Summary: Chapter 4 of Edwin Covert’s series about cyberterrorism explains the severe penalties enacted since 9/11, their potential for misuse (accidental or deliberate), and how these poorly crafted laws and the public fear that created them both make us less safe. (1st of 2 posts today)
By Edwin Covert
16 December 2014
Posted with the author’s gracious permission
In the first installment of this series we examined the concepts behind cyberterrorism as a strategy, and the second article looked deeper into how cyberterrorism is being portrayed by the media, government and academia. The third part of the series examined why cyberterrorism is much more complex than most realize, and this last article in the series takes a look at the potential consequences of overstating the cyberterrorism threat.
There are side effects of the mischaracterization of cyberterrorism by the media and popular culture. In the United States, the Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, or PATRIOT Act, was passed in the immediate aftermath of the September 11, 2001 attacks. It has two key provisions designed to counter potential cyberterrorist activity and increase the punishment for computer crimes (US Government, 2001). Section 814 of the PATRIOT Act enumerated specifically the goals of deterring and preventing cyberterrorism.
First, it increased the minimum prison terms for unauthorized access to a computer system, regardless of activity once in the system i.e. mixing criminal activity and cyberterrorism under a cyberterrorism section heading (§ 814.a.4).
Second, the law amended “the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment” (§ 814.f).
In other words, simply being convicted of unauthorized access to a computer system allowed a federal judge (who most likely was not familiar with the nuances of cyber threats and threat + actors) to assume the worst and lock someone up for a very long time. Outside of the United States, others have made similar decisions regarding cyber threats and the law.
In the United Kingdom, Parliament changed its Terrorism Act so that using a computer system or threatening to use a computer system that interferes or disrupts another computer system is now considered terrorism (Conway, Cyberterrorism: Hype and Reality, 2007, p. 91).
Of concern of course is who makes the determination as to what constitutes disruption. Right now, that falls to Scotland Yard. That leaves a sour taste and no small amount of anxiety for human rights workers and other civil libertarians (p. 91).
Since the advent of the Internet, life has changed remarkable for citizens of the United States and the world. Unfortunately, this pace of change brings fear.
When the legitimate danger terrorists create is married to our dependence on technology, it is understandable how people become concerned. This new sense of panic is the fear of terrorists using the computer systems we depend on against us.
Fortunately, the evidence of cyberterrorism very limited thus far. Of course, an assumption is made that cyberterrorism is properly defined as a non-state organization that creates politically motivated destruction to information, computer systems and/or computer programs leading to violence or the threat of violence (Conway, What is Cyberterrorism?, 2002).
Any implication of state-sponsorship of cyber-attacks is outside the scope of this paper, and could constitute an act of war (Shiryaev, 2012, p. 150). An analysis of the issue has demonstrated that cyberterrorism as a strategy for actual terrorists has been over-hyped through the media, academia, and popular literature. This exaggeration of capabilities has led to several instances of questionable law made by people who do not understand the intricacies involved in launching a cyberterrorist attack. Rather, they acted out of fear and doubt.
More cybersecurity professionals need to counter such sentiments by public and public officials to ensure actual threats are mitigated and unsubstantiated ones are given less priority and fewer resources. Only then can the more important threats be dealt with.
The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those Norse Corporation.
- Ahmad, R., & Yunos, Z. “A Dynamic Cyber Terrorism Framework“, International Journal of Computer Science and Information Security, 2012, 149-158
- Berner, S. “Cyber-terrorism: reality or paranoia?” South African Journal of Information Management, March 2003
- Conway, M. “What is Cyberterrorism?” Current History, 2002, 436-442. Gated.
- Conway, M. (2007). Cyberterrorism: Hype and Reality. In L. Armistead, Information Warfare: Separating Hype from Reality (pp. 72-94). Potomac Books
- Conway, M. “Against Cyberterrorism“, Communications of the ACM, 2011, 26-28. Gated.
