and Security Newsletter. Arlington: Automation Training Center, October.
Mena, J. (2004). Homeland security techniques and technologies. Hingham, MA: Charles River Media.
Meyer, J. & C. Short. (1998). "Investigating computer crime" Police Chief 65(5): 28-35.
Moore, R. (2005). Cybercrime: Investigating high-technology computer crime. Cincinnati: LexisNexis Anderson.
Nelson, B. et al. (1999). Cyberterror: Prospects and Implications. Monterey, CA: Center for the Study of Terrorism and Irregular Warfare.
Nykodym, N., Taylor, R. & Vilela, J. (2005). "Criminal profiling and insider cyber crime." Digital Investigation 2(4): 261-267.
Parker, T., Sachs, M., Shaw, E., Stroz, E. & Devost, M. (2004). Cyber adversary characterization. NY: Syngress.
Piper, T. (2002) "An uneven playing field: The advantages of the cybercriminals vs. law enforcement." SANS Reading Room, http://www.sans.org/rr/legal/uneven.php.
Pollitt, M. (n.d.) "Cyberterrorism: Fact or Fancy?" http://www.cs.georgetown.edu/~denning/infosec/pollitt.html.
Power, R. (2000). Tangled web: Tales of digital crime from the shadows of cyberspace. Indianapolis: Que.
Prof. Rob Kling's Social Informatics web page
Riem, A. (2001). "Cybercrimes of the 21st Century." Computer Fraud & Security 4: 12-15.
Rose, L. (1995). Net law: Your rights in an online world. NY: McGraw Hill.
Speer, D. (2000). "Redefining borders: The challenges of cybercrime." Crime, Law & Social Change 34:259-73.
Sullivan, S. (1999). "Policing the internet" FBI Law Enforcement Bulletin 68(6): 18-21.
Taylor, R. (1991). "Computer crime" in C. Swanson, N. Chamelin & L. Teritto, Criminal Investigation. NY: Random House.
U.S. Dept. of Justice Cybercrime Section
Wall, D. (Ed.) (2001). Crime and the internet. NY: Routledge.
Weimann, G. (2004). How modern terrorism uses the internet, http://www.usip.org/pubs/specialreports/sr116.html.
Weimann, G. (2006). Terror on the internet: The new arena, the new challenges. Dulles, VA: Potomac Books.
Whine, M. (1999). "Cyberspace." Studies in Conflict and Terrorism 22:231-245.
Last updated: Nov 03, 2011
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T. (2011). "Cyberterrorism", MegaLinks in Criminal Justice. Retrieved from http://www.drtomoconnor.com/3400/3400lect06a.htm accessed last on Oct. 14, 2011.