Cybercrime & Cyberterrorism - a Cyberpsychological perspective
February 23, 2011, 20 min read
“Cyberterrorism is also clearly an emerging threat. Terrorist groups are increasingly computer savvy, and some probably are acquiring the ability to use cyber attacks to inflict isolated and brief disruptions of US infrastructure. Due to the prevalence of publicly available hacker tools, many of these groups probably already have the capability to launch denial-of-service and other nuisance attacks against Internet-connected systems. As terrorists become more computer savvy, their attack options will only increase.” (War on Terrorism, 2003)
This is what Robert Mueller, FBI Director, testified on 11 February 2003 before the US Senate on a hearing about War On Terrorism against Al-Qaeda and other terrorist organisations. The US and global media organisations picked up this testimony and begun speculating on the possibility of a large-scale Cyberterrorist attack. So far, such an attack has not materialised. At the same time a similar term, Cybercrime, is used to describe criminal activities on the Internet such as identity theft, copyright infringement and bank fraud, but many times these two terms (Cybercrime and Cyberterrorism) end up been used inter-changeably and their meaning, especially to the public, becomes blurred and unclear. Governments, policy networks and the media around the globe have engaged in an effort to build defences against Cyberattacks, bring new regulations in effect while maintaining an almost mythological atmosphere over the threats and risks of potential Cybercrime and Cyberterrorist attacks.
This essay will explore the concepts of Cybercrime and Cyberterrorism, how such acts are portrayed in the media and the government policies that come in effect. The focus will be on how all these processes affect people psychology in regards to induced feelings of anxiety and fear and not the illegal activities themselves. In essence the essay aims to investigate Furedi’s (2002, p. 34) statement that “what we already fear can now thrive in the new space provided by the Internet”.
Firstly, the terms Cybercrime and Cyberterrorism will be analysed and defined, in an effort to identify how they have been used over the past years, what are their similarities, differences and incorrect usages. Secondly, the two terms will be analysed in regards to real events of Cybercrime and Cyberterrorism and how such events lead to new government policy. The third part investigates how all these affect the psychology of the public and look into how individuals and groups have reacted in such cases. Finally, the last part aims to identify some potential solutions to the problem.
As the global reach of the Internet keeps growing, its effect on all areas of online human endeavour becomes more pervasive. Individuals or groups can exploit the anonymity afforded by cyberspace to engage in illegal or illicit activities that aim to intimidate, harm, threaten or cause fear to citizens, communities, organisations or countries. The virtual and physical distance between the attacker and the victim and the difficulty in tracing back the attack to an individual minimises the inherent threat of capture to the attacker. But how are such activities defined? What is a Cybercrime and what are its characteristics? How can a Cyberterrorist be identified and what are his or her differences from a Cybercriminal? So far, the definitions for Cybercrime and Cyberterrorism in literature, government documents and everyday use have been highly varied, context-specific and emotionally loaded, which makes discourse on the subject difficult. The FBI alone has published three distinct definitions of Cyberterrorism: “Terrorism that initiates…attack[s] on information” in 1999, to “the use of Cyber tools” in 2000 and “a criminal act perpetrated by the use of computers” in 2004.” (Baranetsky, 2009). Cybercrime and Cyberterrorism have been used to describe online acts such as:
- Black-hat hacking / Cracking
- Child sex offences (pornography and grooming)
- Crimes in virtual worlds
- Cyberactivism / Hacktivism
- Virus writing and malware
- Identity theft / Fraud
- Illegal financial transactions / Money laundering
- Copyright infringement
- Serious acts of cyberbullying
- Denial of service attacks
- Rogue bot-nets
Cyberterrorism usually has a stronger meaning than Cybercrime, describing acts that have similar characteristics to real-world terrorism attacks, but not always. On the other hand, Cybercrime is often used as a catch-all term to describe illegal, harmful and/or hostile activity on the Internet (including Cyberterrorism). Furthermore, other terms are sometimes used to describe similar illicit online acts, which complicate things even more, and their use is typically dependant on the context or the person/organisation that uses them. For example, a spokesperson within the military is likely to use the term Cyberwarfare to describe hostile online acts between two countries and/or acts of terrorism that originate from another country and are manifested online (instead of using the term Cyberterrorism).
