Botnets, Cybercrime, and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress

^Pr^ep^ar^{ed f}^o^r^M^e^m^b^ers^an^d^Com^mⁱ^t^t^ees^of^C^ong^r^e^ss

Cybercrime is becoming more organized and established as a transnational business. High
technology online skills are now available for rent to a variety of customers, possibly including
nation states, or individuals and groups that could secretly represent terrorist groups. The
increased use of automated attack tools by cybercriminals has overwhelmed some current
methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical
infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks
to extort money, or damage the U.S. economy to affect national security.
In April and May 2007, NATO and the United States sent computer security experts to Estonia to
help that nation recover from cyberattacks directed against government computer systems, and to
analyze the methods used and determine the source of the attacks. (See Larry Greenemeier,
“Estonian Attacks Raise Concern Over Cyber ‘Nuclear Winter,’” Information Week, May 24,
2007, at http://www.informationweek.com/news/showArticle.jhtml?articleID=199701774.) Some
security experts suspect that political protestors may have rented the services of cybercriminals,
possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems
of the Estonian government. DOD officials have also indicated that similar cyberattacks from
individuals and countries targeting economic, political, and military organizations may increase in
the future. (See Jeanne Meserve, “Official: International Hackers Going After U.S. Networks,”
CNN.com, October 19, 2007, http://www.cnn.com/2007/US/10/19/cyber.threats/index.html. and
Sebastian Sprenger, “Maj. Gen. Lord Is a Groundbreaker,” Federal Computer Week, October 15,

2007, vol. 21, no. 34, p. 44.)

Cybercriminals have reportedly made alliances with drug traffickers in Afghanistan, the Middle
East, and elsewhere where profitable illegal activities are used to support terrorist groups. In
addition, designs for cybercrime botnets are becoming more sophisticated, and future botnet
architectures may be more resistant to computer security countermeasures. (See Tom Espiner,
“Security Expert: Storm Botnet ‘Services’ Could Be Sold,” CnetNews.com, October 16, 2007,
http://www.news.com/Security-e xpert-Storm-botnet-services-c ould-be -s old/2100-7349_3-

6213781.html.)

This report discusses options now open to nation states, extremists, or terrorist groups for
obtaining malicious technical services from cybercriminals to meet political or military
objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical
infrastructure. This report will be updated as events warrant.

Introduc tion ..................................................................................................................................... 1
Backgr ound ..................................................................................................................................... 2
Three Basic Methods for Disrupting Computer Systems..........................................................2
Cyberattack, Cybercrime, and Cyberterrorism.........................................................................3
Definitions for Cyberterrorism..................................................................................................3
Definitions for Cybercrime.......................................................................................................3
Botnet s ........................................................................................................................ .............. 4
Estonia, 2007.............................................................................................................................6
Other Trends in Cybercrime Methods.......................................................................................7
Malicious Code Hosted on Websites...................................................................................8
Identity Theft......................................................................................................................9
Cyber Espionage...............................................................................................................10
Terrorism Linked to Cybercrime.............................................................................................13
Terrorist Groups Linked to Hackers..................................................................................15
Terrorist Capabilities for Cyberattack.....................................................................................15
Possible Effects of a Coordinated Cyberattack.......................................................................16
SCADA Vulnerabilities.....................................................................................................18
Unpredictable Interactions Between Infrastructures.........................................................19
Civilian Technology that Supports DOD..........................................................................20
Why Cyberattacks Are Successful..........................................................................................20
The Insider Threat.............................................................................................................21
Persistence of Computer System Vulnerabilities..............................................................21
Errors in New Software Products.....................................................................................21
Inadequate Resources........................................................................................................22
Future Attractiveness of Critical Infrastructure Systems........................................................23
Measuring Cybercrime............................................................................................................23
Problems Tracing Cybercrime.................................................................................................25
Organized Cybercrime............................................................................................................25
Federal Efforts to Protect Computers......................................................................................26
International Convention on Cybercrime................................................................................27
The Need to Improve Cybersecurity.......................................................................................28
Issues for Congress........................................................................................................................29
Growth in Technical Capabilities of Terrorists........................................................................29
Better Measurement of Cybercrime Trends............................................................................30
DOD and Cyberattack Response.............................................................................................30
Incentives for the National Strategy to Secure Cyberspace....................................................31
Improving Security of Commercial Software.........................................................................32
Education and Awareness of Cyberthreats..............................................................................32
Coordination Between Private Sector and Government..........................................................32
Legislative Activity.......................................................................................................................33
Figure 1. Diagram of Purported Echelon Spy System....................................................................11

Author Contact Information..........................................................................................................34

The U.S. military is supported partly by civilian high technology services and products, most ¹
often in the form of communications systems and computer software. In future conflicts that
involve cyberwarfare between nations, the distinction between U.S. military and civilian targets
may be blurred and civilian computer systems may increasingly be seen as viable targets ²
vulnerable to attack by adversaries.
Computer networking technology has also blurred the boundaries between cyberwarfare,
cybercrime, and cyberterrorism. Officials in government and industry now say that cybercrime
and cyberattack services available for hire from criminal organizations are a growing threat to ³
national security as well as to the U.S. economy. New and sophisticated cybercrime tools could
operate to allow a nation state or terrorist group to remain unidentified while they direct ⁴
cyberattacks through the Internet. Many experts point out that past incidents of conventional
terrorism have already been linked with cybercrime, and that computer vulnerabilities may make ⁵
government and civilian critical infrastructure systems seem attractive as targets for cyberattack.
Some experts argue that the government of Estonia may have already experienced this type of
cyberattack directed against their systems and websites in April, 2007.
This report explores the possible connections between cybercriminals and terrorist groups that
want to damage the U.S. economy or national security interests. The report also examines the
effects of a coordinated cyberattack against the U.S. critical infrastructure, including use of
cybercrime tools that could possibly take advantage of openly-publicized cyber vulnerabilities.
Trends in cybercrime are described, showing how malicious Internet websites, and other
cybercrimes such as identity theft are linked to conventional terrorist activity.
Congress may wish to explore the possible effects on the U.S. economy and on the U.S. military
that could result from a coordinated attack against civilian and military computers and
communications systems, whether due to cybercrime or cyberterrorism. Congress may also wish
to explore the difficulties associated with establishing doctrine for selecting an appropriate
military or law enforcement response after such an attack.

¹^D^a^{n K}^u^e^h^l,^pr^of^e^s^s^o^r^a^t^the^N^a^tiona^{l D}^e^f^e^ns^e^Uⁿ^iv^e^r^sⁱ^t^y^Sc^hool^o^f^Iⁿ^f^o^r^m^a^{tion W}^a^r^f^a^r^e^a^{nd Str}^a^te^gy^{, ha}^s^poin^t^e^d^out
^tha^t^a^hig^h^pe^rc^eⁿ^ta^g^e^of^{U.S. m}^ilita^ry^m^e^ss^a^g^e^s^f^l^o^w^th^roug^{h c}^o^m^m^e^rc^ia^{l c}^o^m^m^unic^a^tions^c^h^aⁿ^ne^{ls, a}^nd^{this re}^lia^nc^e
^c^r^e^a^t^e^s^a^v^u^lne^r^a^b^ility^during^c^oⁿ^f^lic^{t. Eric}^Na^e^f^{, “}^W^aⁿ^ja^,”^Iⁿ^foc^oⁿ^M^agazⁱⁿ^e^{, Oc}^to^be^{r 2}⁰⁰³^,^http^://^www^.i^wa^r.org^.^uk^/
^inf^o^c^on/^io-^k^ue^hl.^h^tm^.
²^Se^ba^s^tia^{n S}^p^r^e^ng^e^r^{, “}^M^a^j^{. G}^e^n.^L^o^r^d^I^s^a^G^r^ound^br^e^a^k^e^r^,”^Fe^de^r^a^{l C}^o^m^pute^r^W^e^e^k^{, O}^c^tobe^{r 1}⁵^,²⁰⁰⁷^{, v}^o^l.²¹^,^no.
^{34, p. 44}^.
³^J^a^m^e^s^L^e^wⁱ^s^,^te^s^tⁱ^m^ony^bef^o^r^e^the^H^ous^e^C^o^m^m^itte^e^{on H}^o^m^e^laⁿ^d^Se^c^u^r^ity^{, Su}^bc^om^m^itte^e^{on Em}^e^r^gⁱ^ng^T^h^r^e^a^t^s^,
^C^y^be^r^s^e^c^u^rⁱ^t^y^{, a}^{nd Sc}^ie^nc^e^aⁿ^d^T^e^c^hnol^og^y^,^A^p^r^{il 15,}²⁰⁰⁷^.
⁴^Tⁱ^m^G^r^een^e,^“S^t^o^rm^W^o^r^m^S^t^ri^{kes Back at}^S^ecu^ri^t^y^P^r^o^s^,^”^Net^w^o^r^kW^o^r^l^d^.^c^o^m^,^Oct^o^b^e^{r 2}⁴^,²⁰⁰⁷^,^at
^http:^//w^w^w^.ne^t^w^o^r^k^w^o^r^l^d.c^o^m^/^ne^w^s^/²⁰⁰^7/¹⁰²⁴⁰^7-^s^t^or^m^-^w^o^r^m^-
^s^e^c^u^r^ity^.ht^m^l?^nlhts^e^c⁼^1022s^e^c^u^rⁱ^ty^a^l^e^r^t4&^&ⁿ^la^dna^m^e⁼¹⁰²⁵^07s^e^c^ur^ity^a^l^.
⁵^Bri^aⁿ^Kreb^s,^“T^h^r^{ee W}^o^rked^t^h^e^W^e^b^t^o^Hel^p^T^e^rro^ri^st^s,^”^T^h^{e Wash}ⁱⁿ^gt^on^Po^st^{, J}^u^ly^6,²⁰^07,^p.^D⁰^{1. W}^a^ls^h,
^T^e^rro^{rism o}ⁿ^t^h^{e Ch}^e^a^p^.^Rollie^L^a^{l, “}^T^e^{rrorists a}^{nd Org}^a^niz^e^d^Cri^m^e^{Join F}^o^rc^e^s^,”^Iⁿ^te^r^nat^io^{nal H}^e^r^a^{ld Tr}ⁱ^b^uⁿ^e^{, Ma}^y
^{25, 20}⁰⁵^,^a^t^http^://w^ww^.iht.c^om^/^a^rtic^le^s/200^5/^05/^23/^opⁱⁿⁱ^on/^e^d^la^l.p^{hp. Ba}^r^b^a^r^a^P^o^rte^r^,^“^F^or^um^Lⁱ^nk^s^Org^a^niz^e^d^Crim^e
^an^d^T^e^rro^rism^,”^By^G^e^or^ge!^{, sum}^m^e^{r 200}^{4, a}^t^htt^p^://w^ww^2.gw^u.e^du/^~by^g^e^o^rg^e^/⁰⁶⁰⁸^04/^c^r^im^e^t^e^rroris^m^.htm^l.

It is clear that terrorist groups are using computers and the Internet to further goals associated
with spreading terrorism. This can be seen in the way that extremists are creating and using
numerous Internet websites for recruitment and fund raising activities, and for Jihad training
purposes. Several criminals who have recently been convicted of cybercrimes used their technical
skills to acquire stolen credit card information in order to finance other conventional terrorist ⁶
activities. It is possible that as criminals and terrorist groups explore more ways to work
together, a new type of threat may emerge where extremists gain access to the powerful network
tools now used by cybercriminals to steal personal information, or to disrupt computer systems
that support services through the Internet.
There are several effective methods for disrupting computer systems. This report focuses on the
method known as cyberattack, or computer network attack (CNA), which uses malicious
computer code to disrupt computer processing, or steal data. A brief description of three different
methods are shown here. However, as technology changes, future distinctions between these
methods may begin to blur.
An attack against computers may (1) disrupt equipment and hardware reliability, (2) change ⁷
processing logic, or (3) steal or corrupt data. The methods discussed here are chosen based on
the technology asset against which each attack mode is directed, and the effects each method can
produce. The assets affected or effects produced can sometimes overlap for different attack
methods.
• Conventional kinetic weapons can be directed against computer equipment, a
computer facility, or transmission lines to create a physical attack that disrupts
the reliability of equipment.
• The power of electromagnetic energy, most commonly in the form of an
electromagnetic pulse (EMP), can be used to create an electronic attack (EA)
directed against computer equipment or data transmissions. By overheating
circuitry or jamming communications, EA disrupts the reliability of equipment ⁸
and the integrity of data.
• Malicious code can be used to create a cyberattack, or computer network attack
(CNA), directed against computer processing code, instruction logic, or data. The
code can generate a stream of malicious network packets that can disrupt data or
logic through exploiting a vulnerability in computer software, or a weakness in
the computer security practices of an organization. This type of cyberattack can

⁶^G^r^e^g^o^r^y^Crab^b^,^“U.^S^.^P^o^st^al^S^e^rvi^ce^G^l^o^b^a^l^In^vestⁱ^g^atⁱ^oⁿ^s^,^”^and^Yu^val^Ben^-It^zh^ak,^“CT^O^Fⁱⁿ^j^an^,^”^P^r^esen^t^a^tⁱ^o^{n at}^t^h^e
^G^a^r^t^ne^r^I^T^Se^c^u^r^ity^Su^m^m^{it 200}⁷^,^W^a^s^h^ing^t^on,^D^C^{, J}^u^ne^4,²⁰⁰⁷^.
⁷^A^ll^m^e^thods^of^c^o^m^pute^r^a^tta^c^k^are^w^{ithin the}^c^u^rre^{nt c}^a^p^a^b^il^itie^s^of^s^e^ve^ra^{l na}^tions^.^Se^e^{CRS Re}^p^o^r^{t RL}³¹⁷^87,
^Informat^io^{n Ope}^r^at^io^{ns a}^{nd Cy}^be^rwar^{: Cap}^abi^litie^{s a}ⁿ^d^Re^late^{d P}^o^lic^y^Issue^s^{, by}^C^l^ay^W^ils^on.
⁸^For^m^o^r^e^on^e^l^e^c^t^r^o^m^a^gⁿ^e^tic^w^e^a^pons^,^s^e^e^C^R^S^R^e^por^t^R^L³²⁵^44,^Hⁱ^gh^Altit^ude^E^l^e^c^t^r^o^m^a^gⁿ^e^tic^P^u^ls^e⁽^H^EM^{P) and}
^Hi^g^h^P^o^{wer Mi}^cro^w^a^{ve (}^H^P^M⁾^Devi^{ces: T}^h^rea^t^A^ssessmen^t^s^{, by}^C^l^ay^W^ils^on.

disrupt the reliability of equipment, the integrity of data, and the confidentiality
of communications.
Labeling a “cyberattack” as “cybercrime” or “cyberterrorism” is problematic because of the
difficulty determining with certainty the identity, intent, or the political motivations of an ⁹
attacker. “Cybercrime” can be very broad in scope, and may sometimes involve more factors
than just a computer hack. “Cyberterrorism” is often equated with the use of malicious code.
However, a “cyberterrorism” event may also sometimes depend on the presence of other factors
beyond just a “cyberattack.”
Various definitions exist for the term “cyberterrorism”, just as various definitions exist for the ¹⁰
term “terrorism.” Security expert Dorothy Denning defines cyberterrorism as “... politically
motivated hacking operations intended to cause grave harm such as loss of life or severe ¹¹
economic damage.” The Federal Emergency Management Agency (FEMA) defines
cyberterrorism as “unlawful attacks and threats of attack against computers, networks, and the
information stored therein when done to intimidate or coerce a government or its people in ¹²
furtherance of political or social objectives.”
Others indicate that a physical attack that destroys computerized nodes for critical infrastructures,
such as the Internet, telecommunications, or the electric power grid, without ever touching a ¹³
keyboard, can also contribute to, or be labeled as cyberterrorism. Thus, it is possible that if a
computer facility were deliberately attacked for political purposes, all three methods described
above (physical attack, EA, and cyberattack) might contribute to, or be labeled as
“cyberterrori sm.”
Cybercrime is crime that is enabled by, or that targets computers. Some argue there is no agreed-
upon definition for “cybercrime” because “cyberspace” is just a new specific instrument used to
help commit crimes that are not new at all. Cybercrime can involve theft of intellectual property,

⁹^S^e^{rge Krasa}^vⁱⁿ^,^Wh^a^t^is^Cyb^e^rterro^rism?^Co^m^p^u^t^{er Cri}^m^{e Rese}^ar^ch^Cen^t^er,^A^p^ri^l²³^,²⁰⁰⁴^,^ht^t^p^:^/^/^www^.^c^ri^m^e^-
^research^.^o^rg/^aⁿ^a^l^y^tⁱ^c^s/^Krasaviⁿ^/^.
¹⁰^U^nde^r^{22 U}^S^C^,^Se^c^tioⁿ²⁶^56,^“^t^e^r^r^o^rⁱ^s^m^”^is^de^fⁱ^ne^{d a}^s^pr^em^e^d^ita^{ted, p}^o^lit^ic^a^lly^m^o^tiv^a^t^e^d^vⁱ^oleⁿ^c^e^pe^r^p^e^t^r^a^te^d
^a^g^aⁱ^ns^{t nonc}^om^ba^ta^{nt ta}^r^g^e^t^s^by^s^ub^na^tio^na^{l g}^r^ou^ps^or^c^l^a^nde^s^tⁱⁿ^e^a^g^eⁿ^ts^{, us}^ua^lly^inte^nde^d^to^inf^l^ue^nc^e^aⁿ^a^udieⁿ^c^e^.
^T^h^e^Uⁿ^ite^{d Sta}^t^e^s^ha^s^e^m^ploy^e^d^this^de^fⁱ^niti^on^of^te^r^r^o^rⁱ^s^m^f^o^r^s^t^a^tis^tic^a^l^a^{nd a}ⁿ^a^l^y^tic^a^l^pur^p^o^s^e^s^sⁱ^nc^e¹⁹⁸^{3. U}^.^S.
^D^e^pa^r^t^m^e^{nt of}^Sta^t^e^,²⁰⁰²^,^P^a^tterⁿ^{s o}^f^Gl^o^b^a^l^T^e^rro^rism,²⁰⁰³^{, htt}^p^://w^ww^.st^a^te^.g^ov^/^s^/c^t/rls/pg^t^rpt/²⁰⁰^1/^htm^l^/
¹⁰²²⁰^.htm^.
¹¹^Dorot^h^y^De^nning^{, “}^A^c^tiv^is^m^,^H^a^c^tiv^is^m^,^a^{nd Cy}^be^rte^rroris^m^{: T}^h^e^Inte^rne^t^a^s^a^to^{ol f}^o^{r I}ⁿ^f^l^ue^nc^ing^Fore^igⁿ^Polic^y^,^”
^{in J}^o^{hn A}^r^qui^lla^aⁿ^d^D^a^vⁱ^{d R}^o^nf^{eldt, e}^d^s^.,^N^e^t^w^o^r^{ks an}^{d N}^e^t^w^a^r^s^{, (}^R^a^{nd 2}⁰⁰¹⁾^,^p.²⁴^{1. D}^o^r^o^t^h^y^D^e^nning^,^{Is Cyb}^e^r
^Wa^{r Next}^?^Socⁱ^a^l^Sc^ie^nc^e^Re^s^e^a^r^c^h^Couⁿ^c^{il, N}^o^v^e^m^b^e^r^2001,^a^t^ht^tp://w^w^w^.s^s^r^c^.^org^/^s^e^pt11/^e^s^s^a^y^s^/deⁿⁿⁱ^ng^.htm^.
¹²^htt^p^://w^ww^.^f^e^m^a^.^g^o^v^/^pdf^/onp^/^t^oolk^it_a^p^p_^d.p^d^f^.
¹³^D^a^{n Ve}^r^t^on^{, “}^A^D^e^fⁱ^nition^of^C^y^be^r^-^t^e^r^r^o^rⁱ^s^m^”^,^Co^mp^u^t^erwo^rld^{, A}^u^g^u^st^{11, 20}^03,^htt^p^://w^ww^.c^o^m^pute^r^w^o^rld.c^o^m^/
^s^e^c^u^r^ity^topic^s^/s^e^c^u^rⁱ^t^y^/^s^tor^y^/⁰^,¹⁰⁸⁰¹^,8³⁸^43,⁰⁰^.htm^l.

a violation of patent, trade secret, or copyright laws. However, cybercrime also includes attacks
against computers to deliberately disrupt processing, or may include espionage to make
unauthorized copies of classified data. If a terrorist group were to launch a cyberattack to cause
harm, such an act also fits within the definition of a cybercrime. The primary difference between
a cyberattack to commit a crime or to commit terror is found in the intent of the attacker, and it is
possible for actions under both labels to overlap.
Botnets are becoming a major tool for cybercrime, partly because they can be designed to very
effectively disrupt targeted computer systems in different ways, and because a malicious user,
without possessing strong technical skills, can initiate these disruptive effects in cyberspace by ¹⁴
simply renting botnet services from a cybercriminal. Botnets, or “Bot Networks,” are made up
of vast numbers of compromised computers that have been infected with malicious code, and can
be remotely-controlled through commands sent via the Internet. Hundreds or thousands of these
infected computers can operate in concert to disrupt or block Internet traffic for targeted victims,
harvest information, or to distribute spam, viruses, or other malicious code. Botnets have been
described as the “Swiss Army knives of the underground economy” because they are so versatile.
Botnet designers, or “botmasters”, can reportedly make large sums of money by marketing their
technical services. For example, Jeanson Ancheta, a 21-year-old hacker and member of a group
called the “Botmaster Underground”, reportedly made more than $100,000 from different Internet
Advertising companies who paid him to download specially-designed malicious adware code
onto more than 400,000 vulnerable PCs he had secretly infected and taken over. He also made
tens of thousands more dollars renting his 400,000-unit “botnet herd” to other companies that
used them to send out spam, viruses, and other malicious code on the Internet. In 2006, Ancheta ¹⁵
was sentenced to five years in prison.
Botnet code was originally distributed as infected email attachments, but as users have grown
more cautious, cybercriminals have turned to other methods. When users click to view a spam
message, botnet code can be secretly installed on the users’ PC. A website may be unknowingly
infected with malicious code in the form of an ordinary-looking advertisement banner, or may
include a link to an infected website. Clicking on any of these may install botnet code. Or, botnet
code can be silently uploaded, even if the user takes no action while viewing the website, merely
through some un-patched vulnerability that may exist in the browser. Firewalls and antivirus
software do not necessarily inspect all data that is downloaded through browsers. Some bot
software can even disable antivirus security before infecting the PC. Once a PC has been infected,
the malicious software establishes a secret communications link to a remote “botmaster” in
preparation to receive new commands to attack a specific target. Meanwhile, the malicious code
may also automatically probe the infected PC for personal data, or may log keystrokes, and
transmit the information to the botmaster.
The Shadowserver Foundation is an organization that monitors the number of command and
control servers on the Internet, which indicates the number of bot networks that are being

¹⁴^Je^a^nne^Me^se^rv^e^,^“^O^ff^ic^ia^{l: Inte}^rna^tiona^{l Ha}^c^k^e^r^{s G}^o^ing^Af^te^{r U.S. Ne}^tw^orks,”^CNN.c^o^m^,^Oc^tobe^{r 1}⁹^{, 2}⁰⁰⁷^,
^http:^//w^w^w^.c^nn.c^o^m^/²⁰⁰^7/^U^S^/10/^19/^cy^be^r^.^thr^e^a^t^s^/inde^x^.^htm^l^{. Se}^ba^s^tia^{n Spr}^e^ng^e^r^{, “}^M^a^j^{. G}^e^{n. L}^o^r^d^I^s^a
^G^r^oundbr^e^a^k^e^r^,”^Fe^de^r^a^{l C}^o^m^put^e^r^W^e^ek^{, O}^c^tobe^{r 1}⁵^,²⁰^07,^v^o^l.²¹^{, n}^o^.³⁴^{, p}^.⁴⁴^.
¹⁵^{Bob Ke}^e^f^e^,^“^P^{C Se}^c^u^r^ity^{Still M}^o^re^of^a^Wⁱ^{sh tha}ⁿ^a^Prom^ise^,^”^The^Atlan^t^{a J}^ourⁿ^a^l^,^Fe^br^ua^r^y^{3, 20}^07,^p.^1A^.

controlled online at a given time. From November 2006 through May 2007, approximately 1,400
command and control servers were found to be active on the Internet. The number of individual
infected drones that are controlled by these 1,400 servers reportedly grew from half a million to
more than 3 million from March to May 2007. Symantec, another security organization, reported ¹⁶
that it detected 6 million bot-infected computers in the second half of 2006.
Some botnet owners reportedly rent their huge networks for US$200 to $300 an hour, and botnets ¹⁷
are becoming the weapon of choice for fraud and extortion. Newer methods are evolving for
distributing “bot” software that may make it even more difficult in the future for law enforcement
to identify and locate the originating “botmaster.” Some studies show that authors of software for
botnets are increasingly using modern, open-source techniques for software development,
including the collaboration of multiple authors for the initial design, new releases to fix bugs in
the malicious code, and development of software modules that make portions of the code reusable
for newer versions of malicious software designed for different purposes. This increase in
collaboration among hackers mirrors the professional code development techniques now used to
create commercial software products, and is expected to make future botnets even more robust
and reliable. This, in turn, is expected to help increase the demand for malware services in future ¹⁸
years.
Traditionally, botnets organize themselves in an hierarchical manner, with a central command and
control location (sometimes dynamic) for the botmaster. This central command location is useful
to security professionals because it offers a possible central point of failure for the botnet.
However, in the near future, security experts believe that attackers may use new botnet
architectures that are more sophisticated, and more difficult to detect and trace. One class of ¹⁹
botnet architecture that is beginning to emerge uses peer-to-peer protocol, which, because of its
decentralized control design, is expected to be more resistant to strategies for countering its ²⁰
disruptive effects. For example, some experts reportedly argue that a well-designed peer-to-peer
botnet may be nearly impossible to shut down as a whole because it may provide anonymity to ²¹
the controller, who can appear as just another node in the bot network.

