ياسمين
07-27-2009, 11:13 AM
UNITED STATES LEGAL & POLICY ISSUES ON CYBERTERRORISM



Jeffrey F. Addicott*



1 Introduction



The terror attacks of September 11, 2001, changed the manner in which the United States viewed national security. In the post-9/11 world, al-Qa’eda-styled terrorists, rogue totalitarian regimes and others are continuously expanding their capabilities and techniques in their quest to spread fear and devastation. With its vast global network of interconnected computers, one area where society is particularly vulnerable is cyberspace. The malicious use of cyberspace to cause massive harm to any nation’s critical infrastructure is so feared that a new term has been coined to describe the event – cyberterrorism.
The realm of cyberspace has become integrated into almost every aspect of the modern world, so much so that civilized society is wholly dependent on the cyber world. For example, the vast majority of Americans cannot go through a single day without being affected in some manner by its presence; over 80% of adults in the United States now use the Internet. Moreover, the explosion in commercial and consumer Internet use is not limited to the United States. There are more than one billion Internet users across the planet, with the number predicted to pass two billion by 2011. Because the Internet is easily accessible, geographically unbounded and largely unregulated, it is an ideal vehicle for communication and business. Globally, more and more businesses, consumers, government agencies and organizations of all kinds rely on cyberspace technology to enhance modernity. Not only does cyberspace provide unparalleled opportunities for business transactions, communication, records storage and other personal uses, it also functions as the predominant tool for regulating all aspects of the nation’s critical infrastructure, to include water, electricity, banking, transportation, technology, agriculture, medical, nuclear facilities, waste management, government services, etc.
Unfortunately, the same qualities that promote the marvels of cyberspace also make the Internet extremely vulnerable to a variety of untoward activities, to include crime, terrorism and even armed conflict. As the cyber world expands, so has concern about security of and security on the Internet. In other words, society’s dependency on the workings of cyberspace also provides unparalleled opportunities for great harm. Apart from the ever-present impact of common criminal activity through cyber crime - costing the American economy billions of dollars in losses each year - the specter of a cyberterrorist attack on one or more of the country’s critical infrastructures hangs over the nation like the sword of Damocles. Indeed, if terrorists can plan and execute large-scale attacks on the physical world, a fortiori, the cyber world, which affects all aspects of modern society, is equally ripe for terrorist attack. When the attack comes, cyberterrorism will strike a heavy blow to the soft underbelly of the nation’s critical infrastructure.


Until the April-May 2007 coordinated cyber attacks which shut down the entire nation of Estonia, the full destructive potential of cyberterrorism was something that the world had not adequately appreciated. When one considers that various terrorist organizations such as al-Qa’eda have been using the Internet to communicate, propagandize, finance and recruit new members for years, it is only logical to conclude that they are fully aware that cyberterrorism offers a low cost and easily masked method of inflicting major damage. It is simply naïve to believe that terrorists will fail to use cyberspace to conduct attacks against critical infrastructure. Accordingly, it is imperative that viable cybersecurity laws and policies be established to address cyberterrorism concerns prior to a mega cyber attack.

The question then turns to the matter of cybersecurity. Does a sufficient cybersecurity framework exist that can adequately protect cyberspace and the information it contains, processes and transmits? While the government has embarked on a variety of initiatives with private and public entities to protect against the threat of cyberterrorism, a growing number of legal and policy issues remain unanswered. To be sure, the nation faces a variety of pressing challenges in addressing cyberterrorism. The purpose of this chapter is to provide a basic framework for understanding the threat of cyberterrorism and to explore the current state of preparedness from government and private industry perspectives.


2 Defining the Terms

With the phenomenal growth of the cyber world, dozens of new and unfamiliar terms have entered the lexicon. Before one can fully discuss the dangers associated with the threat of cyberterrorism, certain foundational terms require definition.

Cyberspace. The term cyberspace has many connotations and is used in a variety of contexts. Synonyms include the terms virtual space and cyber world (sometimes spelled cyberworld). In common understanding, cyberspace refers to the entire function of computer-centric information technology - hardware and software - as it is created, stored and transmitted in the non-physical and physical terrain. A 2005 Congressional Research Service (CRS) Report, Creating a National Framework for Cybersecurity: An Analysis of Issues and Options, refers to cyberspace as “the combination of the virtual structure, the physical components that support it, the information it contains, and the flow of that information within it.” As a global phenomenon, cyberspace is largely controlled by private companies.




Cyberterrorism. Similar to the problem of obtaining universal agreement on defining the term “terrorism,” there is no generally accepted definition for cyberterrorism (sometimes spelled cyber terrorism). All intentional attacks on a computer or computer network involve actions that are meant to disrupt, destroy, or deny information. These attacks may be motivated by monetary gain, vandalism, terrorism, or as acts of war. Thus, most cyber attacks may be categorized as cyber crimes, but not all cyber attacks are deemed to be an act of cyberterrorism or war. Clearly, the key difference between cyber crime and cyberterrorism is the concept of terror. If a universal definition of the term terrorism does not exist, one can at least list four key characteristics of terrorism that better reflect the nature of the activity:



1. The illegal use of violence directed at civilians to produce fear in a target group.

2. The continuing threat of additional future acts of violence.

3. A predominately political or ideological character of the unlawful act.

4. The desire to mobilize or immobilize a given target group.



Combining these four key characteristics, then-Secretary-General of the United Nations Kofi Annan offered a succinct 2005 definition of terrorism:

[A]ny action constitutes terrorism if it is intended to cause death or serious bodily harm to civilians or non-combatants, with the purpose of intimidating a population or compelling a Government or an international organization to do or abstain from doing any act.




Adopting the general definitional theme of terrorism set out above, cyberterrorism is the improper use of various computing technologies to engage in terrorist activity. Since a terror-motivated cyber attack would most likely be directed against the critical infrastructure of a nation to intimidate or coerce another (usually a nation) in furtherance of specific political objectives, one commentator has defined cyberterrorism as “the premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non combatant targets by sub-national groups or clandestine agents.”[1] On the other hand, some commentators contend that the use of the term cyberterrorism to describe an attack on the critical infrastructure is inappropriate “because a widespread cyber attack may simply produce annoyances, not terror, as would a bomb, or other chemical, biological, radiological, or nuclear explosive (CBRN) weapon.”[2]

Nevertheless, given the nation’s complete dependency on cyberspace, if a cyber attack caused widespread damage to computer networks associated with the critical infrastructure, the level of fear from the resulting economic disaster and/or civilian fatalities would rapidly qualify as terrorism. Certainly the digital fears that emerged from the month-long distributed denial of service (DDoS) cyber attack on the small Baltic country of Estonia (orchestrated from Russian sources, apparently in response to the removal of a bronze statue of a World War II era Soviet soldier from a park) would qualify as cyberterrorism and perhaps, as some argued, as an act of war. The Estonian cyber attacks resulted in a digital infrastructure disaster as Web sites for government officials, government agencies, daily newspapers, and Estonia’s biggest banks were overwhelmed and shut down by the cyber onslaught of “unknown” digital information attacks.

Perhaps a more useful way to encapsulate the term cyberterrorism can be found in a 2005 CRS Report[3] where the authors present cyberterrorism in two related categories:



· Effects-based: Cyberterrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals [as opposed to terrorists].

· Intent-based: Cyberterrorism exists when unlawful or politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage.

Critical Infrastructure. The predominant concern that most drives the discussion of cyberterrorism is that a cyber attack will target one or more of the nation’s critical infrastructures. The term critical infrastructure is defined with more or less uniformity in a variety of documents and laws. The 2003 National Strategy for the Physical Protection of Critical Infrastructure and Key Assets provides a detailed list of assets of national importance and critical infrastructure, to include: information technology; telecommunications; chemicals; transportation; emergency services; postal and shipping services; agriculture and food; public health and healthcare; drinking water/water treatment; energy; banking and finance; national monuments and icons; defense industrial base; key industry/technology sites; and large gathering sites. The Department of Homeland Security (DHS)[4] lists five general types of critical infrastructure:

(1) production industries: energy, chemical, defense industrial base;
(2) service industries: banking and finance, transportation, postal and shipping;
(3) sustenance and health: agriculture, food, water, public health;
(4) federal and state: government, emergency services;
(5) Information Technology (IT) and cyber: information and telecommunications.

Section 1016(b)(2) of the Critical Infrastructures Protection Act (CIPA) of 2001 specifically identifies as critical infrastructures “telecommunications, energy, financial services, water, and transportation sectors,” all of which have not only physical components, but cyber components as well. In addition, section 1016(e) of CIPA expands the concept of critical infrastructure to mean all “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Both the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) (renewed in 2006) and the Homeland Security Act of 2002 adopt the same definition set out below:

__________________________________________________

SEC. 1016. CRITICAL INFRASTRUCTURES PROTECTION

(a) SHORT TITLE.--This section may be cited as the “Critical Infrastructures Protection Act of 2001.”

(b) FINDINGS.--Congress makes the following findings:

(1) The information revolution has transformed the conduct of business and the operations of government as well as the infrastructure relied upon for the defense and national security of the United States.
(2) Private business, government, and the national security apparatus increasingly depend on an interdependent network of critical physical and information infrastructures, including telecommunications, energy, financial services, water, and transportation sectors.
(3) A continuous national effort is required to ensure the reliable provision of cyber and physical infrastructure services critical to maintaining the national defense, continuity of government, economic prosperity, and quality of life in the United States.
(4) This national effort requires extensive modeling and analytic capabilities for purposes of evaluating appropriate mechanisms to ensure the stability of these complex and interdependent systems, and to underpin policy recommendations, so as to achieve the continuous viability and adequate protection of the critical infrastructure of the Nation.

(c) POLICY OF THE UNITED STATES.--It is the policy of the United States—

(1) that any physical or virtual disruption of the operation of the critical infrastructures of the United States be rare, brief, geographically limited in effect, manageable, and minimally detrimental to the economy, human and government services, and national security of the United States;
(2) that actions necessary to achieve the policy stated in paragraph (1) be carried out in a public-private partnership involving corporate and non-governmental organizations; and
(3) to have in place a comprehensive and effective program to ensure the continuity of essential Federal Government functions under all circumstances.

(d) ESTABLISHMENT OF NATIONAL COMPETENCE FOR CRITICAL INFRASTRUCTURE PROTECTION.

(1) SUPPORT OF CRITICAL INFRASTRUCTURE PROTECTION AND CONTINUITY BY NATIONAL INFRASTRUCTURE SIMULATION AND ANALYSIS CENTER.--There shall be established the National Infrastructure Simulation and Analysis Center (NISAC) to serve as a source of national competence to address critical infrastructure protection and continuity through support for activities related to counterterrorism, threat assessment, and risk mitigation.
(2) PARTICULAR SUPPORT.--The support provided under paragraph (1) shall include the following:
(A) Modeling, simulation, and analysis of the systems comprising critical infrastructures, including cyber infrastructure, telecommunications infrastructure, and physical infrastructure, in order to enhance understanding of the large-scale complexity of such systems and to facilitate modification of such systems to mitigate the threats to such systems and to critical infrastructures generally.
(B) Acquisition from State and local governments and the private sector of data necessary to create and maintain models of such systems and of critical infrastructures generally.
(C) Utilization of modeling, simulation, and analysis under subparagraph (A) to provide education and training to policymakers on matters relating to--
(i) the analysis conducted under that subparagraph;
(ii) the implications of unintended or unintentional disturbances to critical infrastructures; and
(iii) responses to incidents or crises involving critical infrastructures, including the continuity of government and private sector activities through and after such incidents or crises.
(D) Utilization of modeling, simulation, and analysis under subparagraph (A) to provide recommendations to policymakers, and to departments and agencies of the Federal Government and private sector persons and entities upon request, regarding means of enhancing the stability of, and preserving, critical infrastructures.
(3) RECIPIENT OF CERTAIN SUPPORT.--Modeling, simulation, and analysis provided under this subsection shall be provided, in particular, to relevant Federal, State, and local entities responsible for critical infrastructure protection and policy.

(e) CRITICAL INFRASTRUCTURE DEFINED.--In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.




SCADA. Cyberterrorism is not simply an attack on the Internet. As previously stated, the primary concern is that a cyberterrorist attack will target the electronic control systems that regulate the operational functions of a critical infrastructure so that the flow of essential services is disrupted. Such a scenario is possible because the thousands of interconnected computers, servers, routers, and switches associated with the myriad physical and virtual tasks inherent in operating and maintaining the nation’s most important critical infrastructures, such as defense systems, chemical and hazardous materials, water supply systems, transportation, energy, finance systems and emergency services, are no longer predominantly handled by people, but are instead electronically monitored and controlled by centralized computer networks called Supervisory Control and Data Acquisition (SCADA) systems (a term that also applies to systems that are equivalent in function, such as distributed control systems or programmable logic control systems).

SCADA systems, or their equivalent, digitize and automate almost every imaginable task associated with a given critical infrastructure - from opening and closing valves in nuclear facilities, to operating circuit breakers on electrical power grids, to managing air traffic in the sky. Since SCADA systems provide the “brain power” to manage critical infrastructures, a successful cyberterrorist attack on even a single SCADA could cause massive economic and physical damage across broad sections of the country.

Approximately 85% of the nation’s critical infrastructures are owned and operated by private business, where the predominant emphasis for SCADA is on maintaining system reliability and efficiency, not cybersecurity. In most cases, the SCADAs are connected to their associated private corporate networks, which are in turn connected directly or indirectly to the Internet. This cyberspace vulnerability presents an open door for a terrorist with the necessary skills to hack into a SCADA and, for example, disable the valves at a nuclear facility, shut down an entire electrical power grid, or redirect air traffic into harmful flight patterns.



Techniques Employed in Cyber Attacks. Not all disruptions of an information system’s confidentiality, integrity, or availability (CIA) constitute a cyber attack. In fact, most disruptions of information systems are caused by unintentional human error and are called cyber incidents. A cyber attack refers only to the intentional disruption of an information system’s CIA. The National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, defines a cyber incident as:



An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional.



Taken from a Government Accountability Office Report, GAO-07-705, dated June 2007, the chart below lists the most common techniques employed in conducting a cyber attack, along with a brief description. The individuals making such attacks range from juveniles (so-called “script-kiddies”), to disgruntled ex-employees, to thieves, to competitors, to terrorists, to agents of foreign governments. Terrorists wishing to launch a cyberterror attack would employ one or more of the tools listed below:

Spamming: Sending unsolicited commercial e-mail advertising for products, services, and Web sites. Spam can also be used as a delivery mechanism for malware and other cyber threats.

Phishing: A high-tech scam that frequently uses spam or pop-up messages to deceive people into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information. Internet scammers use e-mail bait to “phish” for passwords and financial data from the sea of Internet users.

Spoofing: Creating a fraudulent Web site to mimic an actual, well-known Web site run by another party. E-mail spoofing occurs when the sender address and other parts of an e-mail header are altered to appear as though the e-mail originated from a different source. Spoofing hides the origin of an e-mail message.

Pharming: A method used by phishers to deceive users into believing that they are communicating with a legitimate Web site. Pharming uses a variety of technical methods to redirect a user to a fraudulent or spoofed Web site when the user types in a legitimate Web address. For example, one pharming technique is to redirect users—without their knowledge—to a different Web site from the one they intended to access. Also, software vulnerabilities may be exploited or malware employed to redirect the user to a fraudulent Web site when the user types in a legitimate address.

Denial-of-service attack: An attack in which one user takes up so much of a shared resource that none of the resource is left for other users. Denial-of-service attacks compromise the availability of the resource.

Distributed denial-of-service: A variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than from a single source. It often makes use of worms to spread to multiple computers that can then attack the target.

Viruses: A program that “infects” computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. A virus requires human involvement (usually unwitting) to propagate.

Trojan horse: A computer program that conceals harmful code. It usually masquerades as a useful program that a user would wish to execute.

Worm: An independent computer program that reproduces by copying itself from one system to another across a network. Unlike computer viruses, worms do not require human involvement to propagate.

Malware: Malicious software designed to carry out annoying or harmful actions. Malware often masquerades as useful programs or is embedded into useful programs so that users are induced into activating them. Malware can include viruses, worms, and spyware.

Spyware: Malware installed without the user’s knowledge to surreptitiously track and/or transmit data to an unauthorized third party.

Botnet: A network of remotely controlled systems used to coordinate attacks and distribute malware, spam, and phishing scams. Bots (short for “robots”) are programs that are covertly installed on a targeted system, allowing an unauthorized user to remotely control the compromised computer for a variety of malicious purposes.





A review of the listed techniques points to four general types of attack. First, the most common type of cyber attack is service disruption or the distributed denial of service (DDoS) attack,[5] which aims to flood the target computer with data packets or connection requests, thereby making it unavailable to the user or, in the case of a website, unavailable to the website’s visitors. DDoS attacks are often conducted utilizing “zombies” - computer systems controlled by a “master” through the utilization of “bots” or “botnets.” Service disruption could directly affect any aspect of the critical infrastructure, causing regional or even global damage. A second, but related, type of cyber attack is designed to capture and then control certain elements of cyberspace in order to use them as actual weapons. The third category of cyber attack is aimed at theft of assets from, for example, financial institutions. This activity not only includes theft, but also extortion and fraud. Finally, a cyber attack can also manifest itself in a conventional explosive attack on a physical structure, such as a building that houses a SCADA.
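The GAO table above separates a denial-of-service attack (one source exhausting a shared resource) from its distributed variant (many coordinated "zombies"), and the preceding paragraph notes that the flood is what makes the target unavailable. From a defender's side the distinction matters because the telemetry looks different: a single-source flood shows one address dominating the request count, while a distributed flood shows a high aggregate rate spread thinly across many addresses, so a per-source rate limit catches the first and misses the second. The following Python example, added here and not taken from the chapter or the GAO report, profiles constructed connection-log lines per target, classifies each target, and measures how much of each flood a per-source rate limiter would actually drop. The log format, the addresses (all documentation/test ranges) and the thresholds are assumptions for illustration.

```python
"""Distinguishing a single-source flood from a distributed one in connection logs.

Added example; not code from the chapter or from the GAO report it quotes.
The log line format, the IP addresses and the thresholds are constructed for
illustration and are not real indicators.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed log line format: "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+:\d+)$")


def build_sample_log() -> list[str]:
    """Constructed sample traffic covering one normal service, one single-source
    flood and one distributed flood, all inside the same 60-second span."""
    lines = []
    # Normal: five clients sharing one request every six seconds.
    for t in range(0, 60, 6):
        lines.append(f"{1000 + t} 198.51.100.{(t // 6) % 5 + 1} -> 203.0.113.10:443")
    # Single-source flood: one host sending 10 requests per second for a minute.
    for i in range(600):
        lines.append(f"{1000 + i // 10} 192.0.2.99 -> 203.0.113.20:80")
    # Distributed flood: 300 "zombies", each sending only 3 requests, 15/s in aggregate.
    for i in range(900):
        bot = i % 300
        lines.append(f"{1000 + i // 15} 100.64.{bot // 256}.{bot % 256} -> 203.0.113.30:80")
    return lines


@dataclass
class TargetProfile:
    target: str
    requests: int
    duration_s: int
    distinct_sources: int
    top_source_share: float  # fraction of requests sent by the busiest source

    @property
    def rate_per_s(self) -> float:
        return self.requests / self.duration_s


def parse_line(line: str) -> tuple[int, str, str] | None:
    """Return (timestamp, source, target) or None for a malformed line (skipped, not trusted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def profile_targets(lines: list[str]) -> dict[str, TargetProfile]:
    """Aggregate per destination: volume, time span and how concentrated the sources are."""
    by_target: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        ts, src, target = parsed
        by_target[target].append((ts, src))
    profiles = {}
    for target, events in by_target.items():
        times = [ts for ts, _ in events]
        sources = Counter(src for _, src in events)
        profiles[target] = TargetProfile(
            target=target,
            requests=len(events),
            duration_s=max(times) - min(times) + 1,
            distinct_sources=len(sources),
            top_source_share=sources.most_common(1)[0][1] / len(events),
        )
    return profiles


def classify(p: TargetProfile, rate_threshold: float = 5.0,
             single_source_share: float = 0.8, min_sources: int = 50) -> str:
    """Assumed thresholds; a real deployment derives them from a traffic baseline."""
    if p.rate_per_s < rate_threshold:
        return "normal"
    if p.top_source_share >= single_source_share:
        return "single-source flood (DoS)"
    if p.distinct_sources >= min_sources:
        return "distributed flood (DDoS)"
    return "elevated"


def blocked_share_with_per_source_limit(lines: list[str], target: str, limit_per_s: float) -> float:
    """Fraction of a target's requests that a per-source rate limiter would drop.
    A limiter that stops a single flooding host drops nothing when each bot stays under the limit."""
    events = [(ts, src) for ts, src, tgt in filter(None, map(parse_line, lines)) if tgt == target]
    if not events:
        return 0.0
    duration = max(ts for ts, _ in events) - min(ts for ts, _ in events) + 1
    per_source = Counter(src for _, src in events)
    blocked = sum(n for n in per_source.values() if n / duration > limit_per_s)
    return blocked / len(events)


if __name__ == "__main__":
    log = build_sample_log()
    for target, profile in profile_targets(log).items():
        print(f"{target}: {profile.rate_per_s:.1f} req/s from {profile.distinct_sources} sources, "
              f"top share {profile.top_source_share:.2f} -> {classify(profile)}; "
              f"per-source limit drops {blocked_share_with_per_source_limit(log, target, 5.0):.0%}")
```

Running the block prints one line per target: the service on 203.0.113.10 is classified normal, 203.0.113.20 is a single-source flood that a 5 req/s per-source limit drops entirely, and 203.0.113.30 is a distributed flood against which the same limit drops nothing, because every bot individually stays well below it. The source-diversity statistics are what separate the two cases, which is why aggregate per-target monitoring, not only per-client limiting, is needed against the botnet-driven attacks the chapter describes.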




Cybersecurity. There is no commonly accepted definition for the term cybersecurity (sometimes spelled cyber security). Obviously, responding to the task of protecting cyberspace requires, as a minimum, the adoption of a unified government definition. Different uses of the term cybersecurity can be found in a wide variety of federal laws, executive orders, presidential directives, and other agency directives. Taken together, cybersecurity is concerned with protecting the basic security of computerized systems from unauthorized access. The central focus of cybersecurity is protection of an information system’s CIA. According to the 2005 CRS Report, Creating a National Framework for Cybersecurity: An Analysis of Issues and Options, cybersecurity refers to:



a set of activities and other measures intended to protect – from attack, disruption, or other threats – computers, computer networks, related hardware and devices software [sic], and the information they contain and communicate, including software data, as well as other elements of cyberspace. The activities can include security audits, patch management, authentication procedures, access management, and so forth. They can involve, for example, examining and evaluating the strengths and vulnerabilities of the hardware and software used in the county’s political and economic electronic infrastructure. They also involve detection and reaction to security events, mitigation of impacts, and recovery of affected components. Other measures can include such things as hardware and software firewalls, physical security such as hardened facilitates, and personnel training and responsibilities.





3 The Threat of Cyberterrorism



Along with the growth in cyberspace is a growth in cyber attacks. The almost seamless interconnectivity of the Internet presents a readily available and inexpensive opportunity for computer network cyber attack. Each day uncountable numbers of people gain access, or attempt to gain access, without authorization to computers in order to read, modify, or destroy information. Although the vast majority of harmful cyber attacks on U.S. interests to date - both government and private - have involved criminal activity, common sense and reason dictate that cybersecurity must better prepare for the real possibility of an Estonian-styled cyberterror attack. New forms of digital attacks are constantly emerging, and future cyber attacks will exploit vulnerabilities in software that hackers find. During the week of July 17, 2006, alone, the United States Computer Emergency Response Team (US-CERT) listed more than 30 new vulnerabilities in cyberspace that fell in what they deemed a “high risk” category. Some of the security breaches that actually caused widespread damage received much publicity and still linger in the collective memory of society, e.g., computer worms such as the Love Bug, Slammer and Blaster. The Love Bug virus, which caused billions of dollars in losses, was created by a single university student in the Philippines.

Former FBI Director Louis Freeh claimed that “the FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat.”

In fact, the probability of a cyber attack on a SCADA system is more likely than not because almost every government agency as well as practically every component of the private sector uses the so-called information superhighway of the Internet to communicate and conduct day-to-day activities. Not only is ease of communication a significant factor, but the appeal of cheap off-the-shelf software operating packages from, e.g., Microsoft, has proven irresistible to public and private entities when measured against the cost of developing and maintaining in-house proprietary software. In terms of cybersecurity, when one realizes that SCADA systems, or their equivalent, are no longer operated on more secure in-house special purpose software, but rather on off-the-shelf commercial software and hardware connected directly to the Internet, the probability of a successful mega cyber attack via a DDoS attack or virus is only a question of time.

4 Prosecuting Cyber Attacks




Even to the cursory observer, the expansion of law enforcement techniques in the post-9/11 world is stretching the protections of the Constitution’s Fourth Amendment (unreasonable searches and seizures). This debate is healthy and must continue as Congress and the Executive take steps to increase security measures. Early on, Congress expressed concern with cyber attacks conducted by hackers. The primary tool to criminalize such acts is found in the 1984 Counterfeit Access Device & Computer Fraud and Abuse Act (18 U.S.C. § 1030). It was amended in 1994, 1996 and in 2001 by the USA PATRIOT Act. The Counterfeit Access Device & Computer Fraud and Abuse Act makes it a federal crime to gain unauthorized access to, damage, or use illegally certain “protected” computers and computer systems. The term protected applies to those computer systems used by the nation’s financial institutions, a federal government entity, or for interstate and foreign commerce. In addition to addressing acts of trafficking in passwords, espionage and fraud, the Counterfeit Access Device & Computer Fraud and Abuse Act also covers damage to such protected computers by the use of a virus, worm, or other device. The seven areas of interest in 18 U.S.C. § 1030(a) include:

computer trespassing, e.g., hacking, associated with a government computer, § 1030(a)(3);

computer trespassing resulting in exposure to certain governmental, credit, financial, or commercial information, § 1030(a)(2);

damaging either a government computer, a bank computer, or a computer that is used in interstate or foreign commerce, § 1030(a)(5);

committing fraud where an integral part involves unauthorized access to a government computer, a bank computer, or a computer used in interstate or foreign commerce, § 1030(a)(4);

threatening to damage a government computer, a bank computer, or a computer used in interstate or foreign commerce, § 1030(a)(7);

trafficking in passwords used for a government computer, a bank computer, or a computer used in interstate or foreign commerce, § 1030(a)(6); and

accessing a computer to commit espionage, § 1030(a)(1).

Section 1030(b) makes it a crime to attempt to commit any of the offenses in § 1030(a). Section 1030(c) sets out the penalties, which range from imprisonment for not more than a year for simple violations to a maximum of life imprisonment should death result from intentional computer damage. Section 1030(g) creates a separate civil cause of action for victims.
Under § 218, the USA PATRIOT Act increased the scope and penalties associated with hackers where violators only need to intend to cause damage generally, and a second offense is punishable by up to a 20 year prison sentence. The USA PATRIOT Act also enlarged the definition for criminal acts associated with terrorism, 18 U.S.C. § 2332b(g)(5)(B), to include intentionally damaging a protected computer if the offense involves either impairing medical care, causing physical injury, threatening public health or safety, or damaging a governmental justice, national defense, or national security computer system.
Other federal statutes address illegal wire fraud, 18 U.S.C. § 1343; aggravated identity theft, 18 U.S.C. § 1028A; fraud in connection with identification documents, authentication features and information, 18 U.S.C. § 1028; intentional interference with computer-related systems used in interstate commerce, 18 U.S.C. § 1030(a)(5); deceptive practices affecting commerce, 15 U.S.C. § 45(a)(1); and installing “sniffer” software to record keystrokes and computer traffic, 18 U.S.C. § 2510-2421.


The case of U.S. v. Mitra, 405 F.3d 492 (2005), United States District Court for the Western District of Wisconsin, serves as a good illustration of the application of the Counterfeit Access Device & Computer Fraud and Abuse Act in terms of defining offenses that fall under its umbrella. In Mitra the defendant was convicted of two counts of intentional interference with computer-related systems used in interstate commerce, in violation of 18 U.S.C. § 1030(a)(5). The judge in the case noted that even though the statute violated does not directly address the acts committed by the defendant, Congress had written a general statute not intended to list each and every particular forbidden act. The judge rightly explained that “[e]lectronics and communication change rapidly, while each legislator’s imagination is limited.” The conviction was upheld on appeal.





UNITED STATES v. MITRA

United States Court of Appeals, Seventh Circuit
405 F.3d 492 (2005)



EASTERBROOK, Circuit Judge. Wisconsin's capital city uses a computer-based radio system for police, fire, ambulance, and other emergency communications. The Smartnet II, made by Motorola, spreads traffic across 20 frequencies. One is designated for control. A radio unit (mobile or base) uses the control channel to initiate a conversation. Computer hardware and software assigns the conversation to an open channel, and it can link multiple roaming units into “talk groups” so that officers in the field can hold joint conversations. This is known as a “trunking system” and makes efficient use of radio spectrum, so that 20 channels can support hundreds of users. If the control channel is interfered with, however, remote units will show the message “no system” and communication will be impossible.

Between January and August 2003 mobile units in Madison encountered occasional puzzling “no signal” conditions. On Halloween of that year the “no system” condition spread citywide; a powerful signal had blanketed all of the City's communications towers and prevented the computer from receiving, on the control channel, data essential to parcel traffic among the other 19 channels. Madison was hosting between 50,000 and 100,000 visitors that day. When disturbances erupted, public safety departments were unable to coordinate their activities because the radio system was down. Although the City repeatedly switched the control channel for the Smartnet system, a step that temporarily restored service, the interfering signal changed channels too and again blocked the system’s use. On November 11, 2003, the attacker changed tactics. Instead of blocking the system’s use, he sent signals directing the Smartnet base station to keep channels open, and at the end of each communication the attacker appended a sound, such as a woman’s sexual moan.

By then the City had used radio direction finders to pin down the source of the intruding signals. Police arrested Rajib Mitra, a student in the University of Wisconsin’s graduate business school. They found the radio hardware and computer gear that he had used to monitor communications over the Smartnet system, analyze how it operated, and send the signals that took control of the system. Mitra, who in 2000 had received a B.S. in computer science from the University, possessed two other credentials for this kind of work: criminal convictions (in 1996 and 1998) for hacking into computers in order to perform malicious mischief. A jury convicted Mitra of two counts of intentional interference with computer-related systems used in interstate commerce. See 18 U.S.C. § 1030(a)(5). He has been sentenced to 96 months’ imprisonment. On appeal he says that his conduct does not violate § 1030--and that, if it does, the statute exceeds Congress’s commerce power.

Section 1030(a)(5) provides that whoever
(A)
(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security ...
shall be punished as provided in subsection (c) of this section.

Subsection (e)(1) defines “computer” as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.” Subsection (e)(2)(B) defines a “protected computer” to include any computer “used in interstate or foreign commerce or communication.” Finally, subsection (e)(8) defines “damage” to mean “any impairment to the integrity or availability of data, a program, a system, or information.”

The prosecutor’s theory is that Smartnet II is a “computer” because it contains a chip that performs high-speed processing in response to signals received on the control channel, and as a whole is a “communications facility directly related to or operating in conjunction” with that computer chip. It is a “protected computer” because it is used in “interstate ... communication”; the frequencies it uses have been allocated by the Federal Communications Commission for police, fire, and other public-health services. Mitra’s transmissions on Halloween included “information” that was received by the Smartnet. Data that Mitra sent interfered with the way the computer allocated communications to the other 19 channels and stopped the flow of information among public-safety officers. This led to “damage” by causing a “no system” condition citywide, impairing the “availability of ... a system, or information” and creating “a threat to public health or safety” by knocking out police, fire, and emergency communications. See § 1030(a)(5)(A)(i), (B)(iv). The extraneous sounds tacked onto conversations on November 11 also are “information” sent to the “protected computer,” and produce “damage” because they impair the “integrity” of the official communications. This time subsection § 1030(a)(5)(B)(v) is what makes the meddling a crime, because Mitra hacked into a governmental safety-related communications system.

Mitra concedes that he is guilty if the statute is parsed as we have done. But he submits that Congress could not have intended the statute to work this way. Mitra did not invade a bank's system to steal financial information, or erase data on an ex-employer’s system, see United States v. Lloyd, 269 F.3d 228 (3d Cir.2001), or plaster a corporation's web site with obscenities that drove away customers, or unleash a worm that slowed and crashed computers across the world, see United States v. Morris, 928 F.2d 504 (2d Cir.1991), or break into military computers to scramble a flight of interceptors to meet a nonexistent threat, or plant covert programs in computers so that they would send spam without the owners’ knowledge. All he did was gum up a radio system. Surely that cannot be a federal crime, Mitra insists, even if the radio system contains a computer. Every cell phone and cell tower is a "computer" under this statute's definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget. Reading § 1030 to cover all of these, and police radio too, would give the statute wide coverage, which by Mitra's lights means that Congress cannot have contemplated such breadth.

Well of course Congress did not contemplate or intend this particular application of the statute. Congress is a “they” and not an “it”; a committee lacks a brain (or, rather, has so many brains with so many different objectives that it is almost facetious to impute a joint goal or purpose to the collectivity). See Kenneth A. Shepsle, Congress is a “They,” Not an “It”: Legislative Intent as Oxymoron, 12 Int'l Rev. L. & Econ. 239 (1992). Legislation is an objective text approved in constitutionally prescribed ways; its scope is not limited by the cerebrations of those who voted for or signed it into law.

Electronics and communications change rapidly, while each legislator’s imagination is limited. Trunking communications systems came to market after 1984, when the first version of § 1030 was enacted, and none of the many amendments to this statute directly addresses them. But although legislators may not know about trunking communications systems, they do know that complexity is endemic in the modern world and that each passing year sees new developments. That’s why they write general statutes rather than enacting a list of particular forbidden acts. And it is the statutes they enacted--not the thoughts they did or didn’t have--that courts must apply. What Congress would have done about trunking systems, had they been present to the mind of any Senator or Representative, is neither here nor there. See West Virginia University Hospitals, Inc. v. Casey, 499 U.S. 83, 100-01, 111 S.Ct. 1138, 113 L.Ed.2d 68 (1991).

Section 1030 is general. Exclusions show just how general. Subsection (e)(1) carves out automatic typewriters, typesetters, and handheld calculators; this shows that other devices with embedded processors and software are covered. As more devices come to have built-in intelligence, the effective scope of the statute grows. This might prompt Congress to amend the statute but does not authorize the judiciary to give the existing version less coverage than its language portends. See National Broiler Marketing Ass’n v. United States, 436 U.S. 816, 98 S.Ct. 2122, 56 L.Ed.2d 728 (1978). What protects people who accidentally erase songs on an iPod, trip over (and thus disable) a wireless base station, or rear-end a car and set off a computerized airbag, is not judicial creativity but the requirements of the statute itself: the damage must be intentional, it must be substantial (at least $5,000 or bodily injury or danger to public safety), and the computer must operate in interstate or foreign commerce.

Let us turn, then, to the commerce requirement. The system operated on spectrum licensed by the FCC. It met the statutory definition because the interference affected “communication.” Mitra observes that his interference did not affect any radio system on the other side of a state line, yet this is true of many cell-phone calls, all of which are part of interstate commerce because the electromagnetic spectrum is securely within the federal regulatory domain. See, e.g., Radovich v. National Football League, 352 U.S. 445, 453, 77 S.Ct. 390, 1 L.Ed.2d 456 (1957); Federal Radio Commission v. Nelson Brothers Bond & Mortgage Co., 289 U.S. 266, 279, 53 S.Ct. 627, 77 L.Ed. 1166 (1933). Congress may regulate all channels of interstate commerce; the spectrum is one of them. See United States v. Lopez, 514 U.S. 549, 558, 115 S.Ct. 1624, 131 L.Ed.2d 626 (1995); United States v. Morrison, 529 U.S. 598, 608-09, 120 S.Ct. 1740, 146 L.Ed.2d 658 (2000). Mitra’s apparatus was more powerful than the Huygens probe that recently returned pictures and other data from Saturn's moon Titan.
Anyway, the statute does not ask whether the person who caused the damage acted in interstate commerce; it protects computers (and computerized communication systems) used in such commerce, no matter how the harm is inflicted. Once the computer is used in interstate commerce, Congress has the power to protect it from a local hammer blow, or from a local data packet that sends it haywire. (Indeed, Mitra concedes that he could have been prosecuted, consistent with the Constitution, for broadcasting an unauthorized signal. See 47 U.S.C. § 301, § 401(c).) Section 1030 is within the national power as applied to computer-based channel-switching communications systems.

Mitra offers a fallback argument that application of § 1030 to his activities is so unexpected that it offends the due process clause. But what cases such as Bouie v. Columbia, 378 U.S. 347, 84 S.Ct. 1697, 12 L.Ed.2d 894 (1964), hold is that a court may not apply a clear criminal statute in a way that a reader could not anticipate, or put a vague criminal statute to a new and unexpected use. Mitra's problem is not that § 1030 has been turned in a direction that would have surprised reasonable people; it is that a broad statute has been applied exactly as written, while he wishes that it had not been. There is no constitutional obstacle to enforcing broad but clear statutes. See Rogers v. Tennessee, 532 U.S. 451, 458-62, 121 S.Ct. 1693, 149 L.Ed.2d 697 (2001) (discussing Bouie’s rationale and limits). The statute itself gives all the notice that the Constitution requires.

….



The most well known piece of legislation associated with the terror attacks of September 11, 2001, is the USA PATRIOT Act. Designed as a tool to assist law enforcement to disrupt terrorist cells and their bases of operation, the USA PATRIOT Act was passed by an overwhelming majority of the Congress and signed into law by President Bush on October 26, 2001, and renewed with amendments on March 26, 2006.

The USA PATRIOT Act consists of a mixed variety of provisions aimed at both the investigation of suspected terrorists and the disruption of the sources of funding and support for terrorist organizations. Almost all of the provisions in the USA PATRIOT Act amend or add language to existing federal statutes. In terms of cyberterrorism, a number of changes have expanded the ability of both law enforcement and intelligence agencies (there are a variety of federal entities involved in the collection of foreign intelligence which include the National Security Agency, the Federal Bureau of Investigations, the Central Intelligence Agency, the Department of Defense, and the Department of Homeland Security) regarding surveillance and investigative powers. The intelligence community can now better monitor the Internet and share information with other federal and state entities.

Sections § 201 and § 202 of the USA PATRIOT Act authorize interception of certain electronic communications for the collection of evidence related to terrorism, computer fraud and abuse. The USA PATRIOT Act at § 214 (“Pen Register and Trap and Trace Authority under FISA”) also expands the ability of law enforcement agents to employ “pen registers,” “trap and trace” devices, “sneak and peek” searches and “roving wiretaps” (which permit surveillance of the person and not, for example, of a particular phone or phone number). This section expands the scope of the Foreign Intelligence Surveillance Act of 1978 (FISA) and provides more powers to the FISA courts to grant court orders.
Section 217 sets out precise definitions regarding interception of computer trespasser communications. Among other things it clearly defines “wire communications,” “electronic communications,” “user” and “computer trespasser.” For instance, a computer trespasser “means any person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer.”


In addition, both the USA PATRIOT Act at § 214 and the Cyber Security and Enhancement Act (CSEA) have eased the warrant and subpoena requirements under the old Electronic Communications Privacy Act of 1986 (ECPA) in cases requiring immediate action. Under the CSEA, the government official need not obtain a warrant if he has a “good faith” belief regarding the prevention of death or serious bodily harm. In addition, the CSEA amends 18 U.S.C. § 3125(a)(1) to allow a government official to use a pen register or a trap and trace device without a warrant or a court order if there is a “threat to national security and an ongoing attack on a protected computer system.”

Under § 506(a) of the USA PATRIOT Act, the Federal Bureau of Investigation (FBI) was given primary authority to investigate offenses associated with espionage or national security, except those cases under the Secret Service. The USA PATRIOT Act authorizes the Director of the Secret Service to establish nationwide electronic crimes task forces (ECTF) to assist law enforcement, the private sector and academia in detecting and suppressing computer-based crime, and allows enforcement action to be taken to protect financial payment systems while combating transnational financial crimes directed by terrorists or other criminals. Since combating cyberterrorism as a partnership effort is imperative, the Secret Service encourages the private sector to bring issues to the ECTF that affect their particular industry and to learn how to protect their own corporate security. One of the many perks for the government is that it is able to connect with private companies that have particular expertise and resources that many law enforcement agencies lack. For instance, AT&T is able to break encryption codes with greater speed than most law enforcement entities.
A 2007 report issued by the Government Accountability Office (GAO) noted that government and private sectors face a number of serious obstacles in securing cyberspace, particularly in the context of law enforcement and operational security. The four main categories of concern in the GAO report touched on cyber crime, but would be equally pertinent with regard to any type of cyber attack, including cyberterrorism:

(1) accurately reporting cyber crime to law enforcement;
(2) ensuring adequate law enforcement analytical and technical capabilities: obtaining and retaining investigators, prosecutors, and cyber forensics examiners, and keeping up to date with current technology and criminal techniques;
(3) working in a borderless environment with laws of multiple jurisdictions; and
(4) protecting information and information systems, and raising awareness about criminal behavior.


Individual states have also enacted laws associated with cyberterrorism concerns. These laws address a wide range of issues from improving security measures for wireless networks to criminalizing the installation of software on another’s computer which is then used in deceptive methods. In addition to criminal laws, civil actions based on commercial code unfair competition prohibitions can also serve to punish hackers.
The fear of cyberterrorism as a destructive force has caused at least 48 states to add non-release provisions to their state open government laws - state freedom of information laws (patterned after the federal Freedom of Information Act) and state Sunshine laws (providing for public access to government meetings). The legislative thrust of most of these non-release provisions is to deny potential terrorists access to certain information that could aid them in conducting a disabling physical or cyber attack on the critical infrastructure. For instance, the Ohio Revised Code makes specific exceptions to the Ohio Open Government law regarding non-release of information related to acts of terrorism, critical infrastructures, and security records. Under §149.433(B): “A record kept by a public office that is a security record or an infrastructure record is not a public record under §149.433 of the Revised Code and is not subject to mandatory release or disclosure under that section.” Under §149.433(A)(3), the term “security records” is broadly construed to include:

(a) Any record that contains information directly used for protecting or maintaining the security of a public office against attack, interference, or sabotage, and
(b) Any record assembled, prepared, or maintained by a public office or public body to prevent, mitigate, or respond to acts of terrorism, to include any of the following:
(i) Those portions of records containing specific and unique vulnerability assessments or specific and unique response plans either of which is intended to prevent or mitigate acts of terrorism, and communication codes or deployment plans of law enforcement or emergency response personnel;
(ii) Specific intelligence information and specific investigative records shared by federal and international law enforcement agencies with state and local law enforcement and public safety agencies; and
(iii) National security records classified under federal executive order and not subject to public disclosure under federal law that are shared by federal agencies, and other records related to national security briefings to assist state and local government with domestic preparedness for acts of terrorism.

The term “infrastructure record” under the Ohio Revised Code §149.433(A)(2) means:

“Any record that discloses the configuration of a public office’s critical systems including, but not limited to, communication, computer, electrical, mechanical, ventilation, water, and plumbing systems, security codes, or the infrastructure or structural configuration of the building in which a public office is located.” However, the term infrastructure record “does not mean a simple floor plan that discloses only the spatial relationship of components of a public office or the building in which a public office is located.”

The term “act of terrorism” under the Ohio Revised Code §149.433(A)(1) has the same statutory meaning as is found in Ohio Revised Code §2909.21:

‘Act of terrorism’ means an act that is committed within or outside the territorial jurisdiction of this state or the United States, that constitutes a specified offense if committed in this state or constitutes an offense in any jurisdiction within or outside the territorial jurisdiction of the United States containing all of the essential elements of a specified offense, and that is intended to do one or more of the following:
(1) Intimidate or coerce a civilian population;
(2) Influence the policy of any government by intimidation or coercion; or
(3) Affect the conduct of any government by the act that constitutes the offense.



5 Government Responses to Cyberterrorism




Starting with the Clinton Administration and continuing to date, the government’s approach to cybersecurity for owners/operators of private computer systems has been one of cooperative engagement and not mandatory regulation. The general feeling was that since the civilian sector invented and developed cyberspace, security should be left to market forces. In short, despite the rapidly expanding reliance on the Internet by American businesses, consumers and government agencies, the government has enacted very few affirmative regulatory laws governing cybersecurity functions for non-government computer systems. Instead, the concept of engagement stresses the promotion of voluntary public-private alliances to combat cyber attacks of all kinds, with particular regard to protecting the nation’s critical infrastructure. With but minor exceptions, aimed at government computer systems, the theme of engagement predominates in all of the federal laws, executive orders and presidential directives associated with cyberspace. These include the following: Internet Integrity and Critical Infrastructure Protection Act (2000); Cyber Security Research and Development Act; National Strategy to Secure Cyberspace (2003); National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003); Presidential Decision Directive (PDD) 63; Executive Order 13821, Critical Infrastructure Protection in the Information Age; and Homeland Security Presidential Directive No. 7 (HSPD-7). The two strategies are designed to help America secure the cyber world by establishing three main objectives: (1) prevent cyber attacks against America’s critical infrastructure; (2) reduce national vulnerability to cyber attacks; and (3) reduce damage and recovery time from cyber attacks when they do occur.

The National Strategy to Secure Cyberspace specifically recognizes that cyberspace constitutes “the control system of our country.” In addition, the document recognizes that a comprehensive national strategy must protect against such cyber attacks which “can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property, or loss of life.” The main goal of the National Strategy to Secure Cyberspace calls on the entire society – the federal government, state and local government, private industry and the American public – to engage in coordinated and focused efforts to secure cyberspace. To expedite this goal, the primary focus of the National Strategy to Secure Cyberspace is the establishment of a national cyberspace security response system consisting of federal, state and local governments as well as the private sector. Thus, not only does the National Strategy to Secure Cyberspace reinforce the private sector’s involvement in critical infrastructure protection, it also expands on the Clinton era 1998 PDD 63. PDD 63 recognizes that addressing cyber risks to the nation’s critical infrastructures requires close coordination and cooperation across federal agencies and with the private sector. Since the policy of engagement depends on public and private sector coordination, research and preparation to repel a cyber attack, PDD 63 specifically tasks federal agencies with developing critical infrastructure protection plans (CIP) and establishing relationships with private industry sectors. It calls for those private commercial enterprises working in any of the identified 14 vertical industries, such as banking, commerce, telecommunications, power, water, utilities and transportation, to have assessments conducted of their network infrastructure.

In 2001, President Bush expanded this effort with Executive Order 13821, Critical Infrastructure Protection in the Information Age, which continues many of the initiatives begun by PDD 63, including the creation of the President’s Critical Infrastructure Protection Board to better coordinate all federal cyber security efforts. In addition, the 2003 HSPD-7 designates certain federal agencies to work with private sector counterparts; designates the DHS as the lead agency for information and telecommunications critical infrastructure; and assigns the Secretary of Homeland Security the task of coordinating all matters dealing with protecting the nation’s critical infrastructure. In fact, numerous public entities have individual and collaborative responsibilities to ensure that the cyber world is protected. For example, DHS established the National Cyber Security Division as part of its Information Analysis and Infrastructure Protection Directorate to better fulfill its oversight responsibilities. One of DHS’s main objectives is to structure a response system that fully joins the government and the private sector together in order to promote the creation of a viable crisis management response in the event of a major cyber attack. In addition, DHS seeks to identify and remediate existing vulnerabilities by developing new security systems and technologies. Along with DHS, the Department of Justice (DOJ), the Federal Trade Commission (FTC), and the Department of Defense (DOD) are all focused on responding to intentional, unlawful cyber attacks that threaten the confidentiality, integrity and availability of information networks.

DHS also encourages the development of voluntary partnerships with the private sector through information sharing and analysis centers (ISACs). Currently DHS lists 14 ISACs across the nation. The Cyber Security Research and Development Act authorizes a multi-year grant effort to promote computer security measures from private sources as well as universities and the establishment of multi-disciplinary Centers for Computer and Network Security Research. US-CERT is another joint endeavor between DHS and the public and private sectors. It is charged generally with protecting the nation’s infrastructure and is responsible for coordinating defense and response against cyber attacks nationwide.
The development of effective tools to protect cyberspace is of paramount importance. Because the superhighway of the cyber world is composed of hundreds of thousands of interconnected computers, servers, switches and fiber optic links that allow our critical infrastructures to function, the threat of cyberterrorism requires urgent cybersecurity measures. As demonstrated by the cyber attack on Estonia in 2007, the threat is no longer a topic of academic debate. Considering that approximately 85 per cent of America’s critical infrastructure is privately owned and operates via control systems that are largely connected to the Internet, it is imperative that the government - law enforcement and military - not only partner with private industry in a unified manner to establish both reactive and proactive strategies, but also conduct realistic training exercises. Unfortunately, the pace of progress in this regard is slow.
In February 2006, DHS hosted the first ever government-led real-world cyber exercise, called Cyber Storm (Cyber Storm 2 was held in 2008). Costing over 3 million dollars, this invitation-only exercise provided over 100 public and private agencies from over 60 locations in five countries with a platform to address a variety of technical and cooperative issues associated with a realistic “staged” mega cyber attack against large-scale critical infrastructure elements, including energy, transportation and information technology. Considering that reviews of the exercise showed that many of the participants did not even know of the existence of the National Cyber Response Coordination Group, which serves as the primary federal organization to respond to major cyber attacks, it is evident that a key component of the engagement strategy demands increased training exercises. In addition, considering that 90 percent of the threat from cyberterrorism exists in the private sector, it is equally evident that relying on voluntary engagement practices may not be adequate – regulatory mandates are needed.


There can be absolutely no question that the threat of cyberterrorism is a grave concern that has the potential for significant damage to vast areas of the public domain. Indeed, because of cyberterrorism’s great potential for harm to the basic pillars of society, many commentators argue that cyberspace has passed into the realm of a societal “commons” that obliges the government to exert greater protection. If cyberspace is considered a commons, a fortiori, cybersecurity demands that the government provide solid protection and regulation for the common good of the general public. From this perspective many question the wisdom of a federal policy to secure cyberspace that fails to incorporate strict cybersecurity standards or regulations on the private sector as part of the strategy.

Because it is impossible to immediately determine the source of a cyber attack – it may be an amateur “script kiddie,” a terrorist, or even a nation-state – the so-called “response baton” will originate with the private sector and then may be passed to law enforcement and next, perhaps, to the military. Clearly, the main thrust of a commons-oriented cybersecurity strategy would involve two key elements: (1) a program that requires the sharing of timely and accurate information all along the continuum from private to government and (2) the adoption of industry-specific cybersecurity standards and certification for all information systems.

The concept of “standards” is defined by the National Standards Policy Advisory Committee as: “a prescribed set of rules, conditions, or requirements concerning definitions of terms; classification of components; specification of materials, performance, or operations; delineation of procedures; or measurement of quantity and quality in describing materials, products, systems, services, or practices.” As suggested by the government’s current engagement strategy, the federal government only promulgates cybersecurity standards for federal computer systems, except national security systems. The federal standards are developed by the National Institute of Standards and Technology (NIST) and set out as Federal Information Processing Standards (FIPS). FIPS are promulgated under the simple rule-making procedures (notice and comment) of the Administrative Procedure Act.

In accordance with National Security Directive 42, standards regarding national security systems are developed and controlled by the Committee on National Security Systems. The Federal Information Security Act of 2002 defines a national security system as:

Any computer system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency …

(i) the function of which –

(I) involves intelligence activities;

(II) involves cryptologic activities related to national security;

(III) involves command and control of military forces;

(IV) involves equipment that is an integral part of a weapon or weapons system;

(V) … is critical to the direct fulfillment of military or intelligence missions; or

(ii) is protected at all times by procedures established for information that have been specially authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

In 2008, President Bush signed National Security Presidential Directive 54 and Homeland Security Presidential Directive 23. The classified directives expand the intelligence community’s role in cybersecurity for federal agencies’ computer systems and expand DHS’s ability to work with the DOD on cybersecurity threats.

To be sure, numerous public and private studies offer various proposals for sound security and best practices needed to reduce vulnerabilities from cyber attack. The studies usually prescribe a standardized integration of cybersecurity technology associated with all critical infrastructure systems in order to ensure an acceptable national level of cybersecurity. While various approaches have been advanced, the 2005 CRS report RL32777 observed that none of them are “likely to be widely adopted in the absence of sufficient economic incentives for cybersecurity.”

Those who believe that the federal government should not require the development and enforcement of mandatory cybersecurity standards in the private sector often argue that, apart from issues of intrusiveness and technical feasibility, such requirements would simply be too costly. Although the argument related to cost would be dwarfed into insignificance when measured against the monetary damage incurred in the event of a mega cyberterrorist attack, technical matters ranging from how to develop such standards in the rapidly changing world of cyberspace to how the government would measure compliance pose significant challenges.

Those who critique the engagement strategy argue that, absent the impetus that would be provided by a massive cyberterrorist attack on the nation’s critical infrastructure, efforts to actually create a meaningful cooperative, proactive and reactive strategy between the government and private industry are piecemeal. Even the more immediate negative consequences to businesses caused by the impact of cyber crime (which drains billions of dollars from consumers and private industry each year) have not resulted in the necessary strides to produce stronger and more secure computer networks.

The basic reason for the lack of cooperation is that private companies are largely unwilling to share information about security breaches with other companies or the government. First, they are concerned that competitors might gain access to exclusive company data that is shared with the government through a public Freedom of Information Act (FOIA) request or by means of other sources (the Critical Infrastructure Protection Act exempts such disclosures to the government from FOIA). Second, because the private sector operates in a competitive, market-based economy, public revelations about security breaches at the company could provoke serious negative responses from stockholders or consumers.

Unfortunately, it is a hard fact that very few private companies have exhibited interest in joining the cybersecurity effort to the degree that the various government strategies so strongly desire. The frustration is that without a cooperative effort to identify breaches and the possible weak points of security systems, the vulnerabilities to cyber attack are magnified and countermeasures remain far behind. For certain, when the West suffers its first “Pearl Harbor cyber attack,” the government will adopt a more draconian stance in order to force private industry to share information and to develop better cybersecurity systems. For the time being, apart from suffering economic loss, there are no driving incentives for private industry to work together to combat cyberterrorism.


6 Cyber Attacks as an Act of War

A number of nation-states, to include the United States, are rapidly developing the operational doctrine and functional tools necessary to conduct cyber warfare. There is no doubt that cyber warfare, with its non-kinetic use of force, will be the next area for weapon development by militaries around the world. In fact, according to a variety of open source documents, the People’s Republic of China openly boasts that it intends to develop the capability to win an information cyber war by the mid-21st century. Indeed, scores of nation-states are actively involved in developing cyber war capabilities.
Cyber warfare involves conducting a cyber information attack on the computer network of an adversary in order to limit its ability to obtain or use information. Of course, this matter is not restricted to the activity of nation-states – hackers and terrorists are not constrained by any rule of law and might engage in coordinated cyber attacks that could equally disrupt a nation’s computer network system. Nevertheless, since the rule of law would certainly encompass the use of cyber information activity conducted by a nation-state, it is necessary to examine the law and policy issues related to cyber warfare.
The use of “information warfare” or cyber warfare is a new concept; the use of cyber tactics is emerging as a key component of 21st century warfighting. For instance, the U.S. military conducted successful cyber attacks in both the 1991 Gulf War and the 2003 Iraq War (to a lesser degree) to disrupt Iraqi command and control networks and the operation of other essential physical facilities. Currently, the Joint Functional Component Command for Network Warfare (JFCCNW) functions under the United States Strategic Command (STRATCOM) to coordinate cyber information actions for the DOD. In 2008, the U.S. Air Force established a Cyber Command to prepare its forces for fighting wars in cyberspace by protecting those information systems which operate U.S. critical infrastructures and to be able, if tasked, to attack an adversary’s computer networks. The U.S. Navy has the Naval Network Warfare Command in Norfolk, Virginia. In short, DOD is developing both offensive and defensive capabilities to conduct war in cyberspace.


Like a number of legal issues that have emerged in the post-9/11 world, the question of addressing cyber attacks from an international law of war perspective remains unsettled. The central legal issue poses the following question: Does the use of a cyber attack constitute a sufficient “use of force” in the context of the law of war to be deemed an “armed attack” or an “act of war?”

The term act of war traditionally refers to the use of aggressive force against a sovereign State by another State in violation of the United Nations (U.N.) Charter and/or customary international law. In almost every instance in the modern era, such illegal acts occur without a formal declaration of war, and the aggressive act itself triggers the ensuing armed conflict, i.e., war. The traditional law of war principles (also known as the law of armed conflict) were developed by the international community in response to readily recognized deliberate armed attacks by soldiers, aircraft, or vessels on the military, citizens, or territory of another nation-state. At the time of the development of the law of war, cyberspace did not exist. Thus, the question of whether or not a computer network attack is an act of war requires extrapolation from the existing norms related to the law of war.

Any analysis of the matter must begin with the U.N. Charter. The goal of the U.N. Charter is to restrict the unfettered power of member States to pursue activities and policies that threaten international peace and security. Understanding that the U.N. Charter does not outlaw the use of force - it only outlaws the use of aggressive force - there are four primary provisions of the U.N. Charter under which the use of force is analyzed.

First, Articles 2(3) and (4) set out the general obligations of all member States to settle disputes in a peaceful manner and to refrain from “the threat or use of force.” U.N. Charter Article 2(3) requires that, “[a]ll Members shall settle their international disputes by peaceful means in such a manner that international peace and security, and justice are not endangered.” U.N. Charter Article 2(4) states, “[a]ll Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations.” In 1970, the General Assembly elaborated on Article 2(4) with U.N. General Assembly Resolution 2625, Declaration on Principles of International Law Concerning Friendly Relations and Cooperation among States in Accordance with the Charter of the United Nations. Although General Assembly resolutions are considered non-binding recommendations, they often prove useful, particularly to the extent that they contain authoritative restatements of customary international law. General Assembly Resolution 2625 states:

Every State has the duty to refrain from organizing, instigating, assisting, or participating in acts of civil strife or terrorist acts in another State or acquiescing in organized activities within its territory directed towards the commission of such acts, when the acts referred to in the present paragraph involve a threat or use of force.

Second, if a State engages in the use of aggressive force, Article 24 of the U.N. Charter gives the Security Council the “primary responsibility for the maintenance of international peace and security.” Article 27 requires that all permanent members of the U.N. Security Council (China, France, Russia, the United States and Britain) must agree on enforcement provisions, e.g., authorizing member States to engage in the defensive use of armed force.

The third element in the analytical framework is Article 51 of the U.N. Charter, which expresses the “inherent right of self-defense” in the case of an armed attack. The inherent right of self-defense refers to the ancient customary right of a country to unilaterally engage in acts of self-defense in response to an armed attack regardless of what any other nation or organization, to include the United Nations, may or may not do.

Article 51 of the U.N. Charter states:

Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures to maintain international peace and security. Measures taken by Members in the exercise of the right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

While a cyber attack has the potential to do great harm to the critical infrastructure of a given nation-state, would such an action rise to the level of what Article 51 deems an “armed attack?” Clearly, a cyber attack of sufficient scope on either the military network or the critical infrastructure could constitute a violation of Articles 2(3) and 2(4), but would that be considered enough to constitute an armed attack triggering the customary right of self-defense now codified under Article 51 of the U.N. Charter?

Common sense would dictate that a cyber attack of sufficient magnitude should be considered an armed attack, but when the U.N. Charter was drafted in 1945, the founders clearly did not foresee the potential for devastation that could come from cyberspace. For instance, Article 41 of the U.N. Charter views the “complete or partial interruption of … telegraphic, radio, and other means of communication” as measures not rising to the level of the use of armed force. In turn, the definition of aggression adopted by the 1974 General Assembly Resolution 3314 excludes the concept of cyber attacks as an act of aggression that would constitute an armed attack. According to the U.N. Definition of Aggression, a State engages in aggression in the following ways:
Article 1

Aggression is the use of armed force by a State against the sovereignty, territorial integrity, or political independence of another State, or in any manner inconsistent with the Charter of the United Nations ….
Article 2
The first use of armed force by a State in contravention of the Charter shall constitute prima facie evidence of an act of aggression ….
Article 3
Any of the following acts, regardless of a declaration of war, shall … qualify as an act of aggression:
(a) The invasion or attack by the armed forces of a State … of another State or part thereof;
(b) Bombardment by the armed forces of a State against the territory of another State …
(c) The blockade of the ports or coasts of a State by the armed forces of another State;
(d) An attack by the armed forces of a State on the land, sea, or air forces, or marine and air fleets of another State;
(e) The use of armed forces of one State … in contravention of the conditions provided for in the agreement or any extension of their presence in such territory beyond the termination of the agreement;
(f) The action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State;
(g) The sending by or on behalf of a State of armed bands, groups, irregulars, or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein.

Finally, because there is no absolute requirement that a “threat to the peace, breach of the peace, or act of aggression” take the form of a traditionally styled armed attack, Article 39 of the U.N. Charter ultimately provides the Security Council with the final authority to determine whether a particular cyber attack would constitute a breach of the peace, and to what degree. Obviously, for the Security Council to take action, the cyber attack would have to be extensive in nature. In other words, the consequences of a cyber attack would be a central ingredient in its decision-making process. Article 39 of the U.N. Charter states:
The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security.

A related issue in the analysis is the issue of State sponsorship. The law of war recognizes acts of self-defense in the context of the acts of a hostile nation-state, not of individual actors or groups of individuals that act in their private capacity. The expectation is that the aggrieved State will notify the nation-state where the private actors are located and then request assistance and cooperation. If the host nation is unwilling or unable to provide assistance and cooperation, then the aggrieved State may be justified in using force, as was the case with the United States vis-à-vis the Taliban’s support for the terrorist al-Qa’eda network in Afghanistan. On the other hand, if the cyber attack cannot be traced to a nation-state, the matter of retaliation is greatly limited.
Clearly, the international laws associated with the use of force are woefully inadequate in terms of addressing the threat of cyber warfare. Without a clear set of rules addressing cyber warfare, individual nation-states will no doubt operate within the framework of existing legal norms by extrapolation, much like the North Atlantic Treaty Organization (NATO) did when it invoked the NATO collective self-defense clause under Article 5 of its Charter, declaring that the terror attacks of 9/11 constituted an “armed attack” under international law despite the fact that al-Qa’eda is not a nation-state.
The international community needs to agree on the application of cyber warfare to the international rules of armed conflict. To date, however, periodic calls for the development of international rules dealing with information warfare have gone unanswered. In 1998 and 1999, for example, Russia was unsuccessful in its bid to get the United Nations to explore the need for an information warfare weapons arms control protocol. The Russian resolution asked member States to provide input on the “advisability of elaborating international legal regimes to ban the development, production and use of particularly dangerous information weapons.”
The only real significant international agreement on cyber matters to date is the Council of Europe Convention on Cybercrime, which was ratified by five nations, including the United States, on July 1, 2004. There is hope that this convention, which focuses on cyber crime and not cyber warfare, may at least present a starting point for future efforts in the realm of cyber warfare.
Currently, DOD views the use of cyber technology in military operations as a part of what is termed Information Operations (IO). IO consists of five subcategories: Psychological Operations (PSYOP); Military Deception (MILDEC); Operations Security (OPSEC); Computer Network Operations (CNO); and Electronic Warfare (EW). While the domestic guidelines that detail how and when the United States would conduct a computer network attack are classified information in National Security Presidential Directive 16 (February 2003), there are a number of unclassified DOD policy directives that speak to IO operations which would certainly have an impact on cyber warfare. For instance, in regard to PSYOP, only non-domestic audiences can be targeted. This restriction would certainly apply to electronic warfare.
From a military perspective, the use of cyber technology in warfare is something that is clearly viewed as a new and powerful weapon. Cyber warfare offers a cheap method of employing targeted force against an adversary - it requires no deployment of soldiers, vehicles, or vessels. As is the case for all weapons, however, the American military command structure responds to lawful commands from the government and uses force in accordance with Standing Rules of Engagement (SROE). Depending on the objective of the military operation, the SROE are further amplified by multiple levels of Rules of Engagement (ROE) which are developed by commanders and their lawyers. Designed for offensive and defensive uses of force, these rules ensure compliance with the law of war as well as domestic law. Even though no review has yet been produced, the DOD has recommended a legal review to determine what level of data manipulation constitutes an attack.
At the end of the day, if directed by lawful authority, DOD can and will attack an adversary’s computer system – private or government. The unresolved issue that is seldom discussed centers on the mechanics – the U.S. military relies significantly on the computer systems of the private sector and would presumably have to use those private assets in any large scale cyber attack.

7 Legal Issues in the Private Sector

From the viewpoint of the private sector, there are a variety of cyberspace related legal issues that require close attention. At the forefront of most Internet users’ minds is the question of privacy. As they venture online, users and consumers look for reassurance that the personal information they submit will remain protected by their own computer, their Internet service provider (ISP) and the Web site they are visiting. Conversely, the chief concern of technology developers, manufacturers and owner/operators is the question of legal responsibility regarding the type and level of cybersecurity protection.
As noted in the discussion on the government’s overall cybersecurity strategy in the private sector, the understated theme of engagement continues to characterize the approach for user privacy and cyber system integrity. The matter of cybersecurity in general and security standards in particular are left in the hands of civilian technology developers, manufacturers and owner/operators.
Federal legislation mandating protective measures in terms of computer security is restricted to federal agencies only, e.g., the Federal Information Security Management Act of 2002. Apart from a few specific laws associated with protecting financial and health-related information from disclosure, government efforts to set security standards or make private entities responsible for protecting their computer systems have not yet come of age. A brief survey of federal involvement in this area reveals only two major pieces of legislation – one in health and one in financial reporting - and even those two only indirectly address cybersecurity concerns. The Health Insurance Portability and Accountability Act of 1996 requires certain private entities to establish security programs that protect the health-related information in their possession, and the Sarbanes-Oxley Act of 2002 requires corporate executives of publicly held companies to annually certify the integrity of their financial reporting under penalty of fines or imprisonment. While the Sarbanes-Oxley Act was passed in the wake of the accounting scandals at Enron and WorldCom, it spurred a massive increase in cybersecurity spending by private companies now concerned about the operating effectiveness of computerized internal controls and fraud prevention.


Liability issues associated with breaches of computer security pervade cyber discussions among both ISPs and private companies. Liability for failure to protect customers from cyber attacks and liability for (unknowingly) hosting a DDoS attacker are two significant concerns that will soon find their way into court as civil actions in tort or product liability claims. Currently, however, there are no federal laws holding a technology developer, manufacturer, or owner/operator liable if they sell or offer a product that has inadequate cybersecurity protections or design flaws. As a practical matter, licensing agreements or terms of service agreements include disclaimer protections.

In tandem with these cyber “defensive” concerns, i.e., responsibility for damage done to third parties as a result of inadequately providing security protection as a technology developer, manufacturer, or owner/operator, is the emerging issue of the increased use of “offensive” or self-defense responses to a cyber attack, e.g., actions employed by private network security personnel in response to a cyber attack on their system. Known as hackback - an offensive response against a cyber attacker - this offensive process may also damage the computer networks of innocent third parties used by the attacker. While hackback illustrates a desire by some in the civilian sector to take cybersecurity matters into their own hands, it also raises a number of legal issues.

Identification of the source(s) of a cyber attack, including the Internet Protocol (IP) address of the attacker, is vital to the identification of the attacker, the deployment of effective countermeasures and the development of new cybersecurity defense tools. However, due to a number of techniques that can be used to hide the identity of an attacker, manually tracing the multiple sources of a DDoS attack generally proves overly burdensome and requires more time to conduct than the actual attack itself. As a practical matter, then, the best way to identify the source of an attack is through an automated process. One such program is known as “IP Traceback.” Southwest Research Institute (SwRI), San Antonio, Texas, is currently working on a project to develop an Autonomous System Traceback (AST) solution to combat cyber attacks, including DDoS attacks. As such, AST provides a useful platform for the discussion of a variety of legal issues that are not only integral to developing and deploying the AST solution, but also to dealing with liability and privacy issues associated with both defensive and offensive cybersecurity actions.
Experts correctly refer to the IP traceback concept as a problem because tracing an attack to its source is complicated by the fact that attackers typically forge, or “spoof,” the IP address from which the attack packet is sent. Spoofed packets will contain an invalid or false IP address in the packet header making the packet appear as though it originated from the “spoofed” IP address. To complicate matters further, the traditional method of tracing the source of an attack is largely a manual process that must be conducted during the course of an attack (this is further aggravated because the attack can be carried out from a multitude of sources). The complexity of such attacks thereby renders traditional tracing of IP addresses impractical for commercial networks in terms of cost effectiveness.
Four main types of IP traceback exist: packet marking; packet or hash-based logging; link testing; and Internet Control Message Protocol (ICMP) traceback.[6] In general, each of these approaches has suffered technical, policy and legal restrictions. The need for additional hardware, software upgrades, modifications to network configurations and filtering of the enormous amount of data processed on computer networks has presented technical obstacles. Further, one of the key limitations to successful deployment of IP traceback systems is the necessity for cooperation among ISPs. According to one report on the matter:

Tracking an anonymous attack is not a trivial task. An individual or organization would find this task difficult, if not impossible, without involving their upstream ISPs. Today, tracing an anonymous attack even within a single ISP remains a manual task. ISPs and enterprise networks do not have incentives to monitor for attack packets …. The lack of incentives comes from the fact that monitoring for such packets has no immediate benefit to the ISP itself or its subscribers. Furthermore, participating in traceback may mean disclosure of internal topology, investment in additional equipment, upgrades to existing equipment, and additional operational costs for the ISP. Consequently, IP traceback solutions should not assume complete cooperation of ISPs.[7]

Looking at the final goal of the traceback process - identifying and blocking the source of the attack - the AST method of IP traceback focuses not on identifying a specific computer as the attack source but rather locating the Autonomous System (AS)[8] from which the attack originated. AST monitors record hashes of the packet signature - in this case, specific fields in the packet header - for each packet that crosses their borders. The route of an attack packet may then be traced back by identifying each AS it crossed, without the need to examine internal network paths. Additionally, and most importantly for privacy concerns, the contents of the traffic are never viewed or stored. Only a hash of the packet’s header information is stored by the AST. In other words, no internal network topology is disclosed to the AST, only whether an AS saw the packet and where it received the packet from. Since AST does not utilize any of the active traceback techniques such as “active defense” or hackback, an AST model remains within the passive realm. Because there is no expectation of privacy from routing information, the Electronic Communications Privacy Act (ECPA), which generally prohibits the interception, use, or disclosure of email contents while they are being transmitted, does not protect packet headers which are used to route information from point A to point Z.
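The following Python model is an added illustration of the AS-level hash logging described above; it is not code from the article or from the AST developers. Each border monitor keeps a SHA-256 digest of header fields that do not change hop to hop (never the payload), and the victim's AS walks the recorded "received from" links back to the originating AS even though the source address in the header is spoofed. The AS numbers, addresses and the exact choice of hashed fields are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

ORIGIN = "LOCAL"  # marker: the packet was sourced inside this AS, not handed over by a neighbour


@dataclass(frozen=True)
class Packet:
    """Minimal IP packet model (constructed for this example)."""
    src: str        # source address as written in the header, possibly spoofed
    dst: str
    proto: int
    ip_id: int      # IP identification field
    payload: bytes  # carried along, but never inspected or stored by a monitor


def header_digest(pkt: Packet) -> str:
    """Hash of header fields that stay constant hop to hop.

    TTL and checksum change at every router, so they are excluded. The payload
    is deliberately not part of the digest: only routing information is kept,
    which is the privacy property the text relies on.
    """
    material = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.ip_id}".encode()
    return hashlib.sha256(material).hexdigest()


class ASTMonitor:
    """Border monitor of one AS: remembers digest -> set of neighbours it came from."""

    def __init__(self, asn: str):
        self.asn = asn
        self.seen: dict[str, set[str]] = {}

    def observe(self, pkt: Packet, received_from: str) -> None:
        self.seen.setdefault(header_digest(pkt), set()).add(received_from)

    def query(self, digest: str) -> set[str]:
        # A query reveals only whether this AS saw the packet and which
        # neighbour delivered it, not any internal topology.
        return self.seen.get(digest, set())


class Internet:
    """A handful of ASes (assumed names), each with its own AST monitor."""

    def __init__(self, asns):
        self.monitors = {asn: ASTMonitor(asn) for asn in asns}

    def forward(self, pkt: Packet, path: list[str]) -> None:
        """Carry pkt along an AS-level path; the first AS in the path sourced it."""
        previous = ORIGIN
        for asn in path:
            self.monitors[asn].observe(pkt, previous)
            previous = asn


def traceback(net: Internet, pkt: Packet, victim_as: str) -> list[list[str]]:
    """Every AS-level path from the victim's AS back to an AS that sourced pkt.

    Several paths come back when the same digest entered from more than one
    neighbour (multi-path routing or a hash collision). An empty list means an
    AS on the route did not log the packet: one non-cooperating AS breaks the
    trace, which is the ISP cooperation problem the article notes.
    """
    digest = header_digest(pkt)
    paths: list[list[str]] = []

    def walk(asn: str, path: list[str]) -> None:
        for upstream in sorted(net.monitors[asn].query(digest)):
            if upstream == ORIGIN:
                paths.append(path)
            elif upstream not in path:          # avoid looping on cycles
                walk(upstream, path + [upstream])

    walk(victim_as, [victim_as])
    return paths


def demo() -> list[list[str]]:
    """Spoofed packet: AS100 sends it claiming an address that belongs to AS400."""
    net = Internet(["AS100", "AS200", "AS300", "AS400"])
    spoofed = Packet(src="203.0.113.7", dst="198.51.100.9", proto=17, ip_id=4242,
                     payload=b"constructed flood payload")
    net.forward(spoofed, ["AS100", "AS200", "AS300"])   # AS400 never saw it
    return traceback(net, spoofed, "AS300")              # -> [['AS300', 'AS200', 'AS100']]


if __name__ == "__main__":
    print(demo())
```

The trace ends at AS100 rather than at the AS that owns the spoofed address, because each hop is answered from where the packet was actually received.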
Accordingly, AST developers express two specific concerns in the area of liability: (1) what liability might a company or ISP have for failing to use AST technology (if it were one day viewed as an industry standard practice, for instance) in its network cybersecurity program, and (2) what liability might attach if a company or ISP became host to a DDoS attacker?
Answering the first question, without the benefit of significant judicial case law on the subject, mandates reference to traditional notions of common law tort liability. For an ISP, or other commercial firm, to be liable under tort law requires that the provider breach a legal duty to exercise a level of care imposed by either statute or common law.
Sources for common law tort liability require consideration as to the developing legal standard for information security, which in this case would be discovered by reviewing trends in the area of cybersecurity. At a minimum, there exists at least a general obligation to provide some level of cybersecurity. Specifically, legal obligations for technology developers, manufacturers and owner/operators regarding information security derive from multiple sources – enacted federal and state laws; regulations and government enforcement actions; and common law fiduciary duties and obligations to provide reasonable care. The legal obligation to implement cybersecurity measures can be classified as either industry-specific, data-specific, or focused on public companies.
As previously noted, a handful of federal laws have been enacted in order to protect personal data and financial reporting of individuals, customers, or prospects held by certain private companies. The Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act require the integrity of financial reporting and the Health Insurance Portability and Accountability Act mandates cybersecurity protections for personal information. The Children’s Online Privacy Protection Act of 1998 requires protection of personal information regarding children. The Securities Exchange Commission (SEC) also imposes regulations regarding cybersecurity standards for internal financial controls over information systems.
The Federal Trade Commission (FTC) possesses a series of enforcement actions and consent decrees which extend security obligations to certain private industries. Originally, the FTC brought cases based on the alleged failure by companies to provide adequate information security contrary to representations they made to customers (deceptive trade practices claims). In June 2005, the FTC significantly broadened the scope of its enforcement by asserting that a failure to provide appropriate information security was, itself, an unfair trade practice – even in the absence of any false representations by the defendant as to the state of its security.
A variety of federal and state E-transaction laws (E-SIGN and UETA) now require all companies to provide security for storage of electronic records relating to online transactions. In addition, sector-specific regulations are proliferating. These include the Internal Revenue Service’s (IRS) requirement for companies to implement information security to protect electronic tax records and SEC regulations on cybersecurity concerns as a condition to engage in certain E-transactions. The Food and Drug Agency (FDA) also has agency regulations that require security for certain types of records.
Many legal commentators suggest that corporate directors have a duty of care rooted in a fiduciary obligation that includes responsibility for the security of the company’s information systems. They also argue that there may be a common law duty to provide cybersecurity, the breach of which constitutes a tort.
State laws also impose certain cybersecurity obligations to ensure the security of personal information. These laws are known as security breach laws. In 2003, California enacted the California Database Protection Act, Cal. Civil Code § 1798.82 (2006), becoming the first state in the nation to enact legislation requiring any government or private entity that possessed confidential personal information (e.g., social security numbers) to notify the owners of said information in the event of a disclosure to an unauthorized person resulting from a security breach. Additionally, § 1798.81.5 (2006) of the Act added an unprecedented statutory duty on businesses that own or authorize the use of personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Thus, businesses obtaining the personal or confidential information of California customers now have a statutory duty to not only provide notification to individuals regarding security breaches but must also provide reasonable care for securing such data. California’s approach has served as a model for statutes in dozens of other states. As of 2007 at least thirty-five states require businesses to notify their customers or clients if there is a security breach involving sensitive personal information. These laws generally apply to any business maintaining the information of a resident of the state which enacts the statute. States whose statutes follow the California model include:

Arkansas (Ark. Code Ann. §4-110-101 et seq.)
California (Cal. Civ. Code §1798.82)
Connecticut (2005 Conn. Acts 148)
Delaware (Del. Code Ann. tit. 6, 12B-101 et seq.)
Florida (Fla. Stat. Ann. §817.5681)
Georgia (Ga. Code Ann. §10-1-910 et seq.)
Illinois (815 Ill. Comp. Stat. 530-1 et seq.)
Indiana (Ind. Code §1.IC 4-1-10)
Louisiana (La. Rev. Stat. Ann. §51.3071 et seq.)
Maine (Me. Rev. Stat. Ann. tit. 10, §1346 et seq.)
Minnesota (Minn. Stat. §325E.61 and §609.891)
Montana (Mont. Code Ann. §30-14-1701 et seq.)
Nevada (2005 Nev. Stat. 485)
New Jersey (A. 4001, 2005 Leg. 211th Sess. (N.J. 2005))
New York (A. 04254, 228th Gen. Assem., Reg. Sess. (N.Y. 2005))
North Carolina (N.C. Gen. Stat. §75-65)
North Dakota (N.D. Cent. Code §51-30-01 et seq.)
Ohio (Ohio Rev. Code §1349.19)
Pennsylvania (S.B. 712)
Rhode Island (R.I. Gen. Laws §11-49.2-1 et seq.)
Tennessee (2005 Tenn. Pub. Acts 473)
Texas (Tex. Bus. & Com. Code Ann. §48.001 et seq.)
Washington (Wash. Rev. Code §19.255.010)

For instance, in 2005, the Texas legislature passed Senate Bill 122, which amended the Texas Code of Criminal Procedure and Texas Business and Commerce Code. The relevant portion of the Texas Business and Commerce Code, § 48.102(a) (2006) reads: “A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” Like the approach in California, the Texas legislature statutorily defined that businesses within the state owe a duty to their customers to implement reasonable procedures to safeguard personal data. Section 521.053 of the Texas Business & Commerce Code provides:

Any person who maintains computerized data that includes sensitive personal information not owned by the person shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.[i]

The law defines sensitive personal information as:

“Sensitive personal information” means, subject to Subsection (b), an individual’s first name or first initial and last name in combination with any one or more of the following items, if the names and the items are not encrypted:
(A) social security number;
(B) driver’s license number or government-issued identification number; or
(C) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

What, then, is considered reasonable care in the context of cybersecurity protection? Some analysts argue that the very fact that a security breach occurs indicates a breach of a common law duty owed by the ISP or a commercial firm to provide reasonable security for its customers’ personal information. The more reasoned approach is to look at industry standards. In fact, in various cyberspace arenas a number of standards, best-practices and guidelines have been developed. While adherence to an existing industry standard is not dispositive to the determination of reasonable care owed, it is relevant.[9] Indeed, a given court could determine that a party was negligent and did not take reasonable security precautions even if the industry standard was met.[10] Accordingly, although implementation of IP traceback technology is not yet an industry custom, the availability of the AST technology may help determine a new standard of reasonable care owed to protect customer data from intruders. Of course, other factors would also be relevant, such as the cost of using the technology, the availability of alternative technologies and any evidence of problems with the technology (e.g., security breaches in networks using IP traceback methods).
Another approach would be for the federal or state government to allow plaintiffs to sue manufacturers under various product liability laws. This has not occurred at the federal level.
The second question regarding liability issues for hosting a DDoS attacker poses a more difficult challenge. No court has thus far held an ISP liable for the actions of its users.[11] Most cases involving ISP liability have involved questions of copyright and trademark infringement or responsibility for offensive content posted on the Internet. In fact, many of the court decisions find that ISPs are statutorily immune from liability for the actions of their customers under, for example, the Communications Decency Act. The Communications Decency Act states that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”[12]
Do ISPs enjoy the same protection in the case of security breaches by intruders that harm ISP customers? While it may seem a stretch to extend the Communications Decency Act to this area, at least one court has already done so. In Green v. America Online, Inc., 318 F.3d at 471 (3rd Cir. 2003) the court extended the language of the Communications Decency Act to a “punter” program. The court first “not[ed] that the dictionary includes ‘signal’ as a definition of ‘information’,” and it then asserted that the punter program was in fact a signal; therefore, it was information.
The current approach of some courts to provide immunity is consistent with the way ISPs view their role. Universally, ISPs take the position that they are only providing a “pipe” through which customers connect and information flows. Additionally, most ISPs have a “Terms of Use” agreement with their customers in which the customer agrees not to engage in certain prohibited or criminal activities. In Green v. America Online, Inc., the court held that an ISP was not liable for the actions of two of its subscribers, including posting offensive messages about the plaintiff in a chat room. The Green opinion was in line with a 1997 ruling from the 4th Circuit in Zeran v. America Online, Inc., 129 F.3d 328 (4th Cir. 1997). The court in Zeran ruled that the defendant was not liable for damages caused by the defamatory messages posted by an unidentified third party. In Noah v. AOL Time Warner, 261 F. Supp.2d 532 (E.D. Va. 2003), the district court held that a “chat room” was not a place of public accommodation under the Civil Rights Act and that the ISP was not liable for defamatory messages posted in the chat room.
Aside from the limited amount of firm case law, new distinctions in terminology will certainly impact on future regulatory issues. In Nat’l Cable & Telecomm. Assoc. v. Brand X Internet Serv., 125 S.Ct. 2688, 2711-12 (2005), the Supreme Court held that broadband cable companies provided “information services” rather than “telecommunication services.” This means that cable companies, functioning as ISPs, are not common carriers, yet, telecommunication companies, which function as ISPs, are common carriers and subject to regulation under the Telecommunications Act of 1996. While the Telecommunications Act focuses almost exclusively on rates of service and interchange between carriers, any future legislation that affects one industry, should be carefully worded to include both telecommunication and information providers.
In a DDoS attack, the actual attacker is the immediate wrongdoer, but courts may extend liability to other tortfeasors who have contributed to the attacks. The most common civil action following a DDoS cyberattack will most likely be under a negligence theory of some sort. In this vein, an emerging negligence theory is the so-called “Encourage Free Radicals” (EFR) doctrine. The EFR doctrine preserves the liability of an original tortfeasor if the second tortfeasor is a “free radical” and the case exhibits factors that influence the courts to hold the original tortfeasor liable for encouraging free radicals.[13] Free radicals are “those individuals who are shielded from liability by anonymity, insufficient assets, lack of mental capacity, or a lack of good judgment.”[14] Cyber criminals clearly fit the description of free radicals because they are judgment-proof, elusive and protected by anonymity. Cyberterrorists, in particular DDoS attackers, exemplify free radicals because their judgment is blinded by ideological or religious motivations. Additionally, a DDoS attacker spoofs or hides the true origin of the attack, making identification of the attacker difficult.
The second factor necessary for applying the EFR doctrine is that the original tortfeasor’s encouragement of the free radical constituted negligent behavior. Liability in a negligence action requires that the victim of a DDoS prove: (1) that the defendant had a duty to the plaintiff to take reasonable care to avoid the attack or reduce its risk; (2) that the defendant breached this duty; (3) that the breach was the actual and legal cause of the attack; and (4) that the breach resulted in actual harm. While courts have not explicitly identified a duty of care for Internet cybersecurity, a willingness to recognize such a duty is developing. For instance, some courts have recognized that in certain circumstances a failure to apply a security patch constitutes a breach of duty.[15] The AST system is a logical and cost-effective precaution to protect against DDoS because, if implemented by ISPs, it operates as a central element of the ISP’s information security protocol by mitigating or preventing the attack and resulting damage.
The court will consider other factors in holding the original tortfeasor liable for damage caused to third parties by encouraging free radicals. These factors include such things as whether the defendant (ISP) by lax cybersecurity measures, created an opportunity for the free radical; whether the free radical’s behavior was foreseeable; whether the foreseeable harm was serious; the deliberateness of the defendant’s behavior; and whether a special relationship existed between the defendant, the third party victim, or both (a defendant who encourages a free radical through a nonfeasance as opposed to a misfeasance will not be liable unless there was a special relationship). The court also factors in the seriousness of the harm as measured by the economic impact of the cyber attack.
While the law is currently in the early stages of development, ISPs and others need to anticipate developments and implement risk management strategies for cyber attacks. Clearly, advancements in DDoS fighting technologies will shape the future of ISP tort liability.
Another statute warranting attention in the context of the AST and other new cybersecurity tools is the federal Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act). The SAFETY Act provides a legal liability shield to designated anti-terrorism technologies, thereby encouraging the adoption of innovative technologies that will help protect cyberspace. Under the terms of the SAFETY Act, “sellers” of a technology that would “be effective in facilitating the defense against acts of terrorism, including technologies that prevent, defeat or respond to such acts” can petition the Secretary of Homeland Security to designate the technology as a Qualified Anti-Terrorism Technology (QATT).[16] Specifically, the sellers of “any product, equipment, service, device, or technology designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism” can apply for government certification from DHS. Once the Secretary has certified that the proposed “goods” conform to the seller’s specifications, a rebuttable presumption is established that can “only be overcome by evidence showing that the seller acted fraudulently or with willful misconduct in submitting information to the Secretary during the course of the Secretary’s consideration of such technology.” For a cybersecurity technology certified as a QATT, any liability actions regarding the use of the QATT must be brought in federal court. The SAFETY Act also restricts the legal claim to actual damages, removing punitive or exemplary damages from the claim.
Furthermore, the SAFETY Act approach departs from the government contractor’s defense set out in Boyle v. United Technologies Corp.,[17] where the private party contractor obtained immunity only if he conformed to the “government’s specifications.” Not only does the SAFETY Act provide the designer of a QATT-certified technology the ability to raise a government contractor defense (which absolves the manufacturer of liability outright), but it actually departs from the criteria that such a defense can only be raised in products liability where the product was developed and manufactured according to government contract and specifications required by such contract. Again, the SAFETY Act standard is simply that the goods conform to the seller’s specifications. This presumption may only be rebutted by a showing of evidence that the seller acted fraudulently or with willful misconduct in submitting information to the Secretary during the QATT application process. Moreover, it should be noted that this presumption follows the QATT no matter where the customer is located. Therefore, the defense would be viable in situations where the technology was sold to non-federal government customers, in addition to instances where the federal government is the customer.
Finally, sellers of QATTs are required to obtain liability insurance for themselves, “contractors, subcontractors, suppliers, vendors, customers of the seller” and vendors of those customers. Thus, if the AST, or any new cybersecurity technology, could be certified as a QATT, potential customers would certainly be more inclined to adopt the technology.
At a minimum, technology developers, manufacturers and owner/operators should ensure that they craft judicious licensing agreements or terms of service agreements that make clear to potential customers the following: (1) they (ISPs in particular) are not liable for the actions of third parties which result in damages; (2) they will use network monitoring technologies for performance and security purposes; and (3) they reserve the right to terminate connections that threaten their customers. Acceptance of such an agreement could signify approval of the technology’s use.
From a defensive perspective, the issue of liability to customers in the context of safeguarding private information and securing networks against cyber attack is of great concern. Unfortunately, from a legal perspective, because of the rapid pace at which technological developments occur, the law in this area is substantially behind.

9 Conclusion

The use of SCADA systems and the Internet to digitize and automate almost every aspect of the workings of electric utilities; chemical, gas and oil refineries; public transportation; or hospital services makes them a tempting target for cyber terrorists who desire to cripple some component(s) of the nation’s critical infrastructure. Since American SCADA systems are designed for efficiency, not security – SCADAs are predominantly linked to the Internet – the opportunity for a significant cyber attack is greatly enhanced. Making SCADA systems safe and secure is further frustrated by the absence of a strong federal strategy that mandates information sharing and cybersecurity standards. In addition, the widespread technical ignorance of security managers and the false sense of security due to the absence of a major cyberterrorist incident on America’s infrastructure contribute to the vulnerability equation.

If the threat of cyberterrorism is not met with the same recognition and gravity as a physical terrorist attack, it is only a matter of time before a computer savvy jihadist will deal a devastating blow to the United States. To date, private industry has expressed great opposition to increased government management of cyberspace and has lobbied hard against mandatory cybersecurity standards and regulations regarding, for example, legal liability (product liability law suits) for security failures.

Clearly, meaningful federal action is needed to elevate cybersecurity to a national priority. At a minimum, this means instituting mandatory reporting requirements to the government for cyber attacks directed towards private industry and increasing the partnering of private industry with the government to develop long-term research and development in cybersecurity standards.

Selected Bibliography

Mark Pollit, Cyberterrorism: Fact or Fancy? Proceedings of the 20th National Information Systems Security Conference, October 1997, at 285-289.

John Rollins and Clay Wilson, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, CRS Report RL33123, Oct. 20, 2005.

Peiter Zatko, Inside the Insider Threat, Computer World, June 10, 2004.

Cybercrime Law Report, On the Hill Hacking for Terror, March 8, 2004.

Dan Verton, Black Ice: The Invisible Threat of Terrorism (2003).

John Malcolm, Virtual Threat, Real Terror: Cyberterrorism in the 21st Century, Testimony of the Deputy Assistant Attorney General John G. Malcolm on Cyberterrorism, Senate Judiciary Committee, Subcommittee on Terrorism, Technology and Homeland Security, February 24, 2004.

Brett Stohs, Protecting the Homeland Exemption: Why the Critical Infrastructure Information Act of 2002 will Degrade the Freedom of Information Act, Berkeley Technology Law Journal, Summer 2003.

* Professor of Law and Director, Center for Terrorism Law, St. Mary’s University School of Law. B.A. (with honors), University of Maryland, 1976; J.D., University of Alabama School of Law, 1979; L.L.M., The Judge Advocate General’s School of Law, 1987; L.L.M., University of Virginia School of Law, 1992; S.J.D., University of Virginia School of Law, 1994. This article is a modified and abridged version of a chapter entitled Cyberterrorism and the Law which will appear in Legal Issues in the Struggle Against Terror (2009), published by the Center for National Security Law, University of Virginia School of Law, Charlottesville, VA.

[1] See Mark Pollit, Cyberterrorism: Fact or Fancy? Proceedings of the 20th National Information Systems Security Conference, October 1997, at 285-289.

[2] See John Rollins and Clay Wilson, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, CRS Report RL33123, October 20, 2005.

[3] Id.

[4] DHS/IAIP Daily Open Source Infrastructure Reports, available at http://www.dhs.gov/dhspublic/interapp/editorial-0542.xml.

[5] See Mindi McDowell, Understanding Denial-of-Service Attacks, US-CERT Cyber Security Tip ST04-015 (2004), at http://www.us-cert.gov/cas/tips/ST04-015.html.
In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a web site or send spam to particular email addresses. The attack is “distributed” because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.
Id.

[6] Andrey Belenky & Nirwan Ansari, On IP Traceback, IEEE Communications Magazine, vol. 41, no. 7, 142-153 (July 2003) (analyzing the technical details of the various approaches to IP traceback); Chun He, Formal Specifications of Traceback Marking Protocols (May 2002) (unpublished honors thesis, University of Texas at Austin), available at http://www.cs.utexas.edu/ftp/pub/techreports/tr02-42.pdf (summarizing the four named techniques).

[7] Id. at 152.

[8] An autonomous system (AS) is defined as: “A network that is administered by a single set of management rules that are controlled by one person, group or organization. Autonomous systems often use only one routing protocol, although multiple protocols can be used. The core of the Internet is made up of many autonomous systems.” Scalable IP Traceback for Internet Attack Attribution, available at http://www.SwRI.org/3pubs/ird2005/Synopses/109446.htm.

[9] See Coats & Clark, Inc. v. Gay, 755 F.2d 1506, 1511 (11th Cir. 1985) (holding that evidence of industry custom is admissible to determine negligent care); Rossell v. Volkswagen of America, 709 P.2d 517, 523-34 (Ariz. 1985) (finding that, under Arizona law, industry custom is admissible evidence to establish defendant’s conduct as reasonable under the circumstances).

[10] See The T.J. Hooper, 60 F.2d 737 (2d Cir. 1932) (holding that failure to equip tug boats with radios that could receive weather broadcasts was negligent, even though it was not yet industry custom to install such radios).

[11] See limitations on liability relating to material online, 17 U.S.C.A. § 512 (1999) (providing a “safe harbor” for Internet Service Providers that unknowingly host copyrighted material).

[12] Id. at § 230(c)(1). The term “information content provider” means any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service. Id. at § 230(f)(3).

[13] See Meiring de Villiers, Free Radicals in Cyberspace: Complex Liability Issues in Information Warfare, 4 Nw. J. Tech. & Intell. Prop. 13 (2005) (discussing the policy rationale behind the EFR doctrine: solvent defendants should not be allowed to escape judgment by shifting liability to judgment-proof and undeterrable individuals, because the deterrence rationale of tort law would be defeated and plaintiffs left without compensation).

[14] Mark F. Grady, Proximate Cause Decoded, 50 UCLA L. Rev. 293, 306-12 (2002) (the EFR doctrine was pioneered by Mark Grady; see Mark F. Grady, The Free Radicals of Tort, Supreme Court Economic Review, 2004, 189, discussing that the EFR doctrine’s long history developed primarily during the nineteenth century alongside negligence cases generally).

[15] See id. citing Maine Public Utilities Commission, Docket No. 2000-849, Inquiry Regarding the Entry of Verizon-Maine Into the InterLATA Telephone Market Pursuant to Section 271 of Telecommunications Act of 1996 (2003) (Maine Public Utilities Commission concluded that Verizon acted unreasonably by failing to apply a security patch issued six months prior by Microsoft). See also Guess?, Inc., F.T.C. Docket C-4091 (2003) Complaint, at http://www.ftc.gov/os/caselist/0223260.htm (the FTC held that Guess?, Inc. failed to patch a web site vulnerability that made it susceptible to SQL injection attacks. The FTC explained that Guess had been vulnerable to commonly known or reasonably foreseeable attacks and that the vulnerability was successfully exploited, resulting in the loss of 191,000 customer credit card numbers. Further, Guess had known of the vulnerability and the fix was relatively cheap and easy.)

[16] Homeland Security Act of 2002, Pub. L. No. 107-296, § 862 (2002) (defining the term “technology” to include products, equipment, services and devices); id. at § 865(1).

[17] Boyle v. United Technologies Corp., 487 U.S. 500 (1988).

[i] Tex. Bus. & Com. Code Ann. § 521.053(c) (Vernon Supp. 2007) (emphasis added).