Consequences of Overstating the Cyber Terrorism Threat

Summary: Chapter 4 of Edwin Covert’s series about cyberterrorism explains the severe penalties enacted since 9/11, their potential for misuse (accidental or deliberate), and how these poorly crafted laws and the public fear that created them both make us less safe. (1st of 2 posts today)

By Edwin Covert

From DarkMatters

16 December 2014

Posted with the author’s gracious permission

In the first installment of this series we examined the concepts behind cyberterrorism as a strategy, and the second article looked deeper into how cyberterrorism is being portrayed by the media, government and academia. The third part of the series examined why cyberterrorism is much more complex than most realize, and this last article in the series takes a look at the potential consequences of overstating the cyberterrorism threat.

There are side effects of the mischaracterization of cyberterrorism by the media and popular culture. In the United States, the Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, or PATRIOT Act, was passed in the immediate aftermath of the September 11, 2001 attacks. It has two key provisions designed to counter potential cyberterrorist activity and increase the punishment for computer crimes (US Government, 2001). Section 814 of the PATRIOT Act enumerated specifically the goals of deterring and preventing cyberterrorism.

First, it increased the minimum prison terms for unauthorized access to a computer system, regardless of activity once in the system i.e. mixing criminal activity and cyberterrorism under a cyberterrorism section heading (§ 814.a.4).

Second, the law amended “the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment” (§ 814.f).

In other words, simply being convicted of unauthorized access to a computer system allowed a federal judge (who most likely was not familiar with the nuances of cyber threats and threat + actors) to assume the worst and lock someone up for a very long time. Outside of the United States, others have made similar decisions regarding cyber threats and the law.

In the United Kingdom, Parliament changed its Terrorism Act so that using a computer system or threatening to use a computer system that interferes or disrupts another computer system is now considered terrorism (Conway, Cyberterrorism: Hype and Reality, 2007, p. 91).

Of concern of course is who makes the determination as to what constitutes disruption. Right now, that falls to Scotland Yard. That leaves a sour taste and no small amount of anxiety for human rights workers and other civil libertarians (p. 91).

Since the advent of the Internet, life has changed remarkable for citizens of the United States and the world. Unfortunately, this pace of change brings fear.

When the legitimate danger terrorists create is married to our dependence on technology, it is understandable how people become concerned. This new sense of panic is the fear of terrorists using the computer systems we depend on against us.

Fortunately, the evidence of cyberterrorism very limited thus far. Of course, an assumption is made that cyberterrorism is properly defined as a non-state organization that creates politically motivated destruction to information, computer systems and/or computer programs leading to violence or the threat of violence (Conway, What is Cyberterrorism?, 2002).

Any implication of state-sponsorship of cyber-attacks is outside the scope of this paper, and could constitute an act of war (Shiryaev, 2012, p. 150). An analysis of the issue has demonstrated that cyberterrorism as a strategy for actual terrorists has been over-hyped through the media, academia, and popular literature. This exaggeration of capabilities has led to several instances of questionable law made by people who do not understand the intricacies involved in launching a cyberterrorist attack. Rather, they acted out of fear and doubt.

More cybersecurity professionals need to counter such sentiments by public and public officials to ensure actual threats are mitigated and unsubstantiated ones are given less priority and fewer resources. Only then can the more important threats be dealt with.

The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those Norse Corporation.

References

Ahmad, R., & Yunos, Z. “A Dynamic Cyber Terrorism Framework“, International Journal of Computer Science and Information Security, 2012, 149-158
Berner, S. “Cyber-terrorism: reality or paranoia?” South African Journal of Information Management, March 2003
Conway, M. “What is Cyberterrorism?” Current History, 2002, 436-442. Gated.
Conway, M. (2007). Cyberterrorism: Hype and Reality. In L. Armistead, Information Warfare: Separating Hype from Reality (pp. 72-94). Potomac Books
Conway, M. “Against Cyberterrorism“, Communications of the ACM, 2011, 26-28. Gated.
Corrin, A. “Frequency, costs of cyberattacks on the rise“, Federal Computer Week, 8 October 2013
MAE East Colocation Birdseye. Cryptome. 13 February 2006
Gable, K. A. Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent. Vanderbilt Journal of Transnational Law, 6 July 2012
Hildebrandt, M. “Legal Protections by Design: Objections and Refutations”, Legisprudence, 5(2) – 2011, 223-248
Hoffman, B. (2006). Inside Terrorism. Columbia University Press
Jones, G. Cyber terror threat is growing, says Reid. The Telegraph, 26 April 2007
Lenzner, R., & Vardi, N. The Next Threat. Forbes, 20 September 2004
Lewis, J. A. “Assessing the Risk of Cyber Terrorism Cyber War and Other Cyber Threats“, Center for Strategic and International Studies, December 2002
Malone, M. S. “Silicon Insider: Fighting Cyberterror“, ABC News, 18 August 2005
Mueller, R. (Director of the FBI), Prepared Remarks at RSA Cyber Security Conference. San Francisco, 1 March 2012
Nacos, B. “Accomplice or Witness? The Media’s Role in Terrorism“, Current History, 2000, 174-178. Gated.
Global Terrorism Database of the National Consortium for the Study of Terrorism and Responses to Terrorism. (2012). University of Maryland
Nyugan, R. “Navigating Jus Ad Bellum in the Age of Cyber Warfare“, California Law Review, 104 #4 (2013), 1079-1129
Panetta, L “Defending the Nation from Cyber Attack“, speech to the Business Executives for National Security, NYC, 11 October 2012
Saint-Claire, S. Overview and Analysis of Cyber Terrorism. School of Doctoral Studies (European Union) Journal, 2011, 85-98
Shiryaev, Y. “Cyberterrorism in the Context of Contemporary International Law“, San Diego International Law Journal, Fall 2012, 139-192
Two arrested for cyber terror support. UPI, 24 August 2006
DoD Operations Security (OPSEC) Program. Defense Technical Information Center, 20 June 2012
Country Reports on Terrorism. Bureau of Counterterrorism, US Department of State, 30 May 2012
Critical Infrastructure Protection, Presidential Decision Directive 63, 22, May 1998
USA Patriot Act. US Government. 26 October 2001
Verton, D. (2003). Black Ice: The Invisible Threat of Cyber-Terrorism. McGraw-Hill/Osbourne
Weber, R. H. “Internet of things – Governance quo vadis?“, Computer Law and Security Review, August 2013, 341-347. Gated.
Witty, D. M. “Attacking al Qaeda’s Operational Centers of Gravity“, Joint Forces Quarterly, Q1 2008, 98-103

————————————————–

About the Author

Edwin Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area. He works with both government and commercial organizations and is an author on a diverse array of cybersecurity topics.

He holds the Certified Information Systems Security Professional (CISSP^®) designation from (ISC)²^® . He is also a certified Project Management Professional (PMP). He holds two designations from ISACA (previously known as the Information Systems Audit and Control Association): the Certified Information Security Manager (CISM), and the Certified in Risk and Information Systems Controls (CRISC). Additionally, he also has held the GIAC Certified Incident Handler designation from the SANS Institute. He is a member of the Order of the Sword & Shield, a national honor society for homeland security, intelligence, emergency management and other protective security disciplines.

From the Norse Corp website.