Before attempting to define Cyberterrorism and Cybercrime one has to reflect on the validity of the two terms. Taipale (2010) has argued that “Cyberterrorism, whatever it is, is a useless term” and he believes that, “terrorists will use any strategic tool they can” so Cyberterrorism is no more important than other forms. A similar argument could be made for Cybercrime, as Wall (2008) says, “Cybercrime is relatively meaningless by itself because it is mainly a fictional construction that has no original reference point in law, science or social action.”. However, the term is gradually gaining ground in formal legal discourse due to new legislation in many countries such as Australia (Cybercrime Act 2001), Nigeria (Draft Cybercrime Act), the United States (proposed Cybercrime Act 2007) and the UK (the Home Office introduced its Cybercrime Strategy in March 2010).
An additional layer of complexity is added when one looks at the legal systems of different countries and their varied definitions of unlawful acts. It is not unusual for what one country defines as a criminal offence to merely be a civil wrong in another. The problem arises when an individual is the receiver of news about a Cyberterrorist attack in a foreign country, that would only be characterised as a hacking attempt or an Cyberactivism protest in his or her own country, and vice versa. It is thus likely that a person can manifest unwarranted feelings of fear, insecurity, anxiety or panic, along with a general confusion on how to interpret the news.
Until the late nineties, interest on Cyberterrorism was quite low with Cybercrime making the news sparingly, mainly on accounts of computer hacking and cracking incidents. As 2000 approached, catastrophic scenarios based on the millennium bug (a flaw in the way computers used to store dates) started to circulate in the news and there was some activity on the state level to prevent any unwanted side-effects from the bug. Although the millennium bug did not turn out to be as devastating as many were speculating at the time, it did introduce a new kind of fear into people’s minds. The fear that technology and manipulation of technological means (the Internet) by mal-intended individuals or groups can have a negative impact in their livelihoods. No matter how significant the millennium bug’s impact was on people’s lives, it pales in comparison to the aftermath of the terrorist attacks in the United States on September 11, 2001.
Shortly after the attacks, the US government announced its plan to initiate a War on Terror, (including war on Cyberterrorism). The mainstream media made extensive use of these two peculiar words (war and terror), for an effort that was supposedly aiming to help citizens feel safer, on a daily basis in order to inform citizens on the new potential threats. Such alleged threats included large scale Cyberattacks that would use computer networks to infiltrate critical infrastructures, aiming to endanger human lives or disrupt financial transactions and bring the country to a halt. Although, again, the front on Cyberterrorism has failed to materialise an attack of this magnitude, the War on Terror campaign was the point in time when Cyberterrorism was established as a new potential threat into the minds of people, mainly in the US, but also across the world. With the attention that War on Terror got from the public, the level of speculation on potential Cyberterrorism scenarios grew significantly to a point where some authors claimed that even nuclear meltdowns or chemical plant explosions were possible. Such claims are built on the basis of non-falsifiability, meaning if a predicted catastrophe fails to materialise it does not falsify the theory but merely shows that any security measures taken thus far are effective and/or that it is only a lucky coincidence and it is a matter of time for something unfortunate to happen. Such threats can be perceived as abstract, incomprehensible and uncontrollable, and generate longstanding fears in the public consciousness.
The Lipman Report (2010) states that “During 2009, a series of cyber attacks were launched against popular government Web sites in the United States and other countries, effectively shutting them down for several hours“ and claims that “most disturbing is the possibility that this limited success may embolden future hackers to attack critical infrastructure, such as power generators or air-traffic control systems — with devastating consequences for the United States economy and national security“. It is interesting to observe how a very trivial Denial of Service (DoS) attack is described as the predecessor of attacks on critical infrastructure, without any previous evidence to support the claim. Such attacks are placed under the heading “Cyber Warfare” in the report. The report goes on to describe Cyberterrorism threats that could possibly originate from Al Qaeda. In regards to Cybercrime the report claims that the annual cost of criminal activity is estimated at $1 trillion, but without providing relevant evidence. In essence, the report makes bold claims, presents huge numbers in dollars and goes from DoS attacked to Al Qaeda.
Such is the current state of affairs regarding Cyberterrorism and Cybercrime, that it is non-trivial for someone to fully understand the scope and implications of each term. This makes the public discourse on the subject and the process of legislation complicated for the stakeholders, the decision makers and for the public.
Following the Cyberterrorism and Cybercrime incidents of the past two decades, there is now a push for stricter control and regulation on cyber activity. This push originates mainly from the United States but more countries are joining in the effort. In the following paragraphs some of the most recent acts aiming to combat Cybercrime and Cyberterrorism will be presented. In June 25th 2010, the United States government released to the public a draft version of an upcoming policy against Cybercrime, titled National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy (Department of Homeland Security, 2010). The draft reads:
“One key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. While this Strategy recognises the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities.”
