Terrorist capabilities for cyberattack: overview and policy issues.
Tighter physical and border security may encourage terrorists and extremists to try to use other types of weapons to attack the United States. Persistent Internet and computer security vulnerabilities, which have been widely publicized, may gradually encourage terrorists to develop new computer skills, or develop alliances with criminal organizations and consider attempting a cyberattack against the U.S. critical infrastructure.
Cybercrime increased dramatically between 2004 and 2005, and several recent terrorist events appear to have been funded partially through online credit card fraud. Reports indicate that terrorists and extremists in the Middle East and South Asia may be increasingly collaborating with cybercriminals for the international movement of money, and for the smuggling of arms and illegal drugs. These links with hackers and cybercriminals may be adding to terrorists' computer skills, and finances obtained through drug trafficking may also provide terrorists with access to highly skilled computer programmers. The July, 2005 subway and bus bombings in England also indicate that extremists and their sympathizers may already be embedded in societies with a large information technology workforce.
The United States and international community have taken steps to coordinate laws to prevent cybercrime, but if trends continue computer attacks will become more numerous, faster, and more sophisticated. In addition, a recent report by the Government Accountability Office states that, in the future, U.S. government agencies may not be able to respond effectively to such attacks.
This report examines possible terrorists' objectives and computer vulnerabilities that might lead to an attempted cyberattack against the critical infrastructure of the U.S. homeland, and also discusses the emerging computer and other technical skills of terrorists and extremists. Policy issues include exploring ways to improve technology for cybersecurity, or whether U.S. counterterrorism efforts should be linked more closely to international efforts to prevent cybercrime.
This report will be updated as events warrant.
Contents Introduction Background When is Cyberattack Considered Cyberterrorism? Objectives for a Cyberattack Persistent Computer Security Vulnerabilities Effects of Counterterrorism Efforts Changing Concerns about Cyberattack, 2001-2005 Inconsistent Reporting of Terrorists' Cyber Activities Technical Skills of Terrorists Trends in Cybercrime The Insider Threat Links Between Terrorism and Cybercrime State Sponsors of Terrorists U.S. Efforts to Prevent Cybercrime International Efforts to Prevent Cybercrime Analysis and Policy Issues Related Legislation
Terrorists and violent extremists often rely on exploiting vulnerabilities of targets seen as soft and easy to access. Implementation of a stronger policy for domestic physical security has reduced some options for physical attack, and it is suggested by numerous experts that terrorists may be developing new computer skills or forming alliances with cybercriminals that may give them access to high level computer skills. In addition, continuing publicity about Internet computer security vulnerabilities may encourage terrorists' interest in attempting a possible computer network attack, or cyberattack, against U.S. critical infrastructure.
To date, the Federal Bureau of Investigation (FBI) reports that cyberattacks attributed to terrorists have largely been limited to unsophisticated efforts such as email bombing of ideological foes, or defacing of web sites. However, it says their increasing technical competency is resulting in an emerging capability for network-based attacks. The FBI has predicted that terrorists will either develop or hire hackers for the purpose of complimenting large conventional attacks with cyberattacks. (1)
IBM has reported that, during the first half of 2005, criminal-driven computer security attacks increased by 50 percent, with government agencies and industries in the United States targeted most frequently. (2) Cybercrime is now a major criminal activity, and it may become increasingly difficult to separate some forms of cybercrime from suspected terrorist activities. For example, in a recent report from the House Homeland Security Committee, FBI officials indicated that extremists have used identity theft and credit card fraud to support recent terrorist activities by Al Qaeda cells. (3) Also, according to press reports Indonesian police officials believe the 2002 terrorist bombings in Bali were partially financed through online credit card fraud. (4)
Some experts reportedly state that the Internet is now a prime recruiting tool for insurgents in Iraq. (5) Insurgents have created many Arabic-language Web sites that are said to contain coded plans for new attacks. Some reportedly give advice on how to build and operate weapons, and how to pass through border checkpoints. (6) Other news articles report that a younger generation of terrorists and extremists, such as those behind the July 2005 bombings in London, are learning new technical skills to help them avoid detection by law enforcement computer technology. (7)
This report reviews publications and government reports to explore the following: (1) examples of vulnerabilities that may raise the level of interest that terrorists might have in attempting a coordinated cyberattack; (2) effects of the War on Terror that are driving terrorists to use the Internet more; (3) inconsistent reporting about terrorists' cyber activities; and (4) ways that terrorists may be improving their cyber skills.
Distinctions between crime, terrorism and war tend to blur when attempting to describe a computer network attack (CNA) in ways that parallel the physical world. For example, if a nation state were to secretly sponsor non-state actors who initiate a CNA to support terrorist activities or to create economic disruption, the distinction between cybercrime and cyberwar becomes less clear. Because it is difficult to tell from where a cyberattack originates, an attacker may direct suspicion toward an innocent third party. Likewise, the interactions between terrorists and criminals who use computer technology may sometimes blur the distinction between cybercrime and cyberterrorism. So far, it remains difficult to determine the sources responsible for most of the annoying, yet increasingly sophisticated attacks that plague the Internet.
When is Cyberattack Considered Cyberterrorism?
Some observers feel that the term "Cyberterrorism" is inappropriate, because a widespread cyberattack may simply produce annoyances, not terror, as would a bomb, or other chemical, biological, radiological, or nuclear explosive (CBRN) weapon. However, others believe that the effects of a widespread computer network attack would be unpredictable and might cause enough economic disruption, fear, and civilian deaths, to qualify as terrorism. At least two views exist for defining the term Cyberterrorism:
* Effects-based: Cyberterrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals.
* Intent-based: Cyberterrorism exists when unlawful or politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage. (8)
Objectives for a Cyberattack
According to Richard Clarke, former Administration Counter Terrorism Advisor and National Security Advisor, if terrorists were to launch a widespread cyberattack against the United States, the economy would be the intended target for disruption, while death and destruction might be considered collateral damage. (9) Many security experts also agree that a cyberattack would be most effective if it were used to amplify a conventional bombing or CBRN attack. Some computer security observers say that a widespread, coordinated cyberattack would technically be very difficult to orchestrate, and would unlikely be effective for furthering terrorists' goals. Because such an attack cannot directly cause death and destruction, may explain why there is no evidence that terrorist groups have undertaken one. (10) However, other observers say that, because of interdependencies among infrastructure sectors, a large-scale cyberattack that affected one sector could also have disruptive, unpredictable, and perhaps devastating effects on other sectors, and possibly long-lasting effects to the economy. These observers assert Al Qaeda and associated terrorist groups are becoming more technically sophisticated, and years of publicity about computer security weaknesses has made them aware that the U.S. economy could be vulnerable to a coordinated cyberattack. (11)
Publicity would be also one of the primary objectives for a terrorist attack. Extensive coverage has been given to the vulnerability of the U.S. information infrastructure and to the potential harm that could be caused by a cyberattack. This might lead terrorists to feel that even a marginally successful cyberattack directed at the United States may garner considerable publicity. (12)
Persistent Computer Security Vulnerabilities
At the July 2005 Black Hat computer security conference (a private sector sponsored annual meeting of organizations focused on cyber-security technology and related issues) Las Vegas, a security expert demonstrated an exploit of what many consider to be a significant Internet security flaw, by showing how the most commonly used Internet routers; the computer's device that forwards data to a desired destination, could quickly be hacked. (13) This router vulnerability could allow an attacker to disrupt selected portions of the Internet, or even target specific groups of banks or power stations. (14) Security expert Bruce Schneier, a recent critic of the idea of cyberterrorism, reportedly agreed that the router flaw was a "major" Internet security vulnerability, and could allow criminals to steal identity information, or otherwise attack networks. The company released in April 2005 a software patch to fix the problem, but over the following four months, had apparently not notified its customers and government agencies, including DHS, about the seriousness of the vulnerability. (15)
The United States may provide ample economic targets vulnerable to cyberattack, thus tempting terrorist groups to increase their cyber skills. (16) A February 2005 report by the President's Information Technology Committee (PITAC) stated that the information technology infrastructure of the United States, which is vital for communication, commerce, and control of the physical infrastructure, is highly vulnerable to terrorist and criminal attacks. The report also found that the private sector has an important role in protecting national security by deploying sound security products, and by adopting good security practices. (17) However, a recent survey of 136,000 PCs used in 251 commercial businesses in North America found that a major security software patch, known as SP2, was installed on only nine percent of the systems, despite the fact that Microsoft advertized the importance of installing the security patch one year ago. The remaining 91 percent of commercial businesses surveyed will continue to be exposed to major security threats until they deploy the software patch throughout their organizations. (18) This may bring into question the extent to which the private sector will self-protect without greater incentive.
