Policy Issues in Connection with Cyberterrorism

Susan Brenner defines cyberterrorism as private citizens using computer technology to engage in terrorist activity.[1] Terrorist activity differs from criminal activity only in its motivation; people engage in terrorism for the purpose of promoting ideological principles, rather than for personal benefit.[2] Terrorist activity differs from warfare in the identity of the perpetrator; civilians engage in terrorism as individuals, not officially on behalf of nation-states.[3]

Throughout the course we have considered the questions of whether certain kinds of cybercrimes cause harm in the “real world,” and whether the harms they inflict warrant governmental intervention and criminal sanctions.  Those questions are easily answered in the case of cyberterrorism, since the object of cyberterrorism is to cause mass, real-world disruption and destruction.  Cyberterrorism is a real-world threat because people now exchange and store so much crucial information digitally.[4] Commentators have predicted that cyberterrorists could:

  • hack into multiple computers at once to disrupt banking and stock market transactions;
  • manipulate air traffic control systems to cause plane crashes;
  • hack into a pharmaceutical company’s system to change the formula of a medication to be toxic or ineffective; or
  • break into a utility company’s computers to change the pressure in a gas lines, potentially causing an explosion.[5]

The following are examples of cyberterrorism attacks that have actually occurred:

• Australia, 2002: A hacker was arrested for hijacking the central control system of a sewage and water treatment plant, and pumping one million liters of sludge into parks and river systems, and onto hotel grounds. This was the first known case of a hacker successfully causing harm to physical infrastructure.[6]

• India and Pakistan, 1999-2001: Hackers on both sides of the Kashmir territory dispute used cyberattacks to disrupt systems and disseminate information. Pro-Pakistani defacement of Indian websites increased from 45 events in 1999 to 275 in the first eight months of 2001.[7]

• Massachusetts, 1996: A hacker claiming to be affiliated with a white supremacist organization disabled an ISP, and destroyed the ISP’s data files. The attack came after the ISP tried to block the hacker’s dissemination of racist e-mail falsely attributed to the ISP.[8]

• Spain, 1998: Spanish activists “spammed” the Institute for Global Communications (IGC)–that is, they flooded the server with thousands of bogus e-mail messages–causing the IGC’s servers to crash. The activists demanded that IGC stop hosting a pro-Basque independence website. IGC finally relented, and closed the website.[9]

• Washington State, 2005: While establishing a “botnet” network, which is a network of compromised computers used to launch simultaneous attacks against other computers,[10] hackers infiltrated a hospital computer network, disabling operating-room doors, damaging computers in the intensive-care unit and affecting doctors’ pagers, thereby threatening patient safety.[11]

• Worldwide, 1997: Beginning in December, the Electronic Disturbance Theater orchestrated several Web sit-ins in support of the Mexican Zapatistas. The sit-ins involved thousands of protestors who, at a prearranged time, simultaneously attacked websites with denial-of-service software.[12]

• Worldwide, 1998: Ethnic Tamil guerrillas spammed Sri Lankan embassies around the world over a two-week period, paralyzing electronic communications.[13]

• Worldwide, 1999: During the Kosovo conflict, “hacktivists” protesting NATO bombings targeted NATO computers with e-mail bombs and “denial-of-service” attacks. Activists in several eastern European countries also sent virus-infected political e-mails to businesses and other organizations, and defaced websites.[14]

• Worldwide, 2002: Powerful “Distributed Denial of Service” (DDoS) attacks were launched at the Internet’s 13 root servers, which direct all traffic around the world between the Internet’s hundreds of millions of users and millions of host computers. Nine of the thirteen root servers were crippled for one hour, causing a dramatic slowdown of service around the world.[15]

• Worldwide, 2003: The worm called “sapphire,” “slammer,” and “SQ hell” inundated systems around the world with as much as 125 megabytes of data per second per system, bringing down five of the Internet’s thirteen root servers.[16]

In addition, in 2007, cyberterrorists who have never been identified used botnets to launch a DDoS attack that shut down Estonia’s largest bank.[17]

