Consequences of Overstating the Cyber Terrorism Threat

Summary:  Chapter 4 of Edwin Covert’s series about cyberterrorism explains the severe penalties enacted since 9/11, their potential for misuse (accidental or deliberate), and how these poorly crafted laws and the public fear that created them both make us less safe. (1st of 2 posts today)

CyberWarrior Obama

By Edwin Covert

From DarkMatters

16 December 2014

Posted with the author’s gracious permission

In the first installment of this series we examined the concepts behind cyberterrorism as a strategy, and the second article looked deeper into how cyberterrorism is being portrayed by the media, government and academia. The third part of the series examined why cyberterrorism is much more complex than most realize, and this last article in the series takes a look at the potential consequences of overstating the cyberterrorism threat.

There are side effects of the mischaracterization of cyberterrorism by the media and popular culture. In the United States, the Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, or PATRIOT Act, was passed in the immediate aftermath of the September 11, 2001 attacks. It has two key provisions designed to counter potential cyberterrorist activity and increase the punishment for computer crimes (US Government, 2001). Section 814 of the PATRIOT Act enumerated specifically the goals of deterring and preventing cyberterrorism.

First, it increased the minimum prison terms for unauthorized access to a computer system, regardless of activity once in the system, i.e., mixing criminal activity and cyberterrorism under a cyberterrorism section heading (§ 814.a.4).

Second, the law amended “the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment” (§ 814.f).

In other words, simply being convicted of unauthorized access to a computer system allowed a federal judge (who most likely was not familiar with the nuances of cyber threats and threat actors) to assume the worst and lock someone up for a very long time. Outside of the United States, others have made similar decisions regarding cyber threats and the law.

In the United Kingdom, Parliament changed its Terrorism Act so that using a computer system or threatening to use a computer system that interferes or disrupts another computer system is now considered terrorism (Conway, Cyberterrorism: Hype and Reality, 2007, p. 91).

Of concern of course is who makes the determination as to what constitutes disruption. Right now, that falls to Scotland Yard. That leaves a sour taste and no small amount of anxiety for human rights workers and other civil libertarians (p. 91).

Since the advent of the Internet, life has changed remarkably for citizens of the United States and the world. Unfortunately, this pace of change brings fear.

 

XKCD: hacking the CIA

When the legitimate danger terrorists create is married to our dependence on technology, it is understandable how people become concerned. This new sense of panic is the fear of terrorists using the computer systems we depend on against us.

Fortunately, the evidence of cyberterrorism is very limited thus far. Of course, an assumption is made that cyberterrorism is properly defined as a non-state organization that creates politically motivated destruction to information, computer systems and/or computer programs leading to violence or the threat of violence (Conway, What is Cyberterrorism?, 2002).

Navy CyberWarriors

Any implication of state-sponsorship of cyber-attacks is outside the scope of this paper, and could constitute an act of war (Shiryaev, 2012, p. 150). An analysis of the issue has demonstrated that cyberterrorism as a strategy for actual terrorists has been over-hyped through the media, academia, and popular literature. This exaggeration of capabilities has led to several instances of questionable law made by people who do not understand the intricacies involved in launching a cyberterrorist attack. Rather, they acted out of fear and doubt.

More cybersecurity professionals need to counter such sentiments by the public and public officials to ensure actual threats are mitigated and unsubstantiated ones are given less priority and fewer resources. Only then can the more important threats be dealt with.

The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those of Norse Corporation.

References

————————————————–

Edwin Covert

About the Author

Edwin Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area. He works with both government and commercial organizations and is an author on a diverse array of cybersecurity topics.

He holds the Certified Information Systems Security Professional (CISSP®) designation from (ISC)²®. He is also a certified Project Management Professional (PMP). He holds two designations from ISACA (previously known as the Information Systems Audit and Control Association): the Certified Information Security Manager (CISM), and the Certified in Risk and Information Systems Controls (CRISC). Additionally, he also has held the GIAC Certified Incident Handler designation from the SANS Institute. He is a member of the Order of the Sword & Shield, a national honor society for homeland security, intelligence, emergency management and other protective security disciplines.

From the Norse Corp website.

Cyber-Ninja

Posts in this Series

  1. Cyber Terrorism as a Strategy
  2. Selling Fear: How Cyber Terrorism is Being Portrayed
  3. Unraveling the Complexities of Cyber Terrorism
  4. Consequences of Overstating the Cyber Terrorism Threat

For More Information

Other interesting new articles about cyberattacks:

  1. “If Cyberattacks Are Terror, Who’s the Biggest Terrorist?”, Micah Zenko, The National Interest, 7 January 2015.
  2. “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever”, Kim Zetter, Wired, 8 January 2015.

See all posts about Information & disinformation, in the new media & the old.

Posts by Marcus Ranum about cyber-espionage and cyberwar:

  1. Obama knows how to lead America by exploiting our fears, 5 June 2009 — About cyberwar
  2. Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy, 2 September 2011
  3. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  4. Conflating Threats, 14 September 2011
  5. About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
  6. Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
  7. About Attribution (identifying your attacker), 21 October 2011
  8. You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011
  9. Parsing Cyberwar – Part 1: The Battlefield, 9 August 2012
  10. Parsing Cyberwar – Part 2: The Logistical Train, 10 August 2012
  11. Parsing Cyberwar – Part 3: Synergies and Interference, 13 August 2012
  12. Parsing Cyberwar – Part 4: The Best Defense is a Good Defense, 20 August 2012
  13. Cyberwar, the Power of Nightmares, 31 August 2012

 
