Read an Excerpt

The Transnational Dimension of Cyber Crime and Terrorism

Hoover Institution Press

Cyber Crime and Security

The Transnational Dimension

Abraham D. Sofaer

Seymour E. Goodman

The information infrastructure is increasingly under attack by cyber criminals. The number, cost, and sophistication of attacks are increasing at alarming rates. They threaten the substantial and growing reliance of commerce, governments, and the public upon the information infrastructure to conduct business, carry messages, and process information. Some forms of attack also pose a growing threat to the public, and to critical infrastructures.

Much has been said about the threat posed by cyber crime, including terrorism, but little has been done to protect against what has become the most costly form of such crime: transnational attacks on computers and the information infrastructure. Measures thus far adopted by the private and public sectors fail to provide an adequate level of security against these attacks. The Internet and other aspects of the information infrastructure are inherently transnational. A transnational response sufficient to meet these transnational challenges is an immediate and compelling necessity.

The challenge of controlling transnational cyber crime requires a full range of responses, including both voluntary and legally mandated cooperation. Both the private and public sectors are now actively pursuing transnational initiatives, ranging in form from voluntary, informal exchange of information to a multilateral treaty proposed by the Council of Europe (COE) to establish common crimes and a substantial degree of cooperation in the investigation and prosecution of such crimes.

Public declarations and voluntary international cooperation have no doubt helped in dealing with transnational attacks. Funds are being made available to enhance the technological capacities of national law enforcement personnel engaged in cyber investigations, and through international cooperation, some attacks have been traced, and some perpetrators have been punished. But public pronouncements, educational programs, and voluntary cooperation are not enough. The sources of many transnational attacks have never been determined, and perpetrators of many of the most damaging attacks, even when identified, go unpunished. A great disparity exists, moreover, in the legal and technological capacity of states to meet the challenges of preventing, investigating, and prosecuting cyber crime.

An effective program against transnational cyber crime will require legal cooperation among states that involves the enforcement of agreed standards of conduct. A reasonably broad consensus exists among states concerning many forms of conduct that should be treated as cyber crime within national borders. This consensus must be translated into a legal regime in which all states that are connected to the Internet prohibit forms of conduct widely regarded as destructive or improper. In addition, much remains to be done to encourage and, as soon as practicable, to require states to adopt common positions to facilitate cooperation in investigation, the preservation of evidence, and extradition. States must establish and designate cross-patent agencies to deal with transnational issues, and to cooperate with counterparts throughout the world. To develop and secure the universal adoption of technological and policy standards to defend against, prosecute, and deter cyber crime and terrorism, states should create an international agency, along the lines of the International Civil Aviation Organization (ICAO) but designed to reflect the particular needs and nature of the cyber world. International cooperation must include an effective program to upgrade the capacities of states that lack the technological resources to cooperate in a comprehensive international regime. These measures, though far-reaching by comparison with current policies, can be fashioned to maximize private-sector participation and control, to ensure that privacy and other human rights are not adversely affected and so as not to impinge on the national security activities and interests of States Parties.

1. Scope of the Problem

A summary of the problem of cyber crime and terrorism was presented at the Stanford Conference by Peter G. Neumann, principal scientist at the Computer Science Laboratory, SRI International. He stated:

We are becoming massively interconnected. Whether we like it or not, we must coexist with people and systems of unknown and unidentifiable trustworthiness (including unidentifiable hostile parties), within the U.S. and elsewhere. Our problems have become international as well as national, and cannot be solved only locally.

Computer-related systems tend to fall apart on their own, even in the absence of intentional misuse. However, misuse by outsiders and insiders and the presence of malicious code ... present some enormously difficult challenges that are not being adequately addressed at present....

Computers and communications are increasingly being used in almost every imaginable application. However, our computer-communication systems are not dependably secure, reliable, or robust. Reliability, fault tolerance, security, and overall system survivability are all closely interrelated. There are fundamental vulnerabilities in the existing information system infrastructures, and serious risks that those vulnerabilities will be exploited — with possibly very severe effects.

Our national infrastructures depend not only on our interconnected information systems and networks, but also on the public switched network, the air-traffic control systems, the power grids, and many associated control systems — which themselves depend heavily on computers and communications.

Global problems can result from seemingly isolated events, as exhibited by the early power-grid collapses, the 1980 ARPANET collapse, and the 1990 long-distance collapse — all of which began with single-point failures.

Our defenses against a variety of adversities — from intentional misuse to hardware flaws and software bugs to environmental disturbances — are fundamentally inadequate.

Our defenses against large-scale coordinated attacks are even more inadequate....

The risks of cyber terrorism and cyber crime vastly outweigh our abilities to control those risks by technological means, although technology can help and should be vigorously pursued. There are many important problems, such as providing better defenses against denial of service attacks, outsiders, and insiders. Socio-politico-economic measures must also be considered.

2. Costs of Cyber Crime

The costs of cyber crime are difficult to measure, but by any reasonable standard they are substantial and growing exponentially. The most comprehensive available source of data on costs is compiled annually by the Computer Security Institute (CSI), with the participation of the FBI's Computer Intrusion Squad. The CSI survey for 2000, edited by Stanford Conference participant Richard Power, is based on 643 responses from computer security practitioners in U.S. corporations and government agencies. It establishes that computer security breaches are widespread, diverse, and costly. Respondents are investing heavily in a variety of security technologies, at a cost estimated by the International Data Corporation to grow from $2 billion in 1999 to $7.4 billion in 2003. These investments are dramatic evidence of the huge costs being inflicted by cyber crime. To these amounts must be added the costs of cyber crime insurance, a new coverage for an expanding market.

In spite of the costly defensive measures thus far adopted, CSI/FBI survey respondents experiencing unauthorized use of their computer systems increased from 42 percent in 1996 to 70 percent in 2000; those not experiencing such events declined from 37 percent to 18 percent in the same period. Only 37 percent of all attacks reported in 1996 involved Internet connections; in 2000 this proportion increased to 59 percent, with a corresponding decline in insider attacks. So far, the most serious category of reported financial loss has been through "theft of proprietary information," which appears to include attacks that result in the theft of financial data. Other categories of substantial losses include fraud, virus attacks, denial of service, and sabotage.

Estimating the monetary damage inflicted by cyber crime is difficult but worth attempting, and particularly valuable for tracking relative costs from year to year. The CSI/FBI surveys for the last four years report total losses of about $100,000,000 in 1997, increasing to some $266,000,000 in 2000. Stephen J. Lukasik has found a pattern reflecting a trend in which costs have essentially doubled each year. This progression has been shattered by costs associated with the "I Love You" virus of May 2000, estimated at between $1 and $10 billion. Although the costs reported by respondents include lost time, and may be exaggerated, the reluctance of companies to acknowledge losses tends to result in underreporting. The overall numbers are useful indicators when these uncertainties are taken into account.

3. Transnational Nature of Cyber Crime

At a purely technical level, all messages on the Internet are broken down into "packets" that separate and travel through available routers and servers located throughout the world. Cyber crime goes beyond this technical, transnational dimension and involves senders who deliberately fashion their attacks and other crimes to exploit the potential weaknesses present in the infrastructure's transnational nature. These weaknesses include: (1) a worldwide target pool of computers and users to victimize, or to exploit in denial-of-service or other attacks, which enables attackers to do more damage with no more effort than would be necessary in attacking computers or users in a single state; and (2) the widespread disparities among states, in the legal, regulatory, or policy environment concerning cyber crime, and the lack of a sufficiently high degree of international cooperation in prosecuting and deterring such crime.

The most damaging cyber attacks thus far experienced have been transnational, originating in many different countries and aimed at computers everywhere. Here are some prominent examples:

• The so-called "Phonemasters," a "loosely-knit," "12-member" international "hacking ring" headed by Jonathan Bosa-nac of Rancho Santa Fe, California (near San Diego), who, using the on-line name "The Gatsby," developed a method for gaining access to telephone networks (such as MCI, WorldCom, Sprint, and AT&T), credit-reporting databases (such as Equifax), and even the FBI's own National Crime Information Center, which they utilized in a number of countries. "The breadth of their monkey-wrenching was staggering; at various times they could eavesdrop on phone calls, compromise secure databases, and redirect communications at will. They had access to portions of the national power grid, air-traffic-control systems and had hacked their way into a digital cache of unpublished telephone numbers at the White House. ... [T]hey often worked in stealth, and avoided bragging about their exploits. ... Their customers included ... the Sicilian Mafia. According to FBI estimates, the gang accounted for about $1.85 million in business losses."

