Recent world events have turned the eyes of the public away from the potential for international warfare and towards the actions of nonstate actors. One of the more quickly growing fears is not that of impending invasion or physical attack but rather the potential for cyberterrorism. The fear of electronic attacks, whether on one person or an entire network or Web site, has lead to increased security measures with the goal of preventing future attacks. These policies more than any other past counterterrorism initiatives run the risk of violating the civil rights and liberties of people the world over simply because of the currently free and open nature of the Internet. Proponents of cyber-liberty such as the Electronic Privacy Information Center (EPIC) and the Electronic Frontier Foundation (EFF) argue that the threat presented by cyberterrorism is overblown and that the number of actual instances of cyberterrorism is low enough that these policies are unnecessary at best and harmful to the people’s very freedom at worst. Countermeasures to cyber-terrorism either currently overstep or threaten to overstep reasonable bounds in restricting the peoples’ civil rights in the interest of national security and personal safety.
The term “cyberterrorism” was coined by Barry C. Collin and defined later by Kevin G. Coleman of the Technolytics Institute to mean “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. … or to intimidate any person in furtherance of such objectives.” Cyberterrorists use a variety of means to create chaos on the Internet. Their targets typically include notable government or financial Web sites and servers, which they can either gain access to in order to steal private information, change content as a display of power, or completely take down via Distributed Denial of Service (DDOS) attacks, in which multiple users flood the bandwidth or resources of their target causing the target to shut down completely. Despite having numerous potential applications, to date cyberterrorism has largely been used as a display of power, rather than causing actual damage.
Such more dangerous examples of cyberterrorism are isolated and rare. The number of actual attacks that have caused permanent physical damage or threatened to is very low, boiling down to just two in the last ten years – in 2003, Romanian hackers took down the life support of 58 researchers in Antarctica and in 2000 a disgruntled employee caused sewage overruns via hacking in Australia. The lack of instances in which the public was in true danger creates the grounds for groups such as EPIC and EFF’s opposition to countercyberterrorism initiatives.
Most examples of cyberterrorism are merely displays of power. Just last year, many government and financial servers in Estonia were taken down by a massive DDOS attack originating, Estonian officials claim, in Russia. The attacks were in response to the Estonian government moving a Soviet war memorial from the center of Tallinn to the suburbs – seen by Russian protestors as an attack on their heritage, who responded first by rioting and soon by moving to the virtual world. There is controversy over Estonia’s claim of the source of the attacks, according to Ars Technica’s reporting. The nature of full-scale DDOS attacks is such that finding one single, verifiable source is nigh-impossible. The Estonia attacks represent the inherent problem with fighting cyberterrorism: how do you find, let alone fight, an enemy with complete anonymity on his side? Are the methods governments are required to use, which often have the side effect of violating some civil rights laws, worth the trouble, given that even widely-publicized attacks such as those on Estonia do not do much actual damage?
There are two major approaches to fighting cyberterrorism being taken by world leaders. The approach taken typically by Eastern countries, often called the Singaporean model due to Singapore’s method being an example followed by nearby Asian countries, seeks to prevent terrorists from ever having access to necessary information by heavily restricting access both into their own servers as well as controlling what their own citizens are allowed to access from other nations. Civil rights advocacy groups as well as many other organizations, such as Reporters Without Borders, have objected to the Singaporean model nearly since its conception, but other groups such as the OpenNet Initiative make the argument that Singapore’s restrictions do not actually run as far as these groups claim, citing original research that shows as little as 0.49% of their tested sites being blocked to make their case. The problem with ONI’s argument is that they look at only one facet of the Internet and the World Wide Web in particular – Web site access. This narrow outlook on the rights of the people on the Internet ignores other uses for the technology, many of which such as free reporting and assembly are considered civil rights and liberties.
