I. INTRODUCTION
The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult....(1)
In October 2006, a "sensitive Commerce Department bureau"--the Bureau of Industry and Security (BIS)--suffered a "debilitating attack on its computer systems." (2) The attack forced the BIS to disconnect its computers from the Internet, which interfered with its employees' ability to perform their duties. (3) It was traced to websites hosted by Chinese Internet service providers (ISPs), but the attackers were never identified. (4)
Consider for a moment the statement: the attackers were never identified. This statement has several implications, the most obvious of which is that the individuals who carried out the attack were never identified. That is far from remarkable; given the opportunities cyberspace creates for the remote commission of attacks and attacker anonymity, it is more common than not for cybercriminals to go unidentified and unapprehended. (5)
That, though, assumes we are dealing with cybercriminals, which brings us to another implication of the statement above: Not only were the BIS attackers never identified, the nature of the attack was never identified. It was apparently clear the attack came from China, (6) but what kind of attack was it? Was it cybercrime--the Chinese hackers launching a counting coup (7) on U.S. government computers? Was it cyberterrorism--an initial effort toward a takedown of U.S. government computers by terrorists (who may or may not have been Chinese) pursuing idiosyncratic ideological goals? Or was it cyberwarfare--a virtual sortie by People's Liberation Army hackers? (8)
The BIS episode illustrates why we need to assess how we approach attribution (Who launched the attack? What kind of attack is it?) and the corresponding problem of response (Who should respond to an attack--civilian law enforcement, the military, or both?). As Sections II, III, and IV explain, the essentially ad hoc approaches we currently use for both attribution and response worked well in the past but are becoming increasingly unsatisfactory as cyberspace becomes a viable vector for attacks, of whatever type.
My goal in this Article is to explore these issues in terms of the conceptual and legal issues they raise. I will also analyze some nontraditional ways of structuring our response to ambiguous attacks, such as the one that targeted the BIS computers. My hope is that this Article provides a basis for further discussion of these issues, the complexity of which puts their ultimate resolution outside the scope or ambitions of any single law review article.
Section II constructs a taxonomy of cyberthreats (crime, terrorism, and war) and explains why these evolving threat categories can make who- and what-attribution problematic. Section III explains how these difficulties with attribution impact the process of responding to cyberthreats. Section IV continues our examination of this issue by analyzing how we might improve our response capability without surrendering principles we hold dear. Section V is a brief conclusion, which summarizes the preceding arguments and analysis and offers some final thoughts on both.
II. IDENTIFYING CYBERCRIME, CYBERTERRORISM, AND CYBERWARFARE: TAXONOMY
[T]he ... "blurring of crime and war" at the operational level.... has accelerated over the last few decades. (9)
As Section I noted, the continuing evolution and proliferation of computer technology has created a new class of threats--"cyberthreats"--which societies must confront. These cyberthreats can be generically defined as using computer technology to engage in activity that undermines a society's ability to maintain internal or external order. (10)
Societies have historically used a two-pronged strategy to maintain the order they need to survive and prosper. Societies maintain internal order by articulating and enforcing a set of proscriptive rules (criminal law enforcement) that discourage the members of a society from preying upon each other in ways that undermine order, such as by killing, robbing, or committing arson. (11) Societies maintain external order by relying on military force (war) and, to an increasing extent, international agreements. (12) I call this the internal-external threat dichotomy, and the choice between law enforcement and military the attack-response dynamic.
As we will see, computer technology erodes the empirical realities that generated and sustain this dichotomous approach to maintaining order. This approach is based on the assumption that each society occupies a territorially-defined physical locus--that, in other words, sovereignty and "country" are indistinguishable. (13) One consequence of the presumptive isomorphism between sovereignty and territory is that threats to social order are easily identifiable as being either internal (crime/terrorism) or external (war). Computer-mediated communication erodes the validity of this binary decision tree by making territory increasingly irrelevant; as a study of cybercrime laws noted, "In the networked world, no island is an island." (14) In the twenty-first century, those bent on undermining a society's ability to maintain order can launch virtual attacks from almost anywhere in the world. As a result, these attacks may not fit neatly into the internal-external threat dichotomy and the attribution hierarchy (crime/terrorism, war) derived from that dichotomy.
