Cyberterrorism And Cyberattack

In the wake of recent computer attacks, many have jumped to the conclusion that a new breed of terrorism is on the rise and our country must protect itself in every possible way. As a society, we have extensive operational and legal experience and proven techniques to fight terrorism, but are we prepared to fight terrorism in a new arena—cyberspace? Strategic planning of a war campaign involves characterization of the enemy’s goals, operational techniques, resources and agents. Before taking offensive action on the legislative and operational front, the enemy has to be precisely defined. That is, it is imperative to expand the definition of terrorism to include cyberterrorism.

Cyberterrorism is “any premeditated, politically motivated attack against information, computer systems, computer programs and data resulting in violence against non-combatant targets by sub-national groups or clandestine agents.” Although the issue of cyberterrorism has attracted enormous attention from cybercriminologists, cyber law experts and social science researchers, very little research has been conducted to analyze the legal issues associated with cyberterrorism in India. Globally, the issue of cyber terrorism has been analysed from four main angles, namely the missions involved in cyber terrorism, the methods adopted to achieve the ultimate objective of cyber terrorism, the consequences of cyber terrorism and the role of laws in combating cyber terrorism.

Most of the research has shown that the use of cyberspace by terrorist organisations has three objectives, namely to spread threat, to obtain maximum information about the targeted government and government assets in case of damage to property and civil society, and to ‘recruit’ new forces. Some researchers have established that cyber terrorism involves two main types of activities, namely cyber crime and misuse of information technology, and hence it would be wrong to assume that cyber terrorism is a new type of cyber crime. It may be worth noting that the types of cyber crimes involved in cyber terrorism may vary from identity theft to denial of service attack.

Cybercrime is a crime that is enabled by computers, or that targets computers. Some argue that there is no universally accepted definition for “cybercrime”, as “cyberspace” is simply a new specialized tool used to help commit crimes that are not new at all. Cybercrime can include the theft of intellectual property, violating patents, trade secrets, or copyright laws. However, cybercrime can also include attacks on computers to intentionally disrupt processing, or espionage to make unauthorized copies of classified data. If a terrorist group conducts a cyberattack to cause harm, such an act also fits the definition of cybercrime. The primary difference between a cyberattack to commit a crime or to spread terror is found in the attacker’s intent, and it is possible for actions under both labels to overlap.

Cyberterrorism can be defined in various ways, such as it can be politically motivated hacking operations aimed at causing serious harm such as loss of life or serious economic damage, or it can be unlawful attacks and threats of attack against computers, networks and the information stored in them, carried out to intimidate or coerce a government or its people in order to pursue political or social objectives. It can be a physical attack that destroys computerized nodes for critical infrastructure such as the Internet, telecommunications or the electric power grid without touching a keyboard. Some experts believe that no evidence has been found of an actual cyberterrorist attack as defined above. Despite the horrific acts of terrorism that have occurred in the last few decades, it appears that none of them fit the prevailing definition of politically motivated computer intrusions causing loss of life or serious economic damage. Computers have become a capable tool, another type of weapon if you will, of what we might call information warfare or cybercrime. Regardless of our working definition—cyberterrorism or cybercrime—the potential for causing economic damage is very high.

Evolution of Cyber Terrorism

Terrorism is constantly changing. While on the surface it remains “the systematic use of unlawful violence or the threat of unlawful violence to instill fear”…it is rapidly becoming the principal strategic tool of our adversaries. As terrorism evolves into the dominant irregular warfare strategy of the 21st century, it is adapting to changes in the global socio-political environment. Some of these changes facilitate terrorists’ abilities to operate, obtain funds and develop new capabilities. Other changes are gradually moving terrorism into a different relationship with the world at large. Cyber terrorism can be traced back to the attack on Germany’s communications system and logistical support in June 1944. This was followed by the World War II era, the collapse of the Soviet Union from 1945 to 1991 and the “Cold War”.

In the 1960s the USA Department of Defense introduced the Internet and computer networks and then developed protocols and the ICANN system to regulate cyberspace. By that time hackers had taken their shape in the information super highway in the 1960s to 1980s. In 1988 Osama Bin Laden founded “Al-Qaeda” on the basis of “Jihad”. In 1988, West German hackers accessed the systems of the United States Department of Defense. After this, the “Gulf War” was the first information war or I-war through the information highway or I-way. The United States passed the Nation Infrastructure Protection Act, 1990 to control cyber terrorism. I-way became popular in Europe in the year 1998. The United Kingdom (UK) established the Defense Evaluation and Research Agency in the year 1998. Then, Sweden, Norway Finland, Switzerland, Germany, France came forward to fight the cyber war. By 1990, the Internet became popular through the World Wide Web (www). www became very popular in India in 1995, before that the work of LTTE groups was dependent on websites and the Internet.

Methods of Cyber Terrorism

1.Attack on National Security: The clear and present danger of cyber threats to our critical infrastructure like the national power grid can no longer be ignored. Fortunately, the government has recently started drawing attention to cyber risks in the form of a presidential executive order, re-enactment of the cybersecurity law, and some long-delayed but sincere declarations about the ongoing attacks by China and other nation-states. It is now time to move from rhetoric to action.

National security depends on privacy, secret information, etc. and when terrorists attack them, they destroy, delete or modify that information or intend to do so and all these are considered terrorist attacks or cyber terrorism.

2. Cyber terrorism is a precursor to war: In the contemporary era of communication, convergence and new technology, one nation causes terrorist violence against another nation or nations by using or targeting new technology. This is called net war or warfare. For example net war between India–Pakistan, Israel–Pakistan, etc.

3. International Cyber Terrorist Attack: The latest front is the war against cyber terrorism. The Internet and its connected networks are under attack from many sectors including hackers, disgruntled employees, financial fraudsters, cyber criminals, and now state-sponsored cyber terrorists. When international terrorist groups communicate with each other through the Internet and its networks to attack a nation it is called an international cyber terrorist attack.

4. Networks to send terrorist messages: Cyber criminals began to use new technology to develop their own websites, and began to use networks to send terrorist messages and communicate within or between groups.

5. Digital Signature System: A digital code was created that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the person sending the message is actually who he or she claims to be. Digital signatures are particularly important for electronic commerce and are a key component of most authentication schemes. To be effective, digital signatures must be unforgeable. There are many different encryption techniques to guarantee this level of security. They use e-mail, SMS, encryption programs and digital signature systems to communicate with themselves while maintaining the confidentiality of their activities.