Several recent studies by global computer security firms found that the highest rates for computer attack activity were directed against critical infrastructures, such as government, financial services, manufacturing, and power. These reports also show that the United States is the most highly targeted nation for computer attacks; during the first half of 2005, United States computer systems were attacked at a rate 10 times higher than the next most highly targeted nation, China (see section titled "Trends in Cybercrime", below). (19) U.S. federal agencies have come under criticism in past years for the effectiveness of their computer security programs. (20) Further, a May 2005 report by the Government Accountability Office (GAO) stated that because of the growing sophistication of malicious code on the Internet, the federal government may increasingly be limited in its ability to respond to cyber threats. (21)
Effects of Counterterrorism Efforts
DHS has reportedly suggested that terrorist groups may be forced, because of increased security measures, to change the weapons they try to use to strike against the United States. (22) Many observers that monitor the Internet suggest that due to the effects of intensified counterterrorism efforts worldwide, Islamic extremists are gravitating toward the Internet, and are succeeding in organizing online where they have been failing in the physical world. Terrorist groups increasingly use online services for covert messaging, through steganography, anonymous email accounts, and encryption. (23)
The Washington Times has reported that Islamic extremists are calling for creation of an Islamist hackers' army to plan cyberattacks against the U.S. government and that postings on the extremist bulletin board, al-Farooq, carry detailed cyberattack instructions, and include spyware programs for download that can be used to learn the passwords of targeted users. (24) Other extremist web sites reportedly resemble online training camps that may offer instructions for how to create a safe-house, how to clean a rocket-propelled grenade launcher, or what to do if captured. (25)
Changing Concerns about Cyberattack, 2001-2005
Following the September 11 attacks, public concerns were high about the threat of a possible follow-on cyberattack from terrorist groups. (26) Subsequently, there has been disagreement among security experts about (1) whether such an attack could possibly be launched by terrorists against U.S. civilian critical infrastructure, or (2) whether such an attack could seriously disrupt the U.S. economy. (27)
Simulated cyberattacks, conducted by the U.S. Naval War College in 2002, indicated that attempts to cripple the U.S. telecommunications infrastructure would be unsuccessful because system redundancy would prevent damage from becoming too widespread. Many observers suggest that evidence from natural disasters shows that many the critical infrastructure systems, including banking, power, water, and air traffic control, would likely recover rapidly from a possible cyberattack. (28)
To date, there has been no published report of a coordinated cyberattack launched against the critical infrastructure by a terrorist or terrorist group. Dennis McGrath of the Institute of Security Technology Studies at Dartmouth College reportedly observed that, "We hear less and less about a digital Pearl Harbor. Cyberterrorism is not at the top of the list of discussions". (29)
In May 2005, the CIA reportedly conducted a classified war game, dubbed "Silent Horizon," to practice defending against a simulated widespread cyberattack directed against the United States. The national security simulation was considered significant because many U.S. counterterrorism experts feel that far-reaching effects from a cyberattack are highly unlikely. (30) However, other observers believe that tests of countermeasures, even for unlikely events, may sometimes be prudent.
Inconsistent Reporting of Terrorists' Cyber Activities
A review of two annual U.S. government reports on terrorism activity shows inconsistent attention to the issue of possible cyberterrorism. (31) Two federal agencies report on terrorism activity annually: (1) the Department of State's (DoS) Patterns of Global Terrorism (32) and, (2) the Federal Bureau of Investigation's Annual Terrorism in the United States. (33)
In the DoS reports for the years 1996 to 1999, brief mention is made of cyberterrorism issues. In the year 2000, the report acknowledges that "widespread availability of hacking software and its anonymity and increasingly automated design make it likely that terrorists will more frequently incorporate these tools into their online activity." In 2001, however, no mention of cyberterrorism issues appeared in the DoS report, and for the years 2002 to 2004, only mentions of various security forums and international cybersecurity working groups were noted.
The FBI's Annual Terrorism Report similarly was inconsistent in mentioning cyberterrorism issues. In the 1996 and 1997 reports, there was no mention of cyberterrorism or related activity. In 1998 the report acknowledged that "cyber tools may find their way in the hands of terrorist" and speculated that "the spread of cyberattack tools, like the proliferation of conventional weapon technology may eventually wind up in the hands of terrorists". The following year, 1999, the Report stated that "the threat of cyberterrorism will grow in the new Millennium, as the leadership positions in extremist organizations are increasingly filled with younger, Internet-savvy individuals". These two reports arguably suggested that the issue of cyberterrorism was being followed closely. The Reports from 2000 to 2003 mentioned cyberterrorism, but only in the programmatic aspect regarding organizational changes the FBI was putting in place to address cybersecurity, with no mention of past or projected cyberterrorism incidents or issues. The FBI did not produce a report in 2004, and one is not yet due for 2005.