Fundamentally, this policy will enable the US government to create verified online identities for its citizens in a closed identity ecosystem that will be backed by private corporations such as Verizon, Google, PayPal, Symantec and AT&T (Hopkins, 2011). Users will then be able to use one login to sign in to many websites that implement this functionality and their personal details will be retrieved from a central location maintained by the government. This proposed policy has created controversy over its effect on issues of privacy and anonymity on the web (Hopkins, 2011; McCullagh, 2011). The security of data is also crucial, as the personal information of all the participating citizens could be subject to a hacking attack. A similar attempt has been made by China with its China Wide Web, a country-wide intranet that is closed to outsiders (Macavinta & Wingfield, 1997).
Another Cybercrime-related effort of governments across the world is the shutting down of websites that link to or host copyrighted content using file sharing and peer-to-peer technologies. The most popular website that was involved in such a case is The Pirate Bay, a site that lets its users share files using the popular torrent technology. Legal activity against such sites is usually initiated by the music and movie industry and their methodology varies. In the Pirate Bay’s case, the music industry moved against the owners of the site that are Swedish citizens. After a lengthy legal process in the Swedish courts, the website is still in operation and its owners although losing the first trials they are currently appealing an unfavourable for them court decision. But besides the outcome of that particular case, it is still unclear if the music industry will reap any benefits over the possible closure of the website or by imposing significant fines to its founders. Right after the move against the Pirate Bay many other new file sharing sites came to existence, while the view of many site users towards the music industry became quite negative. Similar actions against torrent websites are going on across the world coming either by private firms or by governments, prompted by representatives from the music and movie industry.
Beyond the tactic of targeting the owners of popular file sharing site, a recent trend is the creation of private law firms that represent copyright owners and go after Internet Service Providers (ISPs) and individual users, trying to make them stop sharing files or face significant fines. By sending mass lawsuits the copyright holders are trying to obtain the personal details of Torrent users who allegedly shared their material online. Once this information is handed over, they then offer the defendant the opportunity to settle the case for a few hundred dollars, thereby avoiding a full trial. This policy has been characterised as remarkable and unprecedented, as the business model behind this practice is to make money simply by threatening people to “pay up or else” (TorrentFreak, 2011). Significant controversy has been raised over this issue and courts in the UK have questioned the way such firms operate, as in the case of ACS Law. There have been many incidents where innocent individuals have been targeted and been sent warning letters, in essence putting them in defence where they have to prove their innocence and not the other way around (TorrentFreak, 2011). As in the case of the Pirate Bay and besides the fact that people might share copyrighted material in an illegal way or not, it is worth noting the effect that such acts have on the psychology of individuals. How people’s online behaviour is affected and whether they choose to conform or protest is a matter that has to be further studied and investigated.
Until recently, it was understood that when an organisation of government body wanted to take action against a website that used to facilitate illegal activity, they moved legally against the owner(s) of the website, its ISP or its users. Recently, the United States homeland security, in an unprecedented move, took back ownership of many .com domain names that were used to host sites that facilitated illegal activity. Domain names ending in .com are regulated by the US-based Internet Corporation for Assigned Names and Numbers (ICANN) organisation. In November 2010 the U.S. Immigration and Customs Enforcement (ICE) seized 82 website domains involved in selling counterfeit goods as part of Cyber Monday crackdown operation (U.S. Immigration and Customs Enforcement, 2010), and made the following announcement on their website:
“As of today – what is known as ‘Cyber Monday’ and billed as the busiest online shopping day of the year – anyone attempting to access one of these websites using its domain name will no longer be able to make a purchase. Instead, these online shoppers will find a banner notifying them that the website’s domain name has been seized by federal authorities (U.S. Immigration and Customs Enforcement, 2010).”
This action created uproar in the file sharing community (TorrentFreak, 2010) and lead to various reactions from users and site owners. Many file sharing websites simply changed their domain name from one that ends in .com to others that end in .me, .tv and .info that are regulated by other countries in order to avoid having their website seized by the US government. Some website owners that had their site seized, started a legal process against that action. The question still remains on how effective such aggressive measures are and what is their effect on the behaviour of individuals.
According to a 2007 study commissioned by security software makers AVG of more than 1,400 regular Internet users, Cybertheft is the UK’s most feared crime, outranking burglary, assault and robbery (Ashford, 2007). The study found that 87% of the participants were worried about the threat of Cybertheft, 33% were not convinced they had adequate measures in place to protect themselves, while 25% said there was not enough information available on Cybertheft to protect themselves effectively. That leaves a significant percentage of people (62%) that although can find enough information to protect themselves, they are still inherently worried about the threat of Cybertheft. Furedi (2002) and others have portrayed the general culture of fear as a type of psychological fear of fear (Phobophobia), which can lead to stress, intense anxiety and unrealistic and persistent public fear of crime and danger, regardless of the actual presence of such fear factors. Garland (2002) describes this phenomenon as the crime complex, a societal state where public anxiety about crime is the norm and has been imprinted in people’s everyday lives as an established and expected societal aspect.
News reporting by the mainstream media has a tendency to feed the sensation seeking public with shocking information, while also feeding off it. Baudrillard (1994, p. 34) describes this as a “dizzying whirl of reality”, the continuous desire for sensationalism that blurs reality with rhetoric; reality being ‘what is actually happening’ and rhetoric being ‘what could happen’. To this extend, relatively insignificant events can sparkle significant reactions and have a considerable impact upon public perception, even more so when they trigger panics and moral panics (Garland, 2008). Such irrational social inferences are documented in the field of Social Psychology as the base-rate fallacy or base-rate neglect. “Base-rate information is general information, usually factual and statistical, about an entire class of events” (Hogg & Vaughan, 2008, p. 69). In the case of media reporting on Cybercrime or Cyberterrorism, individual reported incidents tend to be perceived as a stereotypical representation of the current status quo in Cyberspace and are not taken within the context and scope that they occurred.
In a 2003 survey (PewInternet, 2003) 49% of US citizens said that they were afraid of Cyberassaults on key parts of the US economy. Lack of control over a situation that is perceived as threatening or dangerous gives rise to feelings of emotional distress, fear and insecurity. Such strong emotions can inhibit flexible thinking and lead to irrational behaviour (Sutherland, 2007, p. 89) or other equally strong reactions. The effects of Cybercrime and Cyberterrorism related discourse and the induced fear in the public can be seen by acts such as the need more laws to protect them against illegal cyber activity and the giving away of their own privacy in exchange for better security. In a 2001 survey of United States citizens (PewInternet, 2001), such trends were identified. 62% of the respondents said that new laws need to be written just for the Internet to protect their email and online activities, and 57% approved the Federal Bureau of Investigation (FBI) to intercept email over the Internet to and from people suspected of criminal activities. At the same time 62% of the citizens surveyed said that they trust their government to do what is right only some of the time. When asked how much, if at all, have they heard about an existing computer system known as Carnivore, which allows the FBI to intercept email messages sent or received by people suspected of criminal activities, 77% said that they knew nothing at all.
Cybercrime and Cyberterrorism are two issues that are likely to continue to exist for many years to come and they surely must be dealt with. But this process needs to be done in a way that will ensure the growth of the Internet in an inclusive and open way, maintaining the fundamental principles that it has been built upon. One of the principal issues is the disambiguation of the terms Cybercrime and Cyberterrorism. Government bodies, policy networks, scholars, the media and the people need to engage in a global conversation that will help demythologise Cybercrime and define what constitutes a Cybercrime and how Cybercriminals should be dealt with. Cyberterrorism should be decoupled from Cybercrime and be specified in realistic terms, as to what are the probable threats of a Cyberterrorist act and to what extend society should go to face such effects. After these two terms have been clearly and unambiguously defined, people will be much better equipped to receive and comprehend related news and policies, and will be able to engage in a meaningful discourse over the subject. This will help alleviate unwarranted fears while at the same time enable individuals to make informed decisions when considering a new proposed policy by weighing its pros versus the cons and its effects on multiple levels, long and short term , instead of giving-in to fear and forfeiting their privacy and online freedom for better security.
The role of the media (television, blogs, online news outlets and more) is critical in the process of educating the public and engaging in a conversation, as they will be the mediators and curators of information and discourse on the issue. Thus, a concise and sensible approach, devoid of fear-mongering and shock practices, should be followed. Since this is an international issue, governments and policy networks across the world have to come together and discuss openly on what is better for their citizens. Scholars and academics can provide valuable expertise on technological, psychological, ethical and other issues, while highlighting any misgivings by those involved in the process. The people in their local communities, families and social networks should help and train each other to increase their peers’ level of Internet literacy and highlight the advantages of the web. A higher Internet literacy level can help people protect themselves even better by taking simple security measures, such as using anti-virus software and identifying potential risks or scams in their online financial transactions.
It is clear that the accelerating growth of the cyber landscape presents both significant opportunities and critical challenges. On the one hand, online technologies present many benefits such as global and fast access to information, entertainment, education and more. On the other hand, the technological developments that produce these benefits also present risks. As people go online they may also be exposed to sources that are inappropriate, or subjected to contact with individuals who may want to cause them harm. The same websites, applications and games that Internet users access for professional or personal reasons may also contain or lead to exploitative advertisements, offensive language, sexually explicit material, violent or illegal content, scams, bullying, or even child predators.