6. Flowing worm: Flowing “worms”, viruses, Trojan horses that destroy government and public interest sites, networks and computers are also a method of cyber terrorism.

7. Cyber Theft: Cybercrime is a criminal activity carried out using computers and the Internet. It includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary crimes, such as creating and distributing viruses on other computers or posting confidential business information on the Internet. Not only this, unauthorized access, hacking/tampering with source codes, cyber theft, etc. that cause unexpected fear are also methods of cyber terrorism. This list is not exhaustive but is growing very rapidly.

SCADA Weaknesses

Supervisory control and data acquisition (SCADA) systems are computers that monitor and regulate the operations of most critical infrastructure industries (such as companies managing power grids). These SCADA computers automatically monitor and adjust switching, manufacturing, and other process control activities based on digitized feedback data collected by sensors. These control systems are often installed in remote locations, are often unmanned, and are only accessed periodically by engineers or technical staff via telecommunications links. However, for greater efficiency, these communication links are increasingly connected to corporate administrative local area networks or directly to the Internet. Some experts believe that the importance of SCADA systems for controlling critical infrastructure may make them an attractive target for terrorists. Many SCADA systems now also operate using commercial-off-the-shelf (COTS) software, which some observers believe is inadequately protected against cyberattacks. It is believed that these SCADA systems continue to be vulnerable to cyberattacks because many organizations that operate them have not paid adequate attention to the specific computer security requirements of these systems.

The following example may be helpful in illustrating the potential vulnerability of control systems and highlighting the cybersecurity issues that may arise for infrastructure computers when SCADA controls are interconnected with office networks. In August 2003, the “Slammer” Internet computer worm was able to corrupt the computer control systems at the Davis-Besse nuclear power plant located in Ohio for five hours (fortunately, the power plant was shut down and off-line when the cyber attack occurred). The computer worm was able to successfully enter the systems in the DavisBesse power plant control room because it found many connections to the Internet in the business network of its corporate offices, which bypassed the control room firewall.

However, other observers suggest that SCADA systems and critical infrastructure are more robust and resilient than early theorists of cyberterrorism suggested, and that this infrastructure would rapidly recover from a cyberterrorism attack. For example, they point out that water system failures, power outages, air traffic disruptions, and other scenarios such as potential cyberterrorism often occur as routine events, and rarely affect national security, even marginally. System failures caused by storms regularly occur at the regional level, where customers can often be denied service for hours or days. Technical experts who understand the system will work to restore functions as quickly as possible. Cyberterrorists would need to gradually create panic, attack many targets simultaneously over a long period of time to achieve strategic goals or have any notable impact on national security.

An important area that is not fully understood relates to the unpredictable interactions between the computer systems that operate various U.S. infrastructures. The concern is that multiple interdependencies (where downstream systems may rely on receiving good data through stable links with upstream computers) could potentially create a chain of effects that could have unexpected effects on national security. For example, when the “Blaster” worm disrupted Internet computers for several days in August 2003, some security experts suggest that slow communication links caused by Blaster worm network congestion may have contributed to power outages in the eastern United States that occurred simultaneously on August 14. The computer worm may have degraded the performance of many communication links between data centers that are typically used to send warnings to other utility managers downstream on the power grid.

1. The Department of Defense Uses Commercial-Off-the-Shelf: The Department of Defense uses commercial-off-the-shelf (COTS) hardware and software products in key information technology administrative functions, and in combat systems across all services, for example, in integrated combat systems for nuclear aircraft carriers. The DOD supports the use of COTS products to take advantage of technological innovation, product flexibility and standardization, and resulting contract cost-effectiveness. Still, Defense Department officials and others have said that COTS products lack security, and that strengthening the security of those products to meet military requirements can be very difficult and costly for most COTS vendors. To improve security, the Department of Defense’s information assurance practices require deploying multiple layers of additional protective measures around COTS military systems to make them more difficult for enemy cyber attackers to penetrate.

2. Expert security: However, on two separate occasions in 2004, viruses reportedly infiltrated two top-secret computer systems at the Army Space and Missile Defense Command. It is unclear how the viruses entered the military systems, or what their effects were. In addition, contrary to security policy requirements, the computers reportedly compromised lacked basic anti-virus software protection. Security experts have said that no matter how much security is put into computers, hackers always create new ways to defeat those protective measures.

Success of cyber attacks

Networked computers with exposed vulnerabilities can be disrupted or taken over by hackers or automated malicious code. Botnets opportunistically scan the Internet to find and infect computer systems that are poorly configured, or that lack current software security patches. Compromised computers are then taken to task for being enslaved in “botnets,” which can consist of thousands of compromised computers that are controlled remotely to collect sensitive information from each victim’s PC, or to attack en masse as a swarm against other target computers. Even computers that have updated software and the latest security patches can be vulnerable to a type of cyberattack known as a “zero-day exploit.” This can happen when a computer hacker discovers a new software vulnerability and launches a malicious attack to infect computers before the software vendor has created a security patch and distributed it to protect users. Zero-day vulnerabilities in increasingly complex software are routinely discovered by computer hackers. Recent news articles report that zero-day vulnerabilities are now available in online auctions, where buyers and sellers negotiate timed bidding periods and minimum starting prices. This allows newly-discovered computer security vulnerabilities to be quickly sold to the highest bidder. Computer security expert Terry Forslof of Tipping Point has reportedly said that such practices will “increase the perceived value of vulnerabilities, and the good guys will have trouble competing with the money they already get from the black market.”

1. Insider threat: An insider threat is a malicious hacker (also called a cracker or black hat) who is an employee or official of a business, institution, or agency. The term may also apply to an outsider who impersonates an employee or official by obtaining false credentials. The cracker gains access to the enterprise’s computer system or network, and then conducts activities intended to harm the enterprise. A major threat to organizations is that data can now be easily copied and moved outside using a variety of portable storage devices such as small flash drives. New highdensity memory stick technology reportedly allows installed computer applications to be run entirely from flash drives. This means that the entire contents of a PC can potentially be copied and stored on a small, easily portable and easily concealed media device. Employees with access to sensitive information systems may introduce threats in the form of malicious code inserted into software being developed locally or under offshore contract arrangements. For example, in January 2003, 20 employees of subcontractors employed by Sikorsky Aircraft Corporation in the United States were arrested for possessing false identification papers to gain security access to facilities containing restricted and sensitive military technology. All the defendants have pleaded guilty and have been sentenced, except for one man who was convicted at trial on 19 April 2004.