Since the attacks of 9/11, many observers are concerned that increased efforts to safeguard facilities, infrastructure, personnel safety, and the decrease in the DoS's and FBI's discussion of cybersecurity issues, together may indicate a lack of appreciation for the threat that may be facing the United States from possible cyberterrorism. Others suggest that although the frequency and severity of cyberattacks are on the rise, the federal government may not be sufficiently increasing its efforts to improve cybersecurity. (34)
Technical Skills of Terrorists
In April 2002, the Central Intelligence Agency (CIA) stated in a letter to the U.S. Senate Select Committee on Intelligence that cyberwarfare attacks against the U.S. critical infrastructure will become a viable option for terrorists as they become more familiar with the technology required for the attacks. Also according to the CIA, various groups, including Al Qaeda and Hizballah, are becoming more adept at using the Internet and computer technologies, and these groups could possibly develop the skills necessary for a cyberattack. (35)
Through captured literature, it is known that many Al Qaeda members are well educated, and have familiarity with engineering and other technical areas. (36) During a November 2001 attack by U.S. forces, Al Qaeda fighters fled from Kabul, Afghanistan leaving behind many documents and sensitive information that yielded a profile of some Al Qaeda operatives as well-educated and trained in the use of computer systems. "Technical treatises in Arabic, English, German as well a students' notebooks in Arabic, Turkish, Kurdish, and Russian reflected a consistent interest in and widespread familiarity with electrical and chemical engineering, atomic physics, ballistics, computers, and radios", according to researchers and journalists who reportedly examined the documents. (37)
Iman Samudra, convicted and now awaiting execution for taking part in the 2002 bombings of two Bali nightclubs, has written a book titled "Aku Mekawan Terroris*", which reportedly translates to "Me Against the Terrorist". Samudra advocates that Muslim youth actively develop hacking skills "to attack U.S. computer networks". Samudra names several websites and chat rooms as sources for increasing hacking skills. He urges Muslim youth to obtain credit card numbers and use them to fund the struggle against the United States and its allies. (38) The terrorist attacks in Bali, and recent attacks in several other countries, may have been funded through stolen credit cards. (39)
In February 2005, FBI director Robert Mueller, testified before the Senate Select Committee on Intelligence that terrorists show a growing understanding of the critical role of information technology in the U.S. economy and have expanded their recruitment to include people studying math, computer science, and engineering. (40)
Trends in Cybercrime
According to an August 2005 computer security report by IBM, more than 237 million overall security attacks were reported globally during the first half of the year. (41) Government agencies were targeted the most, reporting more than 54 million attacks, while manufacturing ranked second with 36 million attacks, financial services ranked third with approximately 34 million, and healthcare received more than 17 million attacks. The most frequent targets for these attacks, all occurring in the first half of 2005, were government agencies and industries in the United States (12 million), followed by New Zealand (1.2 million), and China (1 million). These statistics may represent an underestimation, given that most security analysts agree that the number of incidents reported are only a small fraction of the total number of attacks that actually occur.
Usually, a cyberattack is difficult to detect until after it is well underway, and may involve hundreds or thousands of compromised computers that are directed by a cybercriminal to attack as a swarm from all parts the globe. If the attack is against a yet-undisclosed, or newly-discovered security vulnerability, the targeted computer systems may be at a significant disadvantage. Most current computer security safeguards operate mainly to prevent the types of attacks that are known to administrators. A new, unique type of attack against computers may encounter inadequate, untested, or non-existent defenses.
A 2004 survey by an internet security company, covering 450 networks in 35 countries, found that hacking had become a profitable criminal pursuit. (42) Hackers sell unknown computer vulnerabilities (commonly called "zero-day exploits") on the black market to criminals who use them for fraud. Hackers with networks of compromised computers rent them to other criminals who use them to launch coordinated attacks against targeted individuals or businesses, including banks or other institutions that manage financial information. (43)
In Autumn 2004, organized cybercriminals appear to have infiltrated the computer systems of the London offices of Sumitomo, the Japanese bank, in an attempt to steal 220 million [pounds sterling]. The cybercriminals reportedly planned to transfer the money to other bank accounts around the world. Officials at the London police fraud squad reportedly stated that Sumitomo is the only incident so far in which an attack by external cybercriminals has nearly succeeded against a major bank. (44) Figures from the National Hi-Tech Crime Unit in England show that, in 2003, at least 83 per cent of U.K. companies were targeted by hackers in attempts to seize control of their systems. (45)
Identity theft involving thousands of victims is enabled by advances in computer technology, and by poor computer security practices. (46) For example, MasterCard International reported that more than 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker and were at risk of being used for fraud. (47) Some of these account numbers were reportedly being sold on a Russian web site, and some consumers have seen fraudulent charges appear on their statements. Officials at the UFJ bank in Japan reportedly stated that some of that bank's customers may also have become victims of fraud related the same theft of MasterCard information. (48)
It has been reported that information about stolen credit cards and bank accounts is now traded online in a highly structured arrangement, involving buyers, seller, intermediaries, and service industries. These services include offering to change a billing address of a theft victim, through manipulation of stolen PINs or passwords. Estimates by some observers are that, in a highly profitable black market, each stolen MasterCard number can be sold for between $42 and $72. (49)
The Insider Threat
A 2003 study of security incidents, conducted by the U.S. Secret Service and the Carnegie Mellon Software Engineering Institute, found that attacks on computer systems committed by insiders with authorized access, have reportedly cost industry millions of dollars in fraud and lost data. (50) Insider employees with access to sensitive information systems can initiate threats in the form of malicious code inserted into software that is being developed either locally, or under offshore contracting arrangements. For example, in January 2003, twenty employees of subcontractors working in the United States at the Sikorsky Aircraft Corporation were arrested for possession of false identification used to obtain security access to facilities containing restricted and sensitive military technology. All of the defendants pleaded guilty and have been sentenced, except for one individual who was convicted at trial on April 19, 2004. (51)
Links Between Terrorism and Cybercrime
Linkages between criminal and terror groups may allow terror networks to expand and undertake large attacks internationally by leveraging criminal sources, money, and transit routes. For example, observers speculate that Aftab Ansari, a criminal suspect located in Dubai, used ransom money earned from prior kidnappings to assist with funding for the September 11, 2001 terrorist attacks. Also, London police officials believe that terrorists obtained the high-quality explosives used for the 2005 bombings on an Eastern European black market. (52) The recent subway and bus bombings in the U.K. also indicate that terrorists may be active within other countries that have large computerized infrastructures, along with a large, highly skilled information technology workforce. A report by the Department of Homeland Security (DHS) predicts that other possible sponsors of terrorist attacks against the United States homeland may include groups such as Jamaat ul-Fuqura, a Pakistani-based organization allegedly linked to Muslims of America; Jamaat al Tabligh, an Islamic missionary organization; and, the American Dar Al Islam Movement. (53)
The proportion of cybercrime that can be directly, or indirectly attributed to terrorists is difficult to determine. For example, organized criminals use information technology for the movement of money internationally. Where criminals and terrorists work together, members of terrorist groups may be given special training in computer software, or in engineering, to facilitate communications through the Internet. In-house financial specialists and experienced advisors may also knowingly, or sometimes unknowingly, help cybercriminals evade the scrutiny of bank regulators and international investigators. These reportedly may include, accountants, bank employees in offshore zones and in major financial centers who may or may not also be terrorists or supportive of the political motives of their clients. (54)
Officials of the U.S. Drug Enforcement Agency (DEA), reported in 2003 that 14 of the 36 groups found on the U.S. State Department's list of foreign terrorist organizations were involved in drug trafficking. Consequently, DEA officials reportedly argued that the war on drugs and the war on terrorism are and should be linked. (55) A 2002 report by the Library of Congress Federal Research Division, revealed a "growing involvement of Islamic terrorist and extremists groups in drug trafficking", and limited evidence of cooperation between different terrorist groups involving both drug trafficking and trafficking in arms. (56) State Department officials, at a Senate hearing in March 2002, also indicated that some terrorist groups may be using drug trafficking as a way to gain financing while simultaneously weakening their enemies in the West through exploiting their desire for addictive drugs. (57) Western Europe and North America continue to be regions that have major narcotics markets, optimal infrastructure, and open commercial nodes that increasingly serve the transnational trafficking needs of both criminal and terrorist groups. (58)
Drug traffickers are reportedly among the most widespread users of computer messaging and encryption, and often have the financial clout to hire high level computer specialists capable of using steganography (writing hidden messages contained in digital photographs) and other means to make Internet messages hard or impossible to decipher. Access to such high level specialists can allow terrorist organizations to transcend borders and operate internationally without detection. Many highly trained technical specialists available for hire are located in the countries of the former Soviet Union and in the Indian subcontinent. Some specialists will not work for criminal or terrorist organizations willingly, but may be misled or unaware of their employers political objectives. Still, others will agree to provide assistance because well-paid legitimate employment is scarce in their region. (59)
State Sponsors of Terrorists
The prospect of a nation-state supporting cyberterrorism activity is worrisome. However, in March 2005, a Department of Homeland Security (DHS) report indicated that, of the six nations currently listed by the State Department as terrorist sponsors, five of them--North Korea, Sudan, Syria, Libya, and Cuba--are described as a diminishing concern for terrorism. Only Iran remains listed as a nation-state possibly having a future motivation to assist terrorist groups in attacking the United States homeland.
