Law 897: Cyberterrorism

November 22, 2010 Class Assignment by Darin See

All of the footnotes in this assignment contain references to material that need not be read, or sources for optional reading and viewing.

What is Cyberterrorism?

It is often said that the person who "defines the issue wins the debate" -- and definitions of cyberterrorism enjoy considerable variance.¹ So what is the debate about? And why isn't the definition of cyberterrorism just an economical way of saying "terrorism that happens on the internet"? Please consider the following definitions:

• For a military perspective, please read pages II-1 & II-2 of the U.S. Army Training and Doctrine Command's "Cyber Operations and Cyber Terrorism" handbook.
  
  
• A former FBI Special Agent, Mark M. Pollitt, is responsible for a popular definition: "Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents."²
  
  
• Bruce Schneier, a cryptologist and security expert, defines cyberterrorism as: "The use of cyberspace to commit terrorist acts. An example might be hacking into a computer system to cause a nuclear power plant to melt down, a dam to open, or two airplanes to collide."³
  
  
• According to James A. Lewis of the Center for Strategic and International Studies, cyberterrorism is "the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population."⁴
  
  
• Other attempts to define cyberterrorism focus on the identity of the individual, the act itself, and the medium through which the act is performed. Please read "Cyberattack, Cybercrime, and Cyberterrorism" and "Definitions for Cyberterrorism" found on pages CRS-3 and CRS-4 of Clay Wilson's Congressional Research Service Report for Congress. Mr. Wilson is a technology and national security specialist with the Federation of American Scientists.

Please adopt a definition (or define cyberterrorism yourself), and be able to explain why your favored definition makes the most sense. Would the following scenarios qualify as cyberterrorism under your definition? Should they?

• A group of students hack a roadsign, diverting traffic.
  
  
• Members of Al Qaeda shut down a nuclear power plant for 3 days, annoying many and hurting none.
  
  
• Unidentified individuals hack into a breakfast-foods plant, changing the recipe for a popular cereal to include an overdose of iron.⁵ Thousands of children are made gravely ill.
  
  

What are the Tools and what are the Vulnerabilities?

Some of the scariest cyberterrorism scenarios involve skilled hackers who would take over critical infrastructures like power stations by compromising the SCADA ("Supervisory Control and Data Acquisition") software that controls them. Hacking, however, isn't necessarily required. Viruses are also capable of shutting down critical services -- even those that run on private networks, unconnected to the internet.⁶ Services that are connected to the internet are vulnerable to collapse via denial of service attacks. The two million computers in the U.S. that are controlled by one strain or another of botnet software⁷ are capable of delivering distributed denial of service attacks on an unprecedented scale.⁸

• Please familiarize yourself with the basic tools (and terms) of the trade.
  
  
• Susan Brenner and Marc Goodman's article, In Defense of Cyberterrorism: An Argument for Anticipating Cyber-Attacks, provides a good look into the many forms that a cyberterrorist attack might take. Please read section III, Cyberterrorism Scenarios, on pages 27-44 (you can also search Westlaw or Lexis for: 2002 U. Ill. J.L. Tech. & Pol'y 1 ).
  
  
• America's Hackable Backbone touches on some notable efforts to control infrastructure by hacking SCADA software.⁹
  
  
• The efforts of Vitek Boden, described briefly in the Forbes article above, are often cited as the only example of a successful SCADA breach where the harm caused was purposeful.¹⁰ As such, Mr. Boden's conviction may also represent the only case against an individual for cyberterrorist-like acts.¹¹
  
  
• The U.S. Government has been testing infrastructure vulnerabilities in cyberspace for years. In "Eligible Receiver," one of the earliest government-conducted tests, a team from the National Security Agency was able to break into the 911 Emergency System, Department of Defense, and Joint Chief of Command networks in fewer than 48 hours.¹² In a more recent test, the Department of Homeland Security was able to destroy a generator as part of a cybersecurity experiment.
  
  
• A worm that actually targets SCADA software, called "Stuxnet," was discovered in 2010.¹³ The U.S. isn't the only country worried about Stuxnet.
  
  

Is the Threat of Cyberterrorism Exaggerated?¹⁴

One thing that most commentators agree on is that the United States has yet to be victimized by an act of cyberterrorism.¹⁵ So what is there to be worried about? Joshua Green, an editor of The Washington Monthly, suggests that "[t]here are many ways terrorists can kill you--computers aren't one of them."¹⁶ Please consider the links below, and adopt a point of view as to whether or not the threat of cyberterrorism has been exaggerated.

• For one view of the cyberterrorist threat, watch Cyber Shockwave (headphones are available on SUB2).
  
  
• Please read pages 43-46 of Professor Dorothy Denning's article, Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy.
  
  
• Watch a brief clip of Professor Jonathan Zittrain's take on the threat of cyberterrorism.
  
  
• Former National Security Agency Director, Mike McConnell, argues that the cyber threat is real (though the op-ed is framed in terms of cyberwar, Mr. McConnell's arguments apply to the threat of cyberterrorism as well).
  
  
• A contributing editor to Wired magazine's "Threat Level" blog, Ryan Singel, responds to Mr. McConnell's op-ed. Mr. Singel contends that the cyber threat has been hyped for another purpose: the destruction of the open internet (again, though the response is framed by the term cyberwar, Mr. Singel's arguments apply just as well to the threat of cyberterrorism.)
  