2. Persistence of computer system vulnerabilities: Vulnerabilities in software and computer system configurations provide entry points for cyberattacks. Vulnerabilities persist largely as a result of poor security practices and procedures; inadequate resources devoted to staff in the security function may also contribute to poor security practices. Home PC users often have little or no training in the best ways to effectively secure home networks and devices.

3. Defects in new software products: Determining liability for the consequences of defective software is a very difficult matter for the law. Software has many functions and applications and is often dependent on the operation of other technology to perform its function correctly and efficiently. What steps can the legislature take in introducing product liability legislation for software is to ensure that the legal terminology accurately defines the technical situation, so that software can be correctly classified and liability attached accordingly. Vendors of commercial-off-the-shelf software (COTS) are often criticized for releasing new products that contain errors, creating vulnerabilities in computer systems. Richard Clarke, a former White House cybersecurity adviser until 2003, has reportedly stated that many commercial software products contain poorly written or poorly configured security features. In response to such criticism, the software industry has reportedly made new efforts to design products with more secure architectures. For example, Microsoft has created a dedicated security response center and is now working closely with the Department of Defense and industry and government leaders to improve security features in its new products. However, many software industry representatives reportedly agree that no matter what investments are made to improve software security, vulnerabilities will remain in future software, as products continue to become more complex.

4. Inadequate resources: If the problem does not involve management control, it is probably related to resources. Although senior management may agree that the TSP benefits are attractive, they may not have given your manager the resources to implement it. In fact, they may have told your middle manager that, because the TSP will save time and money, he should limit the cost and schedule impact within the current plan. Although some managers may have enough flexibility to do this, very few do. Usually, the only way to deal with this problem is to persuade middle managers to either request additional resources from senior management or to defer some other commitments. Although the TSP is an attractive investment, its benefits do not accrue immediately. The investment must be made at the beginning of each project, but the cost and schedule benefits come at the end. Although software vendors periodically release fixes or upgrades to address newly discovered security issues, a critical software security patch may not be scheduled for installation on the organization’s computers until several weeks or months after the patch is available.

This task may be too time consuming, too complex, or too low a priority for system administration staff. As software complexity increases, more vulnerabilities emerge, so system maintenance never ends. Sometimes the security patch itself can disrupt computers when it is installed, forcing system administrators to take additional time to adjust the computer to accept the new patch. To avoid such disruption, a security patch may need to be tested on a separate isolated network before being distributed for installation on all other regularly networked computers. Because of such delays, computer security patches installed in many organizations may lag far behind the current cyber threat situation. Whenever delays are allowed to continue among private organizations, government agencies or PC users at home, widely reported computer vulnerabilities can remain unprotected, leaving networks open to potential attack for longer periods of time.

5. Estonia, 2007: Computer systems in Estonia—In the spring of 2007, government computer systems in Estonia came under sustained cyber attack, which various observers have labeled as cyberwarfare, or cyberterrorism, or cybercrime. On April 27, authorities in Estonia moved a Soviet-era war memorial commemorating an unknown Russian killed fighting the Nazis. The move stirred emotions and sparked riots by ethnic Russians and a blockade of the Estonian embassy in Moscow. The incident also marked the beginning of a series of large and sustained distributed denial-of-service (DDoS) attacks launched against several national websites in Estonia, including those of government ministries and the prime minister’s Reform Party. In the early days of the cyber attack, government websites, which normally receive about 1,000 visits per day, were reportedly receiving up to 2,000 visits every second. According to Estonian officials, this caused some websites to repeatedly go down for several hours or longer. These attacks flooded computers and servers and blocked legitimate users. These attacks were described as devastating because Estonia relies heavily on information technology but has limited resources to manage their infrastructure. Security experts say the cyber attacks against Estonia were unusual because the packet attack rate was very high, and the series of attacks lasted for weeks rather than hours or days, as is typically seen in a denial-of-service attack.

Eventually, NATO and the United States sent computer security experts to Estonia to help recover from the attacks, analyze the methods used, and trace the source of the attacks. The incident may serve to illustrate how computer network technology has blurred the boundaries between crime, war, and terrorism. A continuing problem during and after any cyber attack is to accurately identify the attacker, to determine whether it was sponsored by a state, or was the independent work of a few unconnected individuals, or was launched by a group to instill despair and fear by damaging computerized infrastructure and the economy. The uncertainty of not knowing the initiator also affects the decision of who should ultimately become the target of retaliation, and whether the response should come from law enforcement or the military.

Some other examples

Jeanson Ancheta, a 21-year-old hacker and member of a group called the “Botmaster Underground,” reportedly earned more than $100,000 from various Internet advertising companies who paid him to download specially designed malicious adware code onto more than 400,000 vulnerable PCs that he had secretly infected and taken over. He made thousands of dollars more by renting out his 400,000 unit “botnet swarm” to other companies who used them to send spam, viruses and other malicious code over the Internet. Ancheta was sentenced to five years in prison in 2006. When crackers in Romania illegally gained access to computers controlling life support systems at an Antarctica research station, the 58 scientists involved were endangered. However, the culprits were stopped before the damage was done. Most non-political acts of sabotage have caused financial and other damage, such as a case where a disgruntled employee released untreated sewage into water in Australia’s Maroochy Shire; computer viruses caused some non-essential systems in nuclear power plants to malfunction or shut down, but this is not believed to have been a deliberate attack. (Note: It is also argued that this is not really a case of cyberterrorism, but rather cybercrime, since cyberterrorism requires a political motive, not a primary focus on monetary gain.)

In October 2007 Ukrainian President Viktor Yushchenko’s website was attacked by hackers. A radical Russian nationalist youth group, the Eurasian Youth Movement, claimed responsibility. In 1999 hackers attacked NATO computers. The computers were flooded with emails and affected by denial of service (DoS). The hackers were protesting NATO bombings in Kosovo. Businesses, public organisations and educational institutions were bombarded with highly politicised emails containing the virus from other European countries.

