Australian Law Reform Commission - Reform Journal |
Reform Issue 82 Autumn 2003
This article appeared on pages 8 - 13 of the original journal.
Cyberterrorism
By Peter Grabosky and Michael Stohl*
Few terms in contemporary conventional discourse are used as loosely as ‘cyber’ and ‘terrorism’. Not surprisingly, their use together is hardly a guarantor of conceptual rigour. In this brief contribution, we seek to spell out what cyberterrorism is, and how it might be regulated.
To some, the term ‘cyber’ is synonymous with digital technology generally. This is increasingly unhelpful given the pervasiveness of digital technology in contemporary society. As kitchen appliances increasingly become ‘wired,’ almost everything will be digital. For present purposes, let us use the term cyber to refer to those technologies commonly referred to as the internet and the world wide web.
The term terrorism has been grossly abused, and means many things to many people. To some, it has almost become synonymous with anything evil. Since the cold war, the adage ‘one person’s terrorist is another’s freedom fighter’ has become hackneyed. The term terror was first used to describe the systematic use of violence and the guillotine by the Jacobin and Thermidorian regimes in France;1 that is, as an instrument of state control. Subsequent use of terror was discussed as an element of totalitarian dictatorships of the left and right.2 The systematic use of violence by non-state actors over the past two centuries has led to a broadening of the term. Today, the term is used to refer to an act or threat of violence to create fear and/or compliant conduct in a victim or wider audience for the purpose of achieving political ends.3
What, then, is cyberterrorism? For present purposes, let us accept Dorothy Denning’s definition of cyberterrorism: “unlawful attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.”4
The key elements here are coercion and intimidation. One need only look to acts of ‘conventional’ terrorism to get a sense of what they entail. The September 11 attacks, the Bali bombing, the Sarin gas attacks in the Tokyo subway, and the recent Palestinian suicide bombings in Israel all involved dramatic use of violence. Is there a cyber equivalent?
To be sure, cyberspace is full of ones and zeroes designed to harass and annoy. Some readers would have seen examples of defaced websites of which the CIA’s may be the most notorious example.5 But US government websites are not unique targets of defacement. Pro-Pakistan defacements of Indian websites, and pro-Palestinian attacks on Israeli websites, are not uncommon.6 But this is hardly terrorism.
Most readers will have experienced some inconvenience as a result of viruses such as ILOVEYOU, Melissa, and Code Red, or would have heard about the distributed denial of service attacks against Amazon.com, Yahoo, and other prominent e-commerce sites in February 2000. These activities were more than an inconvenience to some; collective losses to businesses around the world exceeded hundreds of millions of dollars. But harassment and annoyance, or indeed, financial loss, is not coercion and intimidation. Can there be a cyber equivalent of the death and destruction produced by acts of terrestrial terrorists?
Attacks on critical infrastructure
In the digital age, it has become trite to suggest that everything depends on software. Much of the infrastructure on which modern societies depend (communications, electric power, water, transportation, financial systems) depends on digital technology.
More and more commercial activity occurs online. The increasing connectivity of computing and communications has increased our capacity to do good, and to impose harm. While some elements of critical infrastructure are connected to the internet, others are not. To the extent that they are connected, they are more vulnerable to attack.
One of the distinctive characteristics of internet and web-based technologies is the tremendous capacity they place in the hands of ordinary individuals. A person with ordinary computer skills can now communicate with millions of others, instantaneously, and at negligible cost. A teenager can halt commercial activity, and manipulate the price of shares traded on the stock exchange; the distributed denial of service attacks discussed above were the work of a 15-year-old Canadian who called himself ‘Mafiaboy’.