  
• Please read Joshua Green's "The Myth of Cyberterrorism."
  
  
• Finally, take a brief look at Significant Cyber Incidents Since 2006.
  
  

So, what is the Solution?

In a line from his Memoirs of the life and writings of Benjamin Franklin that has been paraphrased many times in the last decade, Mr. Franklin states that "[t]hey who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."¹⁷ How would you balance liberty and safety, or liberty and security, in order to address cyberterrorism? Do any of the solutions address cyberterrorism as you've defined it? Is there no problem at all?

• Policy.
  The U.S.'s purported "leave the internet alone policy" has come to an end.¹⁸ For a brief look at the Obama Administration's approach to securing cyberspace, please read Remarks by the President on Securing Our Nation's Cyber Infrastructure from the line that reads "Today I'm releasing a report on our review," to the end.
  
  
• Legislation.
  
  • Section 18(6) of S.773, the Cybersecurity Act of 2009,¹⁹ would have given a sitting U.S. President the power to "order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security." Section 18(2) would enable the President to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network." Please read the Electronic Frontier Foundation's take on the bill. Does the power envisioned by the bill overreach, considering the cyberterrorist threat?
    
    
  • The "internet kill switch" language has been removed from the Cybersecurity Act in its 2010 revision, and other like-minded bills omit similar language. Please read sections 248 & 249 of S.3480 Protecting Cyberspace as a National Asset Act of 2010. Some argue that the new bill still leaves room for an "internet kill switch," just through a different office, and with different language. Watch Senator Leiberman's response to the criticism. Talking Points Memo Associate Editor, Megan Carpentier, argues that the bill contains no such provision at all.
    
    
• Technology.
  Is the internet itself the problem? Please read Do We Need a New Internet? Among the many issues considered by the Stanford Clean Slate Project (mentioned in Mr. Markoff's article) is whether or not a new internet should use network addressing that refers to people, instead of hardware.²⁰ Take a look at Jonathan Zittrain's blog post, weighing in on the "new internet" solution.
  
  
• International Law.
  Please read pages 99-108 of Professor Kelly Gable's article, which advocates for the use of universal jurisdiction to prosecute cyberterrorists.
  
  
• Military.
  Please read pages 311-318 of Natasha Solce's argument for the creation of a new military branch: The Cyber Force (you can also search Westlaw or Lexis for: 18 Alb. L.J. Sci. & Tech. 293 ). The establishment of such a force in the U.S. may already be well on its way.
  
  

Back to Law 897 Syllabus

1. Mohammad Iqbal, Defining Cyberterrorism, 22 J. Marshall J. Computer & Info. L. 397 [back]
2. Cyberterrorism - Fact or Fancy?, Mark M. Pollitt, FBI Laboratory. [back]
3. Bruce Schneier's blog post on Cyberwar includes suggested definitions for cyberwar, cyberterrorim, cybercrime, and cybervandalism. [back]
4. James A. Lewis, Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats, Center for Strategic and International Studies. [back]
5. For this and other cyberterrorism scenarios, see Barry Collin, The Future of Cyberterrorism, Crime and Justice International. The plausibility of Mr. Collin's example is also quoted in Dorothy Denning's Activism, Hackivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy at 44. [back]
6. Kevin Poulsen, Slammer worm crashed Ohio nuke plant network, Security Focus. [back]
7. Two million US PCs recruited to botnet, BBC News. Wikipedia's "botnet" entry provides a thorough look at what botnets are, how they work, and how they can turn a profit for their owners (by renting the services of the botnet to a spammer... or others). [back]
8. Scott Berinato, Attack of the Bots, Wired Magazine. [back]
9. For more, see Frank Dickman's Hacking the Industrial Network in Industry Week. [back]
10. For example, Bruce Schneier's blog posting, The Risks of Cyberterrorism. [back]
11. If you're interested, you can read Mr. Boden's appeal before the Supreme Court of Queensland, Australia. [back]
12. Military and Cyber-Defense: Reactions to the Threat; DoD News Briefing, Thursday, April 16, 1998; Issues in Terrorism and Homeland Security: Selections from CQ; U.S. Electrical Grid Compromised? [back]
13. You can learn more about Stuxnet at Bruce Schnier's blog which contains an unedited copy of an article he wrote for Forbes magazine on the topic. [back]
14. This title borrows from a debate entitled "The Cyber War Threat has been Grossly Exaggerated?" The debate has much to add to a conversation about cyberterrorism, and includes an all-star panel: Marc Rotenberg, Bruce Schneier, Mike McConnell, and Jonathan Zittrain. You can see or hear the debate at Intelligence Squared US. [back]
15. For example, Susan W. Brenner, Marc D. Goodman, In Defense of Cyberterrorism: An Argument for Anticipating Cyber-Attacks, U. Ill. J.L. Tech. & Pol'y, Spring 2002, 44. [back]
16. Joshua Green, The Myth of Cyberterrorism, The Washington Monthly. [back]
17. Memoirs of the life and writings of Benjamin Franklin [back]
18. Kieren McCarthy, US government rescinds 'leave internet alone' policy, The Register. [back]
19. S.773 Cybersecurity Act of 2009 [back]
20. See page 8 of the Clean Slate Project's whitepaper for more. [back]