Measuring Cybercrime

For example, according to a study conducted by the Cooperative Association for Internet Data Analysis (CAIDA) on January 25, 2003, the SQL Slammer worm (also known as “Sapphire”) spontaneously spread within 10 minutes of being released onto the Internet, infecting more than 90% of vulnerable computers worldwide, making it the fastest spreading computer worm in history. As the study notes, the Slammer worm doubled in size every 8.5 seconds and achieved its full scanning rate (55 million scans per second) after about 3 minutes. It caused significant network disruptions, causing numerous airline flight cancellations and automated teller machine (ATM) malfunctions. Each year, the Computer Security Institute (CSI), with assistance from the FBI, surveys thousands of security personnel from U.S. corporations, government agencies, financial institutions, and universities. The CSI/FBI Computer Crime and Security Survey, published annually, is probably the most widely used source of information about how often computer crimes occur and how costly these crimes can be. The 2006 survey showed that the average financial loss due to security breaches was $167,713, down 18% from the previous year’s average loss of $203,606.

However, some observers argue that the analysis reported in the CSI/FBI survey may be questionable, as the survey methodology is not statistically valid. This is because the survey is limited to CSI members only, making it unlikely that respondents are a representative sample of all security professionals, or that their employers are representative of employers in general. Additionally, the 2006 CSI/FBI survey shows that most companies are ignoring security incidents. Given the apparent absence of statistically valid survey results regarding the financial costs of computer crime, and the lack of clear data on the number and type of computer security incidents reported, it appears that there may currently be no valid way of understanding the true scope and intensity of cybercrime. The increasing use of botnets and sophisticated malicious code also suggests that both the percentage of unreported cybercrime, as well as the percentage that is unreported, may be increasing.

1. Problems in detecting cybercrime: The challenge of identifying the source of attacks is complicated by the reluctance of commercial enterprises to report attacks, due to potential liability concerns. CERT/CC estimates that 80% of all actual computer security incidents are still unreported. Law enforcement officials admit they are making little progress in tracing the profits and finances of cybercriminals. Online payment services such as PayPal and e-gold enable criminals to launder their profits and exploit loopholes in international law enforcement. Recently, Intermix Media was fined $7.5 million for distributing spyware that silently collects personal information from a user’s PC. However, some adware and spyware providers can reportedly still reap millions of dollars in profits per year. Many companies that distribute spyware are difficult to prosecute legally, as they usually also provide some legitimate services. In many cases, the money supporting cybercrime is so distributed that it is difficult for law enforcement agencies to trace it.

2. Better measurement of cybercrime trends: CERT/CC’s experiences show that statistical methods for measuring the volume and economic impacts of cyberattacks can be questionable. Without solid statistical methods for accurately reporting the scope and impacts of cybercrime, government and law enforcement authorities will continue to have unreliable measures of the effectiveness of their policies and enforcement actions. Data from many computer security reports now used to measure annual financial losses to U.S. industry due to intrusions and cybercrime are considered by some observers to be limited in scope or possibly contain statistical bias. Is there a need for more statistically reliable analysis of trends in computer security vulnerabilities and types of cyberattacks to more accurately show the costs and benefits of improving national cybersecurity? Congress may want to encourage security experts to find more effective ways of collecting data that would allow for accurate analysis of cyberattack and cybercrime trends. Congress may also want to encourage security researchers to find better ways to identify the initiators of cyber attacks.

Federal Efforts to Protect Computers

The federal government has taken steps to improve its computer security and encourage the private sector to adopt strong computer security policies and practices to reduce infrastructure vulnerabilities. In 2002, the Federal Information Security Management Act (FISMA) was enacted, giving the Office of Management and Budget (OMB) responsibility for coordinating information security standards and guidelines developed by federal agencies. In 2003, the National Strategy for Securing Cyberspace was published by the administration, aimed at encouraging the private sector to improve computer security for U.S. critical infrastructure through setting an example for best security practices by federal agencies. The National Cybersecurity Division (NCSD) within the National Security and Programs Directorate of the Department of Homeland Security (DHS) oversees cybersecurity tracking. The Center for Analysis and Response (CSTARC) is tasked with analyzing cyberspace threats and vulnerabilities, issuing alerts and warnings for cyber threats, improving information sharing, responding to major cybersecurity incidents, and assisting in recovery efforts at the national level. Additionally, a new Cyber Warning and Information Network (CWIN) has become operational in 50 locations, and serves as an early warning system for cyber attacks. CWIN is designed to be reliable and durable, with no dependency on the Internet or the Public Switched Network (PSN), and reportedly will not be affected if there is a disruption in the Internet or PSN.

In January 2004, NCSD also created the National Cyber Alert System (NCAS), a coordinated national cybersecurity system that distributes information to subscribers to help identify, analyze, and prioritize emerging vulnerabilities and cyber threats. NCAS is managed by the United States Computer Emergency Readiness Team (US-CERT), a partnership between NCSD and the private sector, and customers can sign up to receive notices from this new service by visiting the US-CERT website.

1. International Convention on Cybercrime: Cybercrime is also a major international challenge, although the approach to criminalizing computer-related wrongdoing still varies across countries. However, the Convention on Cybercrime was adopted in 2001 by the Council of Europe, a consultative assembly of 43 countries based in Strasbourg. The Convention, which came into force in July 2004, is the first and only international treaty to deal with law violations “on the Internet or other information networks”. The Convention requires participating countries to update and harmonize their criminal laws against hacking, copyright infringement, computer-facilitated fraud, child pornography and other illegal cyber activities. Although the United States has signed and ratified the Convention, it has not signed a separate protocol that includes provisions to criminalize xenophobia and racism on the Internet, which would raise constitutional issues in the United States. The separate protocol could be interpreted as requiring nations to imprison anyone convicted of publicly insulting certain groups of people based on characteristics such as race or ethnic origin through a computer system, a requirement that could make it a crime to e-mail jokes about ethnic groups or to question whether genocide occurred.

