"At light speed": attribution and response to cybercrime/terrorism/warfare.

Author: Brenner, Susan W.
  I. INTRODUCTION

    The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult....(1) In October 2006, a "sensitive Commerce Department bureau"--the Bureau of Industry and Security (BIS)--suffered a "debilitating attack on its computer systems." (2) The attack forced the BIS to disconnect its computers from the Internet, which interfered with its employees' ability to perform their duties. (3) It was traced to websites hosted by Chinese Internet service providers (ISPs), but the attackers were never identified. (4)

    Consider for a moment the statement: the attackers were never identified. This statement has several implications, the most obvious of which is that the individuals who carried out the attack were never identified. That is far from remarkable; given the opportunities cyberspace creates for the remote commission of attacks and attacker anonymity, it is more common than not for cybercriminals to go unidentified and unapprehended. (5)

    That, though, assumes we are dealing with cybercriminals, which brings us to another implication of the statement above: Not only were the BIS attackers never identified, the nature of the attack was never identified. It was apparently clear the attack came from China, (6) but what kind of attack was it? Was it cybercrime--the Chinese hackers launching a counting coup (7) on U.S. government computers? Was it cyberterrorism--an initial effort toward a takedown of U.S. government computers by terrorists (who may or may not have been Chinese) pursuing idiosyncratic ideological goals? Or was it cyberwarfare--a virtual sortie by People's Liberation Army hackers? (8)

    The BIS episode illustrates why we need to assess how we approach attribution (Who launched the attack? What kind of attack is it?) and the corresponding problem of response (Who should respond to an attack--civilian law enforcement, the military, or both?). As Sections II, III, and IV explain, the essentially ad hoc approaches we currently use for both attribution and response worked well in the past but are becoming increasingly unsatisfactory as cyberspace becomes a viable vector for attacks, of whatever type.

    My goal in this Article is to explore these issues in terms of the conceptual and legal issues they raise. I will also analyze some nontraditional ways of structuring our response to ambiguous attacks, such as the one that targeted the BIS computers. My hope is that this Article provides a basis for further discussion of these issues, the complexity of which puts their ultimate resolution outside the scope or ambitions of any single law review article.

    Section II constructs a taxonomy of cyberthreats (crime, terrorism, and war) and explains why these evolving threat categories can make who- and what-attribution problematic. Section III explains how these difficulties with attribution impact the process of responding to cyberthreats. Section IV continues our examination of this issue by analyzing how we might improve our response capability without surrendering principles we hold dear. Section V is a brief conclusion, which summarizes the preceding arguments and analysis and offers some final thoughts on both.

  II. IDENTIFYING CYBERCRIME, CYBERTERRORISM, AND CYBERWARFARE: TAXONOMY

    [T]he ... "blurring of crime and war" at the operational level.... has accelerated over the last few decades. (9) As Section I noted, the continuing evolution and proliferation of computer technology has created a new class of threats--"cyberthreats"--which societies must confront. These cyberthreats can be generically defined as using computer technology to engage in activity that undermines a society's ability to maintain internal or external order. (10)

    Societies have historically used a two-pronged strategy to maintain the order they need to survive and prosper. Societies maintain internal order by articulating and enforcing a set of proscriptive rules (criminal law enforcement) that discourage the members of a society from preying upon each other in ways that undermine order, such as by killing, robbing, or committing arson. (11) Societies maintain external order by relying on military force (war) and, to an increasing extent, international agreements. (12) I call this the internal-external threat dichotomy, and the choice between law enforcement and military the attack-response dynamic.