Section II outlines a taxonomy of the three categories of cyberthreats: cybercrime, cyberterrorism, and cyberwarfare. Section III explains how these online variations of real-world threat categories challenge the processes we currently use for threat attribution.
A. CYBERCRIME
An online dictionary defines "cybercrime" as "a crime committed on a computer network." (15) The basic problem with this definition is that American lawyers need to be able to fit the concept of "cybercrime" into the specific legal framework used in the United States and into the more general legal framework that ties together legal systems around the world in their battle against cybercrime. (16) That leads me to ask several questions: Is cybercrime different from regular crime? If so, how? If not, if cybercrime is merely a boutique version of crime, why do we need a new term for it?
The first step in answering these questions is parsing out what cybercrime is and what it is not. When we do this, we see that the definition quoted above needs to be modified for two reasons.
The first reason is that this definition assumes every cybercrime constitutes nothing more than the commission of a traditional crime by nontraditional means (using a computer network instead of, say, a gun). As I have argued elsewhere, (17) that is true for much of the cybercrime we have seen so far. For example, online fraud such as the 419 scam (18) is nothing new as far as the law is concerned; it is simply "old wine in new bottles." (19) Until the twentieth century, people had only two ways of defrauding others: they could do it face to face by offering to sell someone the Brooklyn Bridge for a very good price; or they could do the same thing by using snail mail. (20) The proliferation of telephones in the twentieth century made it possible for scam artists to use the telephone to sell the bridge, again at a very good price. (21) And we now see twenty-first century versions of the same scams migrating online.
The same is happening with other traditional crimes, such as theft, extortion, harassment, and trespassing. (22) Indeed, it seems reasonable to believe that many, if not most, of the crimes with which we have traditionally dealt will migrate online in some fashion. Admittedly, a few traditional crimes--such as rape and bigamy--probably will not migrate online because the commission of these particular crimes requires physical activity that cannot occur online (unless, of course, we revise our definition of bigamy to encompass virtual bigamy). (23)
The same cannot be said of homicide: while we have no documented cases in which computer technology was used to take human life, this scenario is certainly conceivable and will no doubt occur. (24) Those who speculate on such things have postulated instances in which someone would hack into the database of a hospital and kill people by altering the dosage of their medication. (25) The killer would no doubt find this a particularly clever way to commit murder because the crime might never be discovered. The deaths might well be put down to negligence on the part of hospital staff; (26) and even if they were identified as homicide, it might be very difficult to determine which of the victims were the intended targets of the unknown killer and thereby begin the investigative process.
My point is that while most of the cybercrime we have seen to date is simply the commission of traditional crimes by new means, this will not be true of all cybercrime. We already have at least one completely new cybercrime: a distributed denial of service (DDoS) attack. A DDoS attack overloads computer servers and "make[s] a computer resource [such as a website] unavailable to its intended users." (27) In February 2000, a Canadian known as "Mafiaboy" launched attacks that effectively shut down websites operated by CNN, Yahoo!, Amazon.com, and eBay, among others. (28)
DDoS attacks are increasingly used for extortion. (29) Someone launches an attack on a website, then stops the attack and explains to the website owner that the attack will continue unless and until the owner pays a sum for "protection" against such attacks. (30) This is the commission of an old crime (extortion) by a new means, little different from tactics the Mafia used over half a century ago, though they relied on arson instead. (31)
But a "pure" DDoS attack, such as the 2000 attacks on Amazon.com and eBay, is not a traditional crime. It is not theft, fraud, extortion, vandalism, burglary, or any crime that was within a pre-twentieth century prosecutor's repertoire. (32) It is an example of a new type of crime: a "pure" cybercrime. (33) As such, it requires that we create new law that would make it a crime to launch such an attack. (34)
To summarize, one reason why the definition quoted above is unsatisfactory is that it does not encompass the proposition that cybercrime can consist of committing "new" crimes--crimes we have not seen before and therefore have not outlawed--as well as "old" crimes. The other reason I take issue with this definition is that it links the commission of cybercrime with the use of a computer network. (35)
Certainly, cybercrime usually does involve the use of computer networks. In fact, network use is probably the default model of cybercrime. But it is also possible that computer technology, not network technology, can be used for illegal purposes. A non-networked computer can, for example, be used to counterfeit currency or to forge documents. (36) In either instance, a computer--but not a computer network--is being used to commit a crime. Here, the computer is being used to commit an "old" crime, but it is at least conceptually possible that a non-networked computer could be used to commit a "new" crime of some type.