The Justice Department has stated that it would be unconstitutional for the United States to sign that additional protocol because of the First Amendment’s guarantee of freedom of speech. The Electronic Privacy Information Center objected to U.S. ratification of the convention in a June 2004 letter to the Foreign Relations Committee because it would “create invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards.” On August 3, 2006, the U.S. Senate passed a resolution ratifying the convention. The United States will comply with the convention based on existing U.S. federal law; no new implementing legislation is expected to be required. Legal analysts say U.S. negotiators were successful in eliminating most of the objectionable provisions, ensuring that the convention closely matches existing U.S. laws.

2. The Department of Defense and the response to a cyberattack: If a terrorist group uses a cybercrime botnet to destroy computers in a third-party country, such as China, in order to launch a cyberattack against the United States, the U.S. response to the cyberattack must be carefully considered to avoid retaliating against the wrong entity. Will the resulting effects of cyber weapons used by the United States be difficult to limit or control? Will a response to a cyberattack that can be attributed to the United States possibly encourage other extremists or rogue nations to launch their own cyberattacks against the United States? Will a U.S. attempt to increase surveillance of another entity through the use of cyber espionage computer code be labeled an unprovoked attack, even if it is directed against computers belonging to a terrorist group? If a terrorist group later copies, or reverse-engineers, a destructive U.S. military cyberattack program, could it be used against other U.S. countries? Have you confronted allies, or returned to attacking civilian computer systems in the United States? If the effects become widespread and severe, would the use of cyber weapons by the US violate traditional rules of military conflict, or constitute a violation of international law? Commercial electronics and communications equipment are now used extensively to support complex US weapons systems, and are likely vulnerable to cyberattack. This situation is known to our potential adversaries. To what extent do military forces and national security face threats from computer security vulnerabilities that exist in commercial software systems; and how can the computer industry be encouraged to create new COTS products that are less vulnerable to cyberattack?

The Need to Improve Cybersecurity

Department of Defense (DOD) officials have stated that, although the threat of a cyberattack is “less likely” than a traditional physical attack, it may actually prove more damaging, as it may involve disruptive technology that can produce unforeseen consequences, giving an adversary an unexpected advantage. Homeland Security Presidential Directive 7 required the Department of Homeland Security (DHS) to coordinate efforts to protect cybersecurity for the nation’s critical infrastructure. This resulted in the publication of two reports in 2005, titled “Interim National Infrastructure Protection Plan” and “National Plan for Research and Development in Support of Critical Infrastructure Protection,” in which DHS provided a framework for identifying, prioritizing, and protecting each infrastructure sector.

However, some observers question why, in light of such numerous reports describing the urgent need to reduce cybersecurity vulnerabilities, there is not a clear perceived sense of national urgency to bridge the gap between cybersecurity and the threat of cyberattack. For example, despite the Federal Information Security Management Act (FISMA) of 2002, some experts argue that security remains a low priority, or is treated almost as an afterthought in some domestic federal agencies. In 2007, the Government Accountability Office released a report, titled “Critical Infrastructure Protection: Many Efforts Are Underway to Secure Control Systems, but Challenges Remain,” which stated that cybersecurity risks to infrastructure control systems have actually increased because of the continued interconnections with the Internet and the continued open availability of detailed information on the technology and configuration of control systems. The report stated that no overall strategy yet exists to coordinate activities to improve computer security among federal agencies and the private sector, which owns critical infrastructure. Some observers argue that, as businesses gradually tighten their security policies for headquarters and administrative systems, remote systems controlling critical infrastructure and manufacturing may soon be seen as easy targets of opportunity for cybercriminal.

Cybercrime is clearly one of the risks of doing business in the Internet age, but observers argue that many decision-makers may currently view it as a low-probability threat. Some researchers suggest that the many past reports describing the need to improve cybersecurity have not been compelling enough to make a case for dramatic and immediate action by decision makers. Others suggest that although relevant information is available, future probabilities are still low, reducing the apparent need for current action. Additionally, the costs of current inaction are not borne by current decision-makers. These researchers argue that IT vendors must be willing to treat security as a product feature that is equal to performance and cost; IT researchers must be willing to value cybersecurity research as much as they value research for high-performance or cost-effective computing; and finally, IT buyers must be willing to bear current costs in order to obtain future benefits.

1. Increase in technical capabilities of terrorists: Terrorism is a subjective and derogatory term. This being so, difficulties arise in attempting to find a definition of terrorism that can be classified as universal. The main problem in defining terrorism is that it is ultimately a moral judgment shaped by social and political contexts and, therefore, definitions will vary depending on these contexts. But how can we wage a “global” war against terrorism when there is never a consensus on who terrorists really are? Of course it has been argued that those who have been labelled terrorists have been driven to act in this way because it is the only means left to them to deal with “injustice”. The argument is that they act out of desperation, and while their actions may be considered reprehensible by some, there will always be others who will support them. Computers belonging to Al Qaeda seized indicate that its members are becoming more familiar with hacker tools and services available on the Internet. Might terrorist groups find it profitable to hire cybercrime botnets to attack specific targets, possibly including civilian critical infrastructure in Western countries? Could strategically used cybercrime botnets provide extremists with a useful way to increase the impact of a traditional terrorist attack using bombs? As computer-literate youth increasingly join the ranks of terrorist groups, will cyberterrorism become increasingly mainstream in the future? Will a computer-literate leader raise awareness of the advantages of attacking information systems, or be more receptive to suggestions from other, newly computer-literate members? Once a new strategy gains widespread media attention, will it possibly inspire other rival terrorist groups to follow a new path?

2. Incentives for the National Strategy to Secure Cyberspace: Does the National Strategy to Secure Cyberspace present clear incentives for achieving security objectives? Suggestions to increase incentives could include requiring that all software purchased for federal agencies be certified under the “Common Criteria” testing program, which is now a requirement for military software purchases. However, industry observers say the software certification process is lengthy and could hinder innovation and competitiveness in the global software market. Should the National Strategy to Secure Cyberspace rely on voluntary action on the part of private firms, home users, universities, and government agencies to secure their networks, or is potential regulation needed to ensure best security practices? Has the public response to improving computer security been slow in part because no regulations are currently in place? Will regulation to improve computer security interfere with innovation and possibly harm U.S. competitiveness in technology markets? Two former presidential cybersecurity advisers have differing views: Howard Schmidt has said that market forces, rather than the government, should determine how product technology should be developed for better cybersecurity; however, Richard Clarke has said the IT industry has done little on its own to improve the security of its systems and products.