¹⁶^Julie^Bort^{, “}^A^tta^c^k^of^the^Kille^{r Bots,”}^Netwo^r^{k W}^o^rld^,^J^u^{l 2/}^{9, 20}^{07, p. 29}^.
¹⁷^S^u^san^M^acL^ean^,^“Rep^o^r^t^w^a^rn^{s o}^f^Organⁱ^zed^C^y^b^e^{r Cri}^m^e,^”^I^t^W^o^r^l^dC^an^ad^a^{, A}^u^g^u^s^t²⁶^,²⁰⁰⁵^,
^http:^//w^w^w^.itw^or^ldc^aⁿ^a^d^a^.^c^o^m^/^a^/^I^T^-^F^oc^us^/39c⁷⁸^a^a⁴^-^d^f^47-⁴²^31-^a⁰^83-^dd^d1a^b⁸⁹^85f^b.h^t^m^l^.
¹⁸^Mc^Af^e^e^Vⁱ^rtua^{l Crim}^inolog^y^Re^port:^Org^a^niz^e^d^Crim^e^a^{nd the}^Int^e^rne^t^{, De}^c^e^m^b^e^r²⁰⁰^6,^http^://w^ww^.sigm^a^.c^o^m^.pl/
^plik^i/^a^l^bum^s^/^us^e^r^pic^s^/¹⁰⁰⁰^7/^Vir^t^ua^l_C^r^im^inolog^y^_^R^e^por^t_²⁰⁰⁶^.p^df^.
¹⁹^Gⁿ^u^t^el^l^a^emerged^{as t}^h^{e f}ⁱ^rst^f^u^l^l^y^d^e^c^eⁿ^t^ralⁱ^zed^p^eer-t^o^-^p^eer^p^r^o^t^oco^lⁱⁿ²⁰⁰⁰^,^and^w^a^{s u}^s^ed^oⁿ^t^h^{e I}ⁿ^t^e^rn^et^t^o^sh^are
^a^{nd s}^w^a^p^m^u^sⁱ^c^f^ile^s^{in M}^P^{3 c}^o^m^p^r^e^s^sⁱ^{on f}^o^r^m^a^t^{. T}^h^e^m^u^sⁱ^c^indus^t^r^y^w^a^s^of^te^{n f}^r^us^tr^a^t^e^d^{in the}ⁱ^r^e^f^f^o^r^t^s^to^c^o^uⁿ^te^r
^t^hⁱ^s^p^eer-t^o-p^{eer t}^ech^no^l^o^gy^b^eca^u^s^{e i}^t^cou^l^dⁿ^o^tⁱ^d^en^tⁱ^f^y^a^maiⁿ^coⁿ^t^ro^l^lⁱⁿ^{g sou}^r^ce.^Sⁱⁿ^{ce t}^h^en^,^sever^a^l^o^t^h^e^r^p^eer-t^o^-
^pe^e^r^pr^ot^oc^ols^ha^v^e^be^eⁿ^de^v^e^lop^e^d.
²⁰^S^y^man^t^ec,^T^r^o^j^an^.^P^ea^c^o^{mm: B}^uⁱ^l^dⁱ^ng^a^P^eer-t^o^-^P^{eer B}^o^tⁿ^et^,²⁰⁰⁷^,^htt^p^://w^ww^.s^y^m^aⁿ^te^c^.^c^o^m^/^eⁿ^te^rprise^/
^s^e^c^u^r^ity^_r^e^s^pons^e^/^w^e^blog^/20^07/⁰¹^/^t^r^o^ja^np^eaco^mm^_build^ing^_^a^_^pe^e^r^t.htm^l^{. Ma}^tthe^w^Broe^rs^m^a^,^Pe^e^r^-to-Pe^e^r^Botⁿ^e^t^{s a}
^N^e^w^and^G^r^owⁱⁿ^{g T}^h^r^e^at^,^CSO^Oⁿ^line^,^A^p^ril¹⁷^{, 2}⁰⁰⁷^,^htt^p^://w^w^w^2.c^s^oonline^.^c^o^m^/^bl^og^_v^ie^w^.^ht^m^l^?^C^ID⁼³²⁸⁵^2.
^Ju^lⁱ^aⁿ^B.^G^rⁱ^zzard^et^.^al^.^,^P^eer-t^o^-^P^{eer B}^o^tⁿ^et^{s: Overvi}^{ew a}ⁿ^d^Ca^se^S^t^ud^y^{, 20}^07,^htt^p^://w^ww^.use^nix^.^org^/^e^v^eⁿ^ts/
^hot^bots^07/^te^c^h^/^f^ull_pa^pe^r^s^/g^rⁱ^z^z^a^r^d^/^g^rⁱ^z^z^a^r^d_htm^{l/. R}^e^inie^r^Sc^ho^of^a^{nd R}^a^l^{ph K}^oni^ng^,^Det^ectⁱⁿ^g^P^eer-t^o^-^P^eer^B^o^tⁿ^et^s^,
^Fe^br^ua^r^y^{4, 20}⁰⁷^{, h}^ttp:^//s^ta^f^f^.s^cⁱ^enc^e^.^uv^a^.^nl/^~^de^la^a^t/s^ne^-²⁰⁰⁶^-²⁰⁰⁷^/p1⁷^/^r^e^por^t.p^d^f^.
²¹^T^o^m^Es^pine^r^,^“^S^e^c^u^r^ity^Ex^pe^r^{t: Stor}^m^B^o^tne^t^‘^s^e^r^vⁱ^c^e^s^’^C^ould^B^e^Sol^d^,”^Cⁿ^e^t^N^e^w^s^.c^om^{, O}^c^tobe^r^{16, 2}⁰⁰⁷^,
^http:^//w^w^w^.ne^w^s^.^c^o^m^/^Se^c^u^r^ity^-^e^x^p^e^r^t-^Stor^m^-^botne^t-^s^e^r^v^ic^e^s^-^c^ould-^be^-^s^ol^d/²¹⁰^0-⁷³⁴⁹^_³^-⁶²¹³⁷⁸¹^.^h^tm^{l. R}^obe^r^t
^Le^m^o^s^,^{Bot s}^o^ftw^ar^e^look^s^t^o^im^p^r^ov^e^pe^e^r^age^,^T^h^e^Re^gⁱ^ste^r^{, Ma}^y^{4, 2}⁰⁰⁶^,^htt^p^://w^ww^.the^re^gⁱ^st^e^r^.c^o.uk^/²⁰⁰^6/^05/^04/
ⁿ^u^g^ach^e_^p2^p_^bo^tⁿ^et^/^.

In the Spring of 2007, government computer systems in Estonia experienced a sustained
cyberattack that has been labeled by various observers as cyberwarfare, or cyberterror, or
cybercrime. On April 27, officials in Estonia moved a Soviet-era war memorial commemorating
an unknown Russian who died fighting the Nazis. The move stirred emotions, and led to rioting
by ethnic Russians, and the blockading of the Estonian Embassy in Moscow. The event also
marked the beginning of a series of large and sustained Distributed Denial-Of-Service (DDOS)
attacks launched against several Estonian national websites, including government ministries and ²²
the prime minister’s Reform Party.
In the early days of the cyberattack, government websites that normally receive around 1,000
visits a day reportedly were receiving 2,000 visits every second. This caused the repeated shut ²³
down of some websites for several hours at a time or longer, according to Estonian officials. The
attacks, which flooded computers and servers and blocked legitimate users, were described as
crippling, owing to Estonia’s high dependence on information technology, but limited resources
for managing their infrastructure. Security experts say that the cyberattacks against Estonia were
unusual because the rate of the packet attack was very high, and the series of attacks lasted ²⁴
weeks, rather than hour or days, which is more commonly seen for a denial of service attack.
Eventually, NATO and the United States sent computer security experts to Estonia to help recover
from the attacks, and to analyze the methods used and attempt to determine the source of the
attacks.
This event can serve to illustrate how computer network technology has blurred the boundaries
between crime, warfare, and terrorism. A persistent problem during and after any cyberattack is
accurate identification of the attacker, by finding out whether it was sponsored by a nation, or was
the independent work of a few unconnected individuals, or was initiated by a group to instill
frustration and fear by damaging the computerized infrastructure and economy. The uncertainty
of not knowing the initiator also affects the decision about whom should ultimately become a
target for retaliation, and whether the response should come from law enforcement or the military.
Initially, the Russian government was blamed by Estonian officials for the cyberattacks, and there
were charges of cyberwarfare. Other observers argued that the cyberattack involved collusion
between the Russian government and trans-national cybercriminals who made their large botnets
available for short-term rent, either to individuals or to larger groups. They argue that as the
rented time expired, the intensity of the persistent cyberattacks against Estonia also began to fall ²⁵
off. However, not all security experts agree, and it remains unclear at this time whether the
cyberattacks were sanctioned or initiated by the Russian government, or if a criminal botnet was
actually involved.

²²^Ro^b^e^rt^V^a^m^o^si^,^“Cy^b^erat^t^a^{ck i}ⁿ^E^s^t^oⁿⁱ^a—W^h^at^It^Real^l^y^M^ean^s,^{” Cn}^et^New^s^.^c^o^m^,^M^a^y²⁹^,²⁰⁰⁷^,^a^t
^http:^//ne^w^s^.^c^o^m^.^c^o^m^/^C^y^be^r^a^tta^c^k⁺ⁱⁿ⁺^Es^tonia^-^w^h^a^t⁺^it+^r^e^a^l^l^y^+m^e^a^ns^/20^08-⁷³⁴⁹^_3-⁶¹⁸⁶⁷⁵^1.^htm^l^.
²³^C^h^rⁱ^s^t^o^phe^r^R^hoa^ds^{, “}^C^y^b^e^r^A^ttac^k^Ve^x^e^s^Es^tonia^,^Pos^e^s^D^e^ba^te^,”^T^h^{e Wa}^l^l^S^t^reet^Jou^rⁿ^a^l^{, Ma}^y¹⁸^{, 20}⁰⁷^{, p}^.^A⁶^.
²⁴^Ca^roly^{n Ma}^rsaⁿ^{, “}^E^x^a^mⁱ^ning^the^Re^a^lity^o^f^C^y^be^r^w^a^r^{in W}^a^k^e^of^Estoniaⁿ^A^tta^c^k^s,”^Netwo^r^{k W}^o^rld^{, A}^u^g^u^s^t²⁷^,
²⁰⁰^{7, v}^o^l^.^24,ⁿ^o^.^33,^p.²⁴^.
²⁵^I^a^{in T}^hom^s^{on, “}^R^us^sⁱ^a^‘^H^ir^e^d^B^o^tne^t^s^’^f^o^r^Es^t^onia^C^y^be^r^-^W^a^r^,”^C^o^m^putⁱⁿ^g^{, http}^://w^w^w^.^c^om^puting^.^c^o^.uk^/^v^nune^t/
^ne^w^s^/²¹⁹¹⁰⁸²^/^c^laⁱ^m^s^-^r^u^s^sⁱ^a^-^hir^e^d-^b^o^tne^t^s^.

After some investigation, network analysts later concluded that the cyberattacks targeting Estonia
were not a concerted attack, but instead were the product of spontaneous anger from a loose
federation of separate attackers. Technical data showed that sources of the attack were worldwide
rather than concentrated in a few locations. The computer code that caused the DDOS attack was
posted and shared in many Russian language chat rooms, where the moving of the war memorial
was a very emotional topic for discussion. These analysts state that although access to various
Estonian government agencies was blocked by the malicious code, there was no apparent attempt
to target national critical infrastructure other than internet resources, and no extortion demands
were made. Their analysis thus far concluded that there was no Russian government connection ²⁶
to the attacks against Estonia. However, investigation into the incident continues, and officials
from the United States view some aspects of the event as a possible model for future
cyberwarfare or cyberterrorism directed against a nation state.
In January 2008, a court in Estonia convicted and fined a local man for bringing down a
government website, as part of the extended cyberattack in 2007. The 20-year-old, who is
apparently an ethnic Russian Estonian, used his home PC to carry out the attack. The
investigation continues, and so far, he is the only person convicted for participating in the ²⁷
cyberattack against Estonia.
Cybercrime is usually conducted through a connection to the Internet, but can also involve
unauthorized removal of data on small, portable flash drive storage devices. Cybercrime, usually
in the form of network hacking, has involved persons with strong technical skills, often motivated
by the desire to gain popularity among their technology peers. However, the growing trend is now
to profit from these network cyberattacks by targeting specific systems, often through
collaboration among criminals and technical experts. The motives that drive these cybercriminal
groups now may differ from those of their paying customers, who may possess little or no
technical skills.
New technologies continue to outpace policy for law enforcement. Problems of coordination
among agencies of different countries, along with conflicting national policies about crime in
cyberspace, work to the advantage of cybercriminals who can choose to operate from geographic
locations where penalties for some forms of cybercrime may not yet exist. Sophisticated tools for
cyberattack can now be found for sale or for rent on the Internet, where highly-organized
underground cybercrime businesses host websites that advertise a variety of disruptive software
products and malicious technical services. High-end cybercrime groups use standard software
business development techniques to keep their products updated with the latest anti-security
features, and seek to recruit new and talented software engineering students into their
organizations.
Where illicit profits are potentially very large, some high-end criminal groups have reportedly
adopted standard IT business practices to systematically develop more efficient and effective
computer code for cybercrime. Studies also show that organized crime groups now actively
recruit college engineering graduates and technical expert members of computer societies, and

²⁶^Hei^s^{e S}^ecu^ri^t^y^,^Es^toniaⁿ^D^D^o^S^—^{a fi}^na^{l a}^naly^s^is^{, htt}^p^://w^ww^.heⁱ^se^-se^c^u^rit^y^.c^o.uk^/ne^w^s/^print/⁹⁰⁴⁶^1.
²⁷^Mⁱ^k^e^S^a^c^h^o^ff,^M^{an C}^onv^ic^te^{d I}ⁿ^Es^tonⁱ^{a C}^y^be^r^A^ttac^k^{, W}^e^b^P^r^o^N^e^w^s^{, J}^a^nua^r^y^{24, 20}⁰⁸^,
^http:^//w^w^w^.^w^e^bpr^one^w^s^.c^om^/^t^op^ne^w^s^/²⁰^08/^01/^24/^m^a^n-^c^onv^ic^te^d-^in-^e^s^t^on^ia^-^c^y^b^e^r^-^a^tta^c^k^.

sponsor them to attend more information technology (IT) courses to further their technical
expertise. However, in some cases, targeted students may not realize that a criminal organization ²⁸
is behind the recruitment offer.
Cyberattacks are increasingly designed to silently steal information without leaving behind any
damage that would be noticed by a user. These types of attacks attempt to escape detection in
order to remain on host systems for longer periods of time. It is also expected that as mobile
communication devices are incorporated more into everyday life, they will be increasingly ²⁹
targeted in the future for attack by cybercriminals.
Malicious code, such as viruses or Trojan Horses, are used to infect a computer to make it
available for takeover and remote control. Malicious code can infect a computer if the user opens
an email attachment, or clicks an innocent-looking link on a website. For example, users who
visited the popular MySpace and YouTube websites in 2005, and who lacked important software
security patches, reportedly may have had their PCs infected if they clicked on a banner
advertisement which silently installed malicious code on their computers to log keystrokes or
capture sensitive data. During the first half of 2006, the Microsoft Security Team reported that it
had removed 10 million pieces of malicious software from nearly 4 million computers and web ³⁰
servers. Recently, analysts at Google tested several million web pages for the presence of
malicious software, and determined that 4.5 million of the web pages examined were suspicious
in nature. After further testing of the 4.5 million web pages, over 1 million were found to launch
downloads of malicious software, and more than two thirds of those programs were “bot”
software that, among other things, collected data on banking transactions and then emailed the ³¹
information to a temporary email account.
Researchers at the San Jose, Calif.-based security firm, Finjan Inc., after reviewing security data
from the first quarter of 2007, found that more malware is hosted on servers in countries such as
the U.S. and U.K., than in other countries with less developed e-crime law enforcement policies.
Findings from the Finjan 2007 Web Security Trends Report are based on an analysis of more than

10 million unique websites from Internet traffic recorded in the UK, and include the following:

• Attacks that involve the use of code obfuscation through diverse randomization
techniques are growing more numerous and complex, making them virtually
invisible to pattern-matching/signature-based methods in use by traditional
antivirus products.

²⁸^Mc^Af^e^e^Vⁱ^rtua^{l Crim}^inolog^y^Re^port:^Org^a^niz^e^d^Crim^e^a^{nd the}^Int^e^rne^t^{, De}^c^e^m^b^e^r²⁰⁰^6,^http^://w^ww^.sigm^a^.c^o^m^.pl/
^plik^i/^a^l^bum^s^/^us^e^r^pic^s^/¹⁰⁰⁰^7/^Vir^t^ua^l_C^r^im^inolog^y^_^R^e^por^t_²⁰⁰⁶^.p^df^.
²⁹^A^w^e^{b c}^r^aw^le^r⁽^a^ls^{o k}^now^{n a}^s^a^W^e^{b s}^p^ide^r^or^W^e^{b r}^o^b^o^t)^is^a^pr^og^r^a^m^or^a^u^tom^a^te^{d s}^c^rⁱ^{pt t}^h^a^t^br^ow^s^e^s^the^W^o^r^l^d
^Wⁱ^de^W^e^{b in a}^m^e^thodic^a^l^{, a}^u^to^m^a^te^{d m}^a^nne^r^.^W^e^{b c}^r^a^w^l^e^r^s^a^r^e^m^a^inly^us^e^d^{to c}^r^e^a^t^e^a^c^opy^of^a^l^{l the}^vⁱ^s^ite^d^pa^g^e^s
^f^o^{r la}^te^{r proc}^e^ssing^by^a^se^a^r^c^h^eⁿ^gⁱ^ne^tha^t^w^{ill i}^nde^x^the^dow^nloa^de^{d pa}^g^e^{s to}^provⁱ^d^e^f^a^{st se}^a^r^c^h^e^s^{. W}ⁱ^kⁱ^pe^dia^,
^http:^//e^n.wⁱ^kⁱ^pe^dia^.^or^g^/^wⁱ^k^i/W^e^b^_c^r^a^w^l^e^r^.
³⁰^Elise^A^c^ke^r^m^aⁿ^{, “}^H^a^c^k^e^{rs’ In}^f^e^c^tions^Slit^he^{r Ont}^o^W^e^{b Site}^s,”^T^h^{e Mercu}^r^{y New}^s^{, J}^a^nua^r^y^{3, 200}⁷^,^p.^1.
³¹^Jeff^He^ch^t^,^“W^eb^Bro^w^sers^A^r^{e Ne}^w^F^r^oⁿ^t^lⁱⁿ^eⁱⁿ^In^t^e^rⁿ^et^W^a^r,^”^NewS^ci^en^tⁱ^s^t^T^ech^,^Ma^y^{5, 200}^7,
^http:^//w^w^w^.ne^w^s^c^ie^ntis^tte^c^h^.c^om^/a^r^tic^le^.ns^?^id=^m^g¹⁹⁴²⁶⁰²^6.0^00&^pr^int=^tr^ue^{. N}ⁱ^e^l^s^P^r^ov^os^e^t^{. a}^l^.,^T^h^e^Ghostⁱⁿ^the
^Br^ow^s^e^r^:^Analy^s^is^{of W}^e^b-^b^a^s^e^d^M^a^lw^ar^e^{, G}^oog^le^{, Inc}^.,^htt^p^://w^ww^.use^nix^.^org^/^e^v^eⁿ^ts/^hot^bo^ts07^/^t^e^c^h/f^u^ll_pa^pe^rs/
^pr^ov^os^/^p^r^o^v^o^s^.^pdf^.

• Criminals are displaying an increasing level of sophistication when embedding
malicious code within legitimate content with less dependence on outlaw servers
in unregulated countries.
Finjan found that 90% of the websites examined containing malware resided on servers located in
the U.S. or U.K. “The results of this study shatter the myth that malicious code is primarily being
hosted in countries where e-crime laws are less developed,” Finjan CTO Yuval Ben-Itzhak ³²
reportedly stated.
Botnets and other examples of malicious code can operate to assist cybercriminals with identity
theft. Current FBI estimates are that identity theft costs American businesses and consumers $50
billion a year. Individual users are often lured into clicking on tempting links that are found in
email or when visiting websites. Clicking on titles such as “Buy Rolex watches cheap,” or
“Check out my new Photos,” can take advantage of web browser vulnerabilities to place
malicious software onto a users system which allows a cybercriminal to gather personal
information from the user’s computer.
Malicious code can scan a victim’s computer for sensitive information, such as name, address,
place and date of birth, social security number, mother’s maiden name, and telephone number.
Full identities obtained this way are bought and sold in online markets. False identity documents
can then be created from this information using home equipment such as a digital camera, color
printer, and laminating device, to make official-looking driver’s licences, birth certificates, ³³
reference letters, and bank statements.
Identity theft involving thousands of victims is also enabled by inadequate computer security ³⁴
practices within organizations. MasterCard International reported that in 2005 more than 40 ³⁵
million credit card numbers belonging to U.S. consumers were accessed by computer hackers.
Some of these account numbers were reportedly being sold on a Russian website, and some
consumers have reported fraudulent charges on their statements. Officials at the UFJ bank in
Japan reportedly stated that some of that bank’s customers may also have become victims of ³⁶
fraud related to theft of the MasterCard information. In June 2006, officials from the U.S.
Department of Energy acknowledged that names and personal information belonging to more
than 1,500 employees of the National Nuclear Security Administration (NNSA) had been stolen

³²^Finjaⁿ^{, I}ⁿ^c^.,^W^e^b^Se^c^u^r^ity^Tr^eⁿ^d^s^Re^por^{t, Q}²²⁰⁰⁷^{, htt}^p^://w^ww^.^fⁱⁿ^ja^n.c^o^m^/^Conteⁿ^t.a^s^px^?ⁱ^d=⁸²^7.
³³^L^{ou Bo}^bson^{, “}^I^deⁿ^tity^T^h^e^f^{t Ruining}^Lⁱ^v^e^s,”^The^Su^nd^ay^M^a^il^{, M}^a^y^20,²⁰⁰⁷^{, p. 62}^.
³⁴^On^A^p^ri^l¹²^,²⁰⁰⁵^,^p^e^rson^alⁱⁿ^f^o^rmatⁱ^oⁿ^,^s^u^ch^{as S}^o^ci^al^S^ecu^ri^t^y^Nu^m^b^ers^f^o^{r 3}¹⁰^,⁰⁰^{0 U.}^S^.^ci^tⁱ^zens,^m^a^{y h}^a^{ve b}^een
^st^o^l^enⁱⁿ^{a d}^a^t^a^secu^ri^t^y^b^r^each^t^h^atⁱⁿ^vo^l^v^ed⁵⁹ⁱⁿ^st^an^{ces o}^f^uⁿ^a^ut^h^o^rⁱ^zed^{access i}ⁿ^t^oⁱ^t^s^co^r^p^o^r^at^e^dat^a^b^a^{ses u}^sⁱⁿ^g
^st^o^l^en^p^a^ssw^o^r^d^s^.^Bo^st^on^Co^l^l^ege^rep^o^r^t^e^{d i}ⁿ^M^a^rch²⁰⁰⁵^t^h^at^{a h}^a^{cker h}^a^d^gaiⁿ^ed^uⁿ^a^u^t^ho^ri^zed^{access t}^o^co^m^p^u^t^er
^da^ta^ba^s^e^r^e^c^o^r^d^s^w^{ith pe}^r^s^ona^lⁱⁿ^f^o^r^m^a^{tion f}^o^r^up^to¹⁰^6,⁰⁰^{0 a}^l^um^{ni, a}ⁿ^{d i}ⁿ^t^h^e^s^a^m^e^m^{onth, C}^h^ic^o^Sta^t^e^Uⁿ^iv^e^r^s^ity^o^f
^Calⁱ^f^o^rⁿⁱ^a,^rep^o^r^t^e^d^t^h^atⁱ^t^s^d^a^t^a^{bases h}^a^d^b^een^b^r^each^ed^c^oⁿ^t^aiⁿⁱ^{ng t}^h^{e n}^a^m^e^{s an}^d^S^o^ci^al^S^ecu^ri^t^y^nu^m^b^ers^f^o^{r as}
^m^aⁿ^y^a^s^59,0^{00 c}^u^r^r^e^{nt a}ⁿ^{d f}^o^r^m^e^r^s^t^ude^nts^.^D^a^vⁱ^{d B}^a^nk^a^{nd C}^h^rⁱ^s^t^ophe^r^C^onk^e^y^{, “}^N^ew^Saf^e^g^u^a^r^ds^f^o^r^Y^our
^P^rⁱ^v^acy^,^”^The^W^a^{ll Str}^e^e^t^J^our^nal^{, Ma}^rc^{h 2}⁴^,²⁰⁰⁵^{, p}^.^D¹^.
³⁵^Joⁿ^a^t^h^aⁿ^Kri^m^an^d^Mⁱ^ch^ael^Barbaro^,^“4^{0 M}ⁱ^l^lⁱ^oⁿ^Credⁱ^t^Card^Num^b^{ers H}^ack^ed^,^”^Wa^sh^ing^t^on^P^o^st^{, J}^une¹⁸^{, 2}⁰⁰⁵^,^p.
^A^{01. Se}^e^a^l^s^o^the^r^e^por^t^by^the^U^.^{S. H}^o^us^e^of^R^e^pr^e^s^eⁿ^ta^tiv^e^s^H^o^m^e^la^{nd Se}^c^u^r^ity^C^o^m^m^itte^e^,^J^u^l^y^{1, 20}^05,^r^a^is^ing
^c^onc^e^r^{ns a}^b^o^u^t^poteⁿ^tia^{l tie}^s^be^twe^eⁿ^ideⁿ^ti^ty^the^f^{t v}ⁱ^c^tⁱ^m^{s a}^{nd te}^rrorism^{. Ca}^{itlin Ha}^rring^to^{n, “}^T^e^{rrorists Ca}^{n Ex}^plo^it
^Ideⁿ^tity^T^h^e^f^{t, Re}^{port Fr}^om^House^De^m^o^c^r^a^t^{s Sa}^y^s^,”^C^Q^H^o^m^e^{land Se}^c^u^r^ity^{, J}^u^ly^{1, 2}⁰⁰⁵^.
³⁶^{BBC New}^s^{, “J}^ap^an^Card^h^o^ld^ers^{‘Hit’ b}^y^T^h^e^f^{t,” Ju}ⁿ^e²¹^,²⁰⁰⁵^{, at}^h^ttp^:^//n^ew^s.b^b^c^.co^.^u^k^/1^/^h^i/^b^u^sⁱⁿ^e^ss/4¹¹⁴²⁵²^.stm^.

