Law 897: Cyberterrorism
November 22, 2010 Class Assignment by Darin See
All of the footnotes in this assignment contain references to material that need not be read, or sources for optional reading and viewing.
What is Cyberterrorism?
It is often said that the person who "defines the issue wins the debate" -- and definitions of cyberterrorism enjoy considerable variance. So what is the debate about? And why isn't the definition of cyberterrorism just an economical way of saying "terrorism that happens on the internet"? Please consider the following definitions:
- For a military perspective, please read pages II-1 & II-2 of the U.S. Army Training and Doctrine Command's "Cyber Operations and Cyber Terrorism" handbook.
- A former FBI Special Agent, Mark M. Pollitt, is responsible for a popular definition: "Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents."
- Bruce Schneier, a cryptologist and security expert, defines cyberterrorism as: "The use of cyberspace to commit terrorist acts. An example might be hacking into a computer system to cause a nuclear power plant to melt down, a dam to open, or two airplanes to collide."
- According to James A. Lewis of the Center for Strategic and International Studies, cyberterrorism is "the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population."
- Other attempts to define cyberterrorism focus on the identity of the individual, the act itself, and the medium through which the act is performed. Please read "Cyberattack, Cybercrime, and Cyberterrorism" and "Definitions for Cyberterrorism" found on pages CRS-3 and CRS-4 of Clay Wilson's Congressional Research Service Report for Congress. Mr. Wilson is a technology and national security specialist with the Federation of American Scientists.
Please adopt a definition (or define cyberterrorism yourself), and be able to explain why your favored definition makes the most sense. Would the following scenarios qualify as cyberterrorism under your definition? Should they?
- A group of students hacks a road sign, diverting traffic.
- Members of Al Qaeda shut down a nuclear power plant for 3 days, annoying many and hurting none.
- Unidentified individuals hack into a breakfast-foods plant, changing the recipe for a popular cereal to include an overdose of iron. Thousands of children are made gravely ill.
What are the Tools and what are the Vulnerabilities?
Power generator being destroyed in cybersecurity test. Image by U.S. Department of Homeland Security. (Originally appears at NOC Designs)
Some of the scariest cyberterrorism scenarios involve skilled hackers who would take over critical infrastructures like power stations by compromising the SCADA ("Supervisory Control and Data Acquisition") software that controls them. Hacking, however, isn't necessarily required. Viruses are also capable of shutting down critical services -- even those that run on private networks, unconnected to the internet.
Services that are connected to the internet are vulnerable to collapse via denial of service attacks. The two million computers in the U.S. that are controlled by one strain or another of botnet software are capable of delivering distributed denial of service attacks on an unprecedented scale.
- Please familiarize yourself with the basic tools (and terms) of the trade.
- Susan Brenner and Marc Goodman's article, In Defense of Cyberterrorism: An Argument for Anticipating Cyber-Attacks, provides a good look into the many forms that a cyberterrorist attack might take. Please read section III, Cyberterrorism Scenarios, on pages 27-44 (you can also search Westlaw or Lexis for: 2002 U. Ill. J.L. Tech. & Pol'y 1 ).
- America's Hackable Backbone touches on some notable efforts to control infrastructure by hacking SCADA software.
- The efforts of Vitek Boden, described briefly in the Forbes article above, are often cited as the only example of a successful SCADA breach where the harm caused was purposeful. As such, Mr. Boden's conviction may also represent the only case against an individual for cyberterrorist-like acts.
- The U.S. Government has been testing infrastructure vulnerabilities in cyberspace for years. In "Eligible Receiver," one of the earliest government-conducted tests, a team from the National Security Agency was able to break into the 911 Emergency System, Department of Defense, and Joint Chief of Command networks in fewer than 48 hours. In a more recent test, the Department of Homeland Security was able to destroy a generator as part of a cybersecurity experiment.
- A worm that actually targets SCADA software, called "Stuxnet," was discovered in 2010. The U.S. isn't the only country worried about Stuxnet.
Is the Threat of Cyberterrorism Exaggerated?
One thing that most commentators agree on is that the United States has yet to be victimized by an act of cyberterrorism. So what is there to be worried about? Joshua Green, an editor of The Washington Monthly, suggests that "[t]here are many ways terrorists can kill you--computers aren't one of them." Please consider the links below, and adopt a point of view as to whether or not the threat of cyberterrorism has been exaggerated.
- For one view of the cyberterrorist threat, watch Cyber Shockwave (headphones are available on SUB2).
- Please read pages 43-46 of Professor Dorothy Denning's article, Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy.
- Watch a brief clip of Professor Jonathan Zittrain's take on the threat of cyberterrorism.
- Former National Security Agency Director, Mike McConnell, argues that the cyber threat is real (though the op-ed is framed in terms of cyberwar, Mr. McConnell's arguments apply to the threat of cyberterrorism as well).
- A contributing editor to Wired magazine's "Threat Level" blog, Ryan Singel, responds to Mr. McConnell's op-ed. Mr. Singel contends that the cyber threat has been hyped for another purpose: the destruction of the open internet (again, though the response is framed by the term cyberwar, Mr. Singel's arguments apply just as well to the threat of cyberterrorism).
- Please read Joshua Green's "The Myth of Cyberterrorism."
- Finally, take a brief look at Significant Cyber Incidents Since 2006.
So, what is the Solution?
In a line from his Memoirs of the life and writings of Benjamin Franklin that has been paraphrased many times in the last decade, Mr. Franklin states that "[t]hey who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
How would you balance liberty and safety, or liberty and security, in order to address cyberterrorism? Do any of the solutions address cyberterrorism as you've defined it? Is there no problem at all?