The Future Attraction of Critical Infrastructure Systems

There is no published evidence yet indicating that cybercriminals have a broad focus on attacking the control systems that operate U.S. civilian critical infrastructure. Disabling infrastructure controls for communications, electrical distribution, or other infrastructure systems is often described as a potential scenario to magnify the effects of a simultaneous conventional terrorist attack involving explosives. However, in 2006, at a security discussion in Williamsburg, Virginia, a government analyst reportedly stated that criminal extortion schemes may have already occurred where cyber attackers have exploited control system vulnerabilities for economic gain. And, in December 2006, malicious software that automatically scans control system vulnerabilities was reportedly made available on the Internet for use by cybercriminals. This scanner software could reportedly enable individuals with little knowledge of infrastructure control systems to locate an Internet-connected SCADA computer and immediately identify its security vulnerabilities.

The Idaho National Laboratory is tasked with studying and reporting on technology risks associated with infrastructure control systems. Previous studies have shown that many, if not most, automated control systems are connected to the Internet, or are connected to Internet-connected corporate administrative systems, and are currently vulnerable to cyberattacks. And, because many of these infrastructure SCADA systems were not originally designed with security as a priority, in many cases, new security controls to mitigate known security vulnerabilities can no longer be easily implemented. Following past trends where hackers and cybercriminals have exploited easy vulnerabilities, some analysts now predict that we may gradually see new instances where cybercriminals exploit vulnerabilities in critical infrastructure control systems.

Awareness through education

1. Improve the security of commercial software: The main concern is that since free and open source software (FOSS) is created by communities of developers with the source code publicly available, access to it is also open to hackers and malicious users. As a result, there may be a perception that FOSS is less secure than proprietary applications. Another concern is that the FOSS community may be slow to release critical software patches when vulnerabilities are discovered. FOSS proponents claim that these concerns are unfounded and that open source can match proprietary and, in some cases, provide greater security. Some security experts assert that computer security for America’s critical infrastructure would be significantly improved if system administrators received the necessary training to keep their computer configurations secure. However, should software product vendors be required to create high-quality software products that are more secure and require fewer patches? Could software vendors possibly increase the level of security for their products by rethinking the design, or adding more testing procedures during product development?

2. Education and awareness of cyber threats: Prior to the first Cybersecurity Awareness Month in October 2004, discussions of national security had little to do with technology. However, due to the increased threat of domestic and international cyberattacks on America’s public and private infrastructure after 9/11, a need arose to promote cybersecurity beyond simple computer password security. Sponsored by the Department of Homeland Security’s National Cybersecurity Division (NCSD) and the nonprofit National Cybersecurity Alliance, Cybersecurity Awareness Month is a time to promote security awareness among all participants in the digital realm. Of course, the concept is far more advanced than just password protection of computers and mobile devices. A recent article published in Computer Weekly points out that cyberattacks, whether they are like the recent attacks by the Syrian Digital Army or various groups of computer hackers, will increase significantly over the next decade.

Ultimately, reducing the threat to national security from cybercrime depends on a strong commitment from the government and the private sector to follow best management practices that help improve computer security. Several government reports already exist that describe the threat of cybercrime and make recommendations for management practices to improve cybersecurity. A 2004 survey by the National Cyber Security Alliance and AOL revealed that most home PC users do not have adequate protection against hackers, do not have up-to-date anti-virus software protection, and are confused about what protections they should use and how to use them. How can computer security training be made available to all computer users that will keep them aware of constantly changing computer security threats, and that will encourage them to follow proper security procedures?

3. Coordination between the private sector and government: Coordination is extremely important to resolve any potential conflicts between economic and environmental goals and to create holistic policies. To achieve this goal, countries such as Nepal and the Philippines have already set up advisory councils for the planning authority, such as the Environment Protection Council and the PCSD, which have multi-sectoral representation from the government as well as NGOs and the private sector, to ensure that different interests and perspectives are considered before any policy is formulated to meet national goals. What can be done to improve information sharing between the federal government, local governments, and the private sector to improve computer security? Effective cybersecurity requires sharing relevant information about threats, vulnerabilities, and exploits. How can the private sector obtain information from the government about specific threats that the government now considers confidential, but which can help protect the private sector from cyberattacks? And, how can the government obtain specific information about the number of successful computer intrusions from private industry when companies resist reporting because they want to avoid publicity and protect their trade secrets?

Should cybercrime information voluntarily shared with the federal government about successful intrusions be protected from disclosure through Freedom of Information Act requests? How can the United States better coordinate security policies and international law to gain the cooperation of other countries to better protect against cyberattacks? Chasing hackers may require tracebacks through networks that require the cooperation of multiple Internet service providers located in many different countries. The effort is further complicated if the legal policy or political ideology of one or more of the countries involved conflicts with that of the United States. 38 countries, including the United States, participate in the European Council’s Convention on Cybercrime, which aims to combat cybercrime by harmonizing national laws, improving investigative capabilities, and promoting international cooperation. However, how effective will the Convention be without the participation of other countries where cybercriminals now operate freely?

Motives behind cyber terrorism

Political protestors may have hired the services of cybercriminals to help them disrupt the Estonian government’s computer systems, possibly through a large network of infected PCs, called a ‘botnet’.
Cyber attacks carried out by individuals and countries, targeting economic, political and military organisations.
Cybercriminals have reportedly formed alliances with drug traffickers in Afghanistan, the Middle East and elsewhere where profitable illicit activities are used to support terrorist groups;
Cybercrime trends are described, showing how malicious internet websites and other cybercrimes such as identity theft are linked to traditional terrorist activity.

The web war against India

Frequent reports of cyber attacks originating in China have led to a common perception in the West that most cybercrime and hacking originates from China. The US, Belgium, France and Russia have said that China is attempting to ‘aggressively’ control cyberspace through cyber operations of the Chinese People’s Liberation Army. According to the US, in September 2007 the Chinese military was planning a cyber attack targeting the Pentagon computer system and the office of US Defense Secretary Robert Gates. According to reports, China has internally set a deadline of 2050 to be able to deter any military attack through cyber warfare. In addition, hackers have been organized into unions and red alliances with alleged ‘official support’. Also, China has protected itself by a firewall known as the ‘Great Red Firewall’.