in a network intrusion that apparently took place starting in 2004. The NNSA did not discover the ³⁷
security breach until one year after it had occurred.
Some sources report that stolen credit card numbers and bank account information are traded
online in a highly structured arrangement, involving buyers, sellers, intermediaries, and service
industries. Services include offering to conveniently change the billing address of a theft victim,
through manipulation of stolen PINs or passwords. Observers estimated that in 2005 such ³⁸
services for each stolen MasterCard number cost between $42 and $72. Other news articles
report that, in 2007, a stolen credit card number sells online for only $1, and a complete identity,
including a U.S. bank account number, credit-card number, date of birth, and a government-³⁹
issued ID number now sells for just $14 to $18.
As of January 2007, 35 states have enacted data security laws requiring businesses that have
experienced an intrusion involving possible identity theft to notify persons affected, and to
improve security for protection of restricted data. However, existing federal and state laws that
impose obligations on information owners, may require harmonization to provide protections that ⁴⁰
are more uniform.
Cyber espionage involves the unauthorized probing to test a target computer’s configuration or
evaluate its system defenses, or the unauthorized viewing and copying of data files. However,
should a terrorist group, nation, or other organization use computer hacking techniques for
political or economic motives, their deliberate intrusions may also qualify them, additionally, as
cybercriminals. If there is disagreement about this, it is likely because technology has outpaced
policy for labeling actions in cyberspace. In fact, industrial cyber espionage may now be
considered a necessary part of global economic competition, and secretly monitoring the
computerized functions and capabilities of potential adversary countries may also be considered ⁴¹
essential for national defense.
U.S. counterintelligence officials reportedly have stated that about 140 different foreign
intelligence organizations regularly attempt to hack into the computer systems of U.S.
government agencies and U.S. companies. Cyber espionage, which enables the exfiltration of
massive amounts of information electronically, has now transformed the nature of ⁴²
counterintelligence, by enabling a reduced reliance on conventional spying operations. The
Internet, including satellite links and wireless local networks, now offers new, low cost and low

³⁷^Dawⁿ^On^le^y^an^d^P^a^tien^{ce W}^a^it,^{“DOD’s E}^f^f^o^{rts to}^S^t^{ave o}^f^f^Nati^oⁿ^-^S^t^{ate Cy}^b^e^{rattacks Be}^gin^w^ith^Chⁱⁿ^a,^”
^Go^vern^m^en^t^Co^mpu^t^{er News}^,^A^u^gu^st²¹^,²⁰⁰⁶^.
³⁸^{CCRC staff}^,^Rus^sⁱ^{a, Bi}^gge^s^t^Ev^e^r^C^r^e^d^{it C}^a^r^d^Sc^am^,^Co^m^p^u^t^{er C}^rⁱ^m^{e R}^e^sear^ch^Cen^t^er,^Ju^l^y⁸^,²⁰⁰⁵^,^at
^http:^//w^w^w^.c^rⁱ^m^e^-^r^e^s^e^a^r^c^h^.or^g^/ⁿ^e^w^s^/^08.^07.²⁰^05/¹³⁴⁹^/.
³⁹^Da^vⁱ^{d Ha}^y^e^{s, “}^A^Dolla^{r g}^o^e^s^a^Long^W^a^y^{in Sw}^iping^P^r^iv^a^t^e^Da^ta^,”^The^K^a^ns^as^Cⁱ^ty^St^ar^,^M^a^r^c^h²⁰^,²⁰⁰⁷^,^p^.¹^.
⁴⁰^{For m}^o^re^inf^o^rm^a^{tion a}^b^o^u^{t la}^w^s^re^la^te^{d to}^ideⁿ^t^ity^the^f^{t, se}^e^CRS^Re^{port RL}³⁴¹²^0,^Fe^de^{ral I}ⁿ^form^atioⁿ^Se^c^u^rity
^and^Dat^a^Bre^a^c^h^Noti^fic^ati^oⁿ^La^ws^,^b^y^Gⁱⁿ^a^M^a^ri^{e S}^t^even^s.
⁴¹^U^.^{S. i}ⁿ^te^llig^eⁿ^c^e^of^fⁱ^cⁱ^a^l^s^,^s^p^e^a^kⁱ^ng^on^ba^c^k^g^r^ound^{, e}^x^plaⁱ^ne^d^tha^t^the^y^ha^v^e^routine^l^y^pe^ne^tra^t^e^d^po^te^ntia^{l e}ⁿ^e^m^ie^s^’
^c^o^m^pute^r^ne^tw^or^k^s^{. T}^h^e^s^e^of^fⁱ^cⁱ^als^c^l^aⁱ^m^tha^t^thous^aⁿ^ds^of^a^tta^c^k^s^ha^v^e^ta^k^e^{n pl}^{ace an}^d^sen^s^itiv^{e in}^f^o^rm^atioⁿ^w^a^s
^s^t^oleⁿ^{. J}^o^hⁿ^Staⁿ^to^{n, “}^R^u^l^e^s^of^C^y^be^r^W^a^r^B^a^f^f^le^U^.^{S. G}^ove^rⁿ^m^e^{nt A}^g^eⁿ^cⁱ^e^s^,”^Nation^a^{l De}^fe^nse^{, F}^e^br^ua^r^y^2000,
^http:^//w^w^w^.na^tiona^lde^f^eⁿ^s^e^m^a^gazⁱ^ne^.or^g^/ⁱ^s^s^u^e^s^/²⁰⁰⁰^/^Fe^b/R^u^le^s^.^ht^m^.
⁴²^Je^a^nne^Me^se^rv^e^,^“^O^ff^ic^ia^{l: Inte}^rna^tiona^{l Ha}^c^k^e^r^{s G}^oⁱⁿ^g^af^te^r^U^.^{S. N}^e^tow^o^r^k^s^,^”^C^N^N^.^c^o^m^,^O^c^tobe^r^19,²⁰⁰⁷^,
^http:^//w^w^w^.c^nn.c^o^m^/²⁰⁰^7/^U^S^/10/^19/^cy^be^r^.^thr^e^a^t^s^/inde^x^.^htm^l^.

risk opportunities for espionage. In 2001, a Special Committee of Inquiry established by the
European parliament accused the United States of using its Echelon electronic spy network to
engage in industrial espionage against European businesses. Echelon was reportedly set up in
1971 as an electronic monitoring system during the Cold War. European-Union member Britain
helps operate the system, which includes listening posts in Canada, Australia, and New Zealand.
Echelon is described as a global spy system reportedly capable of intercepting wireless phone ⁴³
calls, e-mail, and fax messages made from almost any location around the world.
Figure 1. Diagram of Purported Echelon Spy System
Source: BBC News, July 6, 2000, at ^htt^p://news.b^{bc.co.uk/1/hi/world/europe/}⁸²⁰⁷⁵^8.stm.
The European parliament Special Committee reported that information gathered on Echelon may
have helped the United States beat the European Airbus Consortium in selling aircraft to Saudi ⁴⁴
Arabia in 1994. In 1995, France expelled five American diplomats and other officials,
reportedly including the Paris station chief for the CIA, because of suspected industrial espionage ⁴⁵
activities linked to Echelon.
The State Department denied that the U.S. government was engaged in industrial espionage.
However, former director of the U.S. Central Intelligence Agency, James Woolsey, has reportedly
justified the possibility of industrial espionage by the United States on the basis of the use of
bribery by European companies. Officials of the European parliament reportedly expressed ⁴⁶
outrage about the justification, while not denying that bribery is sometimes used to make sales.

⁴³^Ma^r^{tin A}^s^s^e^r^,^“^E^c^h^e^l^{on: B}ⁱ^g^br^ot^he^r^w^ithout^a^c^a^u^s^{e?” BBC Ne}^w^s^{, Ju}^ly⁶^,²⁰⁰⁰^,^h^t^t^p^://n^ew^s.b^b^c^.co^.^u^k^/1^/^h^i/^w^o^rld^/
^e^u^r^ope^/⁸²⁰⁷^58.s^t^m^.
⁴⁴^R^on^P^e^m^s^te^{in, “}^E^ur^ope^Spy^Sy^s^t^em^,”^G^l^oba^lSe^c^u^r^ity^.or^g^{, Ma}^r^c^h^30,²⁰⁰⁰^{, h}^ttp:^//w^w^w^.g^loba^ls^e^c^u^r^ity^.or^g^/ⁱ^nte^ll/
^libr^a^r^y^/ⁿ^e^w^s^/²⁰^00/⁰³^/⁰⁰⁰³³^0-^e^c^h^e^l^on1^.htm^.^P^a^ul^Me^lle^r^,^“^E^ur^ope^aⁿ^P^a^r^lia^m^e^{nt A}^dopts^‘^E^c^h^e^l^oⁿ^’^R^e^por^t,”^C^N^N^.^c^o^m^,
^Se^pte^m^be^r^{7, 20}⁰¹^{, h}^ttp:^//a^r^c^hiv^e^s^.^c^nn.c^o^m^/²⁰^01/^T^E^C^H^/inte^rⁿ^e^t^/^09/^07/^e^c^h^e^l^on.r^e^p^o^r^t^.i^dg^/.
⁴⁵^C^h^rⁱ^s^Ma^r^s^de^{n, “}^E^ur^ope^aⁿ^Uⁿⁱ^o^{n to}^Iⁿ^v^e^s^tig^a^t^e^U^S^-^R^{un Sa}^te^ll^ite^Spy^Ne^t^w^ork^,^”^W^o^{rld S}^o^cⁱ^a^list^W^e^bsite^{, July}^10,
²⁰⁰^{0, htt}^p^://w^ww^.^w^s^w^s.org^/^a^r^tic^le^s/200^0/^jul2⁰⁰^0/^e^c^h^e^-^j10.shtm^l.
⁴⁶^E^u^rop^ean^P^a^rlⁱ^a^m^eⁿ^t^reso^l^u^tⁱ^oⁿ^oⁿ^t^h^{e exi}^s^t^eⁿ^{ce o}^f^{a gl}^o^b^a^l^sy^st^e^m^f^o^{r t}^h^{e i}ⁿ^t^e^rcep^tⁱ^oⁿ^o^f^p^rⁱ^v^at^{e an}^d^co^m^m^erci^al
⁽^c^onti^nue^d.^..)

Some government officials warn that criminals now sell or rent malicious code tools for cyber
espionage, and the risk for damage to U.S. national security due to cyber espionage conducted by
other countries is great. One industry official, arguing for stronger government agency computer
security practices, stated that, “If gangs of foreigners broke into the State or Commerce
Departments and carried off dozens of file cabinets, there would be a crisis. When the same thing
happens in cyberspace, we shrug it off as another of those annoying computer glitches we must ⁴⁷
live with.”
In 2003, a series of cyberattacks designed to copy sensitive data files was launched against DOD
systems, and the computers belonging to DOD contractors. The cyber espionage attack apparently
went undetected for many months. This series of cyberattacks was labeled “Titan Rain,” and was
suspected by DOD investigators to have originated in China. The attacks were directed against
the U.S. Defense Information Systems Agency (DISA), the U.S. Redstone Arsenal, the Army
Space and Strategic Defense Installation, and several computer systems critical to military
logistics. Although no classified systems reportedly were breached, many files were copied
containing information that is sensitive and subject to U.S. export-control laws.
In 2006, an extended cyberattack against the U.S. Naval War College in Newport, Rhode Island, ⁴⁸
prompted officials to disconnect the entire campus from the Internet. A similar attack against the
Pentagon in 2007 led officials to temporarily disconnect part of the unclassified network from the
Internet. DOD officials acknowledge that the Global Information Grid, which is the main network
for the U.S. military, experiences more than three million daily scans by unknown potential ⁴⁹
intruders.
Accurate attribution is important when considering whether to retaliate using military force or
police action. Some DOD officials have indicated that the majority of cyber attacks against DOD
and U.S. civilian agency systems are suspected to originate in China, and these attacks are
consistently more numerous and sophisticated than cyberattacks from other malicious actors. The
motives appear to be primarily cyber espionage against civilian agencies, DOD contractors, and
DOD systems. The espionage involves unauthorized access to files containing sensitive industrial
technology, and unauthorized research into DOD operations. Some attacks included attempts to ⁵⁰
implant malicious code into computer systems for future use by intruders.

^(...c^on^tin^ue^d)
^c^o^m^m^unic^a^tions⁽^E^C^H^EL^O^N^inte^r^c^e^p^tion^s^y^s^t^em⁾⁽²⁰⁰¹^/2⁰⁹⁸⁽^I^N^I⁾⁾^,^Eur^ope^aⁿ^P^a^r^lia^m^e^{nt a}^ppr^ov^e^d^on^Se^pte^m^be^r^5,
²⁰⁰^1,^by^{367 v}^o^t^e^s^f^o^{r, 15}^{9 a}^g^aⁱⁿ^s^{t, a}^nd³⁹^a^b^s^t^eⁿ^ti^ons^,^htt^p^://w^w^w^.c^y^b^e^r-rig^h^ts^.org^/inte^rc^e^p^tio^n/^e^c^he^lon^/
^Eur^o^pe^aⁿ^_^p^a^r^lia^m^e^nt_r^e^s^olutio^n.^htm^.^G^e^r^h^a^r^{d SC}^H^M^I^D^R^e^po^rt^on^t^h^{e exi}^st^en^{ce o}^f^a^g^l^o^b^a^l^syst^{em f}^o^{r t}^h^{e i}ⁿ^t^e^rcep^tⁱ^oⁿ
^{of pr}^iv^ate^a^{nd c}^o^m^m^e^r^c^{ial c}^o^m^m^unic^a^tio^ns⁽^E^C^H^ELO^N^inte^r^c^e^p^ti^{on s}^y^s^t^e^m⁾^{, D}^o^c^.^{: A}⁵^-⁰²⁶^4/2⁰⁰¹^,^Ma^y^{9, 200}^1,
^http:^//w^w^w^.s^ta^tew^a^tc^h.or^g^/^ne^w^s^/²⁰⁰^1/^s^e^p/02e^c^h^e^l^on.^htm^.^J^a^m^e^s^W^ools^e^y^,^Inte^lligeⁿ^c^e^Ga^the^rⁱⁿ^g^and^De^moc^r^ac^ie^s:
^The^I^s^s^u^e^of^Ec^o^nom^ic^an^{d I}ⁿ^dus^t^r^{ial Es}^pⁱ^oⁿ^a^g^e^{, Fe}^de^ra^tioⁿ^of^Am^e^r^ic^aⁿ^Sc^ie^{ntists, Ma}^rc^h^7,²⁰⁰⁰^,^http:^//f^tp.f^a^s^.org^/
^ir^p/^ne^w^s^/²⁰⁰^0/^03/^w^ool03^00.^htm^.
⁴⁷^J^a^m^e^s^L^e^wⁱ^s^,^te^s^tⁱ^m^ony^bef^o^r^e^the^H^ous^e^C^o^m^m^itte^e^{on H}^o^m^e^laⁿ^d^Se^c^u^r^ity^{, Su}^bc^om^m^itte^e^{on Em}^e^r^gⁱ^ng^T^h^r^e^a^t^s^,
^C^y^be^r^s^e^c^u^rⁱ^t^y^{, a}^{nd Sc}^ie^nc^e^aⁿ^d^T^e^c^hnol^og^y^,^A^p^r^{il 15,}²⁰⁰⁷^.
⁴⁸^C^h^rⁱ^s^J^o^hns^on,^N^a^v^a^{l W}^a^r^C^o^lleg^e^N^e^t^w^or^k^,^“W^e^b^Site^B^a^c^k^U^p^Foll^ow^ing^Iⁿ^tr^usⁱ^on,”^Iⁿ^si^d^e^t^h^e^Na^vy^,^Dece^m^b^er
^{18, 20}⁰⁶^.
⁴⁹^Som^e^e^s^ti^m^a^te^s^say^tha^t^{up t}^o⁹⁰^%^of^c^o^m^pute^r^s^o^f^t^w^a^r^e^us^e^dⁱⁿ^C^h^ina^is^pir^a^te^d,^aⁿ^d^th^us^o^p^eⁿ^t^o^hija^c^k^thr^o^ug^h
^co^m^p^u^t^{er viru}^ses.^Ja^m^e^s^L^e^wⁱ^s,^C^o^m^pute^r^Es^pioⁿ^a^g^e^,^T^ita^{n R}^aⁱⁿ^and^C^hⁱⁿ^a^{, C}^e^nte^r^f^o^r^Str^a^te^gⁱ^c^a^{nd I}ⁿ^te^rⁿ^a^tⁱ^ona^l
^Stud^ie^s^,^D^e^c^e^m^b^e^r^14,²⁰^05.
⁵⁰^Jo^sh^R^o^giⁿ^,^“Cy^b^{er o}^f^fⁱ^ci^al^s:^Chⁱⁿ^{ese h}^{ackers at}^t^a^c^k^‘an^y^t^hⁱⁿ^{g an}^{d ever}^y^t^hⁱⁿ^g^,^’^{” F}^C^W^.^co^m^,^F^e^b^r^{ary 1}³^,²⁰⁰⁷^,
^http:^//w^w^w^.f^cw^.c^o^m^/^a^r^tic^le⁹⁷⁶⁵⁸^-^02-^13-^07-^W^e^b&^pr^intL^a^y^out.

Security experts warn that all U.S. federal agencies should now be aware that in cyberspace some
malicious actors consider that no boundaries exist between military and civilian targets.
According to an August 2005 computer security report by IBM, more than 237 million overall ⁵¹
security attacks were reported globally during the first half of that year. Government agencies
were targeted the most, reporting more than 54 million attacks, while manufacturing ranked
second with 36 million attacks, financial services ranked third with approximately 34 million, and
healthcare received more than 17 million attacks. The most frequent targets for these attacks, all
occurring in the first half of 2005, were government agencies and industries in the United States
(12 million), followed by New Zealand (1.2 million), and China (1 million). These figures likely
represent an underestimation, given that most security analysts agree that the number of incidents
reported are only a small fraction of the total number of attacks that actually occur.
The proportion of cybercrime that can be directly or indirectly attributed to terrorists is difficult to
determine. However, linkages do exist between terrorist groups and criminals that allow terror
networks to expand internationally through leveraging the computer resources, money laundering
activities, or transit routes operated by criminals. For example, the 2005 U.K. subway and bus
bombings, and the attempted car bombings in 2007, also in the U.K., provide evidence that
groups of terrorists are already secretly active within countries with large communication
networks and computerized infrastructures, plus a large, highly skilled IT workforce. London
police officials reportedly believe that terrorists obtained high-quality explosives used for the ⁵²

2005 U.K. bombings through criminal groups based in Eastern Europe.

A recent trial in the U.K. revealed a significant link between Islamic terrorist groups and
cybercrime. In June 2007, three British residents, Tariq al-Daour, Waseem Mughal, and Younes
Tsouli, pled guilty, and were sentenced for using the Internet to incite murder. The men had used
stolen credit card information at online web stores to purchase items to assist fellow jihadists in
the field—items such as night vision goggles, tents, global positioning satellite devices, and
hundreds of prepaid cell phones, and more than 250 airline tickets, through using 110 different
stolen credit cards. Another 72 stolen credit cards were used to register over 180 Internet web
domains at 95 different web hosting companies. The group also laundered money charged to
more than 130 stolen credit cards through online gambling websites. In all, the trio made
fraudulent charges totaling more than $3.5 million from a database containing 37,000 stolen
credit card numbers, including account holders’ names and addresses, dates of birth, credit ⁵³
balances, and credit limits.
Cybercriminals have made alliances with drug traffickers in Afghanistan, the Middle East, and
elsewhere where illegal drug funds or other profitable activities such as credit card theft, are used

⁵¹^T^h^{e G}^l^o^b^a^l^Bu^siⁿ^e^{ss S}^ecu^ri^t^y^In^d^e^{x rep}^o^r^t^s^w^o^rl^d^wⁱ^d^{e t}^r^en^d^sⁱⁿ^c^o^m^p^u^t^{er secu}^ri^t^y^f^r^o^mⁱⁿ^ci^d^eⁿ^t^{s t}^h^at^{are co}^l^l^ect^ed
^a^{nd a}ⁿ^a^l^y^z^e^d^by^I^B^{M a}^{nd ot}^he^r^s^e^c^u^r^ity^or^g^a^niz^a^tions^{. I}^B^{M pr}^e^s^s^r^e^le^a^s^e^,^I^B^M^Re^por^t:^G^o^v^e^r^nm^eⁿ^t^,^Fin^ancⁱ^a^l
^Se^r^v^ic^e^s^{and M}^a^nuf^ac^turⁱ^ng^Se^c^t^or^s^To^{p T}^a^r^g^e^t^s^o^f^Se^c^u^r^ity^Attac^k^s^{in Fir}^s^t^H^a^{lf o}^f²⁰⁰⁵^{, I}^B^{M, A}^u^g^u^s^t^2,²⁰^05.
⁵²^Wa^l^s^h^,^T^e^rro^{rism o}ⁿ^th^{e Ch}^e^a^p^.^Rollie^L^a^{l, “}^T^e^{rrorists a}^{nd Or}^g^a^niz^e^d^Crim^e^{Join Forc}^e^s^,”^Inte^rn^ati^ona^{l He}^rald
^Tr^ibuⁿ^e^{, Ma}^y^25,²⁰^05,^a^t^ht^tp:/^/^w^w^w^.iht.c^om^/^a^r^tic^le^s^/²⁰⁰⁵^/^05/²³^/opi^nioⁿ^/^e^dla^l^.p^hp.^B^a^r^b^a^r^a^P^o^r^t^e^r^{, “}^F^or^um^Lⁱ^nk^s
^Organⁱ^zed^Cri^m^{e an}^d^T^e^rro^ri^sm^,^”^By^G^e^or^ge^!^s^u^m^m^e^r²⁰⁰⁴^htt^p^://^w^w^w^2.gw^u.e^du/~by^g^e^o^r^g^e^/⁰⁶⁰⁸^04/
^c^r^im^e^t^e^rroris^m^.htm^l.
⁵³^Bri^aⁿ^Kreb^s,^“T^h^r^{ee W}^o^rked^t^h^e^W^e^b^t^o^Hel^p^T^e^rro^ri^st^s,^”^T^h^{e Wash}ⁱⁿ^gt^on^Po^st^{, J}^u^ly^6,²⁰^07,^p.^D⁰^1.

