[ISN] Comment: Hacking is not terrorism

From: InfoSec News (isnat_private)
Date: Tue Oct 30 2001 - 01:40:09 PST

  • Next message: InfoSec News: "[ISN] IEEE thing in NYC"

    By Neil Barrett
    VNU Business Publications 
    The Americans are, it would seem, determined to equate hackers with
    terrorists: new legal proposals would make many system intrusions a
    terrorist act.
    On the face of it this is a surprising thing - some might say an
    overreaction. There is, though, a form of logic behind it, but one I
    believe the rest of us would be well advised to avoid.
    In the US, the major law covering hacking is the Computer Fraud and
    Abuse statute, which makes it a fraud-related offence, hence the
    primary responsibility of the US Treasury and its investigative arm,
    the Secret Service.
    Yes, the men in dark suits and sunglasses, with hearing aids and
    hidden guns, are responsible for tracking the night-pale brigade of
    network freeloaders.
    But a significant element of this act covers computers that are of
    'federal interest': those that carry government traffic, operate
    directly or indirectly on behalf of a federal agency, or whose
    impairment would affect the operation of federal government. It's hard
    to imagine a major hacking target that could not be shoehorned into
    this loose specification.
    With worries over the critical national infrastructure - that general
    federation of networks and systems whose destruction or damage would
    in turn damage national interests - resulting quite naturally from the
    events of last month, it is no surprise that this topic is high on the
    US Government's agenda. But it is hard to make a justification for
    seeing hackers as terrorists in a legal framework that does not
    provide this 'federal interest' contingency.
    The UK's Computer Misuse Act, the nearest equivalent, makes no implied
    or explicit distinction regarding the systems that are intruded on.
    This is quite apart from the other major difference in the two laws:
    that of fraud in the US versus 'unauthorised access', or trespass, in
    the UK.
    Because of this, in the UK it would be necessary to introduce computer
    offences into the Terrorism Act - and indeed, the new version of that
    act has clauses that would cover the use of terror tactics with
    However, we have to recognise some simple truths. A significant
    element of terrorism is that it causes terror. Sure, it has to be
    politically motivated, performed by an identifiable sub-state group,
    and illegal, but the major element is that it is intended to induce
    political activity or changes as a result of terror.
    Hacking does not cause terror. It makes people angry; it costs money;
    it can be offensive; it induces trepidation. But no one is likely to
    say a computer hack induces terror. Take a current TV advert, in which
    the website of a cheese manufacturer is hacked by a French cheese
    maker. It's funny! It's not terrifying, and that's what most hacking
    is like.
    I'm not saying we shouldn't take it seriously, but we shouldn't
    reflexively lump hacking in with bombs, bullets and torture simply on
    the basis of a belief that the terrorists of last month could have
    done things with a computer, and that some security experts believe a
    really clever, motivated hacker could intrude on some sensitive
    control systems.
    Let's instead make it clear just what we think of terrorism, in all
    its forms. If hackers eventually start to act like terrorists, then
    fine. We have laws to cover them. But let's not make a knee-jerk
    response and automatically interpret hacking as a form of terrorism.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 03:37:19 PST