- Email: [email protected]
Cyber terrorism prevention and counteraction workshop review
c o m p u t e r l a w & s e c u r i t y r e v i e w 2 7 ( 2 0 1 1 ) 1 0 6 e1 0 7
available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Cyber terrorism prevention and counteraction workshop review Oleksandr Pastukhov Computer/Law Institute, VU University, Amsterdam, The Netherlands
A NATO Advanced Training Course (ATC) on Cyber Terrorism Prevention and Counteraction, co-organized by the Computer/Law Institute (VU University Amsterdam) and the Center for E-Governance Initiatives (Kiev, Ukraine), took place in Kiev on September 27e29, 2010. The three-day ATC has become a unique opportunity for experts from four NATO member states (the Netherlands, Romania, the UK and the U.S.) to share their experiences with experts from Ukraine e a Partnership for Peace country e and to exchange with their Ukrainian colleagues ideas on the ways to clearly identify the threat posed by cyber terrorism, its political and socioeconomic roots, as well as ways to diminish the associated risks, to prevent cyber attacks and, should they happen, to mitigate their consequences. The specific topics that were explored at the ATC included socio-political roots of the phenomenon of cyber terrorism, interaction between cyber terrorism and organized crime, types of cyber terrorism attacks and risks associated therewith, persons and groups likely to get involved in cybercrime and to resort to cyber terrorism, offenders profiling, governments’ cooperation on cyber terrorism combating and prevention, network security measures, identity management, intrusion detection and integrity verification, data and system protection, technical and legal risk analysis, vulnerability management, data retention and privacy-friendly counteraction measures. Ukraine is a source of a growing number of cyber attacks, many of which can be used by politically motivated individuals and groups and thus become a “peacetime equivalent of a war crime”.1 Although during the short history as an independent nation, Ukraine has avoided armed conflicts or terrorist 1
activities within its borders, the threat e at least potentially e posed by information technologies in the skillful hands of radicals of all sorts should not be ignored in the country. Similar to most countries, in Ukraine cyber terrorism is not a separate corpus delicti. Terrorism as a crime envisaged in Art. 258 of Ukraine’s Criminal Code2 is defined in a narrower sense compared to the UN definition of terrorism as “[a]n anxietyinspiring method of repeated violent action, employed by (semi-) clandestine individual, group or state actors, for idiosyncratic, criminal or political reasons, whereby e in contrast to assassination e direct targets of violence are not main targets”.3 The UN definition covers all the repetitive crimes that utilize fear and include state (-sponsored) terrorism, while the Ukrainian definition stresses on non-materialistic, non-pecuniary motifs of the perpetrator and is concerned with physical persons only. It was recognized by the ATC participants, however, that the gap between the two definitions is being bridged by other corpae delicti contained in the country’s Criminal Code, such as extortion, sabotage, or assassination of a state official or a public figure. A separate article in the Code dealing with cyber terrorism per se should be considered, nevertheless, since this particular type of terrorism takes special kinds of response to tackle. A special response may be justifiable when a threat is emanating from a group with capacities to selforganize on a sustained basis, to engage in sophisticated plans and operations, and to operate independently from normal life or to have the capacity to cause considerably harm, both on- and off-line. While the Ukrainian material law on the subject seems to be adequate for now, it is the enforcement and the related
Yew Meng Hor, M., Vridar Ramraj V., Kent Roach, eds. (2005), Global Anti-Terrorism Law and Policy, Cambridge University Press, p. 52. Art. 258 reads: “An act of terrorism, that is the use of weapons, explosions, fire or any other actions that exposed human life or health to danger or caused significant pecuniary damage or any other grave consequences, where such actions sought to violate public security, intimidate population, provoke an armed conflict, or international tension, or to exert influence on decisions made or actions taken or not taken by government agencies or local government authorities, officials and officers of such bodies, associations of citizens, legal entities, or to attract attention of the public to certain political, religious or any other convictions of the culprit (terrorist), and also a threat to commit any such acts for the same purposes” [English translation of the OSCE Office for Democratic Institutions and Human Rights, available at http://www.legislationline.org/documents/section/criminal-codes]. 3 Siegel, L.J. (2009), Essentials of Criminal Justice, Wadsworth Cengage Learning, Exhibit 4.1, p.106. 0267-3649/$ e see front matter ª 2011 Oleksandr Pastukhov. Published by Elsevier Ltd. All rights reserved doi:10.1016/j.clsr.2010.11.005 2
c o m p u t e r l a w & s e c u r i t y r e v i e w 2 7 ( 2 0 1 1 ) 1 0 6 e1 0 7