to support terrorist groups.⁵⁴ Drug traffickers are reportedly among the most widespread users of
encryption for Internet messaging, and are able to hire high-level computer specialists to help
evade law enforcement, coordinate shipments of drugs, and launder money. Regions with major
narcotics markets, such as Western Europe and North America, also possess optimal technology
infrastructure and open commercial nodes that increasingly serve the transnational trafficking ⁵⁵
needs of both criminal and terrorist groups. Officials of the U.S. Drug Enforcement Agency
(DEA), reported in 2003 that 14 of the 36 groups found on the U.S. State Department’s list of
foreign terrorist organizations were also involved in drug trafficking. A 2002 report by the Federal
Research Division at the Library of Congress, revealed a “growing involvement of Islamic
terrorist and extremists groups in drug trafficking”, and limited evidence of cooperation between ⁵⁶
different terrorist groups involving both drug trafficking and trafficking in arms. Consequently,
DEA officials reportedly argued that the war on drugs and the war against terrorism are and ⁵⁷
should be linked.
State Department officials, at a Senate hearing in March 2002, also indicated that some terrorist
groups may be using drug trafficking as a way to gain financing while simultaneously weakening ⁵⁸
their enemies in the West through exploiting their desire for addictive drugs. The poppy crop in
Afghanistan reportedly supplies resin to produce over 90 percent of the world’s heroin,
supporting a drug trade estimated at $3.1 billion. Reports indicate that money from drug
trafficking in Afghanistan is used to help fund terrorist and insurgent groups that operate in that
country. Subsequently, U.S. intelligence reports in 2007 have stated that “al Qaeda in
Afghanistan” has been revitalized and restored to its pre-September 11, 2001 operation levels, ⁵⁹
and may now be in a better position to strike Western countries.
Drug traffickers have the financial clout to hire computer specialists with skills for using
technologies which make Internet messages hard or impossible to decipher, and which allow
terrorist organizations to transcend borders and operate internationally with less chance of
detection. Many highly trained technical specialists that make themselves available for hire
originally come from the countries of the former Soviet Union and the Indian subcontinent. Some

⁵⁴^P^e^te^r^B^e^r^g^eⁿ^{, “}^T^he^T^a^libaⁿ^{, R}^e^gr^ou^pe^{d a}ⁿ^{d R}^e^a^r^m^e^d,”^The^W^a^s^hⁱ^ngt^on^Pos^t^,^Se^pte^m^be^r^10,²⁰⁰⁶^,^{p. B}¹^{. H}^e^leⁿ
^C^oope^r^,^“^N^A^T^O^C^h^ie^f^Say^s^Mor^e^T^r^oops^A^r^e^N^e^e^d^e^d^{in A}^f^g^h^aⁿ^is^ta^n,”^Th^{e New Y}^o^{rk Times}^{, Se}^pte^m^be^r^{22, 2}⁰⁰⁶^,^p.
^10.
⁵⁵^G^l^enⁿ^Cu^rtⁱ^s^and^T^a^{ra Karacan}^,^T^h^{e Nexu}^{s Amon}^g^T^e^rro^rists,^Na^r^c^o^{tics T}^r^a^ffickers,^Wea^p^oⁿ^s^Proli^f^era^t^o^rs,^an^d
^O^r^ganiz^e^d^C^r^im^e^N^e^tw^or^k^s^{in W}^e^s^t^e^r^{n Eur}^o^pe^,^{a st}^ud^y^p^r^ep^ared^b^y^t^h^{e F}^e^d^e^ral^Research^Di^vi^si^oⁿ^,^Lⁱ^b^r^ary^o^f
^Cong^re^s^s^,^D^e^c^e^m^b^e^r²⁰⁰²^{, p}^.²²^,^a^t^http^://w^w^w^.loc^.g^ov^/^rr/f^r^d/pdf^-file^s^/^W^e^s^t^Europe^_N^E^X^U^S^.^pdf^.
⁵⁶^L^.^B^e^r^r^y^,^G^.^{E. C}^u^r^tis^,^R^.^A^.^H^uds^{on, a}^{nd N}^.^A^.^K^o^lla^r^s^,^{A G}^l^ob^al^O^v^e^r^vⁱ^e^w^{of N}^a^r^c^otic^s^-^Fun^d^e^d^Te^r^r^o^rⁱ^s^t^an^{d O}^t^he^r
^Ex^tr^e^m^is^{t G}^r^oups^,^Fe^de^r^a^{l R}^e^s^e^a^r^c^h^Dⁱ^vⁱ^sⁱ^on,^Lⁱ^br^a^r^y^o^f^C^ong^r^e^s^s^,^W^a^s^h^ing^t^{on, D}^C^,^Ma^y²⁰⁰²^.
⁵⁷^A^u^thor^iz^a^tio^{n f}^o^r^c^oor^di^na^ting^t^h^e^f^e^de^r^a^l^w^a^r^{on dr}^ug^s^e^x^pir^e^d^on^Se^pte^m^be^r^30,²⁰^03.^F^o^r^m^o^r^eⁱⁿ^f^o^r^m^a^{tion, s}^e^e
^C^R^S^R^e^por^t^R^L³²³^52,^W^a^r^oⁿ^D^r^ugs^:^Re^a^u^th^or^iz^at^io^{n a}ⁿ^d^O^v^e^r^sⁱ^ght^{of t}^h^e^O^ffic^e^o^f^N^a^tⁱ^o^nal^D^r^ug^C^ontr^o^{l P}^o^lic^y^,
^by^Ma^r^k^Eddy^.^A^l^s^o^{, s}^e^e^D^.^C^.^P^r^é^f^ontaⁱ^ne^{, Q}^C^a^{nd Y}^v^oⁿ^D^aⁿ^dur^a^nd,^T^e^rro^{rism a}ⁿ^d^Orga^nized^Cri^m^{e Reflectio}ⁿ^s^on
^{an I}^l^lusⁱ^v^e^Li^nk^a^nd^its^I^m^plic^atio^{n for Crimi}ⁿ^a^l^L^a^{w Re}^form^,^Iⁿ^te^rⁿ^a^tio^na^{l Soc}ⁱ^e^t^y^f^o^r^C^r^im^ina^l^L^a^w^R^e^f^o^r^m^A^nnua^l
^Me^e^ting^—^Mont^r^e^a^l^{, A}^u^g^u^s^t^8—¹²^{, W}^o^r^k^s^h^o^p^D^-³^Se^c^u^r^ity^Me^a^s^ur^e^s^a^{nd L}ⁱ^nk^s^{to O}^r^g^a^niz^e^d^C^r^im^{e, A}^u^g^u^s^t^11,
²⁰⁰^{4, a}^t^htt^p^://w^ww^.ic^c^l^r.la^w^.^ubc^.c^a^/^Public^a^tⁱ^ons/^R^e^ports^/^I^nte^r^na^ti^ona^l%²⁰^Socⁱ^e^t^y^%^20P^a^p^e^r^%²^0of^%^20T^e^rrorism^.pdf^.
⁵⁸^Ran^d^{Beers an}^{d F}^r^an^ci^s^X^.^T^a^y^l^o^r^,^U.^S^.^S^t^at^{e Dep}^a^rt^m^eⁿ^t^,^Na^rco^-^T^e^rro^{r: T}^h^{e Wo}^rl^d^wⁱ^d^{e Con}ⁿ^ectⁱ^oⁿ^B^e^t^w^een
^D^r^ugs^a^nd^Te^r^r^o^r^{, te}^s^tim^ony^bef^o^r^e^the^U^.^S.^Se^na^te^J^u^dicⁱ^a^r^y^C^o^m^m^itte^e^,^Subc^om^m^itte^e^{on T}^e^c^hnol^ogy^{, T}^e^r^r^o^rⁱ^sm^,
^a^{nd G}^o^v^e^rⁿ^m^e^{nt I}ⁿ^f^o^r^m^a^{tion, Ma}^r^c^{h 13}^{, 2}⁰⁰²^.
⁵⁹^M^a^t^t^h^ew^L^e^{e an}^d^Kat^h^eriⁿ^e^S^h^ra^d^e^r,^Al-Qaⁱ^d^a^h^a^{s re}^bu^{ilt, U.}^S.^int^e^{l warns}^,^A^sso^ciated^P^r^ess,^Ju^ly¹²^,²⁰⁰⁷^,
^http:^//ne^w^s^.^y^a^hoo.c^o^m^/^s^/^a^p^/20⁰⁷⁰⁷¹^2/^a^p_o^n_g^o^_pr^_w^h/
^us^_te^r^r^o^r^_^thr^e^a^t^_³²^;^_y^lt=A^u^U^R^r²^e^P^8A^hB^r^f^Hy^T^O^d^w^714G^w^_^I^E^{. A}^s^s^o^cⁱ^a^t^e^d^P^r^e^s^s^,^“^A^f^g^ha^nis^t^aⁿ^’^s^pop^py^c^r^{op c}^o^u^l^d
^yⁱ^e^l^{d m}^o^re^thaⁿ²⁰⁰⁶^{’s re}^c^o^rd^ha^{ul, UN sa}^y^s^,”^Inte^rna^tiona^{l He}^ra^l^d^T^r^ibuⁿ^e^,^Ju^ne²⁵^,²⁰^07,^htt^p^://w^ww^.iht.c^om^/
^a^r^tic^le^s^/^a^p^/200^7/^06/^25/^a^s^ia^/A^S-^G^E^N^-^A^f^g^h^aⁿ^-^D^r^u^g^s^.ph^p^.

of these technical specialists reportedly will not work for criminal or terrorist organizations
willingly, but may be misled or unaware of their employers’ political objectives. Still, others will
agree to provide assistance because other well-paid legitimate employment is scarce in their ⁶⁰
region.
Links between computer hackers and terrorists, or terrorist-sponsoring nations may be difficult to
confirm. Membership in the most highly-skilled computer hacker groups is sometimes very
exclusive and limited to individuals who develop, demonstrate, and share only with each other,
their most closely-guarded set of sophisticated hacker tools. These exclusive hacker groups do not
seek attention because maintaining secrecy allows them to operate more effectively. Some hacker
groups may also have political interests that are supra-national, or based on religion, or other
socio-political ideologies, while other hacker groups may be motivated by profit, or linked to
organized crime, and may be willing to sell their computer services, regardless of the political
interests involved.
Information about computer vulnerabilities is now for sale online in a hackers’ “black market”.
For example, a list of 5,000 addresses of computers that have already been infected with spyware
and which are waiting to be remotely controlled as part of an automated “bot network” reportedly
can be obtained for about $150 to $500. Prices for information about computer vulnerabilities for
which no software patch yet exists reportedly range from $1,000 to $5,000. Purchasers of this
information are often organized crime groups, various foreign governments, and companies that ⁶¹
deal in spam.
Some experts estimate that advanced or structured cyberattacks against multiple systems and
networks, including target surveillance and testing of sophisticated new hacker tools, might
require from two to four years of preparation, while a complex coordinated cyberattack, causing
mass disruption against integrated, heterogeneous systems may require 6 to 10 years of ⁶²
preparation. This characteristic, where hackers devote much time to detailed and extensive
planning before launching a cyberattack, has also been described as a “hallmark” of previous
physical terrorist attacks and bombings launched by Al Qaeda.
It is difficult to determine the level of interest, or the capabilities of international terrorist groups
to launch an effective cyberattack. A 1999 report by The Center for the Study of Terrorism and
Irregular Warfare at the Naval Postgraduate School concluded that it is likely that any severe

⁶⁰^L^ouis^e^She^lly^,^O^r^ganiz^e^d^C^r^im^e^,^C^y^be^r^c^rⁱ^m^e^{and Te}^r^r^o^rⁱ^s^m^,^C^o^m^p^u^t^{er Cri}^m^{e Research}^Cen^t^er,^S^e^p^t^em^b^e^{r 2}⁷^,
²⁰⁰^{4, htt}^p^://w^ww^.c^ri^m^e^-re^se^a^r^c^h^.org^/a^rtic^le^s/T^e^rroris^m^_C^y^b^e^r^c^rⁱ^m^e^/^.
⁶¹^{Hackers s}^e^l^l^t^h^ei^{r i}ⁿ^f^o^rm^atⁱ^oⁿ^anoⁿ^y^m^o^u^s^l^y^t^h^ro^u^g^h^secretⁱ^v^e^w^e^b^sⁱ^t^e^s.^Bo^b^F^r^an^ci^s,^“Kno^w^T^h^y^H^acker,^”
^In^fo^w^o^rld^,^Jan^u^a^ry²⁸^,²⁰⁰⁵^at^h^t^t^p^://w^ww^.in^f^o^w^o^r^ld^.co^m^/^a^rticle/0⁵^/⁰¹^/²⁸^/⁰⁵^O^P^s^ecad^vⁱ^se_¹^.^h^t^m^l^.
⁶²^Dorot^h^y^De^nning^{, “}^L^e^v^e^l^{s of}^C^y^be^rte^{rror Ca}^pa^bi^lity^{: T}^e^{rrorists a}^{nd the}^Iⁿ^te^rne^t^,”^htt^p^://w^ww^.c^s.g^e^o^r^g^e^towⁿ^.e^du/
^~deⁿ^ning^/ⁱ^nf^os^e^c^/^D^e^nning^-^C^y^b^e^r^te^r^r^o^r^-^S^R^I^.p^pt,^pr^e^s^eⁿ^ta^ti^on,^aⁿ^d^Za^c^k^P^h^il^lips^,^“^H^om^e^l^a^{nd T}^e^c^h^Shop^W^a^nts^to
^Ju^m^p^{-Start Cy}^b^e^rs^ecu^rit^y^Id^eas,”^{CQ Home}^lan^d^Se^c^u^rity^,^Se^pte^m^be^r^14,²⁰⁰⁴^a^t^ht^tp:/^/h^om^e^l^a^nd.c^q^.^c^om^/^h^s^/
^dis^p^la^y^.^do?^docⁱ^d⁼¹³³⁰¹⁵⁰^&^s^our^c^e^t^y^p^e⁼^31&^binde^r^N^a^m^e⁼ⁿ^ew^s^-^a^l^l.

cyberattacks experienced in the near future by industrialized nations will be used by terrorist ⁶³
groups simply to supplement the more traditional physical terrorist attacks.
Some observers have stated that Al Qaeda does not see cyberattack as important for achieving its ⁶⁴
goals, preferring attacks which inflict human casualties. Other observers believe that the groups
most likely to consider and employ cyberattack and cyberterrorism are the terrorist groups
operating in post-industrial societies (such as Europe and the United States), rather than
international terrorist groups that operate in developing regions where there is limited access to
high technology.
However, other sources report that Al Qaeda has taken steps to improve organizational secrecy
through more active and sophisticated use of technology, and evidence suggests that Al Qaeda ⁶⁵
terrorists used the Internet extensively to plan their operations for September 11, 2001. In past
years, Al Qaeda groups reportedly used new Internet-based telephone services to communicate
with other terrorist cells overseas. Khalid Shaikh Mohammed, one of the masterminds of the
attack against the World Trade Center, reportedly used special Internet chat software to
communicate with at least two airline hijackers. Ramzi Yousef, who was sentenced to life
imprisonment for the previous bombing of the World Trade Center, had trained as an electrical
engineer, and had planned to use sophisticated electronics to detonate bombs on 12 U.S. airliners
departing from Asia for the United States. He also used sophisticated encryption to protect his ⁶⁶
data and to prevent law enforcement from reading his plans should he be captured.
Tighter physical security measures now widely in place throughout the United States may
encourage terrorist groups in the future to explore cyberattack as way to lower the risk of ⁶⁷
detection for their operations. However, other security observers believe that terrorist
organizations might be reluctant to launch a cyberattack because it would result in less immediate
drama and have a lower psychological impact than a more conventional bombing attack. These
observers believe that unless a cyberattack can be made to result in actual physical damage or
bloodshed, it will never be considered as serious as a nuclear, biological, or chemical terrorist ⁶⁸
attack.
In March 2007, researchers at Idaho National Laboratories (INL) conducted an experiment
labeled the “Aurora Generator Test” to demonstrate the results of a simulated cyberattack on a
power network. In a video released by the Department of Homeland Security, a power generator
turbine, similar to many now in use throughout the United States, is forced to overheat and shut
down dramatically, after receiving malicious commands from a hacker. The researchers at INL

⁶³^Re^{port w}^a^{s pub}^lishe^dⁱⁿ¹⁹⁹⁹^{, a}^v^a^ila^ble^a^t^htt^p^://w^ww^.nps.na^v^y^.^mⁱ^l/c^tiw^/^r^e^ports/.
⁶⁴^T^h^e^A^s^hla^{nd Institu}^te^f^o^{r Stra}^te^gⁱ^c^Stu^d^ie^{s ha}^{s o}^b^se^rv^e^d^tha^t^A^l^Qa^e^d^a^{is m}^o^re^fⁱ^x^a^t^e^{d on}^phy^sic^a^l^thre^a^t^{s tha}ⁿ
^el^ect^roⁿⁱ^{c on}^es.^Jo^hn^S^w^art^z^,^“Cyb^ert^e^rro^{r Im}^p^act^,^Defen^s^{e Un}^d^e^r^S^c^ru^tⁱⁿ^y^,^”^US^{A T}^o^da^y^,^A^u^g^u^s^t^{3, 200}^{4, p. 2B}^.
⁶⁵^Davi^d^Kap^l^an^,^“^P^l^a^yⁱⁿ^g^Offen^s^e:^T^h^{e In}^si^d^e^S^t^o^r^y^o^f^Ho^w^U.^S^.^T^e^rro^ri^st^Hun^t^{ers A}^r^e^G^oⁱⁿ^{g af}^t^e^r^Al^Qaed^a,^”^U.^S^.
^N^e^w^s^&^W^o^r^l^d^Re^por^t^,^J^u^ne^2,²⁰^03,^pp^{. 1}⁹^-²^9.
⁶⁶^Robe^{rt W}ⁱⁿ^d^re^m^,^“⁹^{/11 De}^ta^ine^e^{: A}^tta^c^k^Sc^a^l^e^d^Ba^c^k^,”^Se^pte^m^be^r^21,²⁰⁰³^,^htt^p^://w^ww^.^m^snbc^.c^om^/ne^w^s/
⁹⁶⁹⁷⁵^9.a^s^p.
⁶⁷^“^T^e^rroris^m^:^Aⁿ^Intro^duc^ti^on,”^A^p^ril^4,²⁰^{03 a}^t^htt^p^://w^ww^.te^rroris^m^aⁿ^swe^r^s.c^o^m^/^te^rrorism^.
⁶⁸^J^a^m^e^s^L^e^wⁱ^s^,^“A^s^s^e^s^sⁱ^ng^the^Rⁱ^s^k^s^of^C^y^be^r^T^e^r^r^o^rⁱ^sm^{, C}^y^be^r^W^a^r^a^{nd O}^t^he^r^C^y^be^r^T^h^r^e^a^t^s^,^”^De^c^e^m^b^e^r^{2002 a}^t
^http:^//w^w^w^.c^sⁱ^s^.^or^g^/^te^c^h^/⁰²¹^1_le^w^is^.pdf^.

were investigating results of a possible cyberattack directed against a vulnerability that, ⁶⁹
reportedly, has since been fixed. The video, however, implied that other multiple power
generators sharing similar cyber vulnerabilities could potentially be disabled the same way.
In July 2002, the U.S. Naval War College hosted a war game called “Digital Pearl Harbor” to
develop a scenario for a coordinated cyberterrorism event, where mock attacks by computer
security experts against critical infrastructure systems simulated state-sponsored cyberwarfare.
The simulated cyberattacks determined that the most vulnerable infrastructure computer systems ⁷⁰
were the Internet itself, and the computer systems that are part of the financial infrastructure. It
was also determined that attempts to cripple the U.S. telecommunications infrastructure would be
unsuccessful because built-in system redundancy would prevent damage from becoming too
widespread. The conclusion of the exercise was that a “Digital Pearl Harbor” in the United States ⁷¹
was only a slight possibility.
However, in 2002, a major vulnerability was discovered in switching equipment software that
threatened the infrastructure for major portions of the Internet. A flaw in the Simple Network
Management Protocol (SNMP) would have enabled attackers to take over Internet routers and
cripple network telecommunications equipment globally. Network and equipment vendors
worldwide raced quickly to fix their products before the problem could be exploited by hackers,
with possible worldwide consequences. U.S. government officials also reportedly made efforts to
keep information about this major vulnerability quiet until after the needed repairs were ⁷²
implemented on vulnerable Internet systems. According to an assessment reportedly written by
the FBI, the security flaw could have been exploited to cause many serious problems, such as
bringing down widespread telephone networks and also halting control information exchanged ⁷³
between ground and aircraft flight control systems.
Security experts agree that a coordinated cyberattack could be used to amplify the effects of a
conventional terrorist attack, including a nuclear, biological, or chemical (NBC) attack. However,
many of these same experts disagree about the damaging effects that might result from an attack

⁶⁹^R^obe^r^t^L^e^m^o^s^,^D^H^S^Vide^o^Sh^ow^s^Pote^nti^a^{l I}^m^pac^t^{of C}^y^be^r^a^ttac^k^{, Se}^c^u^r^ity^Foc^u^s^.^c^o^m^,^Se^pte^m^be^r^27,²⁰⁰⁷^,
^h^t^t^p^:^/^/^www^.^s^ecu^ri^t^y^f^o^cu^s.^co^m^/^b^rⁱ^e^f^/⁵⁹⁷^.
⁷⁰^A^t^the^a^nnua^{l c}^onf^e^r^eⁿ^c^e^of^the^Ce^nte^r^f^o^{r Conf}^lic^{t Stu}^d^ie^s^,^Phil^W^illiam^s^{, D}ⁱ^re^c^t^{or of}^the^P^r^og^ra^m^{on T}^e^rroris^m^a^nd
^T^r^aⁿ^s-Na^tiona^{l Crim}^e^a^{nd the}^Un^iv^e^r^sit^y^of^P^ittsb^u^rg^{h, sa}^id^aⁿ^a^tta^c^k^{on the}^g^l^o^b^a^l^fⁱ^na^nc^ia^{l sy}^ste^m^w^{ould lik}^e^l^y^f^o^c^u^s
^{on k}^e^y^node^sⁱⁿ^the^U^.^S^.^fⁱ^na^nc^ia^{l inf}^r^a^s^tr^uc^tur^e^{: Fe}^dw^ir^e^a^{nd Fe}^dn^e^t^{. Fe}^dw^ir^e^is^the^fⁱ^na^nc^ia^{l f}^unds^t^r^aⁿ^s^f^e^r^sy^s^t^em
^t^h^at^exch^an^ges^m^oⁿ^e^y^a^m^oⁿ^g^U.^S^.^b^aⁿ^k^s,^w^hⁱ^l^e^F^e^dn^etⁱ^s^t^h^{e el}^ect^roⁿⁱ^cⁿ^e^t^w^o^r^{k t}^h^at^h^a^nd^l^e^{s t}^h^{e t}^r^ansactⁱ^oⁿ^s^.^T^h^e
^s^y^st^e^m^h^a^{s o}ⁿ^e^p^rⁱ^m^ar^yⁱⁿ^st^al^l^a^tⁱ^oⁿ^and^t^h^{ree b}^acku^p^s^.^“You^can^fⁱⁿ^d^o^u^t^on^t^h^{e In}^t^e^rn^et^w^h^{ere t}^h^{e backu}^p^s^are.^If
^those^c^o^uld^be^ta^k^e^{n o}^u^t^by^a^mⁱ^{x of}^c^y^be^{r a}^{nd p}^h^y^s^ic^a^l^a^c^tiv^itie^{s, the}^{U.S. e}^c^o^nom^y^w^ould^ba^sic^a^lly^c^o^m^e^{to a}^ha^lt,”
^W^illiam^s^s^a^{id. “}^I^f^the^ta^k^e^do^wⁿ^w^e^r^e^{to inc}^l^u^d^e^t^h^e^inte^rⁿ^a^tio^na^{l f}^unds^traⁿ^s^f^e^r^ne^tw^ork^s^CH^IP^{S a}ⁿ^{d SW}^IFT^theⁿ^t^h^e
^eⁿ^tir^e^g^l^oba^{l e}^c^o^nom^y^c^ould^be^th^r^o^wⁿ^into^c^h^a^o^s^.^”^G^e^or^g^e^B^u^tte^r^s^{, “}^E^x^p^e^c^t^T^e^r^r^o^rⁱ^s^t^A^tta^ck^s^{on G}^l^oba^{l F}ⁱ^na^nc^ia^l
^Sy^s^t^em^,”^O^c^tobe^r^10,²⁰⁰³^a^t^h^ttp^://w^w^w^.the^r^e^gⁱ^s^t^e^r^.c^o.uk^/c^onteⁿ^t/^55/³³²⁶^9.h^t^m^l^.
⁷¹^T^h^e^sim^u^la^{tion inv}^o^lv^e^d^m^o^re^th^aⁿ¹⁰⁰^pa^rtic^ipaⁿ^ts^{. G}^a^rtne^r,^In^c.^,^“C^y^b^erat^t^ack^s:^T^h^{e Resu}^l^t^s^o^f^t^h^{e Gart}ⁿ^e^r/^U.^S^.
^N^a^v^a^l^W^a^r^C^o^lle^g^e^Si^m^u^la^tion,”^J^u^ly^2002,^a^t^ht^tp:/^/w^w^w^3.g^a^r^t^ne^r^.^c^o^m^/^2_e^v^e^nts^/^a^udioc^oⁿ^f^e^r^e^nc^e^s^/^dph^/^dph.^htm^l^{. W}^a^r
^ga^m^e^p^a^rtⁱ^cⁱ^p^an^t^s^w^e^r^e^dⁱ^vi^d^e^dⁱⁿ^t^o^cel^l^s^,^and^d^e^vi^sed^at^t^{acks agai}ⁿ^s^t^t^h^{e el}^ect^ri^cal^p^o^w^{er gri}^d^,^t^e^l^ecomm^uⁿⁱ^catⁱ^oⁿ^s
ⁱⁿ^f^r^ast^r^u^c^t^u^re,^t^h^{e I}ⁿ^t^e^rn^et^and^t^h^{e f}ⁱⁿ^aⁿ^cⁱ^a^l^servi^{ces s}^ect^o^r^.^It^w^a^{s d}^e^t^e^r^mⁱⁿ^ed^t^h^at^“p^eer-t^o^-^p^{eer n}^e^t^w^o^r^kiⁿ^g^,^”^{a sp}^eci^al
^m^e^thod^of^c^o^m^m^unic^a^ting^w^h^e^r^e^e^v^e^r^y^P^C^us^e^d^c^o^m^m^only^a^v^a^ila^ble^s^o^f^t^w^a^r^e^{to a}^c^t^a^s^both^a^s^e^r^v^e^r^a^{nd a}^c^lie^nt^{, p}^o^s^e^d
^a^poteⁿ^tⁱ^a^lly^c^r^itic^a^l^thre^a^t^{to t}^h^e^Iⁿ^te^rne^t^itse^l^f^.^W^illia^m^Ja^c^k^{son, “}^W^a^r^Colle^g^e^Ca^{lls Dig}^ita^{l P}^e^a^r^{l Ha}^{rbor Doa}^b^le^,”
^Go^vern^m^en^t^Co^mpu^t^{er News}^{, A}^u^g^u^s^t^23,²⁰⁰²^{, a}^t^htt^p^://w^w^w^.^g^cⁿ^.c^om^/^v^ol1_^no^1/^da^ily^-upda^te^s^/¹⁹⁷^92-^1.htm^l^.
⁷²^T^h^e^v^u^lne^r^a^b^ility^w^a^s^f^oundⁱⁿ^A^b^s^t^ra^c^t^Sy^nta^x^N^o^ta^{tion O}ⁿ^e^(A^SN^{.1) e}ⁿ^c^o^ding^{, a}^{nd w}^a^s^e^x^trem^e^l^y^wⁱ^de^s^p^re^a^d^.
^Elle^{n Me}^s^s^m^e^r^{, “}^P^r^e^sⁱ^de^nt’^s^A^d^vⁱ^s^o^r^P^r^e^d^ic^ts^C^y^be^r^-^c^a^t^a^s^tr^ophe^s^Uⁿ^le^s^s^Se^c^u^r^ity^I^m^pr^ov^e^s^,”^N^e^tw^or^k^W^o^r^l^{d F}^u^sⁱ^oⁿ^,
^July^{9, 20}^{02 a}^t^htt^p^://w^ww^.n^wf^usion.c^o^m^/^ne^w^s^/²⁰⁰²^/⁰⁷⁰^9sc^h^mⁱ^dt.htm^l.
⁷³^Bart^oⁿ^G^e^l^l^m^an^,^“C^y^b^er-^A^t^t^a^c^k^s^b^y^A^l^Qaed^{a F}^eared^,^”^Wa^shⁱⁿ^g^t^on^Po^st^{, J}^u^ne²⁷^,²⁰^02,^p.^A^01.

