The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
OCR for page 198
Preventing and Responding to Cybercrime and Terrorism: Some International Dimensions

Seymour E. Goodman
Georgia Institute of Technology

"Cyberspace"1 seems well on its way to becoming a new technology-based medium for extensive human activity, joining several others that have been created and exploited over the last 100 years, including the media built up around aircraft, spaceflight, and the internal combustion engine. In little more than 30 years, cyberspace has become the locus of much of value (notably information and money), a means of passage, and an environment for extended personal and organizational presences and interactions. It has become a locus for many systems that control and manage other more traditional infrastructures, such as those for banking and finance and transportation systems. It is also attracting a great deal of malicious activity ranging from extensive, long-range vandalism, to various types of more serious crimes, to prospective forms of terrorism and nation-versus-nation conflict. Attacks may be directed at parts of the information infrastructure itself, or through the networks against other targets with some presence in this medium. Criminals and terrorists may also value the networks as assets for themselves (e.g., for inexpensive, effective communications or as a source for intelligence gathering).2

The extensive internationalization of the Internet and some of the other networks is a fairly recent phenomenon. By 1984, almost half of the time since the 1969 birth of the Internet as ARPANET under the U.S. Department of Defense, the entire network consisted of only 1000 host computers located in fewer than a half-dozen North Atlantic Treaty Organization (NATO) countries. By 1989, only a few years after most of the network had migrated out of the Department of Defense and essentially become the Internet, the count had risen to fewer than 20 countries and 100,000 hosts. But the vast majority of those hosts were in the United States.

198

Over the last 8-10 years, international growth has been explosive. There are now about 220 countries and other semisovereign entities (e.g., Hong Kong still retains its own top-level domain name) with full TCP/IP connectivity. Worldwide growth has been 50-100 percent per year, and much higher in some years in many countries. More of the Internet is now outside the United States than inside. As of early 2001, there may have been tens of millions of host computers and 400 million users worldwide, with something like a quarter of the users located outside of the Organization for Economic Cooperation and Development (OECD) countries. Improving technology, declining cost, and the demographics of the world's under-30 population are favoring growth outside the OECD. For example, within the last four to five years, the user populations of China and India have gone from almost negligible numbers to at least 30 million and 6 million, respectively. Several countries (e.g., Turkey and Pakistan) generated a million users or more within a year or two of the start of public access. Such numbers will increase appreciably, especially if there is a massive "second wave" of people with essentially no capabilities in English.

In addition to the many positive aspects of this kind of global connectivity, it also is an extraordinary enabler of malicious people. Virtually every connected country can serve as a base for any number of such people, who have any number of motivations, and who can readily acquire technical capabilities to cause harm to others.

It is often said that cyberspace is borderless and has in some ways effectively erased borders between countries. Conversely, global connectivity has made it possible for attackers to work from almost any country against targets in almost every country, and since all of cyberspace comes to ground somewhere, it has essentially created borders between every pair of countries.

Thus, almost every country is, or potentially is, part of the problem of concern to us. Most national and local governments are incapable of dealing with, and often are largely unaware of, these problems. It is desirable to help make them part of the solution. Most will be incapable of doing this on their own. Since much of the problem of cybercrime and terrorism is intrinsically transnational, some form of international cooperation arguably should be part of the national strategies of most of the governments of the world.

The remainder of this short paper will be concerned with international cooperation to help prevent and respond to cybercrime and terrorism. We will be concerned primarily with acts against cybersystems (e.g., destroying, incapacitating, or misusing them).3 We take the view that it is both difficult and unnecessary to precisely define "cyberterrorism." We are unlikely to get much agreement among a wide spectrum of interested parties on such a definition, given the enormous variety of malicious activity possible in this medium and the enormous range of possible motivations behind the possible attacks. It is very difficult to distinguish an early stage of an attack as either crime or terrorism. We take the approach of defining serious forms of crimes against information systems under the assumption that most forms of what would be widely considered cyberterrorism would be egregious instances of these crimes. As is the case in other contexts (e.g., safety and security in civil aviation), it is the nature of the attack itself that matters; the motivation of the attacker should not be a determining factor.

DEFENSES IN A TRANSNATIONAL ENVIRONMENT

We need to define and distinguish between two complementary forms of defense:

1. Passive defense is essentially target hardening. It consists largely of the internal use of various technologies and products (e.g., firewalls, intrusion detection) and procedures (e.g., governing outside dial-in or reconstitution and recovery) to protect the information technology (IT) assets owned by an individual or organization. By definition, passive defense does not impose any serious risk or penalty on the attacker. With only passive defensive measures, the attacker is free to continue assaulting the target until he either succeeds or gets bored and looks elsewhere. Given the extensive vulnerabilities of most cybersystems and the low cost of most attacks, a skilled and determined attacker may well be more likely to succeed before getting bored.

2. Active defense by definition imposes serious risk or penalty on the attacker. Risk and penalty may include identification of the attacker, investigation and prosecution, stopping an attack in progress, and preemptive or counterattacks of various sorts.

Note that some actions, for example, stopping an attack in progress, can be pursued using both passive and active means. Passively, one might plug a vulnerability hole in real time. Actively, one might try to get at the source of the attack. In a transnational context, passive defense is not without problems (e.g., with regard to liability issues or information sharing). But the pursuit of active defensive measures in an international context is more difficult and will get most of the attention in this paper.4

At the very least, active defense involves gathering intelligence information about the attacker. It can go well beyond that to damaging the attacker's cyberassets to physically apprehending or otherwise physically incapacitating the attacker. All of cyberspace "comes to ground" somewhere (including at sea). So essentially all attackers and their assets are located within the jurisdiction of one or more nation states. For a defender to engage in unilateral active defense, in almost any transnational context, he will very likely covertly reach into computers and other places located outside his legal jurisdiction.

Since much of the information infrastructure is owned, operated, and used by the private sectors around the world, they and their assets are, and will continue to be, primary targets. Many private entities are technically capable of trying to engage in active defense. But they do not have much legal basis for doing so in an international context, and the state of technology is such that there is considerable likelihood that they may incorrectly identify their attackers, cause undesirable collateral damage, or result in some other kind of messy mistake. In so doing, they may become greater and more readily identifiable offenders than their attackers and may be subject to considerable liability, publicity, and criminal penalties. Furthermore, few governments anywhere officially condone any form of vigilantism.

Thus, the pursuit of active defense would necessarily fall to governments. Governments are not subject to the liability risks of private entities. A good case can be made to the effect that national governments would be justified in engaging in active defense under the international legal principles of proportionality and response-in-kind. But few if any nations would welcome another government's intrusions into information systems located within their sovereignty, and the intruding government would largely have to do so covertly. Under these circumstances, particularly if the volume of serious cyber-attacks is high, sooner or later this will result in messy and visible misidentifications and collateral damage and would likely generate international friction between governments. The government engaging in active defense would also be at a serious disadvantage with regard to apprehending or otherwise physically dealing with the attackers. Furthermore, it would seem unwise for any country to establish precedents for aggressive international behavior in this arena.6

The U.S. government, in particular, should have reservations in this regard. Because of presumed technical prowess and other reasons, it will be held to higher standards of accountability and suspicion than other governments when it intrudes. It will suffer serious blame in public opinion and elsewhere when its intrusions inevitably result in undesirable collateral or other damages. The United States is home to far more information systems and hosts much more of the Internet than any other country. It is physically home to a larger number of attackers and is a third-party transit country for more network traffic than any other country. As such, it is likely to be a target of a great many active defensive measures by other countries, and we might expect some large fraction of these to be carried out relatively incompetently. We can be sure that the U.S. government, not to mention the private-sector owners and operators and users of these information systems, will very much resent such intrusions by other governments.

FINDING A SUITABLE FRAMEWORK FOR INTERNATIONAL COOPERATION

These arguments and constraints lead us to conclude that the ideal international arrangement would have to look something like the following. First, each of the governments of the world would have considerable competence to deal with the problem. This includes capabilities and policies in passive defense to provide substantial security for those portions of cyberspace within its purview. Second, all of the connected countries would share a common baseline perception of what constitutes serious (felony) criminal behavior in this new medium. One of the manifestations of this shared perception would be in the form of a similar set of laws defining such behavior in each country. Third, each country would have some substantial capability in active defense and a competent national authority for engaging in active defense. Finally, international responses to transnational attacks would be covered under a near-universal umbrella convention that would permit timely action, among any combination of countries, under established procedures.

Under these ideal circumstances, we might expect the following standard scenario if a serious cyber attack is launched from country X against targets in country A. The victims in A immediately seek help from government A. Government A determines that there is reason to suspect that the attack originates from, or at least passes through, X. Under the umbrella international convention, it immediately contacts the competent authority in X, where the attack is equally viewed as a crime. Government A can count on government X being willing and able to investigate the extent to which the attack is taking place from X. The competent authority in X will act in a timely manner to help stop the attack and proceed with other forms of defense in essentially the same way that government A would if it had the jurisdictional authority to do so itself.

Because of all the ideal commonalities under the near-universal arrangement just described, this procedural scenario scales. So, for example, it extends in a straightforward manner if the attack is simultaneously launched from countries X, Y, and Z against targets in countries A and B, and the attack is routed through M, N, P, and Q.

As far as we can determine, this is the only unambiguously legal way to handle active defense on the global scale of the Internet and other large transnational networks. It is also the only way we can conceive of avoiding what is potentially an enormous amount of essentially covert actions on the parts of governments against systems and citizens in other countries. It would tend to minimize the errors, collateral damage, and other forms of friction that might arise between nations as a result of all that covert activity.

The present reality is very far from this ideal situation. Perhaps most importantly, the great majority of the governments of the roughly 220 countries or other semisovereign entities with Internet connectivity have very little awareness, and far less capability, in this area.

So how may we try to proceed from the current reality to something closer to the ideal international situation? We would argue that we should start to think about the desired structure and content of such an international convention. The time scale associated with conducting and dealing with malicious cyber-activities varies from months (e.g., the time for new tactical attack modes to emerge) to the comparatively glacial time scales for building extensive and effective international agreements. So it is necessary to start thinking about the long and iterative process of the latter, even though it is too early to expect solutions to some specific problems and questions. We might look to a framework that builds in an expectation and means for dealing with the detailed problems of changing technology, et cetera, over an essentially unbounded time into the future, as well as one intended to help build the capabilities of weaker nations.

So what might be included as necessary top-level features in such an international convention? We would suggest the following:

The focus should be on serious crimes against computer networks. The primary concern is protecting the infrastructure, both the IT-based infrastructure itself and the other infrastructures that may be accessed and damaged or manipulated through IT-based control structures. This is not the place to address content crimes (e.g., pornography or intellectual property rights).

There should be a harmonization of laws. Each State Party to the convention must adopt a complete set of national laws defining and punishing serious crimes against computer networks. Although the wording of this set does not have to be identical for each country, each must establish all of the collectively defined malicious behavior specified in the agreement as felonies within the country. Having such a set of laws on the books would be considered a necessary condition for admission to the convention. We believe that this would be sufficient for most extradition purposes. What is necessary is to get near congruence of national laws widely accepted and to make the subject a legitimate concern on a broad international level.

There should be a near-universal set of States Parties. The problem is intrinsically global, and at least some element of a partial solution has to be global. Near-universal participation makes the problem legitimate globally, and tries to eliminate safe havens. Each country connected to the Internet is part of the threat problem, and an effort must be made to try to make each a part of the solution, which is decidedly not the case now.

A major goal should be to build international capabilities to deal with the problem. To this end we would propose a working organization, somewhat similar to the International Civil Aviation Organization for that transportation infrastructure, to help develop standards, determine best practices, provide training, and so forth, on a global scale, especially for the large number of countries that have little or no capacity to do anything for themselves in the cyberdomain at this time. This applies to both passive and active means of defense. We tentatively call this organization the Agency for Information Infrastructure Protection (AIIP).8

Avoid building too much technical and procedural detail into the basic agreement. At this time, nobody understands the technological and procedural means and costs well enough to appreciate what it would take to require them on a large scale. It will take some time for thoughts and technology to mature to the point where such might be recommended or required. We recommend setting up a forum and means (e.g., through the AIIP) for the necessary discussions and work to take place. As is the case in other international domains, industry participation in these efforts would be highly desirable.

The prospective convention is not meant to apply to the actions of states. We suspect that there are dozens of governments investigating the possibilities of so-called information warfare. Few of those would presumably be interested in constraining themselves at this early stage. This is not meant to be an arms control convention, just as the various widely accepted agreements on safety and security in civil aviation are not meant to ground the air forces of the countries of the world.

States Parties would not violate the civil or human rights of their citizens. No State Party would be expected to compromise its own laws in this regard. So, for example, assume that both the United States and Iran are signatories. Say that an American citizen is suspected of attacking an Iranian system in a manner that is against the laws both countries have agreed upon in signing the convention. If the United States suspects that this person's human rights would be at risk if he were to be extradited to Iran, then the United States is obligated to try the person for that crime in the United States or to extradite him for trial to a third country that has a claim to jurisdiction but observes civil or human rights laws similar to those in the United States.

We briefly note that our views on all of these points differ to a greater or lesser extent from those expressed or omitted in the draft agreement being developed under the purview of the Council of Europe (CoE).9 We feel that the CoE draft is focused too much on matters of content violation and prosecution. We believe a broader spectrum of needs should be addressed to protect infrastructure and build defensive capabilities.

We also briefly note that reasonably effective agreements exist in other domains along the lines enumerated in the above list. Perhaps the closest analogy is with civil aviation, which itself also happens to be extensively and increasingly dependent on cybersystems.10 There are others covering intrinsically transnational domains such as maritime transportation, health, and pollution.

We are a long way from having such an agreement, and there will be considerable difficulties along any path to an effective approximation. We touch on a few of the difficulties below.

As with many international agreements, questions arise as to forms of enforcement and sanctions against signatories who are not living up to the conditions or who are in conscious violation.

Work needs to be done on estimating the costs of such a convention. Just two examples of such costs include an estimate of the volume of requests and investigations (and their growth rates) that would have to be handled, and the cost of standing up and running an organization such as the AIIP. In terms of savings, we note that many major cyber-attacks (e.g., via virus or denial of service) have been estimated to cost hundreds of millions of dollars. So, as in the case of averted airline disasters, every prevented major incident represents a huge "savings."

How do we effectively scale up to a near-universal sign-up? In addition to the obvious approach of simply starting with a small number of countries, possibilities include the use of more limited agreements as "building blocks" to acquire subsets of partners and experience in "what works." These more limited agreements might be done bilaterally, or multilaterally based on sector (e.g., for the cyberdimensions of civil aviation) or regional (e.g., for Europe) distinctions.11

A related question is what to require of a State Party as a condition for admission. Two possibilities are a set of harmonized domestic laws and the existence of a competent national authority.

Another issue is what to do with nonsignatories. For example, should (could?) an effort be made to create a form of quarantine?

We believe that some kind of extensive international convention is inevitable. Given the time scales involved and how long it takes to work out effective agreements, we also believe it is prudent to pursue serious deliberations on the matter, with the intent of developing an initial "greatest common denominator" that has a strong likelihood of finding broad acceptance among a large and diverse set of countries. The realistic issue is not whether we can achieve an ideal agreement, but rather how to get something that is far better than what exists now and that can be updated and improved over time. Can anything be proposed that is significantly different from and better than what has been outlined here and in the Stanford Draft? In this regard, it may be appropriate to recall and adapt to the current context Churchill's classic statement that "democracy is the worst form of government except all those others that have been tried from time to time."12

NOTES

1. We simply define "cyberspace" to include the Internet and all other extensive wide-area networks with similar architectures and protocols. Many of the latter are sector specific (e.g., the global money transfer systems used by the international banking and finance industries).

2. Soo Hoo, K., S. Goodman, L. Greenberg. 1997. Information technology and the terrorist threat. Survival 39(3):135-155.

3. These are defined in Articles 3 and 4 in Sofaer, A.A., S.E. Goodman, et al. 2000. A Proposal for an International Convention on Cyber Crime and Terrorism. Stanford: Center for International Security and Cooperation, Stanford University. Article 1, Paragraph 2, which unnecessarily attempts to define "cyberterrorism," should be considered deleted. Hereafter this is referred to as the Stanford Draft.

4. Grove, G.D., S.E. Goodman, S.J. Lukasik. 2000. Cyber-attacks and international law. Survival 42(3):89-103.

5. Goldsmith, J. 1999. Paper presented at the Conference on International Cooperation to Combat Cyber Crime and Terrorism, Stanford University, December 6-7, 1999.

6. Such issues are already becoming problematic. See, for example, Brunker, M. Cyberspace evidence seizure upheld. FBI downloaded data from suspects' computers in Russia. MSNBC, May 30, 2001.

7. Sofaer et al., op. cit., discussed throughout the text.

8. Lukasik, S.J. 2000. What Does an "AIIP" Do? Presentation notes, Georgia Institute of Technology, Atlanta, May 27.

9. European Committee on Crime Problems, Committee of Experts on Crime in Cyber-Space, Council of Europe. 2000. Draft Convention on Cyber-Crime, Draft No. 25, Rev. 5. Strasbourg, December 22, 2000.

10. See Goodman, S., M. Cuellar, H. Whiteman. 2001. In The Transnational Dimensions of Cyber Crime and Terrorism, A.D. Sofaer and S.E. Goodman, eds. Stanford: Hoover Institution Press, pp. 69-124.

11. Whiteman, H. 2001. International Institutions and Agreements to Combat Serious Cyber-Crime. Presentation at the Georgia Tech-Stanford Workshop on Protecting Cyberspace: The International Dimension, Washington, May 1, 2001. We might also note that a set of bilateral agreements will be unworkable as a long-term solution. Global connectivity enables too many countries. For N countries, a perfect set of bilateral agreements that would allow any two to work together would number N(N - 1)/2. In our case, N = 220, necessitating 24,090 bilateral agreements. If one recognizes that attacks could involve three or more countries, the number of multilateral agreements short of a universal agreement becomes exponential.

12. Ibid.

Whiteman is Assistant Deputy Minister, Security and Emergency Preparedness, Transport Canada.