Comment: Hacking is not terrorism

[InfoSec News <isn () c4i org>]

http://www.vnunet.com/News/1126513

By Neil Barrett
VNU Business Publications 
[29-10-2001]

The Americans are, it would seem, determined to equate hackers with
terrorists: new legal proposals would make many system intrusions a
terrorist act.

On the face of it this is a surprising thing - some might say an
overreaction. There is, though, a form of logic behind it, but one I
believe the rest of us would be well advised to avoid.

In the US, the major law covering hacking is the Computer Fraud and
Abuse statute, which makes it a fraud-related offence, hence the
primary responsibility of the US Treasury and its investigative arm,
the Secret Service.

Yes, the men in dark suits and sunglasses, with hearing aids and
hidden guns, are responsible for tracking the night-pale brigade of
network freeloaders.

But a significant element of this act covers computers that are of
'federal interest': those that carry government traffic, operate
directly or indirectly on behalf of a federal agency, or whose
impairment would affect the operation of federal government. It's hard
to imagine a major hacking target that could not be shoehorned into
this loose specification.

With worries over the critical national infrastructure - that general
federation of networks and systems whose destruction or damage would
in turn damage national interests - resulting quite naturally from the
events of last month, it is no surprise that this topic is high on the
US Government's agenda. But it is hard to make a justification for
seeing hackers as terrorists in a legal framework that does not
provide this 'federal interest' contingency.

The UK's Computer Misuse Act, the nearest equivalent, makes no implied
or explicit distinction regarding the systems that are intruded on.
This is quite apart from the other major difference in the two laws:
that of fraud in the US versus 'unauthorised access', or trespass, in
the UK.

Because of this, in the UK it would be necessary to introduce computer
offences into the Terrorism Act - and indeed, the new version of that
act has clauses that would cover the use of terror tactics with
computers.

However, we have to recognise some simple truths. A significant
element of terrorism is that it causes terror. Sure, it has to be
politically motivated, performed by an identifiable sub-state group,
and illegal, but the major element is that it is intended to induce
political activity or changes as a result of terror.

Hacking does not cause terror. It makes people angry; it costs money;
it can be offensive; it induces trepidation. But no one is likely to
say a computer hack induces terror. Take a current TV advert, in which
the website of a cheese manufacturer is hacked by a French cheese
maker. It's funny! It's not terrifying, and that's what most hacking
is like.

I'm not saying we shouldn't take it seriously, but we shouldn't
reflexively lump hacking in with bombs, bullets and torture simply on
the basis of a belief that the terrorists of last month could have
done things with a computer, and that some security experts believe a
really clever, motivated hacker could intrude on some sensitive
control systems.

Let's instead make it clear just what we think of terrorism, in all
its forms. If hackers eventually start to act like terrorists, then
fine. We have laws to cover them. But let's not make a knee-jerk
response and automatically interpret hacking as a form of terrorism.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.