directed against control computers that operate the U.S. critical infrastructure. Some observers
have stated that because of U.S. dependency on computer technology, such attacks may have the
potential to create economic damage on a large scale, while other observers have stated that U.S.
infrastructure systems are resilient and would possibly recover easily, thus avoiding any severe or
catastrophic effects.
While describing possible offensive tactics for military cyber operations, DOD officials
reportedly stated that the U.S. could confuse enemies by using cyberattack to open floodgates, ⁷⁴
control traffic lights, or scramble the banking systems in other countries. Likewise, some of
China’s military journals speculate that cyberattacks could disable American financial markets.
China, however, is almost as dependent on these U.S. markets as the United States, and might
possibly suffer even more from such a disruption to finances. As to using cyberattack against
other U.S. critical infrastructures, the amount of potential damage that could be inflicted might be
relatively trivial compared to the costs of discovery, if engaged in by a nation state. However, this
constraint does not apply to non-state actors like Al Qaeda, thus making cyberattack a potentially ⁷⁵
useful tool for those groups who reject the global market economy.
Supervisory Control And Data Acquisition (SCADA) systems are the computers that monitor and
regulate the operations of most critical infrastructure industries (such as the companies that
manage the power grid). These SCADA computers automatically monitor and adjust switching,
manufacturing, and other process control activities, based on digitized feedback data gathered by
sensors. These control systems are often placed in remote locations, are frequently unmanned,
and are accessed only periodically by engineers or technical staff via telecommunications links.
However, for more efficiency, these communication links are increasingly connected to corporate
administrative local area networks, or directly to the Internet.
Some experts believe that the importance of SCADA systems for controlling the critical ⁷⁶
infrastructure may make them an attractive target for terrorists. Many SCADA systems also now
operate using Commercial-Off-The-Shelf (COTS) software, which some observers believe are
inadequately protected against a cyberattack. These SCADA systems are thought to remain
persistently vulnerable to cyberattack because many organizations that operate them have not ⁷⁷
paid proper attention to these systems’ unique computer security needs.

⁷⁴^S^e^b^a^stⁱ^aⁿ^S^p^ren^g^er,^“M^aj^.^G^en^.^L^o^rd^{Is a G}^r^o^uⁿ^d^b^r^eaker,^”^F^e^d^e^ra^l^Co^mpu^t^{er Week}^{, O}^c^tobe^{r 15}^{, 2}⁰⁰⁷^{, v}^o^l.²¹^,^no.
^{34, pp}^.⁴⁴^-⁴^5.
⁷⁵^J^a^m^e^s^L^e^wⁱ^s^,^“A^s^s^e^s^sⁱ^ng^the^Rⁱ^s^k^s^of^C^y^be^r^T^e^r^r^o^rⁱ^sm^{, C}^y^be^r^W^a^r^a^{nd O}^t^he^r^C^y^be^r^T^h^r^e^a^t^s^,^”^De^c^e^m^b^e^r^2002,^a^t
^http:^//w^w^w^.c^sⁱ^s^.^or^g^/^te^c^h^/⁰²¹^1_le^w^is^.pdf^.
⁷⁶^P^r^o^p^rⁱ^e^t^a^r^y^sy^s^t^em^s^a^r^e^uniq^u^e^,^c^u^s^t^om^built^s^o^f^t^w^a^r^e^pr^od^uc^ts^int^e^nde^{d f}^o^rⁱⁿ^s^t^a^lla^tio^{n o}ⁿ^a^f^e^w⁽^o^r^a^sⁱ^ng^le⁾
^co^m^p^u^t^ers,^an^d^t^h^ei^{r un}ⁱ^q^u^eⁿ^e^ss^make^{s t}^h^em^{a l}^e^s^s^at^t^r^actⁱ^v^{e t}^a^r^g^e^t^f^o^{r h}^ackers.^T^h^e^y^{are l}^e^{ss at}^t^r^actⁱ^v^{e b}^ecau^{se f}ⁱⁿ^dⁱⁿ^g
^a^se^c^u^rity^v^u^lne^r^a^b^ility^ta^k^e^{s ti}^m^e^{, a}^{nd a}^ha^c^k^e^r^m^a^y^usua^ll^y^{not c}^o^nside^r^it^w^o^{rth the}ⁱ^r^w^h^ile^{to i}ⁿ^v^e^{st the}^pre^-
^ope^ra^tiv^e^surv^e^illa^nc^e^a^{nd re}^se^a^r^c^h^ne^e^d^e^d^to^a^tta^c^k^a^proprie^ta^ry^sy^ste^m^{on a}^sing^le^c^o^m^pute^r^{. W}ⁱ^de^l^y^use^d
^Co^mmerci^a^l^-^O^f^f^-^T^h^e-S^h^el^f^(COT^S⁾^so^f^t^w^a^r^e^p^r^o^d^u^c^t^s^,^on^t^h^{e o}^t^h^e^r^h^aⁿ^d^,^{are m}^o^{re at}^t^r^actⁱ^v^{e t}^o^h^ack^{ers b}^ecau^{se a}
^sing^le^se^c^u^rity^v^u^lne^r^a^b^ility^{, onc}^e^disc^ov^e^r^e^dⁱⁿ^a^COT^S^pr^o^duc^t,^m^a^y^be^e^m^be^dde^{d in}^num^e^r^{ous c}^o^m^pute^r^{s tha}^t^ha^v^e
^the^s^a^m^e^C^O^T^S^s^o^f^t^w^a^r^e^pr^oduc^t^ins^t^a^lle^d.
⁷⁷^In^du^st^ri^al^co^m^p^u^t^{ers so}^m^e^tⁱ^m^e^s^h^a^{ve o}^p^e^ratⁱⁿ^{g req}^uⁱ^r^em^en^t^s^t^h^at^dⁱ^f^f^{er f}^r^o^m^b^u^sⁱⁿ^{ess o}^r^o^f^fⁱ^{ce co}^m^p^u^t^ers.^F^o^r
^e^x^am^ple^,^m^onitori^ng^a^c^h^e^m^ica^l^proc^e^s^s^,^{or a}^te^le^p^h^oⁿ^e^mⁱ^c^r^o^w^a^v^e^tow^e^r^m^a^y^r^e^quire^24-^ho^{ur c}^o^ntiⁿ^uous^a^v^a^ila^bility
^f^o^r^a^c^r^itic^a^l^indus^tr^ia^{l c}^o^m^pute^r^.^Ev^eⁿ^tho^u^g^hⁱⁿ^d^u^s^t^rⁱ^a^l^s^y^s^t^em^s^m^a^y^ope^r^a^te^us^ing^C^O^T^S^s^o^f^t^w^a^r^e⁽^s^e^e^a^bov^e⁾^{, it m}^a^y
^be^e^c^onom^ic^a^l^l^y^dif^f^ic^{ult to j}^u^s^tif^y^s^u^s^p^e^nding^the^ope^r^a^tioⁿ^of^aⁿ^indus^tr^ia^{l SC}^A^D^A^c^o^m^pute^r^{on a}^r^e^g^u^la^r^ba^sⁱ^s^to
⁽^c^onti^nue^d.^..)

The following example may serve to illustrate the possible vulnerability of control systems and
highlight cybersecurity issues that could arise for infrastructure computers when SCADA controls
are interconnected with office networks. In August 2003, the “Slammer”Internet computer worm
was able to corrupt for five hours the computer control systems at the Davis-Besse nuclear power
plant located in Ohio (fortunately, the power plant was closed and off-line when the cyberattack
occurred). The computer worm was able to successfully penetrate systems in the Davis-Besse
power plant control room largely because the business network for its corporate offices was found ⁷⁸
to have multiple connections to the Internet that bypassed the control room firewall.
Other observers, however, suggest that SCADA systems and the critical infrastructure are more
robust and resilient than early theorists of cyberterror have stated, and that the infrastructure
would likely recover rapidly from a cyberterrorism attack. They cite, for example, that water
system failures, power outages, air traffic disruptions, and other scenarios resembling possible
cyberterrorism often occur as routine events, and rarely affect national security, even marginally.
System failures due to storms routinely occur at the regional level, where service may often be
denied to customers for hours or days. Technical experts who understand the systems would work
to restore functions as quickly as possible. Cyberterrorists would need to attack multiple targets
simultaneously for long periods of time to gradually create terror, achieve strategic goals, or to ⁷⁹
have any noticeable effects on national security.
For more information about SCADA systems, see CRS Report RL31534, Critical Infrastructure:
Control Systems and the Terrorist Threat, by Dana A. Shea.
An important area that is not fully understood concerns the unpredictable interactions between
computer systems that operate the different U.S. infrastructures. The concern is that numerous
interdependencies (where downstream systems may rely on receiving good data through stable
links with upstream computers) could possibly build to a cascade of effects that are unpredictable ⁸⁰
in how they might affect national security. For example, while the “Blaster” worm was
disrupting Internet computers over several days in August 2003, some security experts suggest
that slowness of communication links, caused by Blaster worm network congestion, may have
contributed to the Eastern United States power blackout that occurred simultaneously on August
14. The computer worm could have degraded the performance of several communications links

^(...c^on^tin^ue^d)
^ta^k^e^ti^m^e^{to insta}^{ll e}^v^e^r^y^ne^w^se^c^u^rity^sof^t^w^a^r^e^pa^tc^{h. S}^e^e^inte^rv^ie^w^w^{ith Mic}^h^a^e^l^V^a^tis,^dire^c^t^or^of^the^Instit^ute^f^o^r
^Se^c^u^r^ity^T^e^c^hnolog^y^Studie^s^r^e^la^te^{d to c}^o^uⁿ^te^r^t^e^r^r^o^rⁱ^s^m^a^{nd c}^y^be^r^s^e^c^u^r^ity^{. Sha}^r^{on G}^a^udin,^“^S^e^c^u^r^ity^Ex^pe^r^t^s^:^U^.^S.
^Co^m^p^anⁱ^e^{s Un}^p^r^ep^ared^f^o^{r Cy}^b^e^r^T^e^rro^r,^”^Da^ta^ma^tⁱ^on^{, Ju}^ly^{19, 2}⁰^{02 a}^t^htt^p^://itm^aⁿ^a^g^e^m^eⁿ^t.e^a^r^th^we^b.c^o^m^/^se^c^u^/
^a^r^tic^le^.php^/¹⁴²⁹⁸^51.^A^l^s^o^{, G}^o^v^e^rⁿ^m^e^{nt A}^c^c^ounta^b^ili^ty^Of^fⁱ^c^e^,^Information^S^e^c^u^rity^{: F}^u^rthe^{r Ef}^forts^Ne^e^d^e^d^{to F}^u^lly
^Imp^l^emen^t^S^t^a^t^ut^o^r^{y R}^e^quⁱ^r^emen^t^sⁱⁿ^DOD^{, G}^A^O^-^03-¹⁰^37T^{, J}^u^ly^24,²⁰⁰³^{, p}^.⁸^.
⁷⁸^K^e^vⁱ^{n Pou}^l^s^e^{n, “}^S^la^m^m^e^r^W^o^r^m^C^r^a^s^he^{d O}^hⁱ^o^N^u^k^e^P^l^aⁿ^{t N}^e^tw^or^k^,^”^S^ecu^ri^t^y^F^o^cu^s^{, A}^u^g^u^s^t¹⁹^,²⁰⁰³^{, a}^t
^http:^//w^w^w^.s^e^c^u^rⁱ^t^y^f^o^c^u^s^.^c^o^m^/^ne^w^s^/⁶⁷⁶^7.
⁷⁹^S^c^o^t^t^Nan^ce,^“Debuⁿ^kⁱⁿ^{g F}^ears:^E^x^erci^{se F}ⁱⁿ^d^s^‘Di^gⁱ^t^a^l^P^earl^Harb^o^{r’ Ri}^{sk S}^m^al^l^,^”^Defen^s^{e Wee}^k^,^A^p^rⁱ^l⁷^,²⁰⁰³^at
^http:^//w^w^w^.k^ing^publis^hi^ng^.c^om^/public^a^tⁱ^ons^/^d^w^/^.
⁸⁰^T^h^e^m^o^{st e}^x^pe^nsiv^e^na^tura^{l disa}^s^t^e^r^{in U.S}^.^hⁱ^story^,^Hurric^aⁿ^e^A^ndre^w^{, is re}^porte^{d to}^ha^v^e^c^a^u^se^{d $2}^{5 bi}^llio^{n i}ⁿ
^d^a^m^a^ge,^w^hⁱ^l^e^t^h^{e L}^o^{ve Bu}^{g vi}^ru^{s i}^s^estⁱ^m^at^ed^t^o^h^a^{ve co}^st^co^m^p^u^t^{er u}^s^{ers aro}^uⁿ^d^t^h^{e w}^o^rl^d^so^m^e^wh^{ere b}^e^t^w^een^$³
^billi^{on a}^nd^$1⁵^billi^on.^How^e^v^e^r,^the^L^o^v^e^Bug^vⁱ^{rus w}^a^{s c}^r^e^a^t^e^d^a^{nd la}^unc^he^{d by}^a^sing^le^univ^e^rsit^y^stude^{nt in t}^h^e
^Phili^ppi^ne^{s, re}^ly^ing^{on i}ⁿ^e^x^pe^nsi^v^e^c^o^m^pute^r^e^qui^pm^eⁿ^{t. Christo}^p^h^e^r^Mille^r,^G^A^O^Re^vⁱ^e^w^{of W}^e^ap^on^Sy^s^t^e^m^s
^Softw^ar^e^{, Ma}^r^c^h^3,²⁰⁰³^{, e}^-^m^a^il^c^o^m^m^unic^a^{tion, Mi}^lle^r^C^@^g^a^o^.g^ov^.

between data centers normally used to send warnings to other utility managers downstream on the ⁸¹
power grid.
DOD uses Commercial-Off-The-Shelf (COTS) hardware and software products in core
information technology administrative functions, and also in the combat systems of all services, ⁸²
as for example, in the integrated warfare systems for nuclear aircraft carriers. DOD favors the
use of COTS products in order to take advantage of technological innovation, product flexibility
and standardization, and resulting contract cost-effectiveness. Nevertheless, DOD officials and
others have stated that COTS products are lacking in security, and that strengthening the security
of those products to meet military requirements may be too difficult and costly for most COTS
vendors. To improve security, DOD Information Assurance practices require deploying several
layers of additional protective measures around COTS military systems to make them more ⁸³
difficult for enemy cyberattackers to penetrate.
However, on two separate occasions in 2004, viruses reportedly infiltrated two top-secret
computer systems at the Army Space and Missile Defense Command. It is not clear how the
viruses penetrated the military systems, or what the effects were. Also, contrary to security policy
requirements, the compromised computers reportedly lacked basic anti virus software ⁸⁴
protection. Security experts have noted that no matter how much protection is given to ⁸⁵
computers, hackers are always creating new ways to defeat those protective measures.
Networked computers with exposed vulnerabilities may be disrupted or taken over by a hacker, or
by automated malicious code. Botnets opportunistically scan the Internet to find and infect
computer systems that are poorly configured, or lack current software security patches.
Compromised computers are taken over to become slaves in a “botnet”, which can include
thousands of compromised computers that are remotely controlled to collect sensitive information
from each victim’s PC, or to collectively attack as a swarm against other targeted computers.
Even computers that have updated software and the newest security patches may still be
vulnerable to a type of cyberattack known as a “Zero-Day exploit.” This may occur if a computer

⁸¹^N^e^tw^or^k^c^ong^e^s^{tion c}^a^u^s^e^{d by}^the^B^l^a^s^te^r^w^o^r^m^r^e^por^te^dly^de^lay^e^{d the}^e^x^c^h^aⁿ^g^e^of^c^r^itic^a^l^pow^e^r^g^r^{id c}^o^ntr^o^l^da^ta
^a^c^r^os^s^the^pu^blic^te^le^c^o^m^m^unic^a^tions^ne^tw^or^k^,^w^h^ic^{h c}^ould^ha^v^e^ham^p^e^r^e^d^the^o^p^e^r^a^t^or^s^’^a^b^il^ity^{to pr}^e^v^eⁿ^{t the}
^c^a^s^c^a^d^ing^ef^f^e^c^t^of^the^bla^c^k^out.^D^a^{n Ve}^r^t^on,^“^B^la^s^t^e^r^W^o^r^m^Lⁱ^nke^{d to}^Se^v^e^rⁱ^t^y^of^B^l^a^c^k^out,”^Co^m^p^u^t^erwo^rl^d^{, A}^u^g^u^s^t
^{29, 20}⁰³^,^h^ttp:^//w^w^w^.c^o^m^pute^r^w^o^r^l^d.c^o^m^/^prⁱⁿ^tth^is^/²⁰⁰^3/^0,48¹⁴^,8⁴⁵¹^0,^00.^htm^l^.
⁸²^Som^e^s^h^ips^of^the^U^.^S^.^N^a^vy^us^e^Wⁱ^ndow^s^s^o^f^t^w^a^re^{. Bill Murra}^y^,^“^N^a^v^y^Ca^rrie^r^{to Run W}ⁱⁿ²⁰⁰⁰^,”^GCN.co^m^,
^Se^pte^m^be^{r 11, 2}⁰⁰⁰^,^htt^p^://w^w^w^.^g^cⁿ^.c^om^/^v^ol19^_n^o2^7/^dod/²⁸^68-^1.^htm^l^{. Ma}^{jor U}^.^K^.^na^v^a^{l s}^y^s^t^em^s^d^e^fe^ns^e^c^ontra^c^t^or,
^BA^{E S}^y^s^t^em^s^,^a^l^s^o^took^t^h^e^de^cⁱ^sⁱ^on^{to s}^t^aⁿ^da^rdiz^e^f^u^ture^de^v^e^lop^m^eⁿ^{t on}^Mic^r^os^of^{t W}ⁱ^ndow^s^.^J^o^hⁿ^L^e^ttic^e^,^“^O^SS
^T^o^rpe^doe^d:^Roy^a^{l Na}^vy^W^{ill Run on W}ⁱⁿ^dow^{s f}^o^{r W}^a^rships,”^Re^gi^ste^r^{, Se}^pte^m^be^r^{6, 20}⁰⁴^a^t
^http:^//w^w^w^.the^r^e^gⁱ^s^t^e^r^.c^o.uk^/200^4/^09/^06/^am^s^_^g^o^e^s^_^w^indow^s^_^f^o^r^_^w^a^r^s^hips^/.
⁸³^P^a^tie^nc^e^W^a^{it, “}^D^e^f^eⁿ^se^IT^Se^c^u^rity^Ca^{n’t Re}^{st on COT}^S^,”^GCN.co^m^{, Se}^pte^m^be^r²⁷^{, 2}⁰⁰⁴^{, a}^t^htt^p^://^w^w^w^.^g^cⁿ^.c^om^/
^23_²⁹^/ⁿ^e^w^s^/²⁷⁴^22-^1.h^t^m^l^.
⁸⁴^Dawⁿ^On^l^e^y^,^“^A^r^m^y^Urged^t^o^S^t^ep^Up^IT^S^ecu^ri^t^y^F^o^cu^s,^”^GCN.c^o^m^{, Se}^pte^m^be^r^2,²⁰⁰⁴^{, a}^t^h^ttp:^/^/^w^w^w^.^g^cⁿ^.c^om^/
^v^o^l1_ⁿ^o¹^/^d^a^ily^-^upda^te^s^/²⁷¹^38-^1.^htm^l^.
⁸⁵^P^a^tie^nc^e^W^a^{it, “}^D^e^f^eⁿ^se^IT^Se^c^u^rity^Ca^{n’t Re}^{st on COT}^S^,”^GCN.co^m^{, Se}^pte^m^be^r²⁷^{, 2}⁰⁰⁴^{, a}^t^htt^p^://^w^w^w^.^g^cⁿ^.c^om^/
^23_²⁹^/ⁿ^e^w^s^/²⁷⁴^22-^1.h^t^m^l^.

hacker discovers a new software vulnerability and launches a malicious attack to infect computers
before a security patch can be created by the software vendor and distributed to protect users.
Zero-day vulnerabilities in increasingly complex software are regularly discovered by computer
hackers. Recent news articles report that zero-day vulnerabilities are now available at online
auctions, where buyers and sellers negotiate with timed bidding periods and minimum starting
prices. This allows newly-discovered computer security vulnerabilities to be sold quickly to the
highest bidder. Computer security expert Terri Forslof, of Tipping Point, has reportedly said that
such practices will “...increase the perceived value of vulnerabilities, and the good guys already ⁸⁶
have trouble competing with the money you can get on the black market.”
A major threat for organizations is the ease with which data can now be copied and carried
outside using a variety of portable storage devices, such as small flash drives. Newer high-density
memory stick technology reportedly allows installed computer applications to be run entirely
from the flash drive. This means that the entire contents of a PC could possibly be copied to and ⁸⁷
stored on a small, easily portable, and easily concealed media device.
Employees with access to sensitive information systems can initiate threats in the form of
malicious code inserted into software that is being developed either locally, or under offshore
contracting arrangements. For example, in January 2003, 20 employees of subcontractors
working in the United States at the Sikorsky Aircraft Corporation were arrested for possession of
false identification used to obtain security access to facilities containing restricted and sensitive
military technology. All of the defendants pleaded guilty and have been sentenced, except for one ⁸⁸
individual who was convicted at trial on April 19, 2004.
Vulnerabilities in software and computer system configurations provide entry points for a
cyberattack. Vulnerabilities persist largely as a result of poor security practices and procedures, ⁸⁹
inadequate training in computer security, or technical errors in software products. Inadequate
resources devoted to staffing the security function may also contribute to poor security practices.
Home PC users often have little or no training in best practices for effectively securing home
networks and equipment.
Vendors for Commercial-Off-The-Shelf software (COTS) are often criticized for releasing new ⁹⁰
products with errors that create the computer system vulnerabilities. Richard Clarke, former

⁸⁶^Tⁱ^m^G^r^een^,^W^e^{b Site}^a^u^c^tio^{ns so}^ftware^v^u^lne^r^a^b^ili^tie^{s to}^hi^ghe^{st b}ⁱ^dde^r^{, N}^e^tw^or^k^W^o^r^l^{d, A}^u^g^u^s^t^8,²⁰⁰^7.
⁸⁷^Mc^Af^e^e^Vⁱ^rtua^{l Crim}^inolog^y^Re^port:^Org^a^niz^e^d^Crim^e^a^{nd the}^Int^e^rne^t^{, De}^c^e^m^b^e^r²⁰⁰^6,^http^://w^ww^.sigm^a^.c^o^m^.pl/
^plik^i/^a^l^bum^s^/^us^e^r^pic^s^/¹⁰⁰⁰^7/^Vir^t^ua^l_C^r^im^inolog^y^_^R^e^por^t_²⁰⁰⁶^.p^df^.
⁸⁸^{U.S. A}^ttorne^y^{s O}^f^fⁱ^c^e^,^Distric^t^{of Con}ⁿ^e^c^tic^{ut, a}^t^htt^p^://w^ww^.usdoj.g^ov^/usa^o/^c^t/a^ttf^.ht^m^l.
⁸⁹^T^h^e^SA^{NS Institute}^{, i}ⁿ^c^o^ope^ra^ti^{on w}^{ith t}^h^e^Na^tio^na^{l Inf}^r^a^s^truc^tur^e^P^r^ote^c^tio^{n Ce}^nte^r^(NI^P^C)^{, p}^u^b^lⁱ^s^he^{s a}ⁿ^aⁿⁿ^u^a^l
^lis^{t of}^the¹⁰^m^o^s^t^c^o^m^m^only^ex^ploite^{d v}^u^l^ne^ra^bil^itie^s^f^o^{r W}ⁱ^ndow^s^s^y^s^t^em^s^a^{nd f}^o^{r U}ⁿ^ix^s^y^s^t^em^s^.^The^SAN^S^/FBI
^Tweⁿ^ty^M^o^{st Critic}^al^Inte^rne^t^Se^c^u^rity^Vulⁿ^e^r^ab^ilitie^s,²⁰⁰³^,^SA^{NS, A}^p^{ril 15}^{, 2}⁰⁰³^a^t^htt^p^://w^ww^.s^aⁿ^s.org^/^top2^0/.
⁹⁰^Iⁿ^Se^pte^m^be^r²⁰⁰^{3, Mic}^r^os^of^{t C}^o^r^p^or^a^tio^{n a}ⁿ^no^unc^e^d^t^h^r^e^e^ne^w^c^r^itic^a^l^f^l^aw^s^{in its}^la^te^s^t^Wⁱ^ndow^s^ope^r^a^ti^ng
⁽^c^onti^nue^d.^..)

