Summary: Chapter 4 of Edwin Covert’s series about cyberterrorism explains the severe penalties enacted since 9/11, their potential for misuse (accidental or deliberate), and how these poorly crafted laws and the public fear that created them both make us less safe. (1st of 2 posts today)
Consequences of Overstating the Cyber Terrorism Threat
By Edwin Covert
16 December 2014
Posted with the author’s gracious permission
In the first installment of this series we examined the concepts behind cyberterrorism as a strategy, and the second article looked deeper into how cyberterrorism is being portrayed by the media, government and academia. The third part of the series examined why cyberterrorism is much more complex than most realize, and this last article in the series takes a look at the potential consequences of overstating the cyberterrorism threat.
There are side effects of the mischaracterization of cyberterrorism by the media and popular culture. In the United States, the Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, or PATRIOT Act, was passed in the immediate aftermath of the September 11, 2001 attacks. It has two key provisions designed to counter potential cyberterrorist activity and increase the punishment for computer crimes (US Government, 2001). Section 814 of the PATRIOT Act enumerated specifically the goals of deterring and preventing cyberterrorism.
First, it increased the minimum prison terms for unauthorized access to a computer system, regardless of activity once in the system i.e. mixing criminal activity and cyberterrorism under a cyberterrorism section heading (§ 814.a.4).
Second, the law amended “the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment” (§ 814.f).
In other words, simply being convicted of unauthorized access to a computer system allowed a federal judge (who most likely was not familiar with the nuances of cyber threats and threat + actors) to assume the worst and lock someone up for a very long time. Outside of the United States, others have made similar decisions regarding cyber threats and the law.
In the United Kingdom, Parliament changed its Terrorism Act so that using a computer system or threatening to use a computer system that interferes or disrupts another computer system is now considered terrorism (Conway, Cyberterrorism: Hype and Reality, 2007, p. 91).
Of concern of course is who makes the determination as to what constitutes disruption. Right now, that falls to Scotland Yard. That leaves a sour taste and no small amount of anxiety for human rights workers and other civil libertarians (p. 91).
Since the advent of the Internet, life has changed remarkable for citizens of the United States and the world. Unfortunately, this pace of change brings fear.