As these examples show, cyberterrorism is most definitely capable of inflicting harm in the physical world, and those harms are certainly severe enough to warrant government regulation and criminal sanctions.  Susan Brenner argues that law is a societal tactic to maintain order and prevent chaos, and because cyberterrorism creates chaos, it is well within the proper scope of the law to prevent and punish cyberterrorism.[18] The problem with cyberterrorism law, as we have seen in so many other online contexts, is one of identification and enforcement.  Right now in the U.S., the legal structure in place to respond to cyberterrorism is fragmented and would be ineffective in the event of a major attack.  Kim Taipale of the Stilwell Center for Advanced Studies in Science and Technology Policy tells The Harvard Law Record that the U.S. has no “unified legal regime” in place to respond to cyberterrorist attacks, and that there is a “gap between law-makers and authorities” on the matter. [19] “Whether the military or police should respond, whether it is domestic or foreign is not fully determined.’”[20]

Susan Brenner also identifies this fragmented legal structure as the major obstacle to identifying and responding to cyberterrorism.  She recommends two steps to solve the problem: first, that we allow the military to transmit unclassified information regarding cyberattacks to law enforcement; and second, that we get civilians involved in enforcement efforts.[21] She argues that law enforcement officials do not yet have the technology to scan cyberspace for attacks, while the military already has the technology, training, and budget to do so.  If the military could share information on online terrorist activity with law enforcement, then law enforcement could take action on a local level.[22] Brenner also suggests that civilian internet users could get involved in scanning for cyberthreats either on a voluntary, ad hoc basis, or through creation of a new civilian law enforcement institution, and transmit the information they gather to local law enforcement.[23]

The U.S. government is beginning to take the threat of cyberterrorism more seriously.  President Obama just transferred Leonard Bailey from the Department of Justice’s Computer Crimes and Intellectual Property Division to the National Security Division to spearhead the administration’s cybercrime efforts.[24] Hopefully, this administration will develop a more streamlined legal structure for responding to cyberthreats.

[1] Susan Brenner, Cyberthreats: The Emerging Fault Lines of the Nation State 7, 37 (2009).


[2] Id. at 7.

[3] Id. at 6.

[4] Victoria Baranetsky, What is cyberterrorism? Even experts can’t agree, The Harvard Law Record, Nov. 6, 2009, available at http://www.hlrecord.org/news/what-is-cyberterrorism-even-experts-can-t-agree-1.861186.

[5] Mohammad Iqbal, Defining Cyberterrorism, 22 J. Marshall J. Computer & Info. L. 397, 397(2004) (citing Marc D. Goodman and Susan W. Brenner, The Emerging Consensus on Criminal Conduct in Cyberspace, 2002 UCLA J.L. & Tech. 3, §8 Cyberterrorism).

[6] Kevin P. Cronin and Ronald N. Weikers, Data Security and Privacy Law: Combating Cyberthreats, Data S.P.L. § 1:5 (2009) (citing Barton Gellman, Cyber-Attacks by Al Qaeda Feared (June 27, 2002), at http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26?).

[7] Id. (citing Cyber Attacks During the War on Terrorism (Sept. 22, 2001), at http://www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_attacks.htm).

[8] Id. (citing Terrorist Threats to the United States: Hearing Before the House Comm. on Armed Services, Special Oversight Panel on Terrorism, 106th Congress (May 23, 2000) (statement of Dorothy E. Denning, Professor, Georgetown University), at http://www.house.gov/hasc/testimony/106thcongress/00-05- 23denning.htm).

[9] Id.

[10] Id. (citing Wikipedia contributors, “Botnet,” Wikipedia, The Free Encyclopedia, http://en.wikipedia.org/w/index.php?title=Botnet&oldid=105581006).

[11] Id. (citing Maureen O’Hagan, 3 Accused of Inducing Ill Effects on Computers at Local Hospital, Seattle Times, Feb. 11, 2006, available at http://seattletimes.nwsource.com/html/localnews/2002798414_botnet11m.html).

[12] Id. (citing Terrorist Threats to the United States: Hearing Before the House Comm. on Armed Services, Special Oversight Panel on Terrorism, 106th Congress (May 23, 2000) (statement of Dorothy E. Denning, Professor, Georgetown University), at http:// www.house.gov/hasc/testimony/106thcongress/00-05-23denning.htm).

[13] Id.

[14] Id.

[15] Id. (citing McGuire and Krebs, Attack On Internet Called Largest Ever, washingtonpost.com (Oct. 22, 2002), at http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html).