procedural rules that caused the participants’ concerns. The slow and bureaucratized procedures, the excessive secrecy of sources and surveillance techniques are prominent among these concerns, as well as the problems inevitably caused by investigating activities of terrorist networks, dealing with which requires cooperation of many jurisdictions at home and abroad, many of which are incompetent and uncooperative. In this regard, the ‘shortcuts’ provided by the Cybercrime Convention were seen by the ATC participants as particularly instrumental. Since most of the information networks and many objects of utilities and critical infrastructure are in private hands these days, a growing number of companies in Ukraine, just like their counterparts abroad, find themselves in a position whereby protecting themselves they protect society at large. Such self-help techniques as non-disclosure agreements with employees, personnel trainings and certification, identity management, intrusion detection, internal procedures for containment and recovery, as well as technical vulnerability and legal risk management were recognized by the participants as extremely effective and efficient. Finally, the need to preserve individual rights and freedoms when investigating, prosecuting, or trying to prevent cyber attacks, including those that amount to acts of cyber terrorism, was stressed throughout the event. The law enforcers in attendance were urged to strictly follow the rules of the Code of Criminal Procedure and the requirements of the recently adopted Law of Ukraine on the Protection of Personal Data that is coming into force on January 1, 2011. While any democratic society has the right to defend itself, the European Human Rights Convention, to which Ukraine is party,
107
expressly prohibits “for any State, group or person any right to engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms set forth herein or at their limitation to a greater extent than is provided for in the Convention”.4 After all, strictly following the letter and the spirit of law is in the officers’ own interests: when the case reaches the court, a defence lawyer can argue that the evidence was obtained in an unlawful manner and is thus inadmissible, rendering many days of scrupulous work of many agents futile. Given the low approval rates of Ukraine’s NATO membership by Ukrainian citizens and the recently changed attitude of Ukraine’s officials towards the Organization, the ATC has considerably contributed to improving NATO’s public image in the country. The event, which was financially supported by the NATO Science for Peace and Security Programme, has demonstrated to Ukrainian law enforcers, academics, lawyers, computer network specialists and laymen that NATO is not a purely military alliance, but also a modern international organization that deals with problems of security at all levels and whose activities are relevant to people’s everyday lives. More details on the ATC, including selected slide shows and readers, are available at http://cli.vu/nieuws/nieuws.php. Some thoughts of the Romanian lecturer, Mr. Cristian Driga, inspired by the event have been posted on the Romanian blog dedicated to cybercrime issues at http://www.en.criminalitate. info/2010/10/cyber-terrorism-from-fiction-to-reality.html. Dr. Oleksandr Pastukhov ([email protected]) Post-Doctoral Researcher, Computer/Law Institute VU University Amsterdam.
4
Convention for the Protection of Human Rights and Fundamental Freedoms as amended by Protocols No. 11 and No. 14, Rome, 4.XI.1950, Art. 17, available at http://conventions.coe.int/ treaty/en/treaties/html/005.htm.
available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Cyber terrorism prevention and counteraction workshop review Oleksandr Pastukhov Computer/Law Institute, VU University, Amsterdam, The Netherlands
A NATO Advanced Training Course (ATC) on Cyber Terrorism Prevention and Counteraction, co-organized by the Computer/Law Institute (VU University Amsterdam) and the Center for E-Governance Initiatives (Kiev, Ukraine), took place in Kiev on September 27e29, 2010. The three-day ATC has become a unique opportunity for experts from four NATO member states (the Netherlands, Romania, the UK and the U.S.) to share their experiences with experts from Ukraine e a Partnership for Peace country e and to exchange with their Ukrainian colleagues ideas on the ways to clearly identify the threat posed by cyber terrorism, its political and socioeconomic roots, as well as ways to diminish the associated risks, to prevent cyber attacks and, should they happen, to mitigate their consequences. The specific topics that were explored at the ATC included socio-political roots of the phenomenon of cyber terrorism, interaction between cyber terrorism and organized crime, types of cyber terrorism attacks and risks associated therewith, persons and groups likely to get involved in cybercrime and to resort to cyber terrorism, offenders profiling, governments’ cooperation on cyber terrorism combating and prevention, network security measures, identity management, intrusion detection and integrity verification, data and system protection, technical and legal risk analysis, vulnerability management, data retention and privacy-friendly counteraction measures. Ukraine is a source of a growing number of cyber attacks, many of which can be used by politically motivated individuals and groups and thus become a “peacetime equivalent of a war crime”.1 Although during the short history as an independent nation, Ukraine has avoided armed conflicts or terrorist 1
activities within its borders, the threat e at least potentially e posed by information technologies in the skillful hands of radicals of all sorts should not be ignored in the country. Similar to most countries, in Ukraine cyber terrorism is not a separate corpus delicti. Terrorism as a crime envisaged in Art. 258 of Ukraine’s Criminal Code2 is defined in a narrower sense compared to the UN definition of terrorism as “[a]n anxietyinspiring method of repeated violent action, employed by (semi-) clandestine individual, group or state actors, for idiosyncratic, criminal or political reasons, whereby e in contrast to assassination e direct targets of violence are not main targets”.3 The UN definition covers all the repetitive crimes that utilize fear and include state (-sponsored) terrorism, while the Ukrainian definition stresses on non-materialistic, non-pecuniary motifs of the perpetrator and is concerned with physical persons only. It was recognized by the ATC participants, however, that the gap between the two definitions is being bridged by other corpae delicti contained in the country’s Criminal Code, such as extortion, sabotage, or assassination of a state official or a public figure. A separate article in the Code dealing with cyber terrorism per se should be considered, nevertheless, since this particular type of terrorism takes special kinds of response to tackle. A special response may be justifiable when a threat is emanating from a group with capacities to selforganize on a sustained basis, to engage in sophisticated plans and operations, and to operate independently from normal life or to have the capacity to cause considerably harm, both on- and off-line. While the Ukrainian material law on the subject seems to be adequate for now, it is the enforcement and the related
Yew Meng Hor, M., Vridar Ramraj V., Kent Roach, eds. (2005), Global Anti-Terrorism Law and Policy, Cambridge University Press, p. 52. Art. 258 reads: “An act of terrorism, that is the use of weapons, explosions, fire or any other actions that exposed human life or health to danger or caused significant pecuniary damage or any other grave consequences, where such actions sought to violate public security, intimidate population, provoke an armed conflict, or international tension, or to exert influence on decisions made or actions taken or not taken by government agencies or local government authorities, officials and officers of such bodies, associations of citizens, legal entities, or to attract attention of the public to certain political, religious or any other convictions of the culprit (terrorist), and also a threat to commit any such acts for the same purposes” [English translation of the OSCE Office for Democratic Institutions and Human Rights, available at http://www.legislationline.org/documents/section/criminal-codes]. 3 Siegel, L.J. (2009), Essentials of Criminal Justice, Wadsworth Cengage Learning, Exhibit 4.1, p.106. 0267-3649/$ e see front matter ª 2011 Oleksandr Pastukhov. Published by Elsevier Ltd. All rights reserved doi:10.1016/j.clsr.2010.11.005 2
c o m p u t e r l a w & s e c u r i t y r e v i e w 2 7 ( 2 0 1 1 ) 1 0 6 e1 0 7
procedural rules that caused the participants’ concerns. The slow and bureaucratized procedures, the excessive secrecy of sources and surveillance techniques are prominent among these concerns, as well as the problems inevitably caused by investigating activities of terrorist networks, dealing with which requires cooperation of many jurisdictions at home and abroad, many of which are incompetent and uncooperative. In this regard, the ‘shortcuts’ provided by the Cybercrime Convention were seen by the ATC participants as particularly instrumental. Since most of the information networks and many objects of utilities and critical infrastructure are in private hands these days, a growing number of companies in Ukraine, just like their counterparts abroad, find themselves in a position whereby protecting themselves they protect society at large. Such self-help techniques as non-disclosure agreements with employees, personnel trainings and certification, identity management, intrusion detection, internal procedures for containment and recovery, as well as technical vulnerability and legal risk management were recognized by the participants as extremely effective and efficient. Finally, the need to preserve individual rights and freedoms when investigating, prosecuting, or trying to prevent cyber attacks, including those that amount to acts of cyber terrorism, was stressed throughout the event. The law enforcers in attendance were urged to strictly follow the rules of the Code of Criminal Procedure and the requirements of the recently adopted Law of Ukraine on the Protection of Personal Data that is coming into force on January 1, 2011. While any democratic society has the right to defend itself, the European Human Rights Convention, to which Ukraine is party,
107
expressly prohibits “for any State, group or person any right to engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms set forth herein or at their limitation to a greater extent than is provided for in the Convention”.4 After all, strictly following the letter and the spirit of law is in the officers’ own interests: when the case reaches the court, a defence lawyer can argue that the evidence was obtained in an unlawful manner and is thus inadmissible, rendering many days of scrupulous work of many agents futile. Given the low approval rates of Ukraine’s NATO membership by Ukrainian citizens and the recently changed attitude of Ukraine’s officials towards the Organization, the ATC has considerably contributed to improving NATO’s public image in the country. The event, which was financially supported by the NATO Science for Peace and Security Programme, has demonstrated to Ukrainian law enforcers, academics, lawyers, computer network specialists and laymen that NATO is not a purely military alliance, but also a modern international organization that deals with problems of security at all levels and whose activities are relevant to people’s everyday lives. More details on the ATC, including selected slide shows and readers, are available at http://cli.vu/nieuws/nieuws.php. Some thoughts of the Romanian lecturer, Mr. Cristian Driga, inspired by the event have been posted on the Romanian blog dedicated to cybercrime issues at http://www.en.criminalitate. info/2010/10/cyber-terrorism-from-fiction-to-reality.html. Dr. Oleksandr Pastukhov ([email protected]) Post-Doctoral Researcher, Computer/Law Institute VU University Amsterdam.
4
Convention for the Protection of Human Rights and Fundamental Freedoms as amended by Protocols No. 11 and No. 14, Rome, 4.XI.1950, Art. 17, available at http://conventions.coe.int/ treaty/en/treaties/html/005.htm.