White House cyberspace advisor until 2003, has reportedly said that many commercial software ⁹¹
products have poorly written, or poorly configured security features. In response to such
criticism, the software industry reportedly has made new efforts to design products with
architectures that are more secure. For example, Microsoft has created a special Security
Response Center and now works with DOD and with industry and government leaders to improve
security features in its new products. However, many software industry representatives reportedly
agree that no matter what investment is made to improve software security, there will continue to ⁹²
be vulnerabilities in future software because products are becoming increasingly more complex.
Although software vendors periodically release fixes or upgrades to solve newly discovered
security problems, an important software security patch might not get scheduled for installation ⁹³
on an organization’s computers until several weeks or months after the patch is available. The
job may be too time-consuming, too complex, or too low a priority for the system administration
staff. With increased software complexity comes the introduction of more vulnerabilities, so
system maintenance is never-ending. Sometimes the security patch itself may disrupt the
computer when installed, forcing the system administrator to take additional time to adjust the
computer to accept the new patch. To avoid such disruption, a security patch may first require
testing on a separate isolated network before it is distributed for installation on all other regular
networked computers.
Because of such delays, the computer security patches installed in many organizations may lag
considerably behind the current cyberthreat situation. Whenever delays are allowed to persist in
private organizations, in government agencies, or among PC users at home, computer
vulnerabilities that are widely reported may remain unprotected, leaving networks open to
possible attack for long periods of time.

^(...c^on^tin^ue^d)
^s^y^ste^m^{s sof}^t^w^a^r^e^{. Se}^c^u^rity^e^x^pe^{rts pre}^d^ic^te^{d t}^h^a^t^c^o^m^pute^r^ha^c^k^e^r^s^m^a^y^possibly^e^x^{ploit the}^s^e^ne^w^vulne^ra^bil^itie^{s by}
^re^le^a^s^ing^m^o^re^a^tta^c^k^prog^ra^m^s^{, s}^u^c^h^a^s^the^“^B^la^ste^r^w^o^rm^”^tha^t^re^c^eⁿ^tly^ta^r^g^e^t^e^d^othe^{r W}ⁱ^nd^ow^{s v}^u^lne^r^a^b^ilitie^s
^c^a^u^sⁱ^ng^wⁱ^de^s^p^r^e^a^d^dis^r^upt^io^{n o}ⁿ^the^Iⁿ^te^rⁿ^e^t^{. J}^a^ik^um^a^r^Vija^y^a^{n, “A}^tta^ck^s^{on N}^e^w^Wⁱ^ndow^s^Fla^w^s^Ex^pe^c^t^e^d^Sooⁿ^,”
^Co^mp^u^t^erwo^rl^d^{, Se}^pte^m^be^r^{15, 2}⁰⁰³^,^v^o^l.³⁷^{, no.}³⁷^{, p. 1.}
⁹¹^A^g^eⁿ^cⁱ^e^s^ope^r^a^ting^na^tio^na^{l s}^e^c^u^r^ity^sy^s^t^em^s^m^u^s^t^pur^c^h^a^s^e^s^o^f^t^w^a^r^e^pr^od^uc^ts^f^r^om^a^lis^{t of}^la^b-^te^s^t^e^d^a^{nd e}^v^a^l^ua^te^d
^pr^o^duc^tsⁱⁿ^a^pr^og^r^a^m^tha^t^r^e^quir^e^s^v^e^ndor^s^to^s^u^bm^{it s}^o^f^t^w^a^r^e^f^o^r^r^e^vⁱ^ew^{in a}ⁿ^accredⁱ^t^e^d^l^a^b^,^{a p}^r^o^c^{ess (kn}^o^wⁿ^as
^certⁱ^fⁱ^c^atⁱ^oⁿ^and^accredⁱ^t^a^tⁱ^oⁿ^und^{er t}^h^{e C}^o^mm^oⁿ^Cri^t^e^ri^a,^{a t}^e^stⁱ^{ng p}^r^o^g^ram^ruⁿ^b^y^t^h^{e Nat}ⁱ^oⁿ^a^l^Iⁿ^f^o^rm^atⁱ^oⁿ
^A^s^s^u^r^a^nc^e^P^a^r^t^ne^r^s^hip)^tha^t^of^te^{n ta}^k^e^s^a^y^e^a^r^a^{nd c}^o^s^t^s^s^e^v^e^r^a^{l thous}^a^nd^dol^la^r^s^{. T}^h^e^r^e^vⁱ^ew^r^e^quir^e^m^e^{nt pr}^e^v^ious^ly
^ha^{s be}^eⁿ^lim^ite^{d to}^m^ilita^r^y^na^tiona^{l se}^c^u^rity^sof^t^wa^re^{, how}^e^v^e^r^{, th}^e^a^d^mⁱ^nistra^{tion ha}^{s sta}^t^e^d^tha^t^t^h^e^g^o^v^e^rn^m^e^{nt w}^ill
^unde^rta^k^e^a^re^vⁱ^ew^of^the^prog^ra^m^{in 200}^{3 t}^o^“^p^os^sⁱ^bly^e^x^te^nd”^{it a}^s^a^ne^w^re^quirem^e^{nt f}^o^{r c}ⁱ^v^ilia^{n a}^g^eⁿ^cⁱ^e^s^{. Elle}ⁿ
^M^e^ss^m^e^r,^W^hⁱ^t^e^Ho^u^s^{e i}^ssu^{e “Nat}ⁱ^oⁿ^a^l^S^t^rat^e^g^y^t^o^S^ecu^{re Cy}^b^e^rsp^ace,^”^N^e^tw^or^k^W^o^r^l^{d Fus}ⁱ^oⁿ^,^Fe^b^r^ua^r^y^{14, 20}⁰³^,
^http:^//w^w^w^.nw^f^us^ion.c^o^m^/^ne^w^s^/2003^/⁰²¹^4ntls^tr^a^t^e^g^y^.^htm^l^.
⁹²^S^c^o^t^t^C^h^arn^e^y^,^Chⁱ^e^f^S^ecu^ri^t^y^S^t^rat^e^gi^st^,^Mⁱ^cro^s^o^f^t^,^S^t^at^em^en^t^b^e^fo^{re t}^h^{e Hou}^s^{e Co}^mmⁱ^t^t^{ee o}ⁿ^A^r^med^S^e^rvi^ces,
^T^e^rroris^m^{, Unc}^onv^eⁿ^tio^na^{l T}^h^re^a^t^{s a}^{nd Ca}^pa^bilitie^{s S}^ubc^om^m^itte^e^,^Iⁿ^f^o^r^m^ati^on^Te^c^hⁿ^o^lo^gyⁱⁿ^the²¹^st^C^e^ntur^y
^Battle^sp^a^ce,^h^earⁱⁿ^g,^Jul^y²⁴^,²⁰⁰³^,^p.^9.
⁹³^A^s^u^r^v^ey^o^f²⁰⁰⁰^P^C^us^e^r^s^f^ound^tha^t^42%^ha^dⁿ^o^t^dow^nloa^de^{d th}^e^v^e^ndor^pa^tc^h^to^w^a^r^d^of^f^the^r^e^ce^{nt B}^l^a^s^te^r^w^o^r^m
^a^tta^c^k^{, 23%}^s^a^{id the}^y^{do n}^o^{t r}^e^g^u^l^a^r^l^y^dow^nloa^{d s}^o^f^t^w^a^r^e^upda^te^s^,^21%^d^o^not^up^da^te^theⁱ^r^aⁿ^ti-^vⁱ^r^u^s^sⁱ^gⁿ^a^t^ur^e^s^{, a}^nd
^70%^s^a^{id t}^h^e^y^w^e^r^e^{not not}^if^ie^{d b}^y^theⁱ^r^c^o^m^p^aⁿ^ie^s^a^bout^the^ur^g^e^{nt thr}^e^a^t^d^u^e^t^o^the^B^l^a^s^te^r^w^o^r^m^{. J}^a^ik^um^a^r^Vija^y^a^n,
^“IT^M^aⁿ^a^ger^s^S^a^y^T^h^e^y^{Are Bei}ⁿ^{g W}^o^rn^Do^wⁿ^b^y^W^a^v^e^o^f^A^t^t^ack^s,^”^Co^mp^u^t^erwo^rl^d^{, A}^u^g^u^s^t²⁵^,²⁰⁰³^{, v}^o^l.³⁷^,^no.
^{34, p. 1.}

There has yet been no published evidence showing a widespread focus by cybercriminals on
attacking the control systems that operate the U.S. civilian critical infrastructure. Disabling
infrastructure controls for communications, electrical distribution or other infrastructure systems,
is often described as a likely scenario to amplify the effects of a simultaneous conventional
terrorist attack involving explosives.
However, in 2006, at a security discussion in Williamsburg, Virginia, a government analyst
reportedly stated that criminal extortion schemes may have already occurred, where
cyberattackers have exploited control system vulnerabilities for economic gain. And, in
December 2006, malicious software that automatically scans for control system vulnerabilities
reportedly was made available on the Internet for use by cybercriminals. This scanner software
reportedly can enable individuals with little knowledge about infrastructure control systems to
locate a SCADA computer connected to the Internet, and quickly identify its security
vulnerabilities.
The Idaho National Laboratory is tasked to study and report on technology risks associated with
infrastructure control systems. Past studies have shown that many, if not most, automated control
systems are connected to the Internet, or connected to corporate administrative systems that are
connected to the Internet, and are currently vulnerable to a cyberattack. And, because many of
these infrastructure SCADA systems were not originally designed with security as a priority, in
many cases, new security controls cannot now be easily implemented to reduce the known ⁹⁴
security vulnerabilities. Following past trends, where hackers and cybercriminals have taken
advantage of easy vulnerabilities, some analysts now predict that we may gradually see new ⁹⁵
instances where cybercriminals exploit vulnerabilities in critical infrastructure control systems.
New, automated attack methods have outpaced current methods for tracking the number and
severity of cyberattacks and cybercrime intrusions. For example, according to a study by the
Cooperative Association for Internet Data Analysis (CAIDA), on January 25, 2003, the SQL
Slammer worm (also known as “Sapphire”) automatically spread to infect more than 90% of
vulnerable computers worldwide within 10 minutes of its release on the Internet, making it the
fastest-spreading computer worm in history. As the study reports, the Slammer worm doubled in
size every 8.5 seconds and achieved its full scanning rate (55 million scans per second) after
about 3 minutes. It caused considerable harm through network outages which led to numerous ⁹⁶
canceled airline flights and automated teller machine (ATM) failures.

⁹⁴^T^e^sti^m^on^y^of^A^a^{ron T}^u^rne^r^{, Ho}^u^s^e^Com^m^itte^e^{on Hom}^e^la^{nd Se}^c^u^rity^{, Subc}^om^m^itte^e^{on Em}^e^r^gⁱ^ng^T^h^re^a^t^s,
^C^y^b^e^rsecu^ri^t^y^an^d^S^cⁱ^eⁿ^{ce & T}^e^c^hⁿ^o^l^o^gy^,^Heariⁿ^{g o}ⁿ^“Cy^b^{er In}^se^cu^ri^t^y^:^Hac^k^{ers ar}^{e P}^eⁿ^e^t^r^atⁱⁿ^{g F}^e^d^e^ral^S^y^st^e^m^{s an}^d
^C^r^itic^a^l^Iⁿ^f^r^a^s^tr^uc^tur^e^,”^A^p^r^{il 19}^,²⁰⁰^7,^htt^p^://^hom^e^l^a^nd.h^ous^e^.^g^o^v^/^Site^D^o^c^u^m^e^nts^/²⁰⁰⁷⁰⁴¹⁹¹⁵³¹³⁰^-⁹⁵¹³^2.p^d^f^.
⁹⁵^T^e^sti^m^on^y^of^A^a^{ron T}^u^rne^r^{, Ho}^u^s^e^Com^m^itte^e^{on Hom}^e^la^{nd Se}^c^u^rity^{, Subc}^om^m^itte^e^{on Em}^e^r^gⁱ^ng^T^h^re^a^t^s,
^C^y^b^e^rsecu^ri^t^y^an^d^S^cⁱ^eⁿ^{ce & T}^e^c^hⁿ^o^l^o^gy^,^Heariⁿ^{g o}ⁿ^“Cy^b^{er In}^se^cu^ri^t^y^:^Hac^k^{ers ar}^{e P}^eⁿ^e^t^r^atⁱⁿ^{g F}^e^d^e^ral^S^y^st^e^m^{s an}^d
^C^r^itic^a^l^Iⁿ^f^r^a^s^tr^uc^tur^e^,”^A^p^r^{il 19}^,²⁰⁰^7,^htt^p^://^hom^e^l^a^nd.h^ous^e^.^g^o^v^/^Site^D^o^c^u^m^e^nts^/²⁰⁰⁷⁰⁴¹⁹¹⁵³¹³⁰^-⁹⁵¹³^2.p^d^f^.
⁹⁶^“^I^nte^r^ne^{t W}^o^r^m^K^e^e^p^s^Strⁱ^kⁱ^ng^,”^J^a^nua^r^y^{27, 2}⁰⁰³^,^CB^S^N^ews.^co^m^a^t^htt^p^://w^ww^.c^bsne^w^s^.c^o^m^/^s^tori^e^s^/200^3/^01/^28/
^te^c^h^/m^aⁱⁿ⁵³⁸²^00.s^h^tm^l.

The use of automated tools for cybercrime has had a dramatic affect on the Computer Emergency
Response Team/ Coordinating Center (CERT/CC). In 2004, CERT/CC announced that it had
abandoned its traditional practice of producing an annual report tracking the number of cyber
intrusions recorded for each year. For many years prior to 2004, CERT/CC had maintained a
database of statistics about security incidents that were reported to it anonymously by businesses
and individuals worldwide. The reason given for abandoning its annual tracking report was
because the widespread use of new, automated cyberattack tools had escalated the number of
network attacks to such a high level, that the CERT/CC organization determined that traditional
methods for counting security incidents had become meaningless as a metric for assessing the ⁹⁷
scope and effects of attacks against Internet-connected systems. The CERT-CC website
currently states, “Given the widespread use of automated attack tools, attacks against Internet-
connected systems have become so commonplace that counts of the number of incidents reported
provide little information with regard to assessing the scope and impact of attacks. Therefore, ⁹⁸
beginning in 2004, we stopped publishing the number of incidents reported.”
The FBI estimates that all types of computer crime in the U.S. now costs industry about $400
billion, while officials in the Department of Trade and Industry in Britain say computer crime has
risen by 50 percent from 2005 to 2006. As one example of costs associated with a recent
computer security breach, TJX, the parent company of TJ Maxx, took a $12 million charge in its
fiscal first quarter of 2008 due to the theft of more than 45 million credit and debit card numbers,
starting in 2006. The money reportedly went to investigating and containing the intrusion,
improving computer security, communicating with customers, and other fees. TJX estimates that,
adding damages from future lawsuits, the breach may eventually cost $100 per lost record, or a ⁹⁹
total of $4.5 billion.
It is estimated that only five per cent of cybercriminals are ever arrested or convicted because the
anonymity associated with web activity makes them hard to catch, and the trail of evidence
needed to link them to a cybercrime is hard to unravel. Studies also show that cybercrime
incidents are rarely reported, especially by companies that wish to avoid negative publicity
leading to possible loss of confidence by its customers. However, law enforcement officials argue
that “maintaining a code of silence” won’t benefit a company in the long-run. Steven Martinez,
deputy assistant director for the FBI’s cyber division, reportedly stated at the 2006 RSI Computer
Security Conference that partnerships between law enforcement, the academic community, and ¹⁰⁰
the private sector are key to understanding and reducing cybercrime.
Each year, the Computer Security Institute (CSI), with help from the FBI, conducts a survey of
thousands of security practitioners from U.S. corporations, government agencies, financial
institutions, and universities. The CSI/FBI Computer Crime and Security Survey, published
annually, is perhaps the most widely-used source of information about how often computer crime
occurs and how expensive these crimes can be. The 2006 survey indicated that the average
financial loss reported due to security breaches was $167,713, an 18% decrease from the previous
year’s average loss of $203,606.

⁹⁷^“^C^ERT^/^{CC Sta}^tistic^{s 198}^8-²⁰⁰⁴^”^a^t^http^://w^ww^.^c^e^r^t.org^/^sta^t^s/^c^e^r^t_sta^t^s.htm^l^.
⁹⁸^CERT^Coordi^na^tio^{n Ce}ⁿ^t^e^r^{, Ca}^rne^g^ie^Me^{llon U}ⁿ^iv^e^r^sity^{, http://w}^ww^.c^e^r^t.org^/^sta^t^s/.
⁹⁹^Sha^r^oⁿ^G^a^udin,^Brea^ch^C^o^{sts Soa}^{r a}^t^T^J^X^{, I}ⁿ^f^o^r^m^a^{tion W}^e^ek^{, Ma}^y^{21, 20}^07,^p.¹⁹^.
¹⁰⁰^Ma^rc^ia^Sa^v^a^g^e^{, “}^C^o^m^pa^nie^s^{Still Not Re}^p^o^rtiⁿ^g^A^tta^c^k^{s, FBI Dire}^c^t^{or Sa}^y^s^,”^Se^a^r^c^h^Se^c^u^rit^y^.c^o^m^{, Fe}^brua^ry^15,
²⁰⁰^{6, htt}^p^://se^a^r^c^h^se^c^u^rity^.te^c^h^ta^rg^e^t^.c^o^m^/origⁱ^na^lConteⁿ^t/
^0,2⁸⁹¹⁴²^,s^id¹⁴^_g^cⁱ¹¹⁶⁶⁸⁴^5,^00.^h^t^m^l^?^buc^k^e^t⁼^N^E^W^S^&^t^opic⁼²⁹⁹⁹^90.

However, some observers argue that the analyses reported in the CSI/FBI survey may be ¹⁰¹
questionable, because the survey methodology is not statistically valid. This is because the
survey is limited only to CSI members, which reduces the likelihood that respondents are a
representative sample of all security practitioners, or that their employers are representative of
employers in general. In addition, the 2006 CSI/FBI survey points out that most companies are
continuing to sweep security incidents under the rug.
With the apparent absence of statistically valid survey results concerning the financial costs of
computer crime, and with an accompanying lack of clear data about the number and types of
computer security incidents reported, it appears that there may be no valid way to currently
understand the real scope and intensity of cybercrime. The growing use of botnets and
sophisticated malicious code also suggests that the percentage of unreported cybercrime, plus the
percentage undetected, may both be going up.
The challenge of identifying the source of attacks is complicated by the unwillingness of
commercial enterprises to report attacks, owing to potential liability concerns. CERT/CC ¹⁰²
estimates that as much as 80% of all actual computer security incidents still remain unreported.
Law enforcement officials concede they are making little progress in tracing the profits and
finances of cybercriminals. Online payment services, such as PayPal and E-Gold, enable
criminals to launder their profits and exploit the shortcomings of international law enforcement.
Recently, Intermix Media was fined $7.5 million in penalties for distribution of spyware which
silently captures personal information from user’s PCs. However, some adware and spyware
purveyors reportedly can still make millions of dollars per year in profits. Many companies who
distribute spyware are difficult to pursue legally because they typically also offer some legitimate
services. In many cases, the finances that back cybercrimes are so distributed they are hard for ¹⁰³
law enforcement to figure out.
Some large cybercriminal groups are transnational, with names like Shadowcrew, Carderplanet,
and Darkprofits. Individuals in these groups reportedly operate from locations all over the world,
working together to hack into systems, steal credit card information and sell identities, in a very ¹⁰⁴
highly structured, organized network. Organized crime is also recruiting teenagers who indicate
they feel safer doing illegal activity online than in the street. A recent report from the McAfee
security organization, titled the “Virtual Criminology Report”, draws on input from Europe’s
leading high-tech crime units and the FBI, and suggests that criminal outfits are targeting top

¹⁰¹^{Bill Bre}ⁿ^ne^{r, “}^S^e^c^u^rity^Blog^L^{og: Ha}^{s CSI/FBI S}^u^rv^e^y^Jum^p^e^d^the^Sha^r^k^?^”^Se^a^r^c^h^Se^c^u^rity^.c^o^m^{, July}^{21, 20}^06,
^http:^//s^e^a^r^c^h^s^e^c^u^r^ity^.te^c^h^ta^r^g^e^t^.c^om^/^c^olum^nI^tem^/^0,29⁴⁶⁹⁸^,s^id1^4_g^cⁱ¹²⁰²³²⁸^,0^0.htm^l^.
¹⁰²^M^aⁿ^y^c^y^b^e^rat^t^a^{cks ar}^{e u}ⁿ^r^ep^o^r^t^e^d^u^s^u^a^l^l^y^b^ecau^{se t}^h^{e o}^r^ganⁱ^zatⁱ^oⁿⁱ^s^un^ab^l^e^t^o^reco^gnⁱ^{ze t}^h^atⁱ^t^h^a^{s b}^een^at^t^acked^,
^o^r^b^ecau^{se t}^h^e^o^r^ganⁱ^zatⁱ^o^{n i}^s^rel^u^ct^an^t^t^o^reveal^p^u^b^lⁱ^c^l^y^t^h^atⁱ^t^h^a^{s exp}^e^ri^en^ced^{a c}^y^b^e^rat^t^a^c^k^,^G^o^v^e^rn^m^eⁿ^t
^A^c^c^ounta^b^il^ity^Of^fⁱ^c^e^,^Iⁿ^for^m^ati^o^{n Se}^c^u^r^ity^:^F^u^r^t^he^r^E^ffor^t^s^N^e^e^d^e^d^to^Ful^l^y^I^m^ple^m^eⁿ^t^Sta^t^ut^or^y^Re^quir^e^m^e^ntsⁱⁿ
^DOD^,^GAO-0³^-¹⁰³⁷^T^,^Ju^ly²⁴^,²⁰⁰³^,^p.^6.
¹⁰³^M^a^t^t^Hiⁿ^e^s,^“M^al^w^a^{re M}^oⁿ^e^y^T^h^o^u^{gh t}^o^T^r^ace,^”^Ewe^e^k^{, Se}^pte^m^b^e^r^18,²⁰⁰⁶^{, p}^.¹⁴^.
¹⁰⁴^K^e^vⁱ^{n Pou}^l^s^e^{n, “}^F^e^d^s^Sq^ua^r^e^of^f^w^{ith O}^r^g^a^niz^e^d^C^y^be^r^C^r^im^e^,^”^Sec^u^r^ity^Foc^u^s^,^Fe^br^ua^r^y^17,²⁰⁰⁵^,
^http:^//w^w^w^.s^e^c^u^rⁱ^t^y^f^o^c^u^s^.^c^o^m^/^ne^w^s^/¹⁰⁵²⁵^.