Thus, a better definition of cybercrime is the use of computer technology to commit crime, that is, to engage in activity that threatens a society's ability to maintain internal order. This definition encompasses both traditional and emerging cybercrimes. It also encompasses any use of computer technology, not merely the use of networked computer technology.
This generic definition does not, of course, provide the legal predicate needed to respond to cybercrime, as it is a conceptual definition of a category of crime rather than the definition of a particular offense or particular offenses. To ensure they can respond to new types of cybercrime, societies must monitor online activity in an effort to identify emerging activities that constitute a threat to their ability to maintain internal order. Once identified, these activities should be criminalized, just as the United Kingdom recently criminalized DDoS attacks. (37)
B. CYBERTERRORISM
[G]et ready.... terrorists are preparing.... cyberspace based attacks.... (38)
Generically, cyberterrorism consists of using computer technology to engage in terrorist activity. (39) This definition mirrors the generic definition of cybercrime articulated in the previous section, which is appropriate given that societies treat terrorism as a type of crime. Societies conflate crime and terrorism because both threaten their ability to maintain internal order. The assumption, which derives from the dichotomy noted earlier, is that all threats to internal order should be dealt with in the same way. (40)
Although societies conflate crime and terrorism, we need to distinguish them because they differ in ways that are relevant to how societies need to respond to them. Basically, crime is personal while terrorism is political. (41) Crimes are committed for individual and personal reasons, the most important of which are personal gain and the desire or need to harm others psychologically and/or physically. (42)
Terrorism often results in the infliction of harms indistinguishable from those caused by certain types of crime (such as death, personal injury, or property destruction), but the harms are inflicted for very different reasons. (43) A federal statute, for example, defines "terrorism" as committing acts constituting crimes under the law of any country to intimidate or coerce a civilian population; to influence government policy by intimidation or coercion; or to affect the conduct of government by mass destruction, assassination, or kidnapping. (44) We will return to the issue of terrorism-as-crime in a moment, but first we need to focus on what precisely is involved in the commission of terrorist acts.
As the above definition suggests, terrorism is usually intended to directly or indirectly demoralize a civilian population; (45) this distinguishes terrorism from warfare, which is not supposed to target civilians. (46) In the real-world, terrorism usually achieves its primary goal (47) of demoralizing civilians by destroying property and injuring or killing civilians. (48) The 9/11 attacks on the World Trade Center are a perfect example of real-world terrorism; they were intended to destroy a premier symbol of capitalism and in so doing undermine the morale of U.S. citizens and the stability of the U.S. society. (49)
To date, there have been no known instances of cyberterrorism. (50) There have been cases which the media have incorrectly described as cyberterrorism: in 2000, an Australian man hacked into a municipal waste-management system and dumped "millions of litres of raw sewage" into parks, rivers, and businesses. (51) Elsewhere, in 1997 a Massachusetts hacker shut down all communications to a Federal Aviation Administration (FAA) control tower at an airport for six hours. (52) These and similar cases, however, involved cybercrime, not cyberterrorism. In each instance, the perpetrator acted out of individual motivations--a desire for revenge or power--instead of out of a desire to advance a particular ideology by demoralizing segments of a civilian population. (53)
To understand what cyberterrorism can and will be, we must parse out how terrorists can use computer technology to demoralize a civilian population and thereby undermine a society's ability to sustain internal order. (54) Conceptually, computer technology's use for this purpose falls into three categories: (1) weapon of mass destruction; (2) weapon of mass distraction; and (3) weapon of mass disruption. (55) I now examine each, in order.