    As we will see, computer technology erodes the empirical realities that generated and sustain this dichotomous approach to maintaining order. This approach is based on the assumption that each society occupies a territorially-defined physical locus--that, in other words, sovereignty and "country" are indistinguishable. (13) One consequence of the presumptive isomorphism between sovereignty and territory is that threats to social order are easily identifiable as being either internal (crime/terrorism) or external (war). Computer-mediated communication erodes the validity of this binary decision tree by making territory increasingly irrelevant; as a study of cybercrime laws noted, "In the networked world, no island is an island." (14) In the twenty-first century, those bent on undermining a society's ability to maintain order can launch virtual attacks from almost anywhere in the world. As a result, these attacks may not fit neatly into the internal-external threat dichotomy and the attribution hierarchy (crime/terrorism, war) derived from that dichotomy.

    Section II outlines a taxonomy of the three categories of cyberthreats: cybercrime, cyberterrorism, and cyberwarfare. Section III explains how these online variations of real-world threat categories challenge the processes we currently use for threat attribution.

    A. CYBERCRIME

      An online dictionary defines "cybercrime" as "a crime committed on a computer network." (15) The basic problem with this definition is that American lawyers need to be able to fit the concept of "cybercrime" into the specific legal framework used in the United States and into the more general legal framework that ties together legal systems around the world in their battle against cybercrime. (16) That leads me to ask several questions: Is cybercrime different from regular crime? If so, how? If not, if cybercrime is merely a boutique version of crime, why do we need a new term for it?

      The first step in answering these questions is parsing out what cybercrime is and what it is not. When we do this, we see that the definition quoted above needs to be modified for two reasons.

      The first reason is that this definition assumes every cybercrime constitutes nothing more than the commission of a traditional crime by nontraditional means (using a computer network instead of, say, a gun). As I have argued elsewhere, (17) that is true for much of the cybercrime we have seen so far. For example, online fraud such as the 419 scam (18) is nothing new as far as the law is concerned; it is simply "old wine in new bottles." (19) Until the twentieth century, people had only two ways of defrauding others: they could do it face to face by offering to sell someone the Brooklyn Bridge for a very good price; or they could do the same thing by using snail mail. (20) The proliferation of telephones in the twentieth century made it possible for scam artists to use the telephone to sell the bridge, again at a very good price. (21) And we now see twenty-first century versions of the same scams migrating online.

      The same is happening with other traditional crimes, such as theft, extortion, harassment, and trespassing. (22) Indeed, it seems reasonable to believe that many, if not most, of the crimes with which we have traditionally dealt will migrate online in some fashion. Admittedly, a few traditional crimes--such as rape and bigamy--probably will not migrate online because the commission of these particular crimes requires physical activity that cannot occur online (unless, of course, we revise our definition of bigamy to encompass virtual bigamy). (23)

      The same cannot be said of homicide: while we have no documented cases in which computer technology was used to take human life, this scenario is certainly conceivable and will no doubt occur. (24) Those who speculate on such things have postulated instances in which someone would hack into the database of a hospital and kill people by altering the dosage of their medication. (25) The killer would no doubt find this a particularly clever way to commit murder because the crime might never be discovered. The deaths might well be put down to negligence on the part of hospital staff; (26) and even if they were identified as homicide, it might be very difficult to determine which of the victims were the intended targets of the unknown killer and thereby begin the investigative process.

      My point is that while most of the cybercrime we have seen to date is simply the commission of traditional crimes by new means, this will not be true of all cybercrime. We already have at least one completely new cybercrime: a distributed denial of service (DDoS) attack. A DDoS attack overloads computer servers and "make[s] a computer resource [such as a website] unavailable to its intended users." (27) In February 2000, a Canadian known as "Mafiaboy" launched attacks that effectively shut down websites operated by CNN, Yahoo!, Amazon.com, and eBay, among others. (28)

      DDoS attacks are increasingly used for extortion. (29) Someone launches an attack on a website, then stops the attack and explains to the website owner that the attack will continue unless and until the owner pays a sum for "protection" against such attacks. (30) This is the commission of an old crime (extortion) by a new means, little different from tactics the Mafia used over half a century ago, though they relied on arson instead. (31)

      But a "pure" DDoS attack, such as the 2000 attacks on Amazon.com and eBay, is not a traditional crime. It is not theft, fraud, extortion...