students from leading academic institutions and helping them acquire more of the skills needed to ¹⁰⁵
commit high-tech crime on a massive scale.
In the future, we may see new and different modes of criminal organization evolve in cyberspace.
Cyberspace frees individuals from many of the constraints that apply to activities in the physical
world, and current forms of criminal organization may not transition well to online crime.
Cybercrime requires less personal contact, less need for formal organization, and no need for
control over a geographical territory. Therefore, some researchers argue that the classical
hierarchical structures of organized crime groups may be unsuitable for organized crime on the
Internet. Consequently, online criminal activity may emphasize lateral relationships and networks ¹⁰⁶
instead of hierarchies.
Instead of assuming stable personnel configurations that can persist for years, online criminal
organization may incorporate the “swarming” model, in which individuals coalesce for a limited
period of time in order to conduct a specific task, or set of tasks, and afterwards go their separate
ways. The task of law enforcement could therefore become much more difficult. If cybercriminals
evolve into the “Mafia of the moment” or the “cartel of the day,” police will lose the advantage of
identifying a permanent group of participants who engage in a set of routine illicit activities, and ¹⁰⁷
this will only contribute to the future success of organized cybercrime.
The federal government has taken steps to improve its own computer security and to encourage
the private sector to also adopt stronger computer security policies and practices to reduce
infrastructure vulnerabilities. In 2002, the Federal Information Security Management Act
(FISMA) was enacted, giving the Office of Management and Budget (OMB) responsibility for ¹⁰⁸
coordinating information security standards and guidelines developed by federal agencies. In
2003, the National Strategy to Secure Cyberspace was published by the Administration to
encourage the private sector to improve computer security for the U.S. critical infrastructure ¹⁰⁹
through having federal agencies set an example for best security practices.
The National Cyber Security Division (NCSD), within the National Protection and Programs
Directorate of the Department of Homeland Security (DHS) oversees a Cyber Security Tracking,
Analysis and Response Center (CSTARC), tasked with conducting analysis of cyberspace threats
and vulnerabilities, issuing alerts and warnings for cyberthreats, improving information sharing,
responding to major cybersecurity incidents, and aiding in national-level recovery efforts. In

¹⁰⁵^{Bill Bren}ⁿ^e^{r, “Crim}ⁱⁿ^a^{ls Fin}^d^Sa^f^e^t^yⁱⁿ^C^y^b^e^rsp^{ace,” Sear}^ch^Secu^rity^.co^m^{, Dec}^e^m^b^e^{r 1}⁸^,²⁰⁰⁶^,
^http:^//se^a^r^c^h^se^c^u^rity^.te^c^h^ta^rge^t^.c^om^/^o^rigⁱ^na^lCon^te^nt/
^0,2⁸⁹¹⁴²^,s^id¹⁴^_g^cⁱ¹²³⁵⁴⁵^5,^00.^h^t^m^l^?^buc^k^e^t⁼^N^E^W^S^&^t^opic⁼²⁹⁹⁹^90.
¹⁰⁶^C^o^uⁿ^c^{il of}^Eur^ope^O^c^t^o^p^u^s^P^r^og^r^a^m^m^e^,^Sum^m^a^r^y^{of t}^h^e^O^r^ga^nis^e^{d C}^r^im^e^Sit^uat^io^{n Re}^p^o^r^t²⁰⁰⁴^:^F^o^c^u^s^oⁿ^t^h^e
^Thr^e^{at of}^C^y^be^r^c^rⁱ^m^e^{, Str}^a^us^bo^ur^g^,^Se^pte^m^be^r^{6, 20}⁰⁴^{, p}^.⁴⁸^.
¹⁰⁷^S^u^san^Brenn^e^r,^“Organⁱ^zed^Cy^b^e^rcri^{me? Ho}^w^C^y^b^e^rsp^{ace M}^a^y^Aff^e^ct^t^h^{e S}^t^ru^ct^u^r^{e o}^f^Cri^mⁱⁿ^al^Rel^a^tⁱ^oⁿ^s^hⁱ^p^s^,^”
^N^o^r^t^h^C^a^r^o^li^na^J^our^{nal of Law}^a^{nd Te}^c^hno^lo^gy^{, 2}⁰⁰²^,^htt^p^://w^ww.jolt.^unc^.e^du/^Vol4^_I1/^W^e^b/Breⁿⁿ^e^r-V^4I^1.h^t^m^.
¹⁰⁸^G^A^O^ha^s^note^d^t^h^a^t^m^aⁿ^y^f^e^de^r^a^{l a}^g^eⁿ^cⁱ^e^s^ha^v^e^{not im}^plem^eⁿ^te^{d s}^e^c^u^r^ity^r^e^quir^e^m^e^nts^f^o^r^m^o^s^t^of^theⁱ^r^s^y^s^t^em^s^,
^a^{nd m}^u^{st m}^e^e^t^ne^w^re^quire^m^e^{nts unde}^r^FISMA^.^Se^e^GA^{O Re}^port^GAO-03-8^52T^,^Iⁿ^f^o^r^m^ati^oⁿ^Se^c^u^r^ity^:^C^onti^nue^d
^E^f^f^o^rt^{s Need}^ed^t^o^F^u^l^l^y^Im^p^l^ement^S^t^a^t^u^t^o^r^{y R}^e^quⁱ^r^emen^t^s^{, J}^u^ne²⁴^{, 20}⁰³^.
¹⁰⁹^Tⁱ^na^be^{th B}^u^r^t^oⁿ^,^I^T^{AA Fi}^nds^M^u^c^h^to^Pr^ais^eⁱⁿ^N^a^ti^on^{al C}^y^be^r^s^e^cur^ity^Plaⁿ^,^Ma^y^{7, 20}^03,
^http:^//w^w^w^.f^inda^r^tic^le^s^.^c^o^m^/^p/^a^r^tic^le^s^/^mⁱ^_g^o1965/^is^_2⁰⁰³⁰^3/^aⁱ^_n7⁴¹⁸⁴⁸^5.

addition, a new Cyber Warning and Information Network (CWIN) has begun operation in 50 ¹¹⁰
locations, and serves as an early warning system for cyberattacks. The CWIN is engineered to
be reliable and survivable, has no dependency on the Internet or the public switched network ¹¹¹
(PSN), and reportedly will not be affected if either the Internet or PSN suffer disruptions.
In January 2004, the NCSD also created the National Cyber Alert System (NCAS), a coordinated
national cybersecurity system that distributes information to subscribers to help identify, analyze,
and prioritize emerging vulnerabilities and cyberthreats. NCAS is managed by the United States
Computer Emergency Readiness Team (US-CERT), a partnership between NCSD and the private
sector, and subscribers can sign up to receive notices from this new service by visiting the US-¹¹²
CERT website.
Cybercrime is also a major international challenge, even though attitudes about what comprises a
criminal act of computer wrongdoing still vary from country to country. However, the Convention
on Cybercrime was adopted in 2001 by the Council of Europe, a consultative assembly of 43
countries, based in Strasbourg. The Convention, effective July 2004, is the first and only
international treaty to deal with breaches of law “over the internet or other information
networks.” The Convention requires participating countries to update and harmonize their
criminal laws against hacking, infringements on copyrights, computer facilitated fraud, child ¹¹³
pornography, and other illicit cyber activities.
Although the United States has signed and ratified the Convention, it did not sign a separate
protocol that contained provisions to criminalize xenophobia and racism on the Internet, which ¹¹⁴
would raise Constitutional issues in the United States. The separate protocol could be
interpreted as requiring nations to imprison anyone guilty of “insulting publicly, through a
computer system” certain groups of people based on characteristics such as race or ethnic origin,
a requirement that could make it a crime to e-mail jokes about ethnic groups or question whether
the Holocaust occurred. The Department of Justice has said that it would be unconstitutional for
the United States to sign that additional protocol because of the First Amendment’s guarantee of
freedom of expression. The Electronic Privacy Information Center, in a June 2004 letter to the
Foreign Relations Committee, objected to U.S. ratification of the Convention, because it would
“create invasive investigative techniques while failing to provide meaningful privacy and civil ¹¹⁵
liberties safeguards.”

¹¹⁰^{Bara V}^aⁱ^d^a,^“W^arnⁱⁿ^g^Cen^t^{er f}^o^r^Cy^b^e^r^A^t^t^a^c^k^{s i}^s^On^lⁱⁿ^e,^Of^fⁱ^ci^al^S^a^y^s^,^”^Daily^Brie^fing^{, G}^o^v^E^x^e^c^.^c^o^m^,^J^une^25,
²⁰⁰^3.
¹¹¹^T^h^e^C^y^be^r^W^a^rⁿ^ing^Iⁿ^f^o^r^m^a^tion^N^e^tw^or^k⁽^C^W^I^N⁾^pr^ov^ide^s^v^o^ic^e^a^{nd da}^ta^c^o^nne^c^tiv^ity^{to g}^o^v^e^rⁿ^m^e^{nt a}ⁿ^dⁱⁿ^dus^tr^y
^pa^rtic^ipaⁿ^ts^{in s}^u^p^port^of^c^r^itic^a^l^inf^r^a^s^truc^ture^pr^ote^c^tⁱ^{on, htt}^p^://w^w^w^.public^s^e^c^t^orins^tit^ute^.^ne^t/^EL^e^tte^rs^/
^H^o^m^e^la^ndSe^c^u^r^ity^Str^a^tegⁱ^e^s^/^V^ol^um^e¹^N^o1/C^y^be^r^W^a^r^ning^N^e^tLa^unc^h.ls^p^.
¹¹²^htt^p^://w^ww^.us-c^e^r^t.^g^o^v^/^c^a^s^/.
¹¹³^Full^te^x^t^f^o^r^the^C^o^nv^eⁿ^tioⁿ^{on C}^y^be^r^C^rⁱ^m^e^m^a^y^be^f^ound^a^t^ht^tp:/^/c^onv^eⁿ^tio^ns^.c^oe^.i^nt/^T^r^e^a^t^y^/^C^o^m^m^un/
^Q^u^e^V^o^u^le^z^V^ous^.a^s^p^?^N^T⁼^185&^C^M⁼⁸^&^D^F=^18/^06/^04&^C^L⁼^E^N^G^.
¹¹⁴^T^h^e^U^.^{S. Se}^na^te^C^o^m^m^itte^e^{on F}^o^r^e^ig^{n R}^e^la^tions^he^ld^a^he^a^r^ing^oⁿ^the^C^onv^eⁿ^ti^on^oⁿ^J^u^ne¹⁷^,²⁰⁰⁴^{. C}^R^S^R^e^por^t
^R^S²¹²⁰^8,^C^y^be^r^c^rⁱ^m^e^:^The^C^o^uⁿ^c^{il of E}^u^r^o^pe^C^o^nv^eⁿ^tioⁿ^,^by^Kris^{tin A}^r^c^h^ic^k^.^Este^lle^Durno^u^t,^C^o^uⁿ^c^{il of}^Eur^ope
^Ratifie^{s Cy}^be^rc^rime^Tre^a^ty^{, ZDN}^e^{t, Ma}^rc^{h 2}²^,²⁰⁰⁴^{, a}^t^h^ttp:^//ne^w^s.z^dne^t.c^o^.uk^/^busine^ss/^le^g^a^l/
^0,3⁹⁰²⁰⁶⁵¹^,3⁹¹⁴⁹⁴⁷^0,^00.^htm^.
¹¹⁵^htt^p^://w^ww^.e^pic^.^org^/^priv^a^c^y^/intl/^se^na^te^le^tte^r-061⁷⁰^4.p^d^f^.

On August 3, 2006, the U.S. Senate passed a resolution of ratification for the Convention. The
United States will comply with the Convention based on existing U.S. federal law; and no new
implementing legislation is expected to be required. Legal analysts say that U.S. negotiators
succeeded in scrapping most objectionable provisions, thereby ensuring that the Convention ¹¹⁶
tracks closely with existing U.S. laws.
Department of Defense (DOD) officials have stated that, while the threat of cyber attack is “less
likely” to appear than conventional physical attack, it could actually prove more damaging
because it could involve disruptive technology that might generate unpredictable consequences ¹¹⁷
that give an adversary unexpected advantages. The Homeland Security Presidential Directive 7
required that the Department of Homeland Security (DHS) coordinate efforts to protect the
cybersecurity for the nation’s critical infrastructure. This resulted in two reports in 2005, titled
“Interim National Infrastructure Protection Plan,” and “The National Plan for Research and
Development in Support of Critical Infrastructure Protection”, where DHS provided a framework
for identifying and prioritizing, and protecting each infrastructure sector.
However, some observers question why, in light of the many such reports describing an urgent
need to reduce cybersecurity vulnerabilities, there is not an apparent perceived sense of national
urgency to close the gap between cybersecurity and the threat of cyberattack. For example,
despite Federal Information Security Management Act of 2002 (FISMA), some experts argue that
security remains a low priority, or is treated almost as an afterthought at some domestic federal ¹¹⁸
agencies. In 2007, the Government Accountability Office issued a report, titled “Critical
Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but
Challenges Remain,” which states that cybersecurity risks have actually increased for
infrastructure control systems because of the persistence of interconnections with the Internet,
and continued open availability of detailed information on the technology and configuration of
the control systems. The report states that no overall strategy yet exists to coordinate activities to
improve computer security across federal agencies and the private sector, which owns the critical ¹¹⁹
infrastructure. Some observers argue that, as businesses gradually strengthen their security
policies for headquarters and administrative systems, the remote systems that control critical
infrastructure and manufacturing may soon be seen as easier targets of opportunity for
cybercrime.
Cybercrime is obviously one of the risks of doing business in the age of the internet, but
observers argue that many decision-makers may currently view it as a low-probability threat.

¹¹⁶^For^m^o^r^e^inf^o^r^m^a^{tion a}^b^o^u^{t t}^h^e^C^onv^eⁿ^tioⁿ^{on C}^y^be^r^c^rⁱ^m^e^{, s}^e^e^C^R^{S R}^e^por^t^R^S²¹²⁰⁸^,^C^y^be^r^c^rⁱ^m^e^:^The^C^o^uncⁱ^l^of
^Eur^ope^C^onv^eⁿ^tⁱ^oⁿ^,^by^{Kristin A}^r^c^h^ic^k^.
¹¹⁷^A^d^v^a^nta^g^e^s^of^E^A^a^{nd C}^N^A^mⁱ^{ght de}^rⁱ^v^e^f^r^om^Uⁿ^ite^{d Sta}^t^e^s^r^e^lia^nc^e^{on a}^c^o^m^pute^r^-^c^ontr^o^lle^{d c}^r^itⁱ^c^a^l
^inf^r^a^s^tr^uc^tur^e^{, a}^l^ong^w^ith^unp^r^e^di^c^t^a^b^le^r^e^s^u^lts^de^pe^ndi^ng^on^s^e^v^e^r^ity^o^f^the^a^tta^c^k^{. J}^a^s^{on She}^r^m^a^{n, “}^B^r^a^cⁱ^ng^f^o^r
^Mode^rⁿ^B^r^a^nds^of^W^a^r^f^a^r^e^,^”^{Air Forc}^e^Time^s^{, Se}^pte^m^be^{r 27,}²⁰⁰⁴^{, htt}^p^://w^w^w^.a^ir^f^o^rc^e^tⁱ^m^es^.c^om^/^s^tory^.php?^f⁼^1-
^A^I^R^P^A^P^E^R^-³⁵⁸⁷²^7.^ph^p^.
¹¹⁸^Sta^t^e^m^eⁿ^{t of}^J^a^m^e^s^A^.^Lewⁱ^s^,^Se^nior^Fe^llow^a^{nd D}ⁱ^r^e^c^t^or^{, T}^e^c^hno^log^y^a^{nd Public}^Polⁱ^c^y^P^r^og^r^a^m^,^C^e^nte^r^f^o^r
^Str^a^te^gⁱ^c^a^{nd I}ⁿ^te^rⁿ^a^tio^na^{l St}^udie^s^{, C}^o^m^m^itte^e^{on H}^ous^e^O^v^e^r^sⁱ^g^h^{t a}^{nd G}^o^v^e^rⁿ^m^e^{nt R}^e^f^o^r^m^Subc^o^m^m^itte^e^on
^G^o^v^e^rⁿ^m^e^{nt Ma}^na^g^e^m^e^{nt, O}^r^g^a^niz^a^{tion, a}^nd^Pr^oc^ur^e^m^eⁿ^{t, Su}^bc^o^m^m^itte^e^{on I}ⁿ^f^o^r^m^a^tion^P^o^lic^y^,^C^e^ns^us^{, a}ⁿ^{d N}^a^tio^na^l
^A^r^c^h^ive^s^{, J}^une^7,²⁰⁰⁷^.
¹¹⁹^G^A^O^-^08-¹¹^9T^,^Critic^{al I}ⁿ^frastr^uc^ture^Pr^ote^c^tⁱ^{on: M}^u^l^tiple^Effort^{s to Se}^c^u^re^C^ontr^o^{l Sy}^ste^m^{s are}^Unde^{r W}^a^y^,^b^u^t
^Challeⁿ^g^e^s^Re^maiⁿ^{, O}^c^to^be^r¹⁷^,²⁰⁰^7.

Some researchers suggest that the numerous past reports describing the need to improve
cybersecurity have not been compelling enough to make the case for dramatic and urgent action
by decision-makers. Others suggest that even though relevant information is available, future
possibilities are still discounted, which reduces the apparent need for present-day action. In
addition, the costs of current inaction are not borne by the current decision-makers. These
researchers argue that IT vendors must be willing to regard security as a product attribute that is
coequal with performance and cost; IT researchers must be willing to value cybersecurity
research as much as they value research for high performance or cost-effective computing; and,
finally, IT purchasers must be willing to incur present-day costs in order to obtain future ¹²⁰
benefits.

Policy issues for cybercrime and cyberterrorism include a need for the following:
• increase awareness about changing threats due to the growing technical skills of
extremists and terrorist groups;
• develop more accurate methods for measuring the effects of cybercrime;
• help to determine appropriate responses by DOD to a cyberattack;
• examine the incentives for achieving the goals of the National Strategy to Secure
Cyberspace;
• search for ways to improve the security of commercial software products;
• explore ways to increase security education and awareness for businesses and
home PC users; and
• find ways for private industry and government to coordinate to protect against
cyberattack.
Congress may also wish to consider ways to harmonize existing federal and state laws that
require notice to persons when their personal information has been affected by a computer
security breach, and that impose obligations on businesses and owners of that restricted ¹²¹
information.
Seized computers belonging to Al Qaeda indicate its members are becoming more familiar with ¹²²
hacker tools and services that are available over the Internet. Could terrorist groups find it
advantageous to hire a cybercrime botnet tailored to attack specific targets, possibly including the

¹²⁰^Se^y^m^our^G^oodm^aⁿ^a^{nd H}^e^r^b^e^r^Lⁱ^{n, e}^d^itor^s^,^T^o^w^a^r^d^a^Saf^e^r^a^{nd M}^o^r^e^Se^c^u^r^e^C^y^be^r^s^p^ace,^C^o^m^m^itte^e^{on I}^m^pr^ovⁱⁿ^g
^Cy^be^rse^c^u^rity^Re^se^arc^h^{in the}^Uⁿ^ite^{d St}^ate^s^{, N}^a^tio^na^{l Re}^s^e^ar^c^h^C^o^unc^il,²⁰⁰⁷^{, pp. 26}^1-²⁶^7,^h^ttp:^//b^ook^s^.^na^p^.^e^du/
^o^p^e^nb^oo^k.^p^h^p^?ⁱ^s^bn⁼⁰³⁰⁹¹⁰³⁹⁵^9.
¹²¹^{For m}^o^re^inf^o^rm^a^{tion a}^b^o^u^{t la}^w^s^re^la^te^{d to}^ideⁿ^t^ity^the^f^{t, se}^e^CRS^Re^{port RL}³⁴¹²^0,^Fe^de^{ral I}ⁿ^form^atioⁿ^Se^c^u^rity
^and^Dat^a^Bre^a^c^h^Noti^fic^ati^oⁿ^La^ws^,^b^y^Gⁱⁿ^a^M^a^ri^{e S}^t^even^s.
¹²²^Ric^h^a^r^{d Cla}^r^k^e^{, “}^V^ulne^ra^bi^lity^{: W}^h^a^t^A^r^e^A^l^Qa^e^d^a^’^{s Ca}^pa^bilitie^s?^”^{PBS Fr}^oⁿ^tli^ne^:^C^y^be^r^w^ar^,^A^p^rⁱ^l²⁰⁰³^,^at
^http:^//www^.pbs.org^.

civilian critical infrastructure of Western nations? Could cybercrime botnets, used strategically,
provide a useful way for extremists to amplify the effects of a conventional terrorist attack using
bombs?
As computer-literate youth increasingly join the ranks of terrorist groups, will cyberterrorism
likely become increasingly more mainstream in the future? Will a computer-literate leader bring
increased awareness of the advantages of an attack on information systems, or be more receptive
to suggestions from other, newer computer-literate members? Once a new tactic has won
widespread media attention, will it likely motivate other rival terrorist groups to follow along the ¹²³
new pathway?
Experiences at CERT/CC show that statistical methods for measuring the volume and economic
effects of cyberattacks may be questionable. Without sound statistical methods to accurately
report the scope and effects of cybercrime, government and legal authorities will continue to have
unreliable measures of the effectiveness of their policies and enforcement actions.
Figures from several computer security reports now used for measuring annual financial losses to
U.S. industry due to intrusions and cybercrime are believed by some observers to be limited in ¹²⁴
scope or possibly contain statistical bias. Is there a need for a more statistically reliable analysis
of trends in computer security vulnerabilities and types of cyberattacks to more accurately show
the costs and benefits for improving national cybersecurity? Congress may wish to encourage
security experts to find more effective ways to collect data that will enable accurate analysis of
trends for cyberattacks and cybercrime. Congress may also wish to encourage security
researchers to find better ways to identify the initiators of cyberattacks.
If a terrorist group were to use a cybercrime botnet to subvert computers in a third party country,
such as China, to launch a cyberattack against the United States, the U.S. response to the
cyberattack must be carefully considered, in order to avoid retaliating against the wrong entity.
Would the resulting effects of cyberweapons used by the United States be difficult to limit or
control? Would a cyberattack response that could be attributed to the United States possibly
encourage other extremists, or rogue nations, to start launching their own cyberattacks against the
United States? Would an attempt by the U.S. to increase surveillance of another entity via use of
cyberespionage computer code be labeled as an unprovoked attack, even if directed against the
computers belonging to a terrorist group? If a terrorist group should subsequently copy, or
reverse-engineer a destructive U.S. military cyberattack program, could it be used against other

¹²³^Jerro^l^d^M^.^P^o^st^,^Keviⁿ^G^.^Rub^y^,^an^d^E^rⁱ^c^D.^S^h^aw^,^“F^ro^m^{Car Bo}^m^b^{s t}^o^L^o^gi^{c Bo}^m^b^s:^T^h^{e G}^r^o^wⁱⁿ^{g T}^h^reat^F^r^o^m
^In^f^o^rmatioⁿ^T^e^rro^rism^,”^Te^rroris^m^an^{d P}^o^litic^a^l^Vi^oleⁿ^c^e^{, s}^u^m^m^e^r²⁰^00,^v^o^l.¹²^{, n}^o^.^2,^pp^{. 9}⁷^-¹²²^.
¹²⁴^A^w^e^{ll k}^now^{n s}^our^c^e^of^inf^o^r^m^a^{tion a}^b^o^u^{t t}^h^e^c^o^s^t^s^of^c^y^be^r^a^tta^cks^is^the^aⁿ^nua^{l c}^o^m^pute^r^s^e^c^u^r^ity^s^u^r^v^ey
^pub^lishe^d^by^the^Com^pute^r^Se^c^u^r^ity^Institute^{(CSI), w}^h^ic^h^u^tiliz^e^s^da^ta^c^o^lle^c^t^e^d^by^the^FBI.^How^e^ve^{r, re}^spon^de^{nts t}^o
^t^h^{e CS}^I/^F^B^I^su^rvey^o^f^co^m^p^u^t^{er secu}^ri^t^yⁱ^ssu^{es ar}^{e gen}^e^ral^l^y^lⁱ^mⁱ^t^e^d^on^l^y^t^o^CS^{I m}^e^m^b^ers,^w^hⁱ^c^h^ma^y^creat^{e st}^atⁱ^s^tⁱ^cal
^bⁱ^{as t}^h^at^af^f^e^ct^{s t}^h^{e su}^rve^y^fⁱⁿ^dⁱⁿ^g^s.^Recen^t^l^y^,^CS^{I h}^a^{s al}^so^con^ceded^w^e^a^kⁿ^e^{sses i}ⁿⁱ^t^s^an^al^y^tⁱ^c^al^ap^p^r^o^ach^and^h^a^s
^sug^g^e^ste^d^tha^t^{its surv}^e^y^o^f^c^o^m^p^ute^r^se^c^u^rity^v^u^lne^r^a^b^ilitie^{s a}ⁿ^dⁱⁿ^cⁱ^de^{nts m}^a^y^be^m^o^re^illustra^tiv^e^thaⁿ^sy^ste^m^a^tic^.
^H^o^w^e^v^e^r^,^the^C^S^I^/^FB^I^s^u^r^v^ey^r^e^m^a^ins^us^e^f^{ul de}^s^p^ite^its^im^pe^r^f^e^c^t^m^e^thodolog^y^.^B^r^uc^e^B^e^r^k^ow^itz^{and R}^obe^r^t^W^.
^Hahⁿ^,^“Cy^b^ersecu^ri^t^y^:^W^h^o^’^{s W}^a^t^c^hⁱⁿ^g^t^h^e^S^t^o^r^e?”^I^s^s^u^e^sⁱⁿ^Sc^ieⁿ^c^e^and^Te^c^hⁿ^o^lo^gy^{, s}^p^ri^ng²⁰⁰³^.