1. Weapon of Mass Destruction
This is a conceptual option, but not a real possibility. The notion that computer technology can be a weapon of mass destruction is based on a flawed premise: the concept that computers, alone, can be used to inflict the kind of demoralizing carnage the world saw in New York and Washington, D.C., on 9/11 or in Madrid on 3/11. (56) Computers, as such, cannot inflict physical damage on persons or property; that is the province of real-world implements of death and destruction. (57)
However, computers can be used to set in motion forces that produce physical damage. Instead of hacking into a municipal waste-management system for revenge, cyberterrorists could disable the systems that control a nuclear power plant and cause an explosion like the one at Chernobyl in 1986. (58) By claiming responsibility for the catastrophe, the cyberterrorists could exploit the resulting illness, death, and radioactive contamination to undermine citizens' faith in their government's ability to protect them and maintain order.
This is a viable terrorism scenario, but it is not a cyberterrorism scenario. While computer technology would be used to trigger the explosion, the victims would recall it as a nuclear catastrophe, not as a computer catastrophe. Here, as in other computer-as-weapon-of-mass-destruction scenarios, computer technology plays an incidental role in the commission of a terrorist act, serving merely as a detonator. To describe this scenario as cyberterrorism is as inappropriate as describing the 1998 U.S. embassy bombings carried out by Al-Qaeda as automotive-terrorism because vehicles were used to deliver the bombs to the target sites. (59)
2. Weapon of Mass Distraction
This is both a conceptual and a realistic possibility. Here, computer technology plays a pivotal role in the commission of a terrorist act, an act that differs in essential ways from the real-world terrorism to which we are accustomed. Computer technology is used to manipulate a civilian population psychologically. This manipulation saps civilian morale by undermining citizens' faith in the efficacy of their government. (60) Depending on the type of manipulation involved, it can also result in the infliction of personal injury, death, and property destruction.
To understand how computer technology could be used purely for psychological manipulation, consider this scenario: on September 11, 2001, as planes crashed into the World Trade Center and the Pentagon, millions of Americans watched the events unfold on television; many also used the Internet to try to find out more about what was happening. (61) The CNN site experienced particularly heavy traffic that day. (62) What if, instead of finding CNN-generated content, these visitors had encountered a Web page that announced, in appropriately terrifying graphics, "World War--Nuclear Holocaust in Europe and Australia, Japan Devastated by Chemical Attack"? (63)
As this was 2001, an over-the-top Orson Welles "War of the Worlds" reaction would have been unlikely, (64) since for the last decade, people typically have been obtaining their news from several types of media and from various sources within each type. But the posting of such a falsified page could have acted as a terror multiplier, enhancing the unnerving effects of the day's real-world terrorist events. (65) It could also have left lingering doubts in the public's mind as to whether "the government" had actually "covered up" the extraterritorial disasters once reported on CNN. These doubts could have provided the predicate for a long-term campaign of eroding public confidence in public officials and news outlets.
Now consider a scenario coupling psychological manipulation with injury, even death. At 1:00 p.m. on a Wednesday in San Francisco, the local Office of Emergency Services and Homeland Security receives messages via a secure government computer system informing them that a "suitcase nuclear device" is on the Bay Area Rapid Transit (BART) system, the public transportation system that serves San Francisco and surrounding cities. (66) The officials are told the device is in the hands of terrorists who will detonate it in two hours, at 3:00 p.m. If such a device were detonated, the death and destruction would be unimaginable--far greater than that inflicted on 9/11. The officials issue an immediate evacuation order for the San Francisco area. This produces chaos as panicked citizens desperately try to flee an impending nuclear disaster: cars clog the streets and accidents ensue, while those without cars clamor for other means of public transportation, leading to stampedes. Death, injury, and property damage result--except that there is no impending disaster, no suitcase nuke. Terrorists hacked the government computer system and sent credible, fake messages, which the local officials reasonably believed. The net result is that the terrorists could achieve injury, death, and destruction as well as a dramatic erosion in the public's confidence in the government's ability to ensure their security without having to deploy an actual weapon. (67)
In these and other computer-as-weapon-of-mass-distraction scenarios, computer technology is used primarily for psychological manipulation. The first scenario is a "true" computer-as-weapon-of-mass-distraction scenario; the second scenario tends to blend weapon of mass distraction with hypothesized weapon of mass disruption effects. The point, though, is that neither scenario involves the actual use of real-world weapons; the computer is the only implement the terrorists employ.
3. Weapon of Mass Disruption
When terrorists use computer technology as a weapon of mass disruption, their goal is to undermine a civilian populace's faith in the stability and reliability of essential infrastructure components such as mass transit, power supplies, communications, financial institutions, and health care services. (68) Although the weapon of mass disruption and weapon of mass distraction alternatives both target civilians' faith in essential aspects of their society, they differ in how computer technology is used to corrode civilian confidence in societal infrastructure and services.
As we saw in the previous section, terrorists launch a psychological attack when they use computer technology as a weapon of mass distraction; the goal is to undermine civilians' confidence in one or more of the systems they rely on for essential goods or services. The cyberterrorists accomplish this by making citizens believe a system has been compromised and is no longer functioning effectively. The terrorists do not actually impair the functioning of the system. Their goal is to inflict psychological, not systemic, damage.
However, when computer technology is used as a weapon of mass disruption, terrorists' goal is the infliction of systemic damage on one or more target systems. This version of cyberterrorism is closer to the scenarios that sometimes appear in the popular media in which cyberterrorists shut down an electrical grid or the systems supplying natural gas or petroleum to a particular populace. (69)
Like the weapon of mass distraction alternative, this scenario is a conceptual yet realistic possibility. Here, terrorists utilize computer technology in a fashion that is analogous to, but less devastating than, their utilization of real-world weapons of mass destruction. Their goal is not to inflict the catastrophic carnage and destruction we saw on 9/11. (70) Rather, it is more insidious: to demoralize a civilian populace by making civilians question the government's ability to keep things working. In other words, terrorists seek to undermine citizens' faith in their government's ability to maintain the essential fabric of their lives by ensuring that the systems on which they rely function as they are intended to.
As many have noted, our increasingly urbanized, increasingly technologized lifestyle makes us more vulnerable to this type of terrorism than traditional, rural societies:
The key to unlocking the disruptive potential of cities ... is to attack key points ... within target infrastructure ... to force a change in the city's dynamic. Infrastructure attacks, particularly on power/fuel/water, negate the ability of the government to deliver political goods.... This halts economic activity and ... damages the ability of the government to deliver political goods, which are the key to legitimacy. (71)
In this excerpt, the author is assuming attacks of a more drastic character, such as those inflicted in war. (72) He cites contemporary Baghdad as an example of how cities can
be engineered to radiate instability.... This is accomplished through acts that leverage three attributes of modern cities. These include:
* Extreme mobility and interconnectedness (for example, high rates of automobile and cell phone ownership).
* Complete reliance on high volume infrastructure networks.
* Complex and heterogeneous social networks that are held together under pressure. (73)
The same effect can be achieved, less dramatically, with cyberterrorist attacks that disrupt the functioning of infrastructure components. A recent exercise conducted by the U.S. Secret Service and Department of Homeland Security demonstrates this. In February 2006, more than three hundred participants from the American public and private sectors and from four other countries conducted a simulated cyberterrorism assault, called Cyber Storm, on U.S. government agencies and businesses. (74) The attacks were meant to disrupt "critical infrastructure, ... leading to cascading effects" within the participating countries' "economic, societal, and governmental structures." (75) The exercise revealed problems in coordination between the public and private sectors and between different agencies within the public sector. It also showed that talented, determined attackers can inflict serious damage on components of the United States' infrastructure. (76)
The Cyber Storm attacks were launched by a loosely knit coalition of domestic terrorists and opportunistic attackers, including a "cyber saboteur," a disgruntled airport employee, and German hackers. (77) Among other things, the disparate attackers crashed the FAA computer control system, caused electrical power and Internet outages, shut off the heat in government buildings, compromised medical data, posted a false Amber alert, altered one "No Fly" list and posted another one online, shut down commuter trains, and altered account balances in financial institutions. (78)
Cyber Storm was intended to test how collaborating government agencies and private sector representatives would respond to cyberattacks. (79) The exercise demonstrated that these cyberattacks can be launched with a fair degree of efficacy. (80) The Cyber Storm report noted that while the "good guy" players were "generally effective in addressing single threats/attacks,.... [p]layers were challenged when attempting to develop an integrated situational awareness picture and cohesive impact assessment across sectors and attack vectors." (81) It also noted that improved "processes, tools and technology" would "enhance the quality, speed and coordination of response," particularly for "cascading attacks or consequences." (82) The Cyber Storm report at least implicitly indicates that improvements are needed in interagency (and inter-sector) coordination, contingency planning, risk assessment, and definition of "roles and responsibilities across the entire cyber incident response community." (83)
The effects of the Cyber Storm attacks were localized and somewhat limited because the goal of the exercise was to test responses, not to explore how cyberattacks can demoralize civilians. (84) Still, shutting down FAA systems, commuter trains, electrical power, Internet access, and heat would unnerve the victim populace. Arguably, one of the most effective ways to mount a weapon of mass disruption attack would be to structure outages or other interferences of essential services in a way that dramatically demonstrates that these systems are now under the control of some anonymous, hostile agency.
One way to do this would be to launch sequenced, synchronized attacks shutting down ATMs and other financial systems in carefully selected U.S. cities. (85) They should be minor cities, perhaps Des Moines, Ithaca, Tulsa, Lexington, Eugene, and Fresno. The reason for this is that we are more likely to expect terrorist attacks on major cities. The bombing of the Oklahoma City federal building was especially horrific because until then, we had not expected catastrophes in the Heartland. Many still do not.
As the financial system attacks progressed from city to city, it would become increasingly apparent they were neither random, nor the product of software bugs, nor otherwise explainable, but were instead the product of terrorist activity. While attacks such as these would not inflict the sheer horror of the 9/11 attacks, they could further terrorist goals by creating a climate of insecurity and anger at the government, something analogous to what we saw with the Hurricane Katrina fiasco. The negative effects could be magnified if the attacks were sporadically repeated in other cities or if they were coupled with similar attacks on other non-financial systems, such as electrical power, telephone communication, or air traffic control. (86)
Another kind of attack might target health care systems. We have already seen an inadvertent example of this. In 2005, a botnet, a network of compromised computers, (87) controlled by Christopher Maxwell attacked a Seattle hospital. (88) The botnet shut down computers in the Intensive Care Unit and caused operating room doors and doctors' pagers not to function. (89) Maxwell did not intend for his botnet to attack Seattle's Northwest Hospital or any other hospital; rather, he was using it to earn commissions for surreptitiously installing adware on users' computers. (90) The attack, if such it was, occurred because the botnet was searching for computers to add to its system; in so doing, it overloaded the hospital's computer systems and shut down various functions. (91) Because the attack was inadvertent, its effects were not as serious as they would have been had there been a sustained attack. Hospital staff was therefore able to improvise solutions that prevented patients from being harmed and ensured uninterrupted quality patient care. (92)
As the Seattle episode illustrates, weapon of mass disruption attacks can cause personal injury or even death (along with property damage). (93) They can also be, but are not necessarily, blended attacks, which combine the infliction of real harms with psychological manipulation. (94)
4. Cyberterrorism as Crime
Having analyzed how terrorists can use computer technology to advance their primary goals of demoralizing civilians and destabilizing governments, we can now consider why, by logical extension, it is fair to define terrorism as a crime rather than as war. Terrorism is defined and prosecuted as a crime in the U.S. and elsewhere. (95) A federal statute makes terrorism a federal crime in the United States. (96) Other countries criminalize terrorism, and both the United Nations and the European Union have defined terrorism in a criminal context. (97)
The practice of treating terrorism as crime no doubt evolved for two reasons. First, terrorists historically tended to be home-grown; they might, like the first-century Zealots or eleventh-century Hashshashin, target foreigners in their own country, but they were still a local, domestic threat. (98) Second, their efforts generally target a society's ability to maintain order in the face of internal threats, and the activities in which they engage are functionally indistinguishable from many crimes. (99) Real-world terrorists kill, injure, and kidnap people and destroy property. The activity is the same as that conducted by criminals--only the motivation differs.
It seems reasonable to continue this approach of treating cyberterrorists as criminals, even though cyberterrorism, unlike most traditional, real-world terrorism, can be committed remotely. (100) For example, in the Cyber Storm exercise, three hackers operating from Germany contributed to the disruption of services in the United States. (101) One might argue that this remote commission capacity warrants treating cyberterrorism differently--approaching it as an external, rather than an internal, threat to social order. To do that, we would have to define "remote" cyberterrorism as something other than crime. (102) Alternatively, we could expand our definition of crime to encompass at least one type of external threat. (103)
As I noted earlier, cybercrime can also be committed remotely. This has certain consequences for how we approach the investigation and apprehension of those who commit cybercrime, (104) but for "mere" cybercrime, the capacity to act remotely is clearly irrelevant to the inherent nature of the phenomenon itself. Theft is theft, fraud is fraud, and extortion is extortion, regardless of whether they are committed by the victim's next-door neighbor or by someone halfway around the world. The same is true for the other categories of harm-infliction we define as crime. As long as the remote (or local) perpetrator acts out of personal motives, the dynamic is that of crime--the victimization of one individual by another. (105) Therefore, instead of focusing on means (how harm is inflicted), we focus on the harm itself, because it is the infliction of these types of harm (criminal harms) that threatens internal order. (106)
The same should be true for terrorism. Insofar as terrorist acts are designed to undermine a society's ability to maintain internal order, they are indistinguishable from, and should be treated as, crime regardless of whether they are perpetrated locally or remotely.
Before we conclude this discussion, I need to make one caveat: the approach I outline above is satisfactory when the only factor differentiating crime or terrorism from cybercrime or cyberterrorism is local versus remote commission. As the next section explains, however, the analysis becomes more complex when crimes or terrorist acts are carried out in Nation-State A by individuals who are acting as agents of Nation-State B.
C. CYBERWARFARE
[T]he intruders retained an ability to keep coming back into our systems, even ... as our cyber warriors tried ... to block ... them. ... (107)
In the fall of 2006, the U.S. Air Force adopted a new mission statement in which it pledged to "fight in Air, Space, and Cyberspace." (108) The new statement recognizes what has been apparent for some time: warfare can and will migrate into cyberspace. (109)
Cyberwarfare is the conduct of military operations by virtual means. (110) It consists of nation-states' using cyberspace to achieve the same ends that they pursue through the use of conventional military force: achieving advantages over a competing nation-state or preventing a competing nation-state from achieving advantages over them. (111)
This is already happening, according to some accounts. There are reports that the People's Republic of China is launching cyberattacks that are intended to cripple Taiwan's infrastructure and paralyze that island nation's government and economy. (112) The attacks allegedly target Taiwan's public utility, communications, transportation, and operational security networks. (113)
As noted above, the distinguishing characteristic of war is that it is a struggle between nation-states; (114) war--like all human activity--is carried out by individuals, but here individuals act on behalf of a particular nation-state. (115) Like terrorism, warfare tends to result in the destruction of property (often on a massive scale) and in the injury and deaths of individuals (also often on a massive scale). (116) Unlike terrorism, war is limited, at least in theory, to clashes between the aggregations of individuals (armies), who respectively act for the warring nation-states. (117) Injuring and killing civilians occurs, but like most property damage and destruction, it is a collateral event. (118) The primary focus of war in general and of particular wars is to "triumph" over the adversarial nation-state(s), whatever that means in a given context. (119)
In the real world, there can be ambiguity as to whether an event is a crime or an act of terrorism, (120) but war is always unambiguous. (121) When Japan bombed Pearl Harbor in 1941, (122) it was clearly an act of war; the same was true when Hitler invaded Poland in 1939 and has been true throughout recorded history. (123)
War is unambiguous in the real world because it is unique; only nation-states can summon the resources needed to launch a physical land, sea, or air attack on another nation-state. The clarity of war is further enhanced by the fact that those who conduct an attack wear uniform clothing and insignia that identify them as members of a particular nation-state's armed forces. (124) And, of course, real-world warfare involves the violation of territorial boundaries. Nation-states are defined by the territory they control; (125) acts of war have, as a result, historically involved breaching the integrity of the victim state's borders. (126) This, after all, is why war is a nation-state's response to an external threat--though not the only possible response. The threat to social order comes not from "insiders" who are at least ostensibly legitimately within the state's territorial boundaries but from another nation-state--a necessary externality. (127)