China is often cited as providing government support to computer-hackers. A paper published in 1999 authored by two senior colonels in the Chinese military specifically discusses the need for China to place new emphasis on information warfare methods to attack enemy financial markets, civilian electricity networks, and telecommunications networks by burying "... a computer virus and hacker detachment in the opponent's computer systems in advance ..." of launching the information warfare network attacks. (60)
Methods for conducting information warfare, that might involve secretly sponsoring terrorists, could be used to advance the goals of a nation state. With this in mind, DoD officials have acknowledged that hackers, apparently based in China, have been successfully penetrating U.S. military networks since 2001, and perhaps earlier. News report indicate that hackers have broken into military networks at (1) the U.S. Army Information Systems Agency, (2) the Naval Ocean Systems Center, (3) the Defense Information Systems Agency, and (4) the United States Army Space and Strategic Defense installation. Although some of these successful cyberattacks were directed against unclassified networks, one intrusion reportedly did obtain data on a future Army command and control system. (61) Although the hackers are suspected to be based in China, DoD and security officials remain divided over (1) whether the ongoing cyberattacks are coordinated or sponsored by the Chinese government, (2) whether they are the work of individual and independent hackers, or (3) whether the cyberattacks are being initiated by some third-party organization that is using network servers in China to disguise the true origins of the attacks.
U.S. Efforts to Prevent Cybercrime
To improve cybersecurity for federal agencies and the critical infrastructure, the Office of Management and Budget (OMB) has created a task force to investigate how agencies can better coordinate cybersecurity functions such as training, incident response, disaster recovery, and contingency planning. The U.S. Department of Homeland Security has also created a new National Cyber Security Division that will focus on reducing vulnerabilities in the government's computing networks, and in the private sector to help protect the critical infrastructure. (62)
Officials at DHS and the Department of Justice (DoJ) have announced plans to survey 36,000 U.S. businesses in 2005 to measure the type and frequency of computer security incidents. The survey will provide the first and only statistically valid measure of trends in computer security using national data on cybercrime, including U.S. businesses in all sectors of the civilian critical infrastructure. (63) The DHS National Cyber Security Division (NCSD) (64), and the National Cyber Response Coordination Group (NCRCG) (65) have also announced plans to conduct a national cybersecurity preparedness and response exercise, called Cyber Storm, also scheduled for winter 2005.
In August 2005, DoD Directive 3020.40, the "Defense Critical Infrastructure Program," assigned functional responsibility within DoD for coordinating with public and private sector services for protection of defense critical infrastructures from terrorist attacks, including cyberattack. (66) DoD also announced the formation of the Joint Functional Component Command for Network Warfare (JFCCNW) which has responsibility for defending all DoD computer systems. The expertise and tools used in this mission are for both offensive and defensive operations. (67)
Security vendors have learned that to combat cybercrime more effectively, it must be treated as a global problem. Many of these security vendors have created their own independent advance-warning systems through linking proprietary security equipment into global networks that share information collected by their distributed customer base. One example is an early-warning cyber-security intrusion program that's composed of a global network of 19,000 firewall and intrusion-detection devices maintained by thousands of volunteer data partners. This early intrusion system correlates global data to detect the start of a possible swarming Internet attack originating simultaneously in different parts of the world, and notifies administrators to help them defend their systems when targeted. (68) A similar public/private partnership security warning program was created through the Cyber Incident Detection Data Analysis Center (CIDDAC) (69). In 2005, CIDDAC will install special sensors on the networks of participating partner companies to automatically detect cyberattacks and notify administrators and law enforcement.
International Efforts to Prevent Cybercrime
Cybercrime is a major international challenge, however attitudes about what composes a criminal act of computer wrongdoing may still vary from country to country. The European Union has set up the Critical Information Infrastructure Research Coordination Office (CI2RCO), which is tasked to examine how its member states are protecting their critical infrastructures from possible cyberattack. The project will identify research groups and programs focused on IT security in critical infrastructures.
The Convention on Cybercrime was adopted in 2001 by the Council of Europe, a consultative assembly of 43 countries, based in Strasbourg. The Convention, effective July 2004, is the first and only international treaty to deal with breaches of law "over the internet or other information networks". The Convention requires participating countries to update and harmonize their criminal laws against hacking, infringements on copyrights, computer facilitated fraud, child pornography, and other illicit cyber activities. (70) To date, eight of the 42 countries that signed the Convention have completed the ratification process.
Although the United States has signed the Convention, it did not sign a complementary protocol that contained provisions to criminalize xenophobia and racism on the Internet, which would likely not be supported by the U.S. Constitution. (71) The complementary protocol could be interpreted as requiring nations to imprison anyone guilty of "insulting publicly, through a computer system" certain groups of people based on characteristics such as race or ethnic origin, a requirement that could make it a crime to e-mail jokes about ethnic groups or question whether the Holocaust occurred. The Department of Justice has said that it would be unconstitutional for the United States to sign that additional protocol because of the First Amendment's guarantee of freedom of expression. The Electronic Privacy Information Center, in a June 2004 letter to the Foreign Relations Committee, objected to U.S. ratification of the Convention, because it would "would create invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards." (72) However, a coalition of U.S. industry associations, including the Business Software Alliance, the Cyber Security Industry Alliance, the American Bankers Association, the Information Technology Association of America, InfraGard, Verisign, and several others, have urged the U.S. Senate Foreign Relations Committee to recommend ratification of the Convention. (73)
The Bush Administration submitted the Convention on Cybercrime (Treaty Doc. 108-11) to the Senate for hearings and resolution in November 2003. On July 26, 2005, the U.S. Senate Foreign Relations Committee approved the signed Convention, clearing the way for a floor vote later in the year. A report from the Senate Foreign Relations Committee is expected to be published before the end of the current session of Congress.