- Corrin, A. “Frequency, costs of cyberattacks on the rise“, Federal Computer Week, 8 October 2013
- MAE East Colocation Birdseye. Cryptome. 13 February 2006
- Gable, K. A. Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent. Vanderbilt Journal of Transnational Law, 6 July 2012
- Hildebrandt, M. “Legal Protections by Design: Objections and Refutations”, Legisprudence, 5(2) – 2011, 223-248
- Hoffman, B. (2006). Inside Terrorism. Columbia University Press
- Jones, G. Cyber terror threat is growing, says Reid. The Telegraph, 26 April 2007
- Lenzner, R., & Vardi, N. The Next Threat. Forbes, 20 September 2004
- Lewis, J. A. “Assessing the Risk of Cyber Terrorism Cyber War and Other Cyber Threats“, Center for Strategic and International Studies, December 2002
- Malone, M. S. “Silicon Insider: Fighting Cyberterror“, ABC News, 18 August 2005
- Mueller, R. (Director of the FBI), Prepared Remarks at RSA Cyber Security Conference. San Francisco, 1 March 2012
- Nacos, B. “Accomplice or Witness? The Media’s Role in Terrorism“, Current History, 2000, 174-178. Gated.
- Global Terrorism Database of the National Consortium for the Study of Terrorism and Responses to Terrorism. (2012). University of Maryland
- Nyugan, R. “Navigating Jus Ad Bellum in the Age of Cyber Warfare“, California Law Review, 104 #4 (2013), 1079-1129
- Panetta, L “Defending the Nation from Cyber Attack“, speech to the Business Executives for National Security, NYC, 11 October 2012
- Saint-Claire, S. Overview and Analysis of Cyber Terrorism. School of Doctoral Studies (European Union) Journal, 2011, 85-98
- Shiryaev, Y. “Cyberterrorism in the Context of Contemporary International Law“, San Diego International Law Journal, Fall 2012, 139-192
- Two arrested for cyber terror support. UPI, 24 August 2006
- DoD Operations Security (OPSEC) Program. Defense Technical Information Center, 20 June 2012
- Country Reports on Terrorism. Bureau of Counterterrorism, US Department of State, 30 May 2012
- Critical Infrastructure Protection, Presidential Decision Directive 63, 22, May 1998
- USA Patriot Act. US Government. 26 October 2001
- Verton, D. (2003). Black Ice: The Invisible Threat of Cyber-Terrorism. McGraw-Hill/Osbourne
- Weber, R. H. “Internet of things – Governance quo vadis?“, Computer Law and Security Review, August 2013, 341-347. Gated.
- Witty, D. M. “Attacking al Qaeda’s Operational Centers of Gravity“, Joint Forces Quarterly, Q1 2008, 98-103
About the Author
Edwin Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area. He works with both government and commercial organizations and is an author on a diverse array of cybersecurity topics.
He holds the Certified Information Systems Security Professional (CISSP®) designation from (ISC)²® . He is also a certified Project Management Professional (PMP). He holds two designations from ISACA (previously known as the Information Systems Audit and Control Association): the Certified Information Security Manager (CISM), and the Certified in Risk and Information Systems Controls (CRISC). Additionally, he also has held the GIAC Certified Incident Handler designation from the SANS Institute. He is a member of the Order of the Sword & Shield, a national honor society for homeland security, intelligence, emergency management and other protective security disciplines.
From the Norse Corp website.
Posts in this Series
- Cyber Terrorism as a Strategy
- Selling Fear: How Cyber Terrorism is Being Portrayed
- Unraveling the Complexities of Cyber Terrorism
- Consequences of Overstating the Cyber Terrorism Threat
For More Information
Other interesting new articles about cyberattacks:
- “If Cyberattacks Are Terror, Who’s the Biggest Terrorist?“, Micah Zenko, The National Interest, 7 January 2015.
- “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever“, Kim Zetter, Wired, 8 January 2015.
See all posts about Information & disinformation, in the new media & the old.
Posts by Marcus Ranum about cyber-espionage and cyberwar:
- Obama knows how to lead America by exploiting our fears, 5 June 2009 — About cyberwar
- Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy, 2 September 2011
- “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
- Conflating Threats, 14 September 2011
- About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
- Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
- About Attribution (identifying your attacker), 21 October 2011
- You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011
- Parsing Cyberwar – Part 1: The Battlefield, 9 August 2012
- Parsing Cyberwar – Part 2: The Logistical Train, 10 August 2012
- Parsing Cyberwar – Part 3:Synergies and Interference, 13 August 2012
- Parsing Cyberwar – Part 4: The Best Defense is a Good Defense, 20 August 2012
- Cyberwar, the Power of Nightmares, 31 August 2012