The threat dichotomy (internal versus external threat, crime and terrorism versus war) we reviewed earlier is consequently a stable, reliable way of parsing real-world attacks. We may be somewhat uncertain as to whether a particular event is crime or terrorism, but that is ultimately of little moment because we use the same approach for both, since both threaten internal order. And the monopolization of territory and military force by nation-states means that in the real world, we will never be uncertain as to whether we are confronted with a threat to internal order (crime/terrorism) or a threat to our nation-state's ability to maintain external order (war). (128) In the real world, only nation-states wage war. (129)
As the scenario we began with implicitly illustrates, this threat dichotomy breaks down when attacks are vectored through the virtual world. By giving non-state actors access to a new, diffuse kind of power, (130) cyberspace ends nation-states' monopolization of the ability to wage war and effectively levels the playing field between all actors. (131) In the twenty-first century, states generate crime and terrorism as well as war, and individuals wage war in addition to committing crimes and carrying out acts of terrorism. I examine these issues next.
III. IDENTIFYING CYBERCRIME, CYBERTERRORISM, AND CYBERWARFARE: ATTRIBUTION
For our purposes, attribution encompasses two issues: (132) who carried out an attack, and what kind of an attack it was. The first issue goes to assigning responsibility for committing an attack. The second goes to assigning responsibility for responding to an attack. We will call the first "attacker-attribution" and the second "attack-attribution." The sections below examine how we currently approach both. Section IV then considers how we can improve our approach to what is becoming the most problematic aspect of attribution: attack response.
A. ATTACKER-ATTRIBUTION
The task of identifying those who are responsible for an attack has been, and will remain, a constant. As we will see, identification of the attacker can play an integral role in ascertaining the nature of an attack; and ascertaining the nature of an attack is usually the first step in formulating a response to an attack, of whatever type.
We will divide our consideration of attacker-attribution into two stages. First, we review how attacker-attribution is currently approached for real-world attacks. Second, we will consider how attacker-attribution becomes problematic as attacks migrate online, in whole or in part.
1. Real-world Attribution
Attacker-attribution has historically been less problematic for war than for crime or terrorism. (133) The laws of war require states launching an attack on another state to identify themselves, though this convention is apparently honored more in the breach than in its realization. (134) Even if that is true, it is generally not difficult to identify the state responsible for an act of war in the real world. The initial attack may be a surprise, as with Pearl Harbor, but attributing the attack to a specific state tends to be a relatively simple process. Military attackers wear distinctive, uniform clothing and use equipment with insignia or characteristics indicating their national affiliation. The language the attackers use is another indicator of their country of origin, as are the circumstances of the attack itself. (135) The location from which an attack is launched can be another clue: if Nation-State A is under attack by missiles being launched from Nation-State B, Nation-State A's decision-makers can reliably infer that either Nation-State B, or another nation with which Nation-State B is affiliated (Nation-State C, say), is responsible for the attack. (136)
Identifying those responsible for a crime is usually much more difficult. Criminals have a strong incentive to avoid identification because it is generally the first step to being apprehended, tried, convicted, and sanctioned for their misdeeds. (137) With rare exceptions, (138) criminals do not intentionally identify themselves as the architects of their crimes (though they may do so indirectly by using a nom de crime, such as "the Zodiac Killer"). (139) Since crime control is essential for the maintenance of internal order, nation-states have developed a standardized, generally effective approach for identifying those who commit crimes in their territory. (140)
This criminal investigation approach assumes activity in the real-world because, until recently, physical reality was the only arena of crime commission. (141) The approach therefore focuses on finding attribution evidence at a physical crime scene by locating witnesses who saw the perpetrator and can describe and hopefully identify him, and physical evidence...