Analysis and Policy Issues
Computer security experts disagree about whether a widespread coordinated cyberattack by terrorists is a near-term or long-term possibility. However, terrorists have repeatedly demonstrated a willingness to plan and launch conventional attacks against targets that have easy accessibility and numerous vulnerabilities. Internet and computer system vulnerabilities are persistent and widely publicized. As technology continues to advance, the capability, reliance, and interdependent nature of computer systems likely will be more vulnerable to cyberattack tools that are becoming faster and more sophisticated. Terrorists may also be developing links with cybercriminals that will give them access to high-level computer skills. The time may be approaching when a cyberattack may offer advantages that cause terrorists to act, even if the probability of success, or level of effectiveness, is unknown. Similar to terrorists reconnaissance of physical targets to assess the level of security prior to an attack, it is suggested that the U.S. may experience a number of small cyber intrusion events prior to an attempt at a larger more devastating attack.
One issue is whether DHS has done enough to strengthen computer security for civilian federal agencies and for the private sector. In July 2005, DHS Secretary Michael Chertoff announced creation of the new position of Assistant Secretary for Cyber and Telecommunications Security. In doing so he acknowledged both the efficiencies and vulnerabilities of modern technology upon which so much of society now depends. (74) Many cybersecurity observers hope that by elevating the DHS Cyber Security Officer from a Division Director to an Assistant Secretary level position, the new senior official will become a more effective proponent of federal government efforts to address and manage information technology vulnerabilities, incident response programs, and remediation efforts.
DHS is also supporting efforts to encourage U.S. computer systems to change to the new, reportedly more secure, IPV6 Internet Protocol. (75) Despite these efforts, according to GAO officials, DHS does not have an Internet recovery plan, or a national cybersecurity threat assessment. DHS officials have stated that a draft cybersecurity threat evaluation plan will be available in late 2005, but a finalized cybersecurity plan that pinpoints the nations's weakest security links will likely not be available until 2006. (76) Leaders of the Senate Committee on Homeland Security and Governmental Affairs, Subcommittee on Financial Management, Government Information and International Security, reportedly have stated that DHS does not have a robust way to detect a coordinated attack against the critical infrastructure. (77)
Security vulnerabilities found in the Internet and in critical infrastructure computer systems are widely publicized. Many experts are concerned that private sector cyber-security firms do not notify DHS or their customers immediately upon recognition of a potentially serious Internet security vulnerability. If hackers become aware of this vulnerability, observers speculate that these individuals could disable portions of the Internet, or successfully disrupt selected portions of the U.S. or international critical infrastructure. This raises the following questions:
* Should vendors of computer products be required to quickly report all serious, newly discovered product vulnerabilities to DHS?
* Should computer service providers or businesses be required to report to DHS any major security vulnerabilities that have been newly exploited by cybercriminals?
* Should there be penalties if an organization has a poor security policy that contributes to a major loss of sensitive information?
Some actions are underway that Congress may consider. (78) For example, on September 30, 2005, an interim rule was issued by the Federal Acquisition Regulations Council, outlining several new steps acquisition workers must take to ensure IT security is incorporated into all federal purchases. Under this interim rule, government contracting officers must include additional cybersecurity rules in their acquisition planning, which will require vendors to improve computer security for the IT products and services they supply to the federal government. (79)
Experts now believe that terrorist collaborate with organized crime networks in the Middle East for international smuggling of arms and illegal drugs. Criminal drug traffickers can provide terrorists with access to computer specialists with high-level technical skills. What are the pro's and con's of linking counterterrorism efforts more closely to the efforts of agencies that counter drug trafficking?
Should the counterterrorism efforts be linked more closely with international efforts to prevent cybercrime? What are effective ways to encourage more international cooperation for identifying which activities should be labeled as cybercrime, and for punishing those who operate as cybercriminals?
Security experts have reportedly stated that, although U.S. military networks are relatively secure, many of those networks remain highly dependent on the civilian communications infrastructure. (80) Should DoD collaborate more closely with DHS for new technologies to strengthen the computer security of civilian agencies and infrastructure?
Trends for cybercrime indicate that computer attacks could increase in number, speed, and sophistication. Will future unknown computer vulnerabilities and sophisticated attacks allow terrorist to launch an effective cyberattack that might overwhelm the ability of civilian agencies to respond effectively? Could a new approach to computer security reduce vulnerabilities? An example of a new approach to improve computer security for computer systems and the Internet might include development and refinement of quantum methods for unbreakable cryptography. (81) However, new approaches to computer security could also lead to the emergence of new threats directed against new vulnerabilities. For example, the proliferation and use of commercial products with unbreakable cryptography could seriously undermine the ability of law enforcement to perform critical missions such as protecting against threats posed by terrorists, organized crime, and foreign intelligence agents.
The following bills are related to improving national computer security, or the prevention of cybercrime:
* H.R. 285. On January 6, 2005, the Department of Homeland Security Cybersecurity Enhancement Act of 2005 was introduced by Representative Mac Thornberry. The bill proposes to amend the Homeland Security Act of 2002 to enhance cybersecurity by creating a new Directorate for Information Analysis and Infrastructure Protection in a National Cybersecurity Office, headed by an Assistant Secretary for Cybersecurity, who shall assist the Secretary in promoting cybersecurity for the Nation. The bill also proposes appropriate measures for the recovery of the cybersecurity elements of critical infrastructure. Referred to the House Committee on Homeland Security, Subcommittee on Economic Security, infrastructure Protection, and Cybersecurity, February 18, 2005. Forwarded by the Subcommittee to the Full House Committee on Homeland Security, April 20, 2005.
* S. 768. On April 12, 2005, the Comprehensive Identity Theft Prevention Act was introduced by Senator Charles Schumer. The bill proposes to establish in the Federal Trade Commission (FTC) an Office of Identity Theft to coordinate international responses to identify theft and development of best practices to protect consumers. The bill also proposes to amend the Homeland Security Act of 2002 to establish in the Directorate for Information Analysis and Infrastructure Protection of the Department of Homeland Security(DHS) a National Cybersecurity Office to assist in promoting cybersecurity for the United States, and to grant the Assistant Secretary for Cybersecurity primary authority for all cybersecurity-related critical infrastructure programs of DHS. On April 12, 2005, the bill was referred to the Senate Committee on Commerce, Science, and Transportation.
* H.R. 1817. Introduced on April 26, 2005, by Representative Christopher Cox, this bill proposes to authorize appropriations for fiscal year 2006 for the Department of Homeland Security, and establish in DHS an Assistant Secretary for Cybersecurity appointed by the President. Referred jointly and sequentially to the House Committee on Energy and Commerce, the House Committee on Government Reform, House Committee on the Judiciary , the House Committee on Science, the House Committee on Transportation and Infrastructure, the House Committee on Ways and Means, the House Committee on Intelligence, May 3, 2005. Reported (Amended) by the Committee on Energy and Commerce. (H. Rept. 109-71, Part II.), and the Committee on Judiciary (H. Rept. 109-71, Part III), May 13, 2005. On passage Passed by recorded vote: 424-4 (Roll no. 189), May 18, 2005. Received in the Senate and referred to the Senate Committee on Homeland Security and Governmental Affairs, May 18, 2005.
* H.R. 3109. Introduced on June 29, 2005, by Representative Sheila Jackson-Lee, this bill proposes to authorize the Secretary of Homeland Security to establish a program to award grants to institutions of higher education for the establishment or expansion of cybersecurity professional development programs. Referred to the House Committee on Science, and to the Committee on Education and the Workforce, and the Committee on Homeland Security, June 29, 2005.
* H.R. 744. Introduced on February 10, 2005, by Representative Bob Goodlatte, this bill proposes to amend title 18, United States Code, to discourage spyware, and expresses the sense of Congress that the Department of Justice should vigorously prosecute those who use spyware to commit crimes, and those that conduct phishing or pharming scams. Reported by the House Committee on Judiciary (H. Rept. 109-93) May 23 2005. Passed by the House (395-1) May 23, 2005. Received in the Senate and referred to the Senate Committee on the Judiciary, May 24, 2005.
(1) Keith Lourdeau, FBI Deputy Assistant Director, testimony before the U.S. Senate Judiciary Subcommittee on Terrorism, Technology, and Homeland Security, February 24, 2004.
(2) IBM Press Release, Government, financial services and manufacturing sectors top targets of security at tacks in first half of 2005, August, 2, 2005, [http://www.ibm.com/news/ie/en/2005/08/ie_en_news_20050804.html].
(3) According to FBI officials, Al Qaeda terrorist cells in Spain used stolen credit card information to make numerous purchases. Also, the FBI has recorded more than 9.3 million Americans as victims of identity theft in a 12 month period; June, 2005. Report by the Democratic Staff of the House Homeland Security Committee, Identity Theft and Terrorism, July 1, 2005, p.10.
(4) Alan Sipress, An Indonesian's Prison Memoir Takes Holy War Into Cyberspace, Washington Post, December 14, 2004, A19.
(5) Jonathan Curiel, TERROR.COM: Iraq's tech-savvy insurgents are finding supporters and luring suicide-bomber recruits over the Internet, San Francisco Chronicle, July 10, 2005, [http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/07/10/CURIEL.TMP].
(6) Jonathan Curiel, Iraq's tech-savvy insurgents are finding supporters and luring suicide-bomber recruits over the Internet, San Francisco Chronicle, July 10, 2005, A.01.
(7) Michael Evans and Daniel McGrory, Terrorists Trained in Western Methods Will Leave Few Clues, London Times, July 12, 2005.
(8) For a more in-depth discussion of the definition of cyberterrorism, see CRS Report, RL32114, Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress.
(9) Kevin Rademacher reporting remarks of Richard Clarke at CardTech/SecurTech security conference April 2005, Clarke: ID theft prevention tied to anti-terrorism efforts, Las Vegas Sun, April 13, 2005, [http://www.lasvegassun.com/sumbin/stories/text/2005/ apr/13/518595803.html].
(10) Joris Evers, Does Cyberterrorism Pose a True Threat?, PCWorld, March 14, 2003, [http://www.peworld.com/news/article/0,aid,109819,00.asp]. Joris Evers, reporting remarks by Bruce Schneier at CeBIT technology trade show in March 2003, Cyberterror Threat Overblown, Computerworld, March 14, 2003, [http://www.computeworld,com/printthis/2003/0,4814,79368,00.html]. Gabriel Weimann, Special Report--Cyberterrorism: How Real is the Threat?, United States Institute of Peace, Washington, D.C., May 2004. Dan Ilett reporting remarks of Richard Clarke at the Oxford University Internet Institute in February 2005, Clarke joins latest cyberterror debate, ZDNet UK, February 11, 2005, [http://www.zdnet.co.uk/print/?TYPE=story& AT=39187582-39020375t-10000025c].
(11) Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, McGraw-Hill, 2003, p.110. Keith Lourdeau, Deputy Assistant Director of the FBI Cyber Division, testimony before the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security, February 24, 2004. Ryan Naraine reporting remarks of Roger Cressey at Infosec World 2005, Cyber-Terrorism Analyst Warns Against Complacency, eWEEK.com, April 4, 2005, [http://www.eweek.com/article2/0,1759,1782288,00.asp].
(12) The Electronic Intrusion Threat to National Security and Emergency Preparedness (NS/EP) Internet Communications, Office of the Manager, National Communications System, December 2000, p.31, [http://www.ncs.gov/library/reports/electron ic_intrusion_threat2000_final2.pdf].
(13) Amy Storer, Update: IPv6 risks may outweigh benefits, SearchSecurity.com, July 29, 2005, [http://searchsecurity.techtarget.com/originalContent/0,2 89142,sid14_gci1112459,00.html?track=NL-358&ad=525032USCA].
(14) Victor Garza, Security researcher cause furor by releasing flaw in Cisco Systems IOS, SearchSecurity.com, July 28, 2005, [http://searchsecurity.techtarget.com/originalContent/ 0,289142,sid14_gci1111389,00.html].
(15) Justin Rood, Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw, CQ Homeland Security, August 2, 2005, [http://homeland.cq.com/hs/display.do? docid=1810432&sourcetype=31&binderName=news-all].
(16) Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, McGraw-Hill, 2003, p.110.
(17) The President's Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, Report to the President, February 2005, p.25, [http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/ cybersecurity.pdf].
(18) John Foley, Businesses Slow to Deploy Windows XP SP2, Information Week, April 26, 2005, p.26.
(19) IBM News, Report finds online attacks shift toward profit, August 2, 2005, [http://www.ibm.com/news/us/en/2005/08/2005_08_02.html]. Symantec Press Release, Symantec Internet Security Threat Report Highlights Rise In Threats To Confidential Information, March 21, 2005, [http://www.symantec.com/press/2005/n050321.html].
(20) Based on 2002 data submitted by federal agencies to the White House Office of Management and Budget, GAO noted, in testimony before the House Committee on Government Reform (GAO-03-564T, April 8, 2003), that all 24 agencies continue to have "significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse, and disruption.", Christopher Lee, November 20, 2002, Agencies Fail Cyber Test: Report Notes 'Significant Weaknesses' in Computer Security, [http://www.washingtonpost.com/ac2/wp-dyn/ A12321-2002Nov19?language=printer.]
(21) GAO report 05-231, Information Security; Emerging Cybersecurity Issues Threaten Federal Information Systems, May 2005.
(22) Eric Lipton, Homeland Report Says that Threat From Terror-List Nations Is Declining, The New York Times, March 31, 2005, Section A, P.9.
(23) Terrorist suspects are reportedly using encryption techniques to prevent police from accessing vital intelligence on seized computers, according to U.K. police. Stewart Tendler, Encrypted files frustrate police, Times Online, July 20, 2005, [http://technology.timesonline.co.uk/article/0,,20409-1701405,00.html]. See CryptoHaven, [http://www.cryptoheaven.com/], and SecretMaker, [http://www.secretmaker.com/emailsecurer/steganography/default.html].
(24) Shaun Waterman, Islamists Seek To Organize Hackers' Jihad in Cyberspace, August 26, 2005, Washington Times, p.9.