In western industrial societies generally, and increasingly around the world, much national infrastructure is privately owned, which usually precludes centralised national control. Regardless of ownership, infrastructure connected to the internet is potentially accessible to skilled hackers. What this means is that some systems that support essential services in advanced industrial societies are vulnerable to attack. Although such attacks have yet to occur on a sustained and widespread basis, we have seen examples of significant damage occasioned by isolated attacks. In addition to the aforementioned viruses and distributed denial of service attacks, the annals of cybercrime include various acts of electronic theft where financial institutions have been victimised.7 A Massachusetts teenager succeeded in disabling communications to the air traffic control tower at Worcester Regional Airport in 1997.8
Not all attacks are the work of ‘outsiders’. Systems are also vulnerable to subversion by disgruntled employees, former employees, or contractors, for a variety of motives. It is important to emphasise that the CSI/FBI Computer Crime and Security Survey between 1996 and 2000 found that insiders topped the list of ‘likely sources’ of cyberattack with more than 80% of respondents citing them as a likely source. In the 2000 survey, 71% of the respondents reported insider unauthorised access incidents.9 In 2001 a person was convicted of hacking into the computerised waste management system of Maroochy Shire, Queensland, causing millions of litres of raw sewage to spill out into local rivers and parks.10 Although the individual in question appears to have been acting alone, to the extent that other ‘insiders’ are able and willing to act in concert with ‘outsiders’ (potential terrorists or otherwise), vulnerabilities may be greater.
If the potential to do harm in cyberspace were harnessed, concerted and concentrated on the critical infrastructure of one nation, one could envisage a scenario the consequences of which would approximate the effects of terrorism. Risk assessments have identified these contingencies as plausible, but to date, such an event has not occurred. As Denning suggests, for the time being, terrorists continue to prefer truck bombs over logic bombs.11
While attacks on critical infrastructure alone might not be regarded as terrorism, they could, when combined with traditional tactics, enhance the overall intimidating and coercive effect of a terrorist attack. For example, the detonation of a bomb, combined with a disruption of electric power supplies, air traffic control systems, or telephone services, would highlight multiple vulnerabilities and thus appear more fearsome.
Ancillary uses of cyberspace in furtherance of terrorism
While digital technology may not be the primary instrument of terrorists, they do use it for ancillary purposes. The internet is a wonderful medium of communications, fast and cheap. It is available to the vicious as well as to the virtuous. Terrorists can and do communicate with each other with great efficiency, and depending upon their ability to exploit the technology, their communications may be very difficult to detect and trace.
In addition to communications among themselves, terrorists can use the internet and web-based technologies to disseminate messages about their objectives. This expression can be symbolic (as in the case of website defacement), or it can be used in furtherance of propaganda, recruitment or fund raising.
Prevention
The first line of defence against terrorism, whether terrestrial or through cyberspace, is prevention. In the early days of Australian Federation, one could enter government buildings freely. Now the occupants of these buildings are required to display photo identification, and visitors usually must be escorted. Security is a design feature of public (and many private) buildings.
So it is with information systems. Even those organisations that have a large public clientele (such as those in the business of e-commerce or electronic banking) are well advised to safeguard systems, just as they would secure the front doors to the bank and the department store after business hours. An ideal system has firewalls and other filtering technologies to render it less vulnerable to cyber-attack. It has audit routines to assess vulnerabilities, alarms that identify anomalous on-line behaviour, and systems administrators to ‘mind the store’. An ideal system for critical infrastructure and critical information also ‘air gaps’ the sensitive cybersystem by physically disconnecting it from the internet, making it inaccessible to outside hackers. Green argues that the US Department of Defense, the CIA’s classified computers and the FBI’s entire computer system are all ‘air gapped’ and that the Federal Aviation Administration receives high marks for separating its administrative and air traffic control systems and strictly air gaps the latter.12 A number of Australian systems are similarly protected.
Information systems are also vulnerable because of human factors. Negligent or malicious use of an organisation’s information system by employees can contribute significantly to the organisation’s vulnerability. A comprehensive information security system will entail careful staff selection and systematic training, including such mundane matters as password management and unauthorised use of the organisation’s information systems.
Systems vulnerability may also arise from less than impregnable software, much of which is designed for user-friendliness and convenience rather than for security. The common industry response is for manufacturers to structure their license conditions to avoid potential liability, then to make ‘patches’ available as vulnerabilities become apparent later on. Whether market forces will eventually drive the widespread development of ‘bullet-proof’ software remains to be seen.
