While politically motivated cyber-attacks on the U.S. infrastructure are a looming threat, cybercrimes — including identity theft, Internet scams and extortion — are a growing reality.
According to the joint annual report by the Computer Security Institute and the Federal Bureau of Investigation, 251 survey respondents alone reported losses of more than $200 million last year. While this represented an actual decline over the previous year, experts say the dollar figures are very “squishy.”
“Their numbers are really questionable, and I would hesitate to decide policy on the basis of those numbers,” warns technology consultant Richard Hunter of the Gartner Group. If anything, Hunter says, the costs are being underestimated.
“We have already had cybercrimes with the economic value in the tens of millions of dollars,” notes Hunter. “Those are actual dollar takes, not estimates. I can foresee that in the next few years we're going to see cybercrimes with economic impact measurable in the hundreds of millions of dollars. It's a green field, and law enforcement hasn't shown up. They're way behind the curve.”
In fact, cybercrime is a growing concern for law enforcement, especially at the federal level. FBI Director Robert S. Mueller III recently designated cybercrime as the agency's third-ranking priority, just behind terrorism and counterespionage.
Over the past decade, the United States has significantly increased penalties for hacking and other computer-related crimes.
The most notable increases in penalties were imposed as part of the USA Patriot Act of 2001. The tough, new law raised the maximum penalty from five years to 10 years for first offenders and from 10 years to 20 years for repeat offenders. It also specifically makes it illegal to damage a computer used by the government “in furtherance of the administration of justice, national defense or national security,” even if the usual $5,000 damage threshold is not met.
The $5,000 damage threshold is itself a limitation that federal law enforcement officials would like to see removed across the board.
“In some of the cases investigated by the FBI, damages in excess of $5,000 on a particular system are difficult to prove,” FBI Director Louis Freeh told Congress in 2000. “In other cases, the risk of harm to individuals or to the public safety posed by breaking into numerous systems and obtaining root access, with the ability to destroy the confidentiality or accuracy of crucial — perhaps lifesaving — information is very real and very serious even if provable monetary damages never approach the $5,000 mark. In investigations involving the dissemination or importation of a virus or other malicious code, the $5,000 threshold could potentially delay or hinder early intervention by federal law enforcement.”
Of course, stronger laws against hacking are not likely to deter terrorists and enemy nation-states directly. But some analysts have noted that cybercriminals are a prime potential source of expertise for terrorists and nation-states. If the pool of cybercriminals can be reduced, it may make it more difficult for politically motivated hackers to recruit help.
Even then, some analysts say, it's going to take international cooperation to have any significant impact on cyberterrorism.
“We need a common set of laws or standards,” says James Lewis, a senior fellow at the Center for Strategic and International Studies. “We need a cooperative structure so that when an incident is occurring in one country [with] the source in another country, there is a way to get the police to operate quickly.”
The Council of Europe's Convention on Cybercrime, says Lewis, is a long step in the right direction.
The convention requires member nations to criminalize certain types of actions involving computers and networks. The convention also has provisions for information-sharing and for extradition of those accused of cybercrimes.
Thirty-four nations — including the United States — have signed the convention, though only three have ratified it. The convention must be ratified by five members of the Council of Europe in order to become binding.
Assuming that the convention comes into force, Lewis says, the international efforts to help investigate incidents and homogenize laws affecting hackers are “actually coming along fairly well.”