In 2008, the U.S. Department of Defense (DOD) suffered the most comprehensive and destructive security breach of military computers in recent history.[] It began with a virus that was uploaded to a computer at a Mid
dle East military base and quickly spread throughout the network of the U.S. Central Command, amounting to what security officials described as a “digital beachhead” from which data could be sent to foreign servers.[] While the security community has responded to this wake-up call by significantly investing in new technology and creating a U.S. Cyber Command[], many areas of national security policy still need to be upgraded to the digital age. One of the most obvious areas is the definition of terrorism which as it stands does not include cyber-attacks against the U.S. and its interests.
Cyber-attacks can cause massive damage, akin to that of traditional terrorist acts. Besides the usual examples of cyber-espionage against the security community, cyber-attack can cripple power grids, transportation systems and financial networks. Not only does such an attack cause massive damage to the infrastructure, but it can cause civilian causalities as well as disrupt military operations that rely on the infrastructure.[] When perpetrated by national governments, such attacks are often interpreted as acts of aggression. In the brief yet destructive 2008 war between Georgia and Russia, it is widely believed Russia executed a systematic cyber-attack against the Georgian government as it was simultaneously amounting a physical invasion.[] More recent headlines have reported that the Iranian government was attacked with a destructive computer virus called Stuxnet, causing massive damage to its nuclear program initiative, with most analysts pointing at Israel.[]
The U.S. has taken into account the development of cyber-warfare as a means for waging war. In his confirmation hearings for the Secretary of Defense, Leon Panetta has stated his belief that the next Pearl Harbor may well come in the form of a cyber-attack.[] Last year, the DOD has begun to put into motion methods to consider cyber-attacks as acts of war, officially opening the doors for the military to respond with force.[] There is no doubt that the defense community has begun to shift policy to address cyber-attacks by foreign nations, but cyber-attacks executed on behalf of terrorist groups has still not been explicitly addressed.
There are inherent difficulties in identifying and responding to cyber-attacks. The actual forensic work needed to identify the source of an attack is extremely time consuming, and may not even be possible under some circumstances.[]
Additionally, if the attack is executed by a non-state actor, such as a terrorist group or organized crime, there may not be any assets for the government to respond to in kind.[] Finally, it is difficult to constitute what an “attack” is as opposed to “espionage”, the more common form of cyber-intrusion.[] Even the DOD, who has begun to recognize cyber-attacks as acts of war, has trouble identifying what constitutes an attack in terms of the proper response.[]
The very nature of the cyber underworld, combined with the complexities explained above, creates fertile ground for serious acts of terrorism. There already exists a developed market for “cybercrime services”, complete with standardized prices for cyber-attacks.[] Furthermore, cyber-attacks are considered ridiculously cheap to deploy, with some sources citing costs of about 4 cents per machine.[] Given the limited technical and financial resources required, the availability of a developed black market for cyber-services, and the lack of hesitation on the part of attackers due to the difficulty of detection and attribution, terrorists have the ultimate incentive to amount a cyber-attack.
As it currently stands, the definition of a terrorist act does not explicitly include cyber-attacks, while identifying other specific actions such as kidnapping and assassination.[] Of course if a terrorist group was found executing an attack on the computer networks of the U.S. government or its interests, they would most likely be able to be prosecuted under existing law as acts of terrorism. However, when considering the characteristics of a cyber-attack, there is no clear place where it would fit in the definition. For example, cyber-attacks don’t necessarily endanger human life and their highly complex forms may not violate domestic criminal codes outright. In addition, with the difficulty of tracing the source of cyber-attacks comes the difficulty of distinguishing an attack as a form of domestic or international terrorism.
The lack of clarity signals the government’s unfamiliarity, and by extension its lack of preparation, for the threat of cyber-terrorism. To send a clear message, both to policy makers and potential terrorists, that the U.S. defense community is preparing for future forms of conflict, cyber-attacks should be explicitly addressed in statute and definition. Just as the DOD is signaling its preparation for cyberspace as a zone of operations by revising the definition acts of war, the national security community should similarly communicate to the world its intention to battle cyber-terrorism.
[] William J. Lynn, Defending a New Domain, Foreign Affairs, Sept. 2010, at
97.
[] Id.
[] Id. at 98.
[] Id. at 100.
[] John Markoff, Before the Gunfire, Cyberattacks, The New York Times (Aug. 12, 2008), http://www.nytimes.com/2008/08/13/technology/13cyber.html.
[] Ronen Bergman, Will Israel Attack Iran?, The New York Times (Jan. 25, 2005). http://www.nytimes.com/2012/01/29/magazine/will-israel-attack-iran.html?_r=2&hp.
[] Hearing to Consider the Nomination of Hon. Leon E. Panetta to be Secretary of Defense, 112th Cong. (2011)(statement by Leon Panetta about need to prepare cyber-security capabilities).
[] Siobhan Gorman & Julian E. Barnes, Cyber Combat: Act of War, The Wall Street Journal, (May 30, 2011, 10:30 PM), http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html
[] Supra note 1 at 99.
[] Id.
[] Id.
[] Supra note 8.
[]William J. Lynn, The Pentagon’s Cyberstrategy, One Year Later, Foreign Affairs (Sept. 28, 2011) http://www.foreignaffairs.com/articles/68305/william-j-lynn-iii/the-pentagons-cyberstrategy-one-year-later?page=show.
[] Supra note 5.
[] 18 U.S.C. § 2331 (2001).
Comments