Furthermore, as the Internet is an open and participatory medium by its definition, people create, author and share their own content by joining conversations on forums, writing their thoughts on blogs and sharing photos or videos on social networking websites. Thus, the privacy of their information can be put at risk if Internet users do not take appropriate measures. Although most members of society are aware of the Internet as a platform and understand its huge potential, others are confused on how to reap its benefits or how it can be useful to them, leaving them disconnected and without a voice in the digital revolution that is taking place. Some even view this new open and inter-connected medium as a threat to their way of life and would like a much more restricted and closed version of it. The challenge for the society of the 21st century is to take advantage of these opportunities, while at the same time protect itself from the risks inherent in use of web and its many applications.
- Ashford, W. (2007, October 29). Cybercrime is biggest UK fear. Computer Weekly. Retrieved from: http://www.computerweekly.com/
- Baranetsky, V. (2009, November 6). What is cyberterrorism? Even experts can’t agree. Harvard Law Record. Retrieved from: http://www.hlrecord.org/news/what-is-cyberterrorism-even-experts-can-t-agree-1.861186
- Baudrillard, J. (1994). Simulacra and Simulation. Ann Arbor: University of Michigan Press.
- Cyberterrorism, Testimony before the Special Oversight Panel on Terrorism Committee on Armed Services U.S. House of Representatives (2000) (testimony of Denning, D. E.).
- Department of Homeland Security. (2010). National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy. Retrieved from http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
- Furedi, F. (2002). Culture of Fear. London: Continuum.
- Garland, D. (2002). The Culture of Control. Oxford: Oxford University Press.
- Garland, D. (2008). On the concept of moral panic. Crime, Media, Culture, 4(1), 9–30.
- Hogg, M. A., & Vaughan, G. M. (2008). Social Psychology. (5th ed.). England: Pearson Education Limited.
- Hopkins, C. (2011, January 10). Obama’s Internet Plan Sounds an Awful Lot Like a National Internet ID. ReadWriteWeb. Retrieved from: http://www.readwriteweb.com/
- Macavinta, C. & Wingfield, N. (1997, January 15). China’s national intranet. CNET. Retrieved from: http://news.cnet.com/
- McCullagh, D. (2011, January 7). Obama to hand Commerce Dept. authority over cybersecurity ID. CNET. Retrieved from: http://news.cnet.com/
- PewInternet. (2001, April 2). Fear of Online Crime. PewInternet. Retrieved from: http://www.pewinternet.org/Reports/2001/Fear-of-Online-Crime.aspx
- PewInternet. (2003, August 31). The Internet and Emergency Preparedness. PewInternet. Retrieved from: http://www.pewinternet.org/Reports/2003/The-Internet-and-Emergency-Preparedness.aspx
- Sutherland, S. (2007). Irrationality. Great Britain: Pinter & Martin Ltd.
- Taipale, K. A. (2010). Cyber-Deterrence. In E. Gelbstein & P. C. Reich (Eds.), Law, Policy and Technology: Cyberterorrism, Information Warfare, Digital and Internet Immobilization. Information Science Publishing.
- The Lipman Report. (2010, October 15). Threats to the Information Highway: CyberWarfare, Cyber Terrorism and Cyber Crime. The Lipman Report. Retrieved from: http://www.guardsmark.com/library/computer_security.asp?nav=4&subnav=1
- TorrentFreak. (2010). U.S. Government Seizes BitTorrent Search Engine Domain and More. TorrentFreak. Retrieved from http://torrentfreak.com/
- TorrentFreak. (2011). US Case Against Hundreds of BitTorrent File-Sharers Dismissed. TorrentFreak. Retrieved from http://torrentfreak.com/
- U.S. Immigration and Customs Enforcement. (2010, November 29). ICE seizes 82 website domains involved in selling counterfeit goods as part of Cyber Monday crackdown. U.S. Immigration and Customs Enforcement. Retrieved from: http://www.ice.gov/news/releases/1011/101129washington.htm
- Wall, D. S. (2008). Cybercrime and the Culture of Fear: Social Science Fiction (s) and the Production of Knowledge about Cybercrime. Information, Communication & Society, 11(6), 861–884.
- War on Terrorism, Testimony Before the Select Committee on Intelligence of the United States Senate (2003) (testimony of Robert S. Mueller, III, Director, FBI).