By lumping hackers in with cyber-terrorists, the government is demonstrating a fundamental inability to understand either group.
A recent article by Helen Atkinson in the Journal of Commerce begins with comments about "a virus sent by a 15-year-old boy" that shut down the Web sites of CNN, Amazon, eBay, and other major sites last year, and wonders about the impact of a "more coordinated attack" against our computer systems by "cyber-terrorists." Atkinson's article is an example of the kind of ill-informed fear-mongering that surrounds discussions of cyber-terrorism.
As most readers of this column already know, the events of February 2000 were not caused by a "virus" but by a denial-of-service tool. Mafiaboy, the fifteen-year-old charged with this attack, was by no stretch of the imagination a "cyber-terrorist". Rather, he was an electronic prankster and common criminal looking for bragging rights on IRC. He was certainly not a national security threat, and his incarceration would not make America or the world one bit safer. Unfortunately, incidents like this are given hyped-up media coverage that attempts to justify heavy-handed government reactions, such as the recently signed anti-terrorism bill.
The problem is exacerbated by the fact that there is no single definition of a "cyber-terrorist." A new crime of "cyber-terrorism" was established in Section 814 of the recent anti-terrorism bill. According to the bill, cyber-terrorism is defined in general terms with a few specific criteria, including hacking attempts causing damage "aggregating at least $5,000 in value" in one year, any damage to medical equipment, or "physical injury to any person." Prison terms for such actions range between five and 20 years.
The nebulous language of Section 814 does not clearly differentiate between a computer crime or an electronic prank and an intentional act of terror. Under this legislation, Mafiaboy or Kevin Mitnick would be considered a cyber-terrorist, even though they were not acting against critical national infrastructures (unless, of course, you consider eBay a national infrastructure!). This is like equating a water-balloon attack with a political assassination.
According to the FBI, terrorism "is the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives." By extension, I would posit that cyber-terrorism "is a premeditated, politically motivated attack against information resources that is intended to create civil fear or unrest in order to gain a political or tactical advantage."
Nowhere in my definition did I mention "hacker" or "electronic" (although that's certainly part of how one should interpret my proposed definition). Should the current legislation then be interpreted to mean that using a computer to compromise or deface a Web site could be construed as "cyber-terrorism"? Does it mean that a person using a truck bomb to destroy an unmanned telephone facility to shut down regional connectivity would not? The current emphasis seems to be on just that approach. This was implied in Tom Ridge's remarks on critical infrastructure security when he decreed that if you "disrupt, destroy, or shut down information networks, you shut down America ... it is a technical challenge, because we must always remain one step ahead of the hackers."
As a security professional, I believe our leaders spend too much airtime discussing hackers, crackers, and defacers, and overlook other, more damaging and, some might say, more probable, threats to information security. Contrary to popular misconception, one does not need a keyboard and a mouse to become a cyber-terrorist. There are many different threats that could and should be deemed "cyber-terrorism", none of which include shutting down highly commercialized e-commerce sites. Remember, my proposed definition means that such events must be identified as contributing to an adversary's advantage, and are not done merely for "kicks" or bragging rights. Some such events may include:
- Disrupting or degrading East Coast Internet connectivity by intentionally detonating a railway car in a particular location on the Eastern Seaboard.
- Disrupting or degrading electronic devices through the high-altitude detonation of a nuclear device.
- Utilizing skilled insiders to place exploitable code and other devious items (e.g., logic bombs) in mass-produced software and operating systems, especially during technology emergencies like Y2K.
- Using specially modified software and advanced unconventional thinking, planning, and knowledge to compromise and exploit critical information systems to disrupt - or more strikingly - modify data in a manner that may not be clearly evident or easily remedied, such as medical records or pharmacological formulae.
All of these attacks conceivably meet the FBI criteria for terrorism. None of them, however, require hacking. Nor do all hacking attempts, or even a small portion thereof, constitute terrorism according to these criteria.
The lesson here is that current cyber-terrorism assessments by the government suffer from tunnel vision, as they are unjustifiably TCP/IP-based. Such a singular interpretation of this threat only complicates our national efforts to effectively assess, prevent, and respond to potential attacks in this area. A more broad-based, holistic approach to assessing the threats against our critical information resources - one that takes an unconventional view of the matter and goes beyond simple "hacking" activities - would be beneficial.
The government has continually wrestled with ways to address public concerns about Internet security. This is laudable. However, it is currently exploiting the social and political climate to stigmatize hackers as terrorists, thereby solving a complex, nagging problem in a simplistic, heavy-handed manner.
If we are going to associate the term "terrorism" with information-related criminal activity, we must keep in mind the fundamental goals of terrorists as mentioned in the FBI definition above. A teenager who shuts down a company's website is not a terrorist. Nor is the creator of the I-LOVE-YOU virus or Code Red worm.
Someone acting on behalf of a state or non-state organization intending to cause fear or public panic by disrupting critical information systems through electronic (or, more likely, physical) attack is certainly a cyber-terrorist, and should face the consequences of the law. So should hackers who illegally disrupt the legitimate services of legitimate enterprises; however, they should be treated for what they are, nuisances, annoyances and criminals - not cyber-terrorists.
The full text of the recent Anti-Terrorism bill is available here.
The reaction of the Electronic Frontier Foundation (EFF) can be found here.