(25) Tom Spring, Al Qaeda's Tech Traps, PCWorld, September 1, 2004, [http://www.pcworld.com/news/article/0,aid,117658,00.asp].
(26) In July 2002, Gartner Research and the U.S. Naval War College hosted a three-day, seminar-style war game called "Digital Pearl Harbor" (DPH), with the result that 79 percent of the gamers said that a strategic cyberattack against the United States was likely within the next two years. Gartner Research, 'Digital Pearl Harbor': Defending Your Critical Infrastructure, October 4, 2002, [http://www.gartner.com/pages/story.php.id.2727.s.8.jsp].
(27) Robert Gates, former CIA director, warned that the threat of cyberterrorism should be taken particularly seriously. Keith Lourdeu, deputy assistant director of the FBI Cyber Division, stated that "our networked systems make inviting targets for terrorists due to the potential for large-scale impact on the nation." Douglas Schweitzer, Be Prepared for Cyberterrorism, Computerworld, April 6, 2005. However, others believe that infrastructure systems are robust and could recover quickly. Richard Forno, Shredding the Paper Tiger of Cyberterrorism, Security Focus, September 25, 2002, [http://www.securityfocus.com/printable/columnists/111]. See also, CRS Report 32114,Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress.
(28) Scott Nance, Debunking Fears: Exercise Finds 'Digital Pearl Harbour' Risk Small, Defense Week, April 7, 2003, [http://www.kingpublishing.com/publications/dw/]. William Jackson, War College Calls Digital Pearl Harbor Doable, Government Computer News, August 23, 2002, [http://www.gcn.com/vol1_no1/daily-updates/19792-1.html].
(29) CIA Overseeing 3 Day Wargame on Internet, Associated Press, May 25, 2005.
(30) Ted Bridis, 'Silent Horizon' war games wrap up for the CIA, USA Today, May 26, 2005, [http://www.usatoday.com/tech/news/techpolicy/ 2005-05-26-cia-wargames_x.htm].
(31) John Rollins, Specialist in Terrorism and International Crime, Congressional Research Service, August 2005.
(32) "Country Reports on Terrorism" is submitted in compliance with Title 22 of the United States Code, Section 2656(f) which requires the Department of State to provide Congress with a full and complete annual report on terrorism for those countries and groups meeting the criteria of Section (a)(1) and (2) of the Act., [http://www.state.gov/s/ct/rls/c14812.htm].
(34) GAO report 05-231, Information Security; Emerging Cybersecurity Issues Threaten Federal Information Systems, May 2005.
(35) Dan Verton, Black Ice: The Invisible Threat of Cyberterrorism, McGraw-Hill, 2003, p.87.
(36) Tom Spring, Al Qaeda's Tech Traps, PCWorld, September 1, 2004, [http://www.pcworld.com/news/article/0,aid,117658,00.asp].
(37) Anthony Davis, The Afghan files: Al-Qaeda documents from Kabul, Jane's Intelligence Review, February 1, 2002.
(38) FBI Report FEA20041222000744, version 17, Convicted Indonesian Terrorist Calls for Computer Hacking, Jihad Against US, Decembe r 4, 2004, [https://www.fbis.gov/portal/server.pt/gateway/ PTARGS_0_22439_246_203_0_43/http%3B/apps.fbis.gov%3B7011/ fbis.gov/search/Search?action=viewDocument&holding=5051585].
(39) Richard Clarke, former counterterrorism advisor for Presidents George W. Bush and Bill Clinton, stated that we are vulnerable to people who would use our identities against us. Kevin Rademacher, Clarke: ID theft prevention tied to anti-terrorism efforts, Las Vegas Sun, April 13, 2005 [http://www.lasvegassun.com/sunbin/stories/text/20 05/apr/13/518595803.html].
(40) Testimony before the Senate Select Committee on Intelligence, February 16, 2005.
(41) The Global Business Security Index reports worldwide trends in computer security from incidents that are collected and analyzed by IBM and other security organizations. IBM press release, IBM Report: Government, Financial Services and Manufacturing Sectors Top Targets of Security Attacks in First Half of 2005, IBM, August 2, 2005.
(42) Counterpane Internet Security, Attack Trends 2005, June 2005, [http://www.schneier.com/essay-085.pdf]
(43) Bruce Schneier, Attack Trends: 2004 and 2005, June 6, 2005, [http://www.schneier.com/blog/archives/2005/06/attack_trends_2.html].
(44) Conal Walsh, Terrorism on the cheap--and with no paper trail, The Guardian Observer (London), July 17, 2005.
(45) Hi-Tech Crime: The Impact on U.K. Business 2005, 2004 Survey, [http://www.nhtcu.org/media/documents/publications/8817_Survey.pdf]
(46) On April 12, 2005, personal information, such as Social Security Numbers for 310,000 U.S. citizens, may have been stolen in a data security breach that involved 59 instances of unauthorized access into its corporate databases using stolen passwords. Boston College reported in March 2005 that a hacker had gained unauthorized access to computer database records with personal information for up to 106,000 alumni, and in the same month, Chico State University of California, reported that its databases had been breached containing the names and Social Security numbers for as many as 59,000 current and former students. David Bank and Christopher Conkey, New Safeguards for Your Privacy, The Wall Street Journal, March 24, 2005, p. D1.
(47) Jonathan Krim and Michael Barbaro, 40 Million Credit Card Numbers Hacked, Washington Post, June 18, 2005, A01. See also the report by the U.S. House of Representative Homeland Security Committee, July 1, 2005, raising concerns about potential ties between identity theft victims and terrorism. Caitlin Harrington, Terrorists Can Exploit Identity Theft, Report From House Democrats Says, CQ Homeland Security, July 1, 2005.
(48) BBC News, Japan cardholders 'hit' by theft, June 21, 2005, [http://news.bbc.co.uk/1/hi/business/4114252.stm].
(49) CCRC staff, Russia, Biggest Ever Credit Card Scam, Computer Crime Research Center, July 8, 2005, [http://www.crime-research.org/news/08.07.2005/1349/].
(50) Marisa Randazzo, et. al., Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, Carnegie Mellon Software Engineering Institute, August 2004.
(51) U.S. Attorneys Office District of Connecticut, [http://www.usdoj.gov/usao/ct/attf.html].
(52) Conal Walsh, Terrorism on the cheap--and with no paper trail, The Guardian Observer (London), July 17, 2005. Rollie Lal, Terrorists and organized crime join forces, International Herald Tribune, May 25, 2005, [http://www.iht.com/articles/2005/05/23/opinion/edlal.php]. Barbara Porter, Forum Links Organized Crime and Terrorism, By George*, Summer 2004, [http://www2.gwu.edu/~bygeorge/060804/crimeterrorism.html].
(53) The DHS report, dated January 2005, is entitled "Integrated Planning Guidance, Fiscal Years 2005-2011." Justin Rood, Animal Rights Groups and Ecology Militants Make DHS Terror List, Right-Wing Vigilantes Omitted, CQ Homeland Security, March 25, 2005. Eric Lipton, Homeland Report Says that Threat From Terror-List Nations Is Declining, The New York Times, March 31, 2005, Section A, P.9.
(54) Louise I. Shelley and John T. Picarelli, Methods Not Motives: Implications of the Convergence of International Organized Crime and Terrorism, Police Practice and Research, Vol. 3, No. 4, 2002 p.311, [http://www.american.edu/traccc/Publications/ Shelley%20Pubs/To%20Add/MethodsnotMotives.pdf].
(55) Authorization for coordinating the federal war on drugs expired on September 30, 2003. For more information, see CRS Report RL32353, War on Drugs: Reauthorization of the Office of National Drug Control Policy. Also, see D.C. Prefontaine, QC and Yvon Dandurand, Terrorism and Organized Crime Reflections on an Illusive Link and its Implication for Criminal Law Reform, International Society for Criminal Law Reform Annual Meeting--Montreal, August 8-12, Workshop D-3 Security Measures and Links to Organized Crime, August 11, 2004, [http://www.icclr.law.ubc.ca/Publications/Reports/ International%20Society%20Paper%20of%20Terrorism.pdf].
(56) Berry, L., Curtis, G.e., Hudson, R. A. and N. A. Kollars. A Global Overview of Narcotics-Funded Terrorist and Other Extremist Groups. Federal Research Division, Library of Congress. Washington (D.C.): Library of Congress, May 2002.
(57) Rand Beers and Francis X. Taylor, U.S. State Department, Narco-Terror: The Worldwide Connection Between Drugs and Terror, testimony before the U.S. Senate Judiciary Committee, Subcommittee on Technology, Terrorism, and Government Information, March 13, 2002.
(58) Glenn Curtis and Tara Karacan, The Nexus Among Terrorists, Narcotics Traffickers, Weapons Proliferators, and Organized Crime Networks in Western Europe, A study prepared by the Federal Research Division, Library of Congress, December 2002, p.22, [http://www.loc.gov/rr/frd/pdf-files/WestEurope_NEXUS.pdf].
(59) Louise Shelly, Organized Crime, Cybercrime and Terrorism, Computer Crime Research Center, September 27, 2004, [http://www.crime-research.org/articles/Terrorism_Cybercrime/].
(60) Qioa Lang and Wang Xiangsui, Unrestricted Warfare, Beijing: PLA Literature and Arts Publishing House, February 1999.
(61) Frank Tiboni, The New Trojan War, Federal Computer Week, August 22, 2005, p.60. Nathan Thornburgh, Inside the Chinese Hack Attack, August 25, 2005, [http://www.time.com/time/nation/printout/0,8816,1098371,00.html].
(62) Jason Miller, New Cybersecurity Team Meets this Week, Government Computer News, March 21, 2005. Grant Gross, Homeland Security to Oversee Cybersecurity, PC World, June 9, 2003, [http://www.pcworld.com/news/article/0,aid,111066,00.asp].
(63) Dibya Sarkar, DHS, DOJ plan cybercrime survey, FCW.com, January 13, 2005, [http://www.fcw.com/fcw/articles/2005/0110/web-survey-01-13-05.asp].
(64) The NCSD is the focal point for the federal government's interaction with state and local government, the private sector, and the international community concerning cyberspace vulnerability reduction efforts.
(65) The NCRCG is a forum of 13 principal agencies that coordinates intra-governmental and public/private preparedness operations to respond to and recover from large-scale cyberattacks.
(66) The Defense Critical Infrastructure is defined as those DoD and non-DoD networked assets essential to project, support, and sustain military forces and operations worldwide.
(67) John Lasker, U.S. Military's Elite Hacker Crew, Wired News, April 18, 2005, [http://www.wired.com/news/print/0,1294,67223,00.html].
(68) Paul Roberts, Symantec Offers Early Warning of Net Threats, PCWorld, February 12, 2003, [http://www.pcworld.com/news/article/0,aid,109322,00.asp].
(69) CIDDAC is a not-for-profit organization that combines private and government perspectives to facilitate automated real-time sharing of cyberattack data. CIDDAC is specifically designed to protect privacy rights while collecting cyber threat information from sensors attached to corporate computer networks.
(70) Full text for the Convention on Cyber Crime may be found at [http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=8&DF= 18/06/04&CL=ENG].
(71) The U.S. Senate Committee on Foreign Relations held a hearing on the Convention on June 17, 2004. CRS Report RS21208, Cybercrime: The Council of Europe Convention. Estelle Durnout, Council of Europe ratifies cybercrime treaty, ZDNet, March 22, 2004, [http://news.zdnet.co.uk/business/legal/0,39020651,39149470,00.htm].
(73) Patience Wait, Industry Groups urge Senate ratification of cybercrime treaty, Government Computer News, June 6, 2005, [http://appserv.gcn.com/vol1_no1/web/362 57-1.html]. Declan McCullagh, Tech Firms call for approval of cybercrime treaty, Cnet News.com, June 29, 2005, [http://news.com.com/2102-7348_3-576 8462.html?tag=st.util.print].
(74) Secretary Michael Chertoff, U.S. Department of Homeland Security, Second Security Stage Review Remarks, July 13, 2005, [http://www.dhs.gov/dhspublic /interapp/speech_0255.xml].
(75) IPV6 is the designation for a newer, more secure communications protocol for the Internet. For more information, see CRS Report RL32411: Network Centric Warfare: Background and Oversight Issues for Congress.
(76) Wilson Dizard, Cybersecurity plans wait for DHS to complete its evaluation of threats, Government Computer News, July 25, 2005, vol.24, No.20.
(77) Grant Gross, Senators Call on DHS to Improve Cybersecurity Efforts, Symantec, [http://enterprisesecurity.symantec.com/publicsector/ article.cfm?articleid=5862&EID=0].
(78) See National Institute of Standards and Technology web site for Federal Agency Security Practices, [http://csrc.nist.gov/fasp/].
(79) Jason Miller, IT security requirements now part of the FAR, Government Computer News, September 30, 2005, [http://www.gcn.com/vol1_no1/daily-updates/37162-1.html]. Federal Register, September 30, 2005, Vol70, No. 189, Pg. 57449-57452.
(80) Barton Reppert, remarks made by Clifford Lau, July 26, 2005, at the Rayburn House Office Building, subsequent to a hearing by the House Science Committee.
(81) Quantum cryptography: In the microscopic world, once a system is observed, it is inevitably affected and changes into another state (Heisenberg's Uncertainty Principle). By incorporating the fact that weak light behaves as "photons" subject to this law, quantum cryptography is an unbreakable cryptography with the photons becoming the information carriers, or information cameras. Press Release, Mitsubishi Electric, 2002, [http://global.mitsubishielectric.com/news/news_releases/ 2002/mel0560_b.html].
Specialist in Terrorism and International Crime
Foreign Affairs, Defense, and Trade Division
Specialist in Technology and National Security
Foreign Affairs, Defense, and Trade Division
|Printer friendly Cite/link Email Feedback|
|Author:||Rollins, John; Wilson, Clay|
|Publication:||Congressional Research Service (CRS) Reports and Issue Briefs|
|Date:||Oct 1, 2005|
|Previous Article:||Oil and gas disruption from Hurricanes Katrina and Rita.|
|Next Article:||Disaster response and appointment of a recovery czar: the executive branch's response to the flood of 1927.|