[16] Id. (citing Massive DDoS Attacks All Over U.S. (Jan. 24, 2003), at http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416.)

[17] Brenner, supra note 1, at 1-4.

[18] Id. at 8.

[19] Baranetsky, supra note 4.

[20] Id.

[21] Brenner, supra note 1, at 246-47.

[22] Id. at 247.

[23] Id. at 254.

[24] Baranetsky, supra note 4.

~ by cstockard on November 16, 2009.

6 Responses to “Policy Issues in Connection with Cyberterrorism”

  1. What scares me so much about cyber-terrorism is the anonymity. The only link thing that can be traced about the cyber-terrorist is the IP address. The tools and knowledge for the acts are also distributed through the internet. It’s obvious that this is a growing problem, but a solution will not be so obvious. Even if jurisdiction is not an issue, I think it would be difficult to track everything down.

  2. I absolutely agree that there needs to be regulation and prevention of cyberterrorism. This, of all the topics we have studied so far, is the most dangerous, in my opinion because we have seen that cyberterrorists are capable of doing so much harm, in the real world. I would never even have thought, on my own, of some of the terrifying examples given such as hacking into a computer to change a pharmaceutical formula. These actions can have a major effect on people and they are even more dangerous because they can go undetected for so long and be anonymous. My major concern with monitoring the Internet for cyberterrorism is the infringement of privacy of individuals. How will the Internet be monitored? How can we really catch cyberterrorists without monitoring what everyone is doing on the Internet on a daily basis (something that in and of itself would be very difficult)?

  3. Truly terrifying stuff…I feel like prevention is key, making it harder for hackers to commit the offenses in the first place. As Sam already pointed out, the only traceable link once the crime is committed is the IP, and if cyberterrorists are able to commit these acts with cybercafe-level computers without any specialized hardware or software, then having the IP after the crime may not be enough. I find the idea of essentially ‘deputizing’ civilians as volunteer white-hats interesting, but have to wonder at the level of interest that would be displayed…maybe this is just me, but I’d probably want compensation for that kind of time or work.

  4. It is a frightening proposition to consider the fact that terrorism is constantly evolving to achieve ideological goals that disrupt mainstream society. In the shadows of improvised explosive devices are new forms of terrorism that affect a larger segment of society, potentially on the home front. For years America has ‘taken the fight to the terrorists’ so we do not have to fight the terrorist on our moist soil. However, with cyberterrorism, the battles are fought at home and on our work computers alike. Cyberterrorists have the capability to quickly disrupt utility companies, banks, and financial institutions which can lead to severe breakdown in day to day activities in our society. The fact that terrorists now have the capability to expose hundreds of thousands of people to hazards via hacking websites is a scary proposition. In addition to our soldiers battling improvised explosive devices on the dirt roads a world away are the computer technicians protecting internet servers in financial institutions and banks on the home front.

  5. As everything is controlled through computers these days, there is little doubt that cyberterrorism can be far more destructive than anything somebody does in person. Besides creating havoc in the financial markets, cyberterrorism has the real potential of killing people. There is no question that we have to do what we can in order to protect ourselves from cyberterrorism. The real question is how far we are willing to go to protect ourselves.

    The way computers work now, civilians are actually in a position where they may be more advanced than the government. Computer hackers are constantly improving their methods and computer programs at a speed that the government cannot hope to match. While the government may have the most modern stealth bombers, tanks, and machine guns; this is an area of security where the government is frightfully exposed.

    Because of the government is not adequately prepared to prevent a large-scale cyberterrorism incident, and there is such huge potential for devastating losses, I am afraid that the government may try to heavily regulate the use of the Internet in the near future. It is hard for me to visualize how this can work, but I’d imagine governments can potentially treat computers as they do dangerous weapons; force users to obtain licenses and prevent users from obtaining the most powerful computers. While I hope this is just a paranoid dream, the threat of cyberterrorism is real, and I’d imagine that once there are victims, governments will come down on the Internet with an iron fist.

  6. […] on issues in connection with cyber terrorism you can visit an article posted in 2009 on this site (https://virtualcrimlaw.wordpress.com/2009/11/16/policy-issues-in-connection-with-cyberterrorism/). Some serious threats to consider are things that could disrupt society immediately; they may […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: