Cyber-apocalypse now: securing the Internet against cyberterrorism and using universal jurisdiction as a deterrent.

Author: Gable, Kelly A.


Cyberterrorism has become one of the most significant threats to the national and international security of the modern state, and cyberattacks are occurring with increased frequency. The Internet not only makes it easier for terrorists to communicate, organize terrorist cells, share information, plan attacks, and recruit others but also is increasingly being used to commit cyberterrorist acts. It is clear that the international community may only ignore cyberterrorism at its peril.

The primary security threat posed by the Internet is caused by an inherent weakness in the TCP/IP Protocol, which is the technology underlying the structure of the Internet and other similar networks. This underlying structure enables cyberterrorists to hack into one system and use it as a springboard for jumping onto any other network that is also based on the TCP/IP Protocol. Other threats to national and international security include direct attacks on the Internet and the use of the Internet as a free source of hacking tools. These threats will not be eradicated easily.

In the absence of feasible prevention, deterrence of cyberterrorism may be the best alternative. Without, at a minimum, a concerted effort at deterrence, cyberterrorism will continue to threaten national and international security. The most feasible way to deter cyberterrorists is to prosecute them under the international law principle of universal jurisdiction.

TABLE OF CONTENTS

I. INTRODUCTION
II. HISTORICAL BACKGROUND
    A. A Brief History of the Internet and Its Sister Networks
    B. A Brief History of Intelligence
III. THE THREATS TO NATIONAL AND INTERNATIONAL SECURITY POSED BY INTERNATIONAL DEPENDENCE ON THE INTERNET
    A. Jumping from Network to Network--The Fundamental Insecurity of the TCP/IP Protocol
    B. Direct Attacks on the Internet
    C. The Internet As Hacker's Toolbox
    D. The Particular Vulnerability of Networks in the International Financial System
IV. ATTEMPTS AT PREVENTION: LAWS, POLICY AND TECHNOLOGY
    A. Laws and Policy
        1. U.S. Domestic Efforts
        2. Efforts by International Organizations
    B. Technology
        1. International Standards for Economic Transactions
        2. International Standards for Encryption
    C. Attempts Are Insufficient to Prevent Cyberterrorism
V. DETERRENCE VIA PRESCRIPTIVE JURISDICTION
    A. Territorial Jurisdiction--Too Unwieldy For Cyberterrorism
    B. Universal Jurisdiction--Uniquely Suited To Cyberterrorism
        1. The Case for Universal Jurisdiction
        2. The Non-Piracy Analogy
        3. A Six-Fold Rationale
        4. Dispelling Other Potential Concerns
VI. CONCLUSION

I. INTRODUCTION

It is a cold December day, already dark, when Aidan Smith leaves his office to catch the train home. As he is leaving the building, the power suddenly cuts out, bringing the elevator he is in to a screeching halt on the ground floor. He presses the emergency button, and the doors open, begrudgingly, to let him out. Shaken, he heads for the train station. As he steps out into the street, he realizes it is much darker than usual--every building, every street light, every stoplight is dark. Only the headlights from passing cars light the sidewalk as he slowly makes his way to the train station. He finally arrives, but finds that the station is barely lit and is jammed with people waiting for trains that are not coming. Checking the news on his BlackBerry, he sees that Washington, D.C., New York, Chicago, and Los Angeles have simultaneously lost all electricity and that Al Qaeda replaced the White House website with a message proclaiming that they have hacked into and shut down these major power grids to cripple the U.S. economy, as the stock markets, airports, and banks cannot function without electricity. In short, Al Qaeda has caused a cyber-apocalypse. (1)

Although this situation is hypothetical, the possibility is disturbingly real. Hackers scan U.S. government computer systems literally thousands of times a day, looking for a way in. (2) In 2001, hackers successfully attacked an electric power grid in California and a seaport in Houston; (3) more recently, hackers planted malicious software in the U.S. power grid, oil and gas distribution computer systems, telecommunications networks, and computer systems of the financial services industry. (4) In March 2007, researchers at the Department of Energy's Idaho National Laboratory caused a generator to self-destruct, just to see if they could. (5) Although these attacks were narrower in scope and magnitude than the hypothetical scenario, they each demonstrate the vulnerability of critical U.S. infrastructure. The fact that each of these critical infrastructure systems is accessible via the Internet heightens (and arguably creates) this vulnerability. (6)

The Internet has revolutionized and exponentially increased the threat that terrorism poses to national and international security. The Internet not only makes it easier for terrorists to communicate, organize terrorist cells, share information, plan attacks, and recruit others, (7) but also is increasingly being used to commit cyberterrorist acts. In February 2009, the Director of National Intelligence testified before the Senate Select Committee on Intelligence that terrorist groups have expressed their intent to use cyber attacks against the United States. (8) Indeed, cyberterrorists and hackers attempt to penetrate Department of Defense computer systems thousands of times a day. (9)

Cyberterrorism has become one of the most significant threats to the national and international security of the modern state, and cyberattacks are occurring with increased frequency. Starting on July 4, 2009, a week-long cyberattack crippled numerous U.S. and South Korean websites, including those of the U.S. Departments of Transportation and Treasury; the U.S. Federal Trade Commission; the South Korean President's Office; the South Korean National Assembly; and U.S. Forces Korea. (10) Although the South Korean government initially believed that North Korea had perpetrated the attack, security experts later suggested that cyberterrorists operating in the United Kingdom may have been the source of the attack, which affected hundreds of thousands of personal computers across dozens of countries. (11)

Estonia was the target of a comparably massive attack from April to May 2007, when a multi-week wave of cyberattacks effectively shut down the country by disrupting the websites of the Estonian President and Parliament, (12) the vast majority of Estonian ministries, three of the country's six largest news organizations, and two of its major banks. (13) The attack on Estonia was so effective partly because Estonia has established an e-government, conducting most of its basic governmental operations via the Internet. (14) For example, Estonians conduct more than 98% of their banking online, (15) pay their taxes online, and vote online. (16) Accordingly, these relatively simple attacks effectively brought the country to a halt for three weeks.

Other significant examples of cyberterrorism in the past few years include the theft of information regarding the new U.S. military stealth fighter jet, the hacking into the U.S. Air Force's air traffic control systems, (17) and Titan Rain, which is the codename given by the U.S. government to a series of intelligence-gathering cyberattacks conducted by a group of Chinese hackers. (18) Furthermore, these are only the most publicized of examples--every day cyberterrorists attempt to undermine national and international security and wreak havoc in order to further their terrorist agendas. In a single day in 2008, for instance, hackers targeted the Pentagon with six million attempts to access its computer system. (19)

These attacks showcase a range of potential tools in the cyberterrorist's arsenal. Some may be relatively simple and low-tech; this also means they are relatively easy to deploy. They also highlight the potential damage that could be caused by more sophisticated attacks. In fact, cybersecurity has become so important that traditionally secretive organizations charged with protecting national security are speaking out about the threat. (20) Increasingly, it is clear that the international community may only ignore cyberterrorism at its peril.

Roughly defined, cyberterrorism refers to efforts by terrorists to use the Internet to hijack computer systems, bring down the international financial system, or commit analogous terrorist actions in cyberspace. (21) The United States has defined cyberterrorism as "a criminal act conducted with computers and resulting in violence, destruction, or death of its targets in an effort to produce terror with the purpose of coercing a government to alter its policies," and it includes attacks on computer networks and transmission lines within that definition. (22) Put simply, cyberterrorism generally is understood as any terrorist act conducted in or by means of cyberspace or the Internet. (23) This definition is necessarily broad and includes everything from basic hacking and denial of service attacks to concerted efforts to unleash weapons of mass distraction or mass disruption. (24) Such a definition, however, is limited in application regarding the actor or actors and the intent behind the attack.

First, the term cyberterrorism refers only to terrorist actions taken by individuals, groups of individuals, or organizations such as Al Qaeda. To the extent that either a state or its agent was to act in similar ways, (25) it would be considered an act of aggression or use of force under international law, which may be considered cyberwarfare. (26)

Second, the term cyberterrorism refers only to those actions that are taken by terrorists with the intent or goal of causing destruction or inciting terror, generally for religious or political purposes, although financial gain to facilitate further attacks may be a secondary motivation. (27) It often is difficult to distinguish cybercrime from cyberterrorism during an attack, as...