Several years ago, the Belgian Justice Minister claimed that attacks against the Belgian federal government originated from China and were possibly sanctioned by the Chinese government. In the words of expert Mr. Brahma Chellaney, ‘The Chinese are opening a new front of asymmetric warfare for India.’ ‘On one hand Pakistan is saying that terrorists are non-state actors, and on the other hand China is saying that hackers are non-state actors.’ However, as Mr. Chellaney pointed out, it is not clear why a non-state actor would attack Indian government, security and defence installations. Since 2006, China has reportedly been launching cyber attacks on Indian computer systems on a daily basis, both private and government.

The Chinese are constantly scanning and mapping India’s official networks which not only gives them access to content but will also enable them to disable the network in case of a conflict between the two countries. In 2008, the main attack carried out by China was the attack on NIC (National Informatics Centre), which targeted the National Security Council and the Ministry of External Affairs (MEA). In April 2008 Indian government officials said that the computer network of the Ministry of External Affairs had been breached by alleged Chinese hackers. The hackers reportedly broke into the Ministry of External Affairs’ internal communication network and accessed emails containing information on policies and decision matters in the ministry’s offices in India and their foreign missions.

In September 2008, the newspaper DNA reported that suspected Chinese hackers had breached cyber security at high levels in the Indian government, with several cabinet ministers complaining that their email accounts had been hacked. On 21 February 2009, the Information Warfare Monitor reported that 10 websites of various ministries and departments of the Indian government had been hacked by attackers suspected to be from China. According to the newspaper DNA report, a senior official of the IT Ministry of the Government of India said, ‘Low to medium intensity cyber intrusion has been reported in a web server maintained by the Government of India. In March 2009 there was reportedly an attempt to hack Indian embassy computers and spyware was found on the computers. Subsequently, the Ministry of External Affairs and Indian embassies have reportedly issued strict regulations on the use of email by bureaucrats and have implemented rules that require them to change passwords frequently and use email only for routine communications. The Ministry of External Affairs has also begun periodic security reviews of all MEA computers to check for spyware and other computer threats.

On 15 December 2009, computers of the Indian Prime Minister’s Office (PMO) and the Ministry of External Affairs in New Delhi were hacked by installing a ‘Trojan virus’ from a mail allegedly sent from China. The Trojan virus allowed the attackers to access and delete personal Gmail accounts of government officials. The attack was discovered by Google engineers in Silicon Valley, Northern California, who launched a covert counter-attack to trace the Chinese intruders who allegedly accessed the government’s private Gmail accounts. Investigators were able to verify the hackers’ Internet Protocol addresses and Media Access Control (MAC) addresses, which are unique identification numbers, and confirmed that they came from China. According to a New York Times report, a Google team remotely accessed a computer in Taiwan, which they suspected was the source of the attack, and then found that the attack was planned on the Chinese mainland. The hidden virus came in an email and was embedded in an Adobe Acrobat attachment which breached both Gmail and other networks’ security. Both Indian investigators and Google engineers believed that the data stolen through the trojan could be useful only to the government. On the same day, 15 December 2009, various US companies including Google reported cyber attacks from China, although China has denied any role in the attacks. The 15 December 2009 attack was reported by National Security Advisor MK Narayanan to the Times of London that, ‘This is not the first case of an attempt to hack our computers.’ Concerned by the attack, the Indian government sent a team of intelligence officials to audit the security standards of systems and computers in key Indian missions around the world.

In April 2010, the Army CERT issued a high alert to all military formations and establishments to guard against planned ‘focused large-scale cyber attacks’ on government organisations, major brands and corporate groups ‘facing the Internet’. According to the Army CERT alert, effective measures should be taken to protect the network from data theft, distributed denial of service attacks, crippling computer viruses, etc., which are mainly carried out by Chinese hackers. Some military establishments, including the Defence Services Staff College in Wellington, had apparently even avoided using computers directly connected to the internet when the alert sounded.

An April 2010 report on cyber attacks on India by two Canadian researchers John Mark-Off and David Barboza of the University of Toronto, John K. Munk School of Global Affairs, titled ‘Shadows in the Cloud: Investigating Cyber Espionage 2.0’ (hereinafter ‘Shadows Report’) describes how an India-focused espionage gang based in Chengdu, People’s Republic of China (PRC) used social networking sites such as Twitter, Google Groups, Blogspot, Blog.com, Baidu Blogs and Yahoo! Mail to take control of computers in India infected with viruses or other malware. The shocking revelation of the Shadows Report was that based on geographical location, most of the compromised computers were in India. The Shadows Report analyzes how the attackers ‘leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services to maintain persistent control while operating a core server located in the People’s Republic of China.’ The attackers obtained documents marked ‘secret’, ‘restricted’, and ‘confidential’ from the Indian government, as discussed in detail below.

An earlier investigation by the Shadows Report authors, John Mark-Off and David Barboza, resulted in a report titled ‘Tracking Ghost Net: Investigating a Cyber Espionage Network’ (hereinafter referred to as Tracking Ghost Net), which focused on allegations of Chinese cyber espionage against the Tibetan community. For the Tracking Ghost Net investigation, the researchers conducted field investigations in India, Europe, and North America. The Tracking Ghost Net report documented 1,295 compromised computers spread across 103 countries, 30% of which were identified as ‘high-value’ targets, including foreign ministries, embassies, international organisations, news organisations and a computer located at NATO headquarters. The Tracking Ghost Net report found that government-related entities in India and across the world have been compromised, including computers at Indian embassies in Belgium, Serbia, Germany, Italy, Kuwait, the US, Zimbabwe, and Indian High Commissions in Cyprus and the UK. However, the Tracking Ghost Net report did not find enough evidence to implicate the Chinese government.

In March 2010, Canadian and US computer security researchers conducted a second investigation, which monitored the espionage campaign for eight months, and found that intruders had stolen classified and restricted documents from the highest levels of the Indian Ministry of Defence. As discussed above, Shadows investigators found that the India-focused espionage gang used social networking service providers such as Twitter, Google and others to infect emails or social networking with malware, which, in turn, allowed the infected computer to receive more sophisticated malware through attachments. Master servers in China monitored the infiltration of computers to transfer documents ranging from personal details to missile analysis to secure drop zones.

Shadows investigators found that hackers had stolen classified documents from the Indian government and reports from Indian military analysts and corporations, as well as documents from the United Nations and other governments’ agencies. The stolen documents carried ‘secret,’ ‘restricted,’ and ‘confidential’ notices. In addition to encrypted diplomatic correspondence, two documents were marked ‘secret’, six ‘restricted’ and five ‘confidential’. According to the report, the stolen documents included secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as sensitive information obtained from a member of the National Security Council Secretariat regarding Naxalites and Maoists. The stolen documents also included confidential information obtained from Indian embassies, including assessments of India’s international relations and activities with West Africa, Russia/Commonwealth of Independent States and the Middle East, as well as visa applications, passport office circulars and diplomatic correspondence.

Shadows investigators also found evidence that Indian embassy computers in several missions, including embassies in Kabul, Moscow and Dubai, UAE, and the Indian High Commission in Abuja, Nigeria, were compromised. Computers used by the Indian Military Engineering Services in Calcutta, Bangalore and Jalandhar; the 21st Mountain Artillery Brigade in Assam and three air force bases were also reportedly damaged, including the Air Force Station on Race Course Road opposite the Prime Minister’s residence. Computers at the Army Institute of Technology in Pune and the Military College of Electronics and Mechanical Engineering in Secunderabad were also damaged, according to the Shadows report. The spies also stole information about several Indian missile systems, according to the Shadows report. The spies also took documents related to network centricity (SP’s Land Force 2008) and network-centric warfare, as well as documents detailing plans for intelligence fusion and technologies for monitoring and analyzing network data (Defence Research and Development Organization 2009). The Shadows report also identified several institutions in India as affected by the attacks, including the National Security Council Secretariat, the Military Engineer Services and other military academic institutions, as well as several companies.

After uncovering a series of email addresses, investigators discovered that the attacks were carried out by hackers based in Chengdu, China, where a large number of Tibetans live. Researchers believe the hackers may have been affiliated with the prestigious University of Electronic Science and Technology in Chengdu. The Shadows report also examined the extent to which the attackers were connected to the Chinese government. According to the Shadows report, one possibility is that the state authorizes private individuals to carry out attacks against enemies of the state ― a view supported by the finding that there is no direct government control over hacker groups in the PRC. According to the Shadows report, information freely obtained by the Chinese hacker community would likely reach elements within the Chinese state.

On 24 March 2010, Shadows investigators contacted intelligence officials in India and informed them about the espionage ring they were tracking. They requested and were given instructions to dispose of classified and restricted documents. However, the China-based cyber espionage network targeting the Indian Army and the resulting warning by Army officials may be only the beginning. Subsequent investigations have revealed that it is a fully dedicated India-specific espionage system aimed at business, diplomatic, strategic and academic interests.

The Chinese are known to use mainly three weapons against Indian networks: bots, key loggers and mapping of networks (each of these types of cybercrime is discussed in detail in the next section of this chapter). The Chinese are reportedly experts in installing BOTS, a parasitic program embedded in a network (known as BOTNETS), which hijacks the network and forces other computers to act according to its instructions. The controlled computers are known as ‘zombies’ and are a vital tool in cyber warfare. So, at the selected time, the controller of the BOTNETS will command the zombies as per their wish. In other words, there are networks in India that are controlled by China. So, it is not surprising that the cyber attack on government websites operated from the Prime Minister’s Office on March 21, 2010 was traced to an Indian IP address associated with the ISP Videsh Sanchar Nigam Limited (VSNL). Key loggers are software that scan computers, their processes and data as soon as a person presses a key on the keyboard. This information is immediately passed on to an external controller so that they know even when you change your password. Mapping or scanning of networks is done as an initial step of cyber warfare strategy.

1. Indian Government Response: The Indian government’s response to the Shadows report was to basically acknowledge the hacking attempts, but also state that the hackers never succeeded. The Ministry of Defence said it was ‘studying the report’ which had ‘a lot of grey areas.’ However, the Ministry of External Affairs reportedly considered cyber security collaboration with the University of Toronto’s Munk School of Global Affairs. The Ministry of Communications and Information Technology has issued security guidelines to all ministries and government departments, asking them to set up 24×7 cyber control rooms, implement information security best practices, deploy information security experts and formulate their own information security policies.

The National Crisis Management Committee (NCMC), headed by the Cabinet Secretary, also monitors all national-level cyber crises. The Indian government is reportedly developing a full-fledged crisis management plan to counter cyber attacks such as the recent attack on Indian embassies. The crisis management plan calls for each central administrative department under each critical area to establish 24-hour control rooms, which will be activated immediately upon receipt of a crisis situation and prepare detailed contingency plans. Each department is required to screen and conduct background checks of all employees engaged in the implementation and monitoring of the cyber security and crisis management plans, including contractors and third party users. Independent identity checks in the form of satisfactory character references, accuracy of biodata, claimed academic and professional qualifications, credit checks, criminal record checks and passport or similar documents are to be conducted on each employee. Organizations have also been directed to implement periodic IT security risk assessments, backup of files critical to mission accomplishment, security awareness training of personnel and periodic testing and evaluation of technical security measures. Indian diplomats are reportedly prohibited from the following activities: logging on to social networking sites such as Facebook, Orkut and Ibibo, downloading peer-to-peer music; sharing photos via Flickr and Picasa, writing blogs; and using Gmail, Yahoo! Or Hotmail for official communications.

In a written reply to a question raised in the Lok Sabha on 27 July 2010, the Department of Information Technology (DIT) said that it has initiated a flagship programme on cyber forensics, which focuses specifically on the development of cyber forensic tools, establishment of infrastructure for investigation and training of law enforcement and judicial offices in the use of cyber forensic tools for collecting and analysing digital evidence. In addition, the DIT has set up cyber forensic training laboratories in the CBI and Kerala Police for skill upgradation in the area of cyber crime investigation and has also sponsored projects in northeastern states to set up cyber forensic training facilities in state police organisations. In addition, the Indian Computer Emergency Response Team (CERT-In) has been set up under the DIT to create awareness about cyber security. It plays both proactive and reactive roles.

Nevertheless, India is considered to be slow in developing corrective measures in the event of a web attack and has failed to develop offensive strategies to counter the attacks. Cyber warfare is not yet a major component of India’s security doctrine.

Read Also: