
 
Homeland Security Discussions
Dave Carlson - January 2, 2007


Evaluate whether government agencies and the private sector are effectively implementing counterterrorism measures for cyberterrorism.

Government agencies and the private sector are not effectively implementing counterterrorism measures for cyberterrorism. The problem was identified by Senator Schumer in 2000, but by 2005 the FBI confirmed the U.S. was still unprepared.

During a speech in April 2000, Senator Charles Schumer (Columbia University, 2000) told a group of students and faculty at Columbia University that the U.S. government and private industry need to work together to increase efforts to combat the threat of cyberspace attacks on key infrastructures such as power grids, telecommunications, transportation, and financial systems (Para. 1).

Five years later an FBI study concluded that “the United States is not yet adequately prepared to deal with cybercrime and terrorism” (Aeilts, 2005, p. 21). They added that “the significant cost of cybercrime, coupled with the difficulty of identifying it, is of national concern, and the law enforcement profession should align agencies and resources to address these issues” (Aeilts, 2005, p. 21).

The President's Information Technology Advisory Committee (2005) acknowledged there is an unresolved problem. They reported to the president that “current capabilities to investigate cyber crime, identify perpetrators, gather and present evidence, and convict criminals are woefully inadequate” (p. 43). “There also are no clear benchmarks of what level of cooperation has been achieved with state and local governments or with the private and civil sectors” (Cordesman, 2002, p. 83).

RESOURCES:

Aeilts, T. (2005, January). Defending against cybercrime and terrorism. FBI Law Enforcement Bulletin, 74(1), 14-21. Retrieved December 26, 2006 from http://www.fbi.gov/publications/leb/2005/jan2005/jan2005.htm#page14

Columbia University. (2000). U.S. Government And Private Industry Must Step Up Efforts To Combat Cyberspace Attacks, Says Senator Schumer. Columbia University News. April 20, 2000. Retrieved December 26, 2006 from http://www.columbia.edu/cu/pr/00/04/schumer.html

Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.

President's Information Technology Advisory Committee. (2005). Cyber security: A crisis of prioritization. [Electronic version]. Arlington, VA: National Coordination Office for Information Technology Research and Development. Retrieved December 26, 2006 from http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf



Analyze the practicality of US legal requirements and computer forensics in addressing cyberterrorism.

A practical limitation to legal requirements is their ineffectiveness as a deterrent to a terrorist. It is unlikely that anyone listed on the FBI’s most wanted terrorist list (http://www.fbi.gov/wanted/terrorists/fugitives.htm) would be concerned about a possible fine or jail sentence imposed by a conviction for violating a cyberterror law.

A practical limitation to legal requirements is the difficulty in proving guilt. Computer forensics frequently follows a constantly moving target as computer systems change. “Computer systems under investigation evolve more rapidly that [sic] the tools to examine them” (Stacy, 2006, p. 9). Additionally, Cordesman (2002) points out that “the perpetrators can be anywhere in the world and unless there is international cooperation it is very difficult to arrest and prosecute the attacker” (p. 8). Cordesman (2002) also quotes Richard D. Pethia, the Director of the Computer Emergency Response Team (CERT), to illustrate the impracticality of trying to regulate cyber crimes, including cyberterrorism. “The difficulty of criminal investigation of cyber-crime coupled with the complexity of international law mean that successful apprehension and prosecution of computer criminals is unlikely, and thus little deterrent value is realized” (p. 48).

However, in April 2004, the National Security Agency (NSA) offered a ray of hope showing there may be some effectiveness in current legal requirements. An intercepted e-mail message led to the arrest of nine men from two different countries (United Kingdom and Canada) on charges of facilitating a terrorist act. “This was the first time that the American regular monitoring of e-mail traffic led to an arrest” (Weimann, 2006, p. 182).

A practical limitation to developing policies and legal requirements to counter cyberterrorism is the fact that “not everyone subscribes to the belief that cyber terrorists will attack our nation” (Johnson, 2005, p. 210). Some security experts maintain there is no concrete evidence that cyber terrorism is a threat. They assert that many leaders have overreacted to a perceived risk to critical infrastructure (Johnson, 2005, p. 210).

A practical limitation to developing policies and legal requirements to counter cyberterrorism is in the definition of the crime. Olivenbaum (1997) suggested that most cyber crimes already are covered by other legislation (p. 575). Disruption of a public infrastructure system is a crime irrespective of the tool used to disrupt the system. Whether a terrorist uses a computer or a truck bomb to cause the damage, the results are the same. “To the extent that they [laws] are drafted in ‘technology-specific’ language, the pace of technological change and the ingenuity of computer-literate criminals guarantee that those statutes will be obsolete almost as soon as they are enacted” (Olivenbaum, 1997, p. 575). To mitigate the threat of obsolescence, law-writers “would likely have to include computer crimes that would be written broadly enough to encompass the inevitable advances in technology” (Aldrich, 2000, p. 41).

RESOURCES:

Aldrich, R. W. (2000). Cyberterrorism and computer crimes: Issues surrounding the establishment of an international legal regime. INSS Occasional Paper 32. Retrieved December 18, 2006 from http://www.usafa.edu/df/inss/OCP/ocp32.pdf

Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.

Johnson, T. A. (Ed). (2005). Forensic computer crime investigation. Boca Raton, FL: CRC Press.

Olivenbaum, J. M. (1997). Rethinking federal computer crime legislation. Seton Hall Legislative Review, 27, 574-576.

Stacy, H. (2006). Computer forensics for law enforcement. [Electronic version]. Unpublished paper. Retrieved December 13, 2006 from http://www.infosecwriters.com/text_resources/pdf/Forensics_HStacy.pdf

Weimann, G. (2006). Terror on the Internet: The new arena, the new challenges. Washington, DC: United States Institute of Peace.



Analyze the article “A Duty of Care in Cyberspace” and how it relates to cyberterrorism.

This article advocates legislation to hold a computer owner liable for unknown use of the system to cause some kind of damage (Henderson, 2002, p. 14). The relationship to cyberterrorism is that if a terrorist remotely accesses someone’s computer (either directly or through some type of malware), the owner of the computer could be found guilty as an accomplice.

I have not studied law extensively and I am not clear about the relationship between civil and criminal issues. This article appears to focus on civil liability rather than criminal guilt. It does not appear that this type of legislation to determine criminal guilt would be constitutional. My understanding is that civil liability would be determined by “preponderance of the evidence,” while criminal guilt is determined by “beyond reasonable doubt” (Director, unk, para. 22). I do not know if the U.S. legal system can support the criminal aspects of finding an unknowing and unwilling victim guilty of being an accomplice to a terrorist act.

Cordesman (2002) addresses the dilemma in determining true liability, because of a multitude of gray areas where the federal government implies some responsibility. He suggests the federal government “may be incapable of effective action and practical responsibility” (p. 53). He further suggests that “criminal and civil liability for the failure to create effective defenses may have to be assumed by state and local officials, the private sector, and private individuals” (p. 53).

Additionally, Cordesman (2002) argues that the federal government “does not owe any private entity protection beyond routine law enforcement effort, and their survival is unimportant to homeland defense” (p. 155). He further states that “the collapse or destruction of companies and NGOs that fail to take effective self-protection measures may ultimately be a key factor forcing others to improve” (p. 155). I agree. Encouraging the courts to compensate an organization for damage caused by its own lack of adequate protection is not the job of the federal government.

RESOURCES:

Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.

Director. (unk). Civil legal remedies for crime victims. Retrieved December 26, 2006 from http://www.ncjrs.gov/txtfiles/clr.txt

Henderson, S. E. (2002, Winter). Suing the Insecure?: A Duty of Care in Cyberspace. New Mexico Law Review, 32(1), 11-25. Retrieved December 18, 2006 from FirstSearch, WilsonSelectPlus database.



Identify and explain the international efforts to combat cyberterrorism.

Cyberterrorism is not limited to a single country. A terrorist “armed with a computer and a connection has the capability to victimize people, businesses, and governments anywhere in the world” (Keyser, 2003, p. 325). Anyone, located anywhere on the planet, with a communication connection has the potential ability to reach out and disrupt almost any system connected to the Internet (Gabrys, 2002a, p. 23).

The most extensive attempt by the international community to combat cyberterrorism is the ratification of the “Convention on Cybercrime” by the Council of Europe in January 2004 (http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=11&DF=12/18/2006&CL=ENG). Article 5, System Interference, of the Convention on Cybercrime can be used to address a terrorist cyber attack to disrupt critical infrastructure systems. Additionally, Article 6, Misuse of Devices, is a catch-all provision for the misuse of computer systems.

Gabrys (2002b) highlights the Convention on Cybercrime suggestion that participating countries develop laws that create the ability to support extradition efforts of other countries, even if a specific cybercrime is not defined in their own country (p. 26). This cooperation would allow a country suffering from a cyber attack originating from another country to prosecute perpetrators of such attacks.

Cordesman (2002) concludes that open source information does not present a clear picture of the vulnerabilities or controls implemented by other countries to combat cyberterrorism (p. 164). He also points out that there are significant issues related to international mergers and acquisitions involving U.S. domestic companies (p. 165).

RESOURCES:

Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.

Gabrys, Ed. (2002a, SEP/OCT). The international dimensions of cyber-crime, part 1. [Electronic version]. Information Systems Security, 11(4), 21-32.

Gabrys, Ed. (2002b, NOV/DEC). The international dimensions of cyber-crime, part 2. [Electronic version]. Information Systems Security, 11(5), 24-32.

Keyser, M. (2003, Spring). The council of Europe convention of cybercrime. [Electronic version]. Journal of Transnational Law & Policy, 12(2), 287-326. Retrieved December 26, 2006 from http://www.law.fsu.edu/journals/transnational/vol12_2/keyser.pdf



Identify what measures state and local governments are utilizing to combat cyberterrorism.

Local governments are concerned about the threat of cyberterrorism. The National League of Cities surveyed 725 cities in 2003 and discovered that cyberterrorism ranked near the top of a list of city officials' fears, surpassed only by concerns about biological and chemical weapons (Weimann, 2004, Para. 17).

Caruson and MacManus (2005) assert that Florida is the best location to “test the impact of intergovernmental mandates on local governments” (p. 25). In addition to a state government, Florida is comprised of 67 county governments, 406 municipalities, and more than 1,000 special districts (Caruson & MacManus, 2005, p. 25).

Local security threat assessments in Florida revealed that cyber-terrorism was the number one concern of county officials. The two areas requiring the greatest effort to combat local cyber-terrorism concerns are funds for overtime and interoperable equipment (Caruson & MacManus, 2005, p. 27).

Local governments in Florida are putting their efforts into identifying threats to emergency services equipment and facilities, specifically their 911 emergency responder radio systems. Additionally, local governments are improving control and monitoring systems for public water supplies (Caruson & MacManus, 2005, p. 28).

Burkhammer (2006) observed that increased communication and cooperation between state and local governments would greatly increase the effectiveness of the fight against cyberterrorism (p. 35). Local officials are expanding firewalls and intrusion detection systems, installing anti-malware software, beefing up regular system audits, and increasing log checks (Burkhammer, 2006, p. 33).

Cordesman (2002) observed that “there is, as yet, no clear definition of the boundaries between the kinds of attack where the federal government should play a role and those where states, localities, the private sector, and private individuals must assume responsibility for their own defense” (p. 53). It also is difficult to determine who should be responsible for the additional costs associated with this defense. Additionally, the GAO acknowledged in 2000 that “critical infrastructure protection is not exclusively, even largely, within the province of the federal government, and, as a result, the federal government is limited in what it can do to protect critical infrastructures” (p. 81).

RESOURCES:

Burkhammer, L. (2006, March). The virtual enemy. [Electronic version]. The American City & County, 121(3), 32-35.

Caruson, K. and MacManus, S. A. (2005, Spring). Homeland security preparedness: Federal and state mandates and local government. Spectrum, 78(2), 25-28. Retrieved December 13, 2006 from ProQuest database.

Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.

Weimann, G. (2004, December). Cyberterrorism: How real is the threat? United States Institute of Peace, Special Report No. 119. Retrieved January 2, 2007 from http://www.usip.org/pubs/specialreports/sr119.html



Identify what measures private industry is utilizing to combat cyberterrorism.

“The fight against cyber crime [including cyberterrorism] has to be a team game. There is nothing of greater importance than the effort to forge effective partnership between law enforcement and industry” (Hynds, 2004, p. 28). Hynds (2004) suggests that an effective sharing of responsibility is for law enforcement to research and provide information about specific threats, while industry assesses risks and works with law enforcement to develop specific measures to counter or mitigate those threats. Industry then follows up to implement the identified countermeasures (p. 28).

When they hear cyberterrorism, many industry managers conjure up thoughts of notorious hackers from Evilistan breaking into computer systems to steal trade secrets. Even though the hacker threat warrants adequate attention, a greater threat often goes unnoticed -- company employees. Kirkpatrick (2006) highlights credible research identifying internal sources as significant aids to cyberterrorist activities. “Without meaning to (or even really knowing what happened), employees can and do expose critical information to social engineers clever enough to ask for it in just the right way” (Kirkpatrick, 2006, p. 66).

Kirkpatrick (2006) suggests the most effective method for combating internal security issues is awareness and education (p. 66). Best practice includes training about what information is considered internal and confidential, proper disposal methods for documents, and careful use of remote-system access (p. 66).

The finance industry (including banks, investment firms, and insurance companies) is an excellent example of industry responding to cyber threats. Banks and other financial institutions are constantly evaluating their cyber security systems, since a cyberterrorist attack on financial institutions could cripple the country’s economic stability. Specific industry responses are “increasing security staffing, increasing budgets, and using new technology” (Powell, 2005, p. 6). “When compared to firms in other countries, financial firms in the U.S. are early adopters and generally better prepared for cyber attacks than foreign competitors” (Powell, 2005, p. 14).

RESOURCES:

Kirkpatrick. (2006, February 9). Protect your business against dangerous information leaks. Machine Design, 78(3), 66. Retrieved December 13, 2006 from EBSCOhost Research Databases.

Hynds, L. (2004, May/June). Policing the digital frontier. British Journal of Administrative Management, 41, 28-29. Retrieved December 13, 2006 from EBSCOhost Research Databases.

Powell, B. (2005). Is cybersecurity a public good? Evidence from the financial services industry. Independent Institute Working Paper Number 57. The Independent Institute. Retrieved January 2, 2007 from http://www.independent.org/pdf/working_papers/57_cyber.pdf



Identify what cyber protection measures are being used at the International level that you believe could be effective here in the US.

A specific cyber protection measure used at the International level that could be effective in the US is a law that would allow for extradition of individuals suspected of cyber crimes. Gabrys (2002b) suggests that it would be good for countries to develop laws that create the ability to support extradition efforts of other countries, even if a specific cybercrime is not defined in their own country (p. 26). This cooperation would allow a country suffering from a cyber attack originating from another country to prosecute perpetrators of such attacks.

Gabrys (2002a) cites a specific instance where someone who caused billions of dollars worth of damage through the release of a computer worm could not be prosecuted for his offense (pp. 28-29). The ILOVEYOU computer worm released from the Philippines in May 2000 caused significant damage in the United States. However, US officials were unable to extradite the guilty individual because his offense was not illegal under Philippine law and no extradition treaty existed between the Philippines and the United States to cover the offense.

Having a law which allowed extradition, even for offenses not covered in the originating country, would provide an additional deterrent and a method for prosecuting cyber criminals. It may not be a perfect solution, but it is a step in the right direction.

Of course, the danger is the possibility that “people can potentially be subject to all sorts of national laws besides their own” (Weimann, 2006, p. 181). Fighting cyber terrorism certainly will involve balancing many civil liberties and privacy issues. However, the law could specify which information can be used to prosecute someone -- creating a retroactive protection from illegal search and seizure. Information related to terrorism could be used to prosecute, whereas other criminal information would be subject to normal reasonable cause rules.

RESOURCES:

Gabrys, Ed. (2002a, SEP/OCT). The international dimensions of cyber-crime, part 1. [Electronic version]. Information Systems Security, 11(4), 21-32.

Gabrys, Ed. (2002b, NOV/DEC). The international dimensions of cyber-crime, part 2. [Electronic version]. Information Systems Security, 11(5), 24-32.

Weimann, G. (2006). Terror on the Internet: The new arena, the new challenges. Washington, DC: United States Institute of Peace.

 





Copyright © 2016, DynoTech Software, All Rights Reserved.