Even in those countries where much infrastructure is privately owned, governments work hard to encourage cybersecurity. In Australia, the National Office for the Information Economy (NOIE) has developed an awareness program for owners of critical infrastructure.13 In the United States, the President’s Critical Infrastructure Protection Board has developed a National Strategy to Secure Cyberspace.14
Despite these safeguards, it is generally acknowledged that most nations suffer from a lack of a comprehensive knowledge base regarding breaches of information security. Organisations in the private sector are often reluctant to share their experiences of cyberattacks, for fear of adverse publicity.
To overcome this understandable reluctance to report one’s vulnerability, it has been suggested that ‘reporting’ communities be created within industry sectors. These ‘communities of trust’ would develop appropriate reporting routines, using software that makes the ‘location’ of the attack anonymous but immediately reports the attack to the community security managers who can provide immediate warning to the IT security people at the other locations. The establishment of such a trusted information-sharing network was announced by the Australian Government in 2002.15 There is still a lot of trust-building to be done, however, and legislation may be required in order to overcome legal impediments to such cooperation within industry.
The adequacy of legal safeguards
Is the law adequate to combat cyberterrorism? Most technologically advanced nations have now criminalised those categories of conduct that would serve as the vehicle for a cyberterrorist attack. In Australia, the Cybercrime Act 2001 (Cth) created a number of offences relating to computer systems, including:
• unauthorised access, modification or impairment to commit a serious offence;
• unauthorised modification of data to cause impairment;
• unauthorised impairment of electronic communication;
• unauthorised access to or modification of restricted data;
• unauthorised impairment of data held in a computer disk, credit card or other data storage device;
• possession of data with intent to commit a computer offence; and
• production, supply or obtaining of data with intent to commit a computer offence.
The law is sufficiently broad to embrace both ‘ordinary’ cyber-criminality (such as hacking, the release of viruses, etc) and the more serious manifestations of crime that might attract the label of cyberterrorism. Importantly, the Act extends jurisdiction to situations where the conduct constituting the offence occurs wholly or partly in Australia or on board an Australian ship or aircraft, or where the result of the conduct constituting the offence occurs wholly or partly in Australia or on board an Australian ship or aircraft.
In the United States, the National Information Infrastructure Protection Act of 1996 protects the confidentiality, integrity, and availability of systems and information. These amendments to The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 strengthened the law prohibiting computer intrusion, trespass, communication of threats, and occasioning damage.16
Whether procedural laws are in place that would permit expeditious real-time investigation of a cyber-terrorist attack may be another matter. Australia, the nations of the G-8, and a few other countries have all established 24/7 contact points, where law enforcement specialists can obtain assistance from their counterparts in participating countries at any time of the day or night without having to go through formal (and very time consuming) processes of mutual assistance. The problem is compounded when attacks are routed through servers in a number of different nations.
Whether these measures function imperfectly or not at all, some interesting legal issues exist. Assume a critical system is under attack. The attack apparently originates in a country whose authorities are (for whatever reason) not available to assist. To what extent can Australian authorities remotely access the computers in self-defence or in furtherance of an investigation? The legality of such arrangements may not always be clear. To send a team of investigators without authorisation to ‘Country B’ to conduct a criminal investigation or to interdict a criminal enterprise, would constitute a violation of ‘Country B’s’ sovereignty. This principle would appear to apply to investigations in cyberspace no less than on the ground.
Government agencies are limited by law in their conduct of investigations. While the Australian Security Intelligence Organisation (ASIO) has powers to remotely access computers (under the authority of a warrant signed by the Attorney-General of Australia), the ASIO Act explicitly forbids deletion or alteration of data, or “the doing of any thing, that interferes with, interrupts or obstructs the lawful use of the target computer by other persons, or that causes any loss or damage to other persons lawfully using the target computer.”17
Australian law nevertheless offers some protection to certain authorised investigators. The Cybercrime Act 2001 created a new section of the Criminal Code (s 476.5(1)) under which a staff member of the Australian Secret Intelligence Service (ASIS) or the Defence Signals Directorate (DSD) is not subject to any civil or criminal liability for any computer related act done outside Australia if the act is done in the proper performance of a function of the agency.18
In most jurisdictions, response by a private citizen to an attack by ‘counter-hacking’ is discouraged because the true originator of the attack may have masked his or her identity or, indeed, assumed the identity of an innocent third party. Counter-hacking, in other words, risks substantial collateral damage. Nevertheless, one imagines that considerable thought is being given to the use of digital technology in pre-emptive or ‘hot pursuit’ situations by authorised government agents. In February 2003, it was reported that President Bush had signed a secret order allowing the US government to develop guidelines for cyberattacks against foreign computer systems.19
The legality of remote, cross-border searches or retaliatory activity in response to apparent cyberterrorism, or even in response to more conventional cybercrime, is an area of law that remains muddy. It will be fertile ground for law reformers.