The Internet’s uses do not stop at simply viewing Web pages. ONI’s study did not test the freedom to post information on the Internet from Singapore, an activity that is heavily regulated. One notable instance of regulation is that of Chen Jiahao, a Singaporean graduate exchange student at the University of Illinois whose blog, which contained posts criticizing Singaporean government agency A*STAR, caused Jiahao to be sued for defamation under Singaporean law. He was eventually forced to not only shut down his blog, but issue an apology to A*STAR and its chairman Philip Yeo for comments that under U.S. law would not be given a second glance. The lawsuit brought against Jiahao had its basis in the Computer Misuse Act, an act of law created to prevent cyberterrorism but used, as in Jiahao’s case, to restrict speech the Singaporean government does not agree with.
The other major approach to counter-cyberterrorism is the model used more often in Western countries, which does not actually restrict access but rather expands the access of the government and other investigatory groups have to monitor the actions taken by Internet users – viewing histories, content of messages, etc. The countries taking this approach to counter-cyberterrorism have increased their security greatly since recent instances of terrorism that were apparently planned over the Internet, such as the World Trade Center attacks of September 11, 2001. One of the most notable and most controversial counterterrorism measures taken in these Western countries is the United States’ PATRIOT Act, which “gave sweeping new powers to both domestic law enforcement and international intelligence agencies and eliminated the checks and balances that previously gave courts the opportunity to ensure that such powers were not abused.” according to civil rights group EFF. The PATRIOT Act loosened restrictions on many of the surveillance tools used by law enforcement agencies, such as wiretaps, search warrants, pen/trap orders, and subpoenas. According to opponents of the act, it enables these agencies to spy on any citizen they wish simply by stating the surveillance is related to an ongoing criminal investigation.
Certain provisions of the PATRIOT Act have the potential to violate basic civil rights such as that of free speech and assembly through widening the definition of “terrorism,” overstepping the bounds of necessary security in the same way the Singaporean Computer Misuse Act did in Jiahao’s case. PATRIOT §802, which amends 18 USC §2331, is cited by the EFF as an unnecessary widening of surveillance justification. Section 802 modifies the definition of “domestic terrorism” to include subjective interpretation of “terrorist acts” by allowing acts that “appear” to be threatening to be considered terrorism. The potential for the Act to step on citizens’ First Amendment right to free speech and assembly is reckless in the face of very few terrorist attacks originating domestically. One simply has to look at other nations’ examples to see what could go wrong with such expansive legislation – instances of abuse of power by other nations with similarly free surveillance restrictions are far more numerous than the terrorist attacks such policies aim to prevent, both successful and thwarted.
The PATRIOT Act is hardly the first or last instance of potentially overbearing Western counter-cyberterrorism legislature. Reporters Without Borders, an international media-rights group, has spoken out against many Western democracies they accuse of becoming “predators of digital freedoms.” The group cites examples such as Canadian law passed soon after September 11, 2001 that “clearly undermines the confidentiality of exchanges of electronic mail,” the FBI’s development of surveillance technologies such as Carnivore and Magic Lantern, and French law that requires Internet providers to keep records of e-mail exchanges for one year and make it easier for authorities to decode messages protected by encryption software.
The West’s predominance in software development has led to some of the biggest advancements in counterterrorist technology, if not policy, in the world. Most notably, the FBI has developed two technologies that allow for easier Internet surveillance and raise a number of concerns with civil rights advocacy groups – Carnivore and Magic Lantern. Carnivore’s functions include recording e-mail messages sent to and from specific e-mail accounts, recording all network traffic to and from specific IP addresses, recording all of the servers, Web pages, and FTP files visited by a particular IP address, or it can go the other way and track who is accessing Web pages and FTP files. Carnivore’s dangers do not lie solely in potential civil rights violations. Because of the breadth of Carnivore’s surveillance, it requires access at the source of network traffic, which in the United States is overwhelmingly through major Internet Service Providers (ISPs). As such, Carnivore is installed in the data centers of these companies. Putting such powerful technology so close to the source of Internet data raises concerns with technology experts, who fear that it grants easy and increased access to hackers to nearly all Internet traffic flowing through the United States. Carnivore, by design, harms the security of our nation and information.