• David L. Smith, a New Jersey programmer, pleaded guilty in December 1999 of creating the "Melissa" computer virus and using an x-rated website to spread it through cyber space via e-mail in March 1999, where it "rampaged personal, government, and corporate computers around the world," "caused worldwide devastation," and was estimated to have done $80 million (or more) in damages.

• From December 1999 through April 2000, five hackers in Moscow stole more than 5,400 credit card numbers belonging to Russians and foreigners from Internet retailers, pocketing more than $630,000 until arrested. The incident pointed up the threat that "Eastern European fraudsters continue to pose ... for all card issuers, even those with no direct business in the region.

• In 1995–96, from his home in Buenos Aires, a twenty-one-year-old Argentine student, Julio Cesar Ardita, "slipped through the security of ... systems at Harvard University's Faculty of Arts and Science, the U.S. Defense Department, the U.S. Naval Command, the San Diego-based Control and Ocean Surveillance Center, the Washington-based Naval Research Lab, NASA's Ames Research Center and Jet Propulsion Laboratory, and the Los Alamos National Laboratory in New Mexico." His actions were not criminal in Argentina, and his extradition to the U.S. was refused, although he later surrendered voluntarily.

• Reports of persistent, international attacks on official government websites throughout the world in 1999–2000 appeared with great frequency. Some of the notable ones include: (1) Hackers breaking into the website of the Ministry of Finance of Romania in November 1999 to introduce bogus taxes and to change the official exchange rate of the national currency. (2) Recurrent Taiwan-China "hacker" wars in 1999 and 2000 in which attackers broke into various government and business websites, penetrating protective firewall software with seeming ease. (3) Frequent transnational attacks on sensitive military and other national security networks of many governments, as well as public service websites/infrastructure at the national and local levels.

• The "I Love You" virus was propagated from the Philippines in May 2000. Estimates of the damage it caused range up to $10 billion, mostly in lost work time. U.S. investigators pressed to have the suspects in the attack — computer programming students from the Philippines — arrested and prosecuted, and Filipino investigators attempted to do so under a 1998 law prohibiting the use of "access devices," such as credit cards, to defraud. The Chief State Counsel concluded, however, that this law could not be used, since "the intention of a computer hacker ... is not to defraud but to destroy files." The Philippines adopted a law punishing those who spread computer viruses with up to three years' imprisonment and fines from $2,350 to a maximum "commensurate" with the damage caused. The new law will not apply retroactively, however, so this costly act has gone unpunished.

4. Weaknesses of the Current System

The open and defiant manner in which hackers currently operate reflects the weakness of the legal, defensive, and investigative capacities of the current system. They plan and discuss proposed forms of attack on websites, exchanging ideas and comments. These activities enabled Thomas A. Longstaff of the Computer Emergency Response Team (CERT)/Coordination Center (CC), Software Engineering Institute (SEI) at Carnegie Mellon University to predict at the Stanford Conference that a new and very harmful, distributed form of denial-of-service attack was the next likely threat. He described precisely the method that was used by hackers in the subsequent worldwide February 2000 attacks — on CNN, eBay, Amazon.com, and others — to plant programs in computers around the globe that enabled hackers to send so many messages to particular IP addresses that they were rendered inoperable. Though law enforcement personnel were able to anticipate this type of attack, they were not able to prevent it, and security personnel at CNN, Yahoo!, Amazon.com, and others could not defend against it. After several months of investigation, in April 2000, the Royal Canadian Mounted Police (RCMP) arrested a Montreal teenager on suspicion of having caused the CNN and other shutdowns, but the extent to which the culprit (or culprits) may be successfully prosecuted is in doubt, and deterrence of those not caught and punished, as well as of other would-be attackers, seems unlikely. These troubling failures stem from serious weaknesses in the authority and capacities of states to protect cyber systems from attacks.

Escalating Dangers of Attacks

New forms of denial-of-service and other destructive types of attack, such as the "I Love You" virus, have been openly discussed, or uncovered, and cyber copycats continue to be active, replicating or modifying attacks into yet more dangerous forms — such as the "Killer Resume" follow-on to "I Love You" — with virtually complete impunity.

---

Excerpted from The Transnational Dimension of Cyber Crime and Terrorism by Abraham D. Sofaer, Seymour E. Goodman. Copyright © 2001 Board of Trustees of the Leland Stanford Junior University. Excerpted by permission of Hoover Institution Press.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---