* Professor Peter Grabosky is based at the Research School of Social Sciences at the Australian National University. Professor Michael Stohl is a professor of communications at the University of California, Santa Barbara.
Endnotes
1. M Stohl, “Demystifying Terrorism: The Myths and Realities of Contemporary Political Terrorism” in M Stohl (ed), The Politics of Terrorism, (3rd ed), (1988), Marcel Dekker, New York.
2. C Friedrich and Z Brzezinski, Totalitarian Dictatorship and Autocracy, (1965), Harvard University Press, Cambridge MA.
3. M Stohl, ibid.
4. D Denning, ‘Cyberterrorism’ Testimony before the Special Oversight Panel on Terrorism, Committee on Armed Services, U.S. House of Representatives, 23 May 2000, Terrorism Research Center, <http://www.terrorism.com/documents/denning-testimony.shtml> , 7 January 2003, 10.
5. <http://www.unc.edu/courses/jomc191/cia/cia.html> , 7 January 2003.
6. M Vatis, Cyber Attacks During the War on Terrorism: A Predictive Analysis, (2001), Institute for Security Technology Studies, Dartmouth College, Hanover New Hampshire.
7. P Grabosky, R Smith and G Dempsey, Electronic Theft: Unlawful Acquisition in Cyberspace (2001) Cambridge University Press, Cambridge UK.
8. CNN, ‘Teen hacker faces federal charges: Caused computer crash that disabled Massachusetts airport’ 18 March 1998, <http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/> , 10 January 2003.
9. R Power, Tangled WEB: Tales of Digital Crime from the Shadows of Cyberspace, (2000), Indianapolis: Que, a division of Macmillan, USA, 179.
10. L Tagg, ‘Aussie hacker jailed for sewage attacks’ Iafrica.com, 1 November 2001, <http://cooltech.iafrica.com/technews/archive/november/837110.htm> , 19 February 2003.
11. D Denning, ‘Cyberwarriors: Activists and Terrorists Turn to Cyberspace’ (2001) 23(2) Harvard International Review 70-75.
12. J Green, ‘The Myth of Cyberterrorism’ Washington Monthly Online, Jan/Feb 2003, <http://www.washingtonmonthly.com/features/2001/0211.green.html> , 19 February 2003.
13. <http://www.noie.gov.au/projects/confidence/Protecting/index.htm> , 15 February 2003.
14. <http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf> , 15 February 2003.
15. D Williams and R Alston, ‘Protecting Australia’s Critical Infrastructure’ Media Release, 29 November 2002, <http://nationalsecurity.ag.gov.au/www/attorneygeneralHome.nsf/Web+Pages/E078BAC9BA04FEBCCA256C800012C461?OpenDocument> , 16 February 2003.
16. Computer Crime and Intellectual Property Section, US Department of Justice, ‘Legislative Analysis of the 1996 National Information Infrastructure Protection Act’ (1997) 2 Electronic Information Policy & Law Rep 240, 240.
17. Australian Security Intelligence Organisation Act 1979 (Cth), s 25A(5).
18. Department of the Parliamentary Library, ‘Intelligence Services Bill 2001’ (2001), Bills Digest No.11, 2001-02, <http://www.aph.gov.au/library/pubs/bd/2001-02/02bd011.pdf> , 17 February 2002.
19. Associated Press, ‘Bush order OKs attacks on foreign computers: Defense Department cleared for cyber war’ Knox News, 10 February 2003, <http://www.knoxnews.com/kns/tech/article/0,1406,KNS_8976_1733748,00.html> , 15 February 2003.
URL: http://www.austlii.edu.au/au/journals/ALRCRefJl/2003/3.html