Magic Lantern, the FBI’s response to many of the criticisms stated by the public about Carnivore, is a program that is installed on end users’ computers, not a piece of hardware placed in data centers like Carnivore. Magic Lantern, once installed, allows the FBI to see every keystroke recorded on the user’s computer, enabling them to see encrypted messages sent from the user by seeing what is typed, as well as reading encrypted messages sent to the user by seeing what the encryption key typed in is. Magic Lantern’s scope is restricted to targeted computers, alleviating concerns about Carnivore’s omnipotent access to information. Concerns raised about the nature of Magic Lantern, which is akin to the trojan variety of computer virus in its method of delivery to the computer and nature once on a computer, have received no real answer. David Sobel, a lawyer with EPIC, has raised concerns over the legal use of Magic Lantern; he argues that “[Magic Lantern] raises a new set of issues that neither Congress nor the courts have ever dealt with.”
Many of the dangers present in counter-cyberterrorism measures are hypothetical in nature, a concern raised within a 2003 Reporters Without Borders report on Internet surveillance around the globe. However, the concerns raised by lawmaking bodies in expanding their counterterrorism legislation are largely hypothetical as well, especially in relation to cyberterrorism given the very low number of actual instances of cyberterrorism. With both sides of the argument over the scope of counterterrorism measures, it is important to default to the rules restricting government’s influence, and to place more mind on the civil rights and liberties of citizens than the potential for attack. Overly restrictive policies only encourage dissent, as occurs in Singapore and other Asian countries under heavy scrutiny by their government. The threat of cyberterrorism is not great enough to justify the steps that have been taken in prevention of potential attacks.
Bibliography
Anderson, Nate. ” Massive DDoS attacks target Estonia; Russia accused .” Ars Technica . 13 Nov. 2008 .
EFF: EFF Analysis of USA PATRIOT Act (Oct. 31, 2001).” Electronic Frontier Foundation | Defending Freedom in the Digital World. 13 Nov. 2008 .
“Electronic Frontier Foundation | Defending Freedom in the Digital World.” Electronic Frontier Foundation | Defending Freedom in the Digital World. 13 Nov. 2008 .
“Electronic Privacy Information Center.” Electronic Privacy Information Center. 13 Nov. 2008 .
“Internet Filtering in Singapore in 2004-2005: A Country Study | OpenNet Initiative.” ONI Home Page | OpenNet Initiative. 13 Nov. 2008 .
Jiahao, Chen. “Chen Jiahao’s letter.” Escape from Paradise. 13 Nov. 2008 .
Longley, Robert. “FBI Has a Magic Lantern.” U.S. Government Info – Resources. 13 Nov. 2008 .
Lynch, Timothy. “Breaking the Vicious Cycle: Preserving Our Liberties While Fighting Terrorism.” The Cato Institute. 13 Nov. 2008 .
Poulsen, Kevin. “South Pole ‘cyberterrorist’ hack wasn’t the first,.” The Register 19 Aug. 2004. 12 Nov. 2008 .
“‘Predators Of Digital Freedoms’, Report: Web Freedom Eroding Under Guise Of War On Terror – CBS News.” CBS News – Breaking News. 13 Nov. 2008 .
“Reporters sans frontieres – The Internet under surveillance.” Reporters sans frontieres – Reporters Without Borders – Reporteros sin fronteras. 13 Nov. 2008 .
Smith, Tony. “Hacker jailed for revenge sewage attacks.” The Register 31 Oct. 2001. 12 Nov. 2008 .
Sposato, Mike. “The FBI’s Magic Lantern.” WorldNetDaily. 28 Nov. 2001. 13 Nov. 2008 .
Sullivan, Bob. “FBI Software Cracks Encryption Wall: ‘Magic Lantern’ Part of New ‘Enhanced Carnivore Project.” MSNBC News. 20 Nov. 2001. 13 Nov. 2008 .
“USA Patriot Act of 2001, Sections 802-811.” Ratical.org. 13 Nov. 2008 .
Weimann, Gabriel. Terror on the Internet: The New Arena, the New Challenges. Washington: The United States Institute Of Peace, 2006.