countries that are U.S. allies, or even turned back to attack civilian computer systems in the ¹²⁵
United States? If the effects become widespread and severe, could the U.S. use of ¹²⁶
cyberweapons exceed the customary rules of military conflict, or violate international laws.
Commercial electronics and communications equipment are now used extensively to support
complex U.S. weapons systems, and are possibly vulnerable to cyberattack. This situation is ¹²⁷
known to our potential adversaries. To what degree are military forces and national security
threatened by computer security vulnerabilities that exist in commercial software systems, and
how can the computer industry be encouraged to create new COTS products that are less
vulnerable to cyberattack?
Does the National Strategy to Secure Cyberspace present clear incentives for achieving security
objectives? Suggestions to increase incentives may include requiring that all software procured
for federal agencies be certified under the “Common Criteria” testing program, which is now the
requirement for the procurement of military software. However, industry observers point out that
the software certification process is lengthy and may interfere with innovation and ¹²⁸
competitiveness in the global software market.
Should the National Strategy to Secure Cyberspace rely on voluntary action on the part of private
firms, home users, universities, and government agencies to keep their networks secure, or is
there a need for possible regulation to ensure best security practices? Has public response to
improve computer security been slow partly because there are no regulations currently ¹²⁹
imposed? Would regulation to improve computer security interfere with innovation and

¹²⁵^Se^e^C^R^S^R^e^por^{t R}^L³¹⁷⁸⁷^,^Iⁿ^for^m^atio^{n O}^p^e^r^at^io^ns^{, Ele}^c^t^r^o^nic^W^a^r^f^ar^e^,^aⁿ^d^C^y^be^r^w^ar^:^C^a^pa^bili^ti^e^s^and^Re^late^d
^P^o^lⁱ^{cy Issu}^es^{, by}^C^l^ay^W^ils^on.
¹²⁶^T^h^e^la^{ws of}^w^a^{r a}^r^e^inte^rna^tiona^l^rule^{s tha}^t^ha^v^e^e^v^olv^e^d^{to re}^solv^e^pra^c^tic^a^l^pro^b^le^m^s^re^la^ting^{to m}^ilita^ry^c^onf^lic^t,
^su^ch^{as rest}^raiⁿ^t^s^t^o^p^r^even^t^mⁱ^sb^eh^avi^o^{r o}^r^at^ro^ci^tⁱ^e^s,^an^{d h}^a^{ve n}^o^t^b^een^l^e^gi^sl^at^ed^b^y^an^o^v^erarchⁱ^{ng cen}^t^r^al^au^t^h^o^rⁱ^t^y^.
^T^h^e^Uⁿ^ite^{d Sta}^t^e^s^is^pa^rty^{to v}^a^ri^ous^lim^iting^tre^a^tie^s^.^Som^e^tim^es^the^intr^od^uc^tioⁿ^of^ne^w^te^c^hnolog^y^te^nds^{to f}^o^rc^e
^c^h^aⁿ^g^e^s^{in the}^un^de^r^s^ta^ndi^ng^of^the^la^w^s^of^w^a^r^.^G^a^r^y^A^nde^r^s^{on a}^{nd A}^d^a^m^Gⁱ^f^f^or^{d, “}^O^r^d^e^r^O^u^t^of^Aⁿ^a^r^c^h^y^:^T^h^e
^Inte^rna^tio^na^{l L}^a^w^of^W^a^r,”^The^C^a^{to J}^ourⁿ^a^l^,^A^u^g^u^s^t²⁰^04,^v^o^l.¹⁵^{, no}^{. 1}^,^p^p^.^25-³⁶^.
¹²⁷^Staⁿ^le^y^Ja^k^ubia^k^a^{nd L}^o^we^{ll W}^{ood, “}^{DOD Use}^s^Com^m^e^r^cⁱ^a^l^Sof^t^w^a^r^e^a^{nd Eq}^uipm^eⁿ^{t in T}^a^c^tic^a^l^W^e^a^pons,”
^Sta^t^e^m^eⁿ^{ts be}^f^o^re^the^House^Mi^li^ta^r^y^Re^se^a^r^c^h^a^{nd De}^v^e^lopm^eⁿ^{t Subc}^om^m^itte^e^,^He^a^r^ing^{on EM}^{P T}^h^re^a^t^{s to t}^h^e^U.S.
^Milita^ry^a^{nd Civ}^ilia^{n Inf}^r^a^s^truc^tu^re^{, Oc}^tobe^{r 7}^,¹⁹⁹⁹^{. H}^ouse^A^r^m^e^{d Se}^rv^ic^e^s^Com^m^itte^e^,^Co^mmissi^oⁿ^t^o^{Assess th}^e
^Thr^e^{at t}^o^t^h^e^Uⁿ^ite^{d St}^ate^s^fr^o^m^E^l^ect^ro^ma^gn^etⁱ^c^P^u^l^s^{e A}^t^t^a^ck^,^he^a^r^ing^,^J^u^ly^22,²⁰^04.
¹²⁸^A^g^eⁿ^cⁱ^e^s^ope^r^a^ting^na^tio^na^{l s}^e^c^u^r^ity^sy^s^t^em^s^a^r^e^r^e^quir^e^{d t}^o^p^u^r^c^h^a^s^e^s^o^f^t^w^a^r^e^pr^od^uc^ts^f^r^om^a^lis^t^of^la^b-^te^s^t^e^d^a^nd
^e^v^a^l^ua^te^{d pr}^od^uc^tsⁱⁿ^a^pr^og^r^a^m^r^un^by^the^N^a^tiona^{l I}ⁿ^f^o^r^m^a^{tion A}^s^s^u^r^a^nc^e^P^a^r^t^ne^r^s^hip⁽^N^I^A^P⁾^{, a}^j^o^int^pa^r^t^ne^r^s^hi^p
^be^tw^e^eⁿ^the^Na^tiona^{l Se}^c^u^rity^A^g^eⁿ^c^y^a^{nd the}^Na^ti^ona^{l I}ⁿ^stit^ute^of^Sta^nda^r^d^s^a^{nd T}^e^c^hno^log^y^{. T}^h^e^N^I^A^P^is^the^U^.^S^.
^g^o^v^e^rⁿ^m^e^{nt pr}^og^r^a^m^tha^t^w^o^r^k^s^w^{ith or}^g^a^niz^a^tionsⁱⁿ^a^d^o^z^eⁿ^oth^e^r^c^ountrⁱ^e^s^a^r^ou^{nd t}^h^e^w^o^r^l^{d w}^hⁱ^c^{h ha}^v^e^e^ndor^s^e^d
^the^inte^rⁿ^a^tio^na^{l s}^e^c^u^r^ity^-^e^va^lua^{tion r}^e^gⁱ^m^e^{n k}^now^{n a}^s^the^“^C^om^m^{on C}^rⁱ^t^e^r^ia^.”^T^h^e^pr^og^r^a^m^r^e^quir^e^s^v^e^ndor^s^to
^su^b^mⁱ^t^so^f^t^w^a^re^f^o^{r revi}^e^wⁱⁿ^an^accredⁱ^t^e^d^l^a^b^,^{a p}^r^o^{cess t}^h^at^o^f^t^eⁿ^t^a^{kes a}^y^{ear an}^d^co^st^{s several}^t^hous^aⁿ^{d d}^o^lla^r^s^{. T}^h^e
^re^vⁱ^e^w^pre^v^iously^wa^{s li}^m^ite^{d to}^m^ilita^r^y^na^tiona^{l se}^c^u^rity^sof^t^wa^r^e^a^{nd e}^q^uipm^eⁿ^{t, h}^o^w^e^v^e^{r, the}^Admⁱ^nistra^tion^ha^s
^s^t^a^t^e^d^tha^t^t^h^e^g^o^v^e^rnm^e^{nt w}^{ill unde}^rta^k^e^a^re^vⁱ^ew^o^f^the^prog^ra^m^t^o^“^pos^sⁱ^bly^e^x^te^nd”^this^s^o^f^t^w^a^r^e^c^e^r^tif^ica^tion
^req^uⁱ^rem^eⁿ^t^to^civ^ilian^ag^en^{cies. Ellen}^M^e^ssm^{er, W}^h^{ite H}^o^u^s^{e issu}^{e “Natio}ⁿ^a^{l Strateg}^y^to^Secu^{re C}^y^b^e^rsp^ace,”
^N^e^tw^or^k^W^o^r^l^{d Fus}ⁱ^on^{, Fe}^br^ua^ry^14,²⁰⁰³^{, a}^t^http^://w^ww^.n^wf^us^ion.c^o^m^/^ne^w^s^/²⁰^03/⁰²¹⁴^ntlstra^t^e^g^y^.^htm^l^.
¹²⁹^B^u^sⁱ^ne^s^s^e^x^e^c^u^tiv^e^s^m^a^y^be^ca^utious^a^b^out^s^p^eⁿ^ding^f^o^r^la^r^g^e^ne^w^te^c^hnol^og^y^pr^oje^c^t^s^,^s^u^c^h^a^s^pla^cⁱ^ng^ne^w
^em^pha^sⁱ^s^{on c}^o^m^pute^r^s^e^c^u^r^ity^{. R}^e^s^u^lts^f^r^om^a^Fe^br^ua^r^y²⁰⁰³^s^u^r^v^ey^of^bus^ine^s^s^e^x^e^c^u^tiv^e^s^indic^a^t^e^d^tha^t⁴⁵^%^of
^r^e^s^pon^de^nts^be^lie^v^e^{d t}^h^a^t^m^aⁿ^y^lar^g^e^Iⁿ^f^o^r^m^a^{tion T}^e^c^hnolog^y⁽^I^T⁾^pr^oje^c^t^s^a^r^e^of^te^{n to}^{o e}^x^pe^ns^iv^e^t^o^jus^t^if^y^.
^Ma^na^g^e^r^s^{in the}^s^u^r^v^e^y^pointe^d^to^the^e^s^tim^a^t^e^d^$12^5.9^bil^lio^{n s}^p^eⁿ^{t on}^I^T^pr^oje^c^t^s^be^tw^e^eⁿ¹⁹⁷⁷^aⁿ^{d 2}⁰⁰⁰ⁱⁿ
^pr^e^p^a^r^a^tion^f^o^r^the^y^e^a^r²⁰⁰⁰⁽^Y²^K⁾^c^h^aⁿ^g^e^ov^e^r^{, now}^vⁱ^ew^e^d^by^som^e^a^s^a^non-^e^v^eⁿ^{t. So}^ur^c^e^s^r^e^po^r^t^e^d^tha^t^s^o^m^e
⁽^c^onti^nue^d.^..)

possibly harm U.S. competitiveness in technology markets? Two of the former cybersecurity
advisers to the president have differing views: Howard Schmidt has stated that market forces,
rather than the government, should determine how product technology should evolve for better
cybersecurity; however, Richard Clarke has stated that the IT industry has done little on its own ¹³⁰
to improve security of its own systems and products.
Some security experts emphasize that if systems administrators received the necessary training
for keeping their computer configurations secure, then computer security would greatly improve
for the U.S. critical infrastructure. However, should software product vendors be required to
create higher quality software products that are more secure and that need fewer patches? Could
software vendors possibly increase the level of security for their products by rethinking the
design, or by adding more test procedures during product development?
Ultimately, reducing the threat to national security from cybercrime depends on a strong
commitment by government and the private sector to follow best management practices that help
improve computer security. Numerous government reports already exist that describe the threat of
cybercrime and make recommendations for management practices to improve cybersecurity.
A 2004 survey done by the National Cyber Security Alliance and AOL showed that most home
PC users do not have adequate protection against hackers, do not have updated antivirus software
protection, and are confused about the protections they are supposed to use and how to use ¹³¹
them. How can computer security training be made available to all computer users that will
keep them aware of constantly changing computer security threats, and that will encourage them
to follow proper security procedures?
What can be done to improve sharing of information between federal government, local
governments, and the private sector to improve computer security? Effective cybersecurity

^(...c^on^tin^ue^d)
^boa^r^d^-^l^e^v^e^l^e^x^e^c^u^tiv^e^s^s^t^a^t^e^d^tha^t^the^Y²^K^pr^o^b^le^m^w^a^s^ov^e^r^blowⁿ^a^{nd ov}^e^r^f^unde^{d t}^h^eⁿ^{, a}ⁿ^{d a}^s^a^r^e^s^u^{lt, t}^h^e^y^a^r^e^now
^m^u^c^h^m^o^re^c^a^u^{tious a}^b^out^f^u^ture^spe^ndi^ng^f^o^{r a}ⁿ^y^ne^w^,^m^a^ssi^v^e^{IT initia}^tiv^e^s^{. G}^a^r^y^H.^Aⁿ^the^s^a^{nd T}^hom^a^s^Hoffm^aⁿ^,
^“T^arnⁱ^sh^ed^Image,^”^Co^mp^u^t^erwo^rld^{, Ma}^y^12,²⁰^03,^v^o^l.³⁷^{, n}^o^.¹⁹^{, p.}³⁷^.
¹³⁰^H^o^w^a^r^d^Sc^hm^{idt poi}^nts^o^u^t^tha^t^m^a^jor^te^c^hno^log^y^fⁱ^r^m^s^now^pr^om^ote^aⁿ^ti-^vⁱ^r^u^s^s^o^f^t^w^a^r^e^a^{nd e}ⁿ^c^our^a^g^e^be^tte^r
^c^y^b^e^rsecu^ri^t^y^p^r^actⁱ^ces.^{He st}^res^s^e^{s t}^h^at^m^a^r^k^et^f^o^rce^s^{are cau}^siⁿ^g^p^rⁱ^v^at^{e i}ⁿ^du^st^ry^t^oⁱ^m^p^r^o^v^{e secu}^ri^t^y^o^f^p^r^o^d^u^c^t^s^.
^M^a^rtⁱⁿ^Kad^y^,^“C^y^b^ersecu^ri^t^y^{a W}^eak^Lⁱⁿ^kⁱⁿ^Ho^m^e^l^aⁿ^d^’^{s A}^r^m^o^r,^”^{CQ Weekl}^y^{, Fe}^br^ua^r^y^14,²⁰^05.^Me^aⁿ^w^h^ile^,
^Rⁱ^c^h^a^r^{d C}^l^a^r^k^e^{, w}^{ho init}^ia^lly^opp^os^e^d^r^e^g^u^la^tio^{n d}^u^rⁱ^ng^his^teⁿ^u^r^e^{in t}^h^e^C^lint^oⁿ^aⁿ^d^B^u^s^h^a^d^mⁱ^nis^t^r^a^tions^,^now^s^t^a^t^e^s
^tha^t^the^ITⁱ^ndus^try^only^re^pon^ds^{to im}^prov^e^s^e^c^u^rity^of^its^produc^t^s^w^h^eⁿ^re^g^u^la^{tion is}^t^h^re^a^t^eⁿ^e^d^.^W^illiam^J^a^ck^s^oⁿ^,
^“^T^{o Re}^g^u^la^te^{or Not to}^Re^g^u^la^te^?^T^h^a^t^{Is the}^Que^s^tio^n,”^G^o^v^e^r^nm^eⁿ^{t C}^o^m^pute^r^N^e^w^s^,^Fe^br^ua^r^y^26,²⁰⁰^5.
¹³¹^A²⁰⁰⁴^s^u^r^v^e^y^o^f³²⁹^PC^us^e^r^s^r^e^v^e^a^l^e^d^tha^t^m^o^s^t^c^o^m^pute^r^us^e^r^s^think^t^h^e^y^a^r^e^saf^e^{but la}^c^k^ba^sⁱ^c^pr^ote^c^tio^ns
^a^g^aⁱ^{nst v}ⁱ^ruse^{s, spy}^w^a^r^e^,^ha^c^k^e^r^{s, a}^nd^othe^r^onl^ine^t^h^re^a^t^s.^{In a}^dditⁱ^on,^la^rg^e^m^a^joritie^{s of}^hom^e^c^o^m^pute^r^use^r^{s ha}^v^e
^b^eenⁱⁿ^f^ect^ed^wⁱ^t^h^vi^ru^{ses an}^d^{spyware an}^d^re^m^aⁱⁿ^hⁱ^gh^l^y^v^u^lne^r^a^b^le^to^f^u^ture^inf^e^c^{tions. A}^O^L^a^{nd the}^Na^tiona^l^Cy^be^r
^Se^c^u^rity^A^llia^nc^e^,^“^L^a^r^g^e^{st In-ho}^m^e^Study^of^Hom^e^Com^pute^r^Use^r^{s Show}^{s Ma}^{jor O}ⁿ^line^T^h^re^a^t^s,^Pe^rc^e^p^{tion G}^a^p,”
^Oc^tobe^{r 2}⁰⁰⁴^a^t^http^://www^.sta^y^s^a^f^e^online^.ⁱⁿ^f^o^/ⁿ^e^w^s/NCS^A^-^A^O^L^Iⁿ^-Hom^e^S^tudy^Re^le^a^s^e^.^pdf^.

requires sharing of relevant information about threats, vulnerabilities, and exploits.¹³² How can
the private sector obtain information from the government on specific threats which the
government now considers classified, but which may help the private sector protect against
cyberattack? And, how can the government obtain specific information from private industry
about the number of successful computer intrusions, when companies resist reporting because ¹³³
they want to avoid publicity and guard their trade secrets? Should cybercrime information
voluntarily shared with the federal government about successful intrusions be shielded from
disclosure through Freedom of Information Act requests?
How can the United States better coordinate security policies and international law to gain the
cooperation of other nations to better protect against a cyberattack? Pursuit of hackers may
involve a trace back through networks requiring the cooperation of many Internet Service ¹³⁴
Providers located in several different nations. Pursuit is made increasingly complex if one or
more of the nations involved has a legal policy or political ideology that conflicts with that of the ¹³⁵
United States.
Thirty-eight countries, including the United States, participate in the Council of Europe’s
Convention on Cybercrime, which seeks to combat cybercrime by harmonizing national laws,
improving investigative abilities, and boosting international cooperation. However, how effective
will the Convention without participation of other countries where cybercriminals now operate
freely? (For more on the Convention, see CRS Report RS21208, Cybercrime: The Council of
Europe Convention, by Kristin Archick.)

H.R. 1525—The Internet Spyware (I-SPY) Prevention Act of 2007, proposes penalties for
unauthorized access to computers, or the use of computers to commit crimes. On May 23, 2007,
this bill was received in the Senate and referred to the Committee on the Judiciary.
H.R. 1684—The Department of Homeland Security Authorization Act for Fiscal Year 2008
establishes within the Department of Homeland Security an Office of Cybersecurity and
Communications, headed by the Assistant Secretary for Cybersecurity and Communications, with
responsibility for overseeing preparation, response, and reconstitution for cybersecurity and to
protect communications from terrorist attacks, major disasters, and other emergencies, including
large-scale disruptions.
The bill directs the Assistant Secretary to do the following:

¹³²^G^o^v^e^rn^m^e^nt^A^c^c^ounta^b^ility^O^f^fⁱ^c^e^,^Home^land^Se^c^u^rity^{: E}^fforts^T^o^Impro^v^e^Iⁿ^forma^tio^{n S}^hariⁿ^g^N^e^e^d^{to Be}
^Str^e^ngt^he^ne^d^,^G^A^O^-^03-⁷⁶^{0, A}^u^g^u^s^t²⁰⁰³^.
¹³³^C^R^S^R^e^por^{t R}^L³⁰¹⁵³^,^Critic^a^l^Iⁿ^frastruc^t^u^re^{s: Bac}^k^g^ro^un^{d, P}^o^li^c^y^,^and^Imple^m^eⁿ^t^a^tioⁿ^{, by}^J^{ohn D}^.^Mote^f^f^.
¹³⁴^T^r^{ace b}^a^c^k^t^oⁱ^d^en^tⁱ^fy^{a c}^y^b^e^r^a^t^t^{acker at}^t^h^{e gran}^u^l^{ar l}^e^vel^re^m^aⁱⁿ^{s p}^r^ob^l^e^m^a^tⁱ^c^.^Do^ro^t^h^y^Denⁿⁱⁿ^g^,^Informat^ioⁿ
^W^a^r^f^ar^e^an^{d Se}^c^u^rⁱ^ty⁽^A^ddis^on-^W^e^s^l^ey^{, 199}⁹⁾^,^p.²¹^7.
¹³⁵^{In A}^r^g^e^ntina^,^a^g^r^ou^{p c}^a^lling^t^h^e^m^se^lv^e^s^the^X^-^T^e^a^m^{, ha}^c^k^e^d^into^the^w^e^bsite^of^tha^t^c^o^uⁿ^try^’^{s Sup}^r^e^m^e^{Court in}
^A^p^ri^l²⁰⁰²^.^T^h^{e t}^rⁱ^a^l^j^u^d^g^{e st}^at^ed^t^h^at^t^h^e^l^a^wⁱⁿ^hⁱ^{s cou}ⁿ^t^ry^co^{vers cri}^m^{e ag}^aiⁿ^s^t^p^e^op^l^e^,^t^hⁱⁿ^gs,^and^anⁱ^m^al^{s b}^u^tⁿ^o^t
^w^e^bs^ite^s^.^T^h^e^g^r^oup^{on t}^r^ia^{l w}^a^s^de^c^l^a^r^e^d^not^g^u^ilty^of^bre^a^k^ing^{into the}^w^e^bs^ite^.^P^a^ul^H^illbe^c^k^{, “}^A^r^g^eⁿ^tine^J^udg^e
^Rule^{s in}^Fa^v^o^{r of}^Com^pute^r^Ha^c^k^e^r^s,”^Fe^brua^ry^{5, 20}^02,^a^t^ht^tp:/^/www^.silic^onv^a^lle^y^.^c^o^m^/^m^l^d/^silic^on^v^a^lle^y^/^ne^w^s^/
^edⁱ^t^o^rⁱ^al^/3⁰⁷⁰¹⁹⁴^.^h^t^m^.

• Establish and maintain a capability within the Department for ongoing activities
to identify threats to critical information infrastructure to aid in detection of
vulnerabilities and warning of potential acts of terrorism and other attacks.
• Conduct risk assessments on critical information infrastructure with respect to
acts of terrorism.
• Develop a plan for the continuation of critical information operations in the event
of a cyber attack.
• Define what qualifies as a cyber incident of national significance for purposes of
the National Response Plan.
• Develop a national cybersecurity awareness, training, and education program that
promotes cybersecurity awareness within the Federal Government and
throughout the Nation.
• Consult and coordinate with the Under Secretary for Science and Technology on
cybersecurity research and development to strengthen critical information
infrastructure against acts of terrorism.
On May 11, 2007, this bill was referred to the Senate Committee on Homeland Security and
Governmental Affairs.
H.R. 3221—The New Direction for Energy Independence, National Security, and Consumer
Protection Act proposes establishment of the Grid Modernization Commission to facilitate the
adoption of Smart Grid standards, technologies, and practices across the Nation’s electricity grid.
The bill was passed in the House on August 4, 2007. On October 19, 2007, there was a
unanimous consent request to consider H.R. 3221 in the Senate, but objection was heard.
H.R. 3237—The Smart Grid Facilitation Act of 2007, proposes to modernize the Nation’s
electricity transmission and distribution system to incorporate digital information and controls
technology. “Smart grid” technology functions will include the ability to detect, prevent, respond
to, or recover from cyber-security threats and terrorism. The new Grid Modernization
Commission is directed to undertake, and update on a biannual basis, an assessment of the
progress toward modernizing the electric system including cybersecurity protection for extended
grid systems. On August 24, 2007, the bill was referred to House subcommittee on Energy and
Environment.
^Cla^y^Wⁱ^l^s^oⁿ
^Sp^{ecialist i}ⁿ^Militar^y^Iⁿ^f^o^r^m^at^ioⁿ^T^echⁿ^o^lo^g^y
^c^wⁱ^l^s^on@^crs^.^l^o^c.g^o^v^,^7-⁸⁷⁴⁸