A wild week in cybercrime
None of those things actually happened this week, and Ickistan only exists as a term used by some folks I know at a three-letter agency to refer generically to “lawless nations outside America's sphere of influence, to which you do not want to get posted.” But, if I review some of the real cybercrime-related news this week, you may spot the inspiration for my imaginary headlines.
- The Pentagon let the world know it reserves the right to use military force against cyberattacks, laying out “a more specific role for the U.S. military in the event computer-generated attacks threaten the nation's economy, government, or armed forces.” The use of missile-launching unmanned aerial vehicles (UAVs or drones) in response to cyberattacks was not specifically mentioned, but such a scenario is not hard to imagine.
- An increase in the penalties for cybercrimes was among the amendments to the National Defense Authorization Act that Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) filed last Thursday. Also included, making it a felony to damage a computer than controls systems critical to national security. This seems fair to me, and I have said for some time that cybercrime needs to be punished severely because it is a crime against society, as well as those persons specifically victimized by the crime.
- The Department of Justice (DoJ) wants to be able to prosecute cybercriminal activity under racketeering law aid, possibly modifying the Computer Fraud and Abuse Act (CFAA) to allow offenses to be subject to Racketeering Influenced and Corrupt Organizations Act (RICO) statutes. DoJ Deputy Section Chief Richard Downing said the change is needed because “advancing computer technology has become a substantial tool for organized crime.” In a hearing on Tuesday, he said that “criminal organizations are operating today around the world to: hack into public and private computer systems, including systems key to national security and defense; hijack computers for the purpose of stealing identity and financial information; extort lawful businesses with threats to disrupt computers; and commit a range of other cybercrimes.”
- Security experts expressed strong concerns this week about certain provisions in the Stop Online Piracy Act (SOPA), which had a House Judiciary hearing on Wednesday. SOPA's sweeping provisions to target websites hosting copyright-infringing content or tools would “allow the United States government to order companies to cut off revenue to the site, force search engines to suppress all mention of the site in search results and blacklist the site containing infringing material using Domain Name System (DNS) filtering techniques similar to those used by totalitarian regimes abroad, such as China and Iran.
- Several observers, myself included, remarked on the irony of the United States government creating, via legislation like SOPA and PIPA, the ability for some companies to force changes to DNS, while the FBI and DoJ are trying to catch and convict cybercriminals who distribute DNSChanger malware.
- The recent addition of new UAVs or drones to the hardware deployed by the Department of Homeland Security is prompting fresh discussion of the many legal issues raised by domestic use of a technology associated with military campaigns.
- A survey about copyright infringement sponsored by The American Assembly at Columbia University, with support from a research award from Google, found that “46 percent of adults have bought, copied, or downloaded unauthorized music, TV shows or movies,” but large-scale digital piracy is rare, limited to two percent of adults.
So, we have a push to come down harder on cybercriminals, and some interesting technology options under consideration. But we clearly have some issues to address in the area of proportional response. I hesitate to employ a phrase that has been tainted by over-use and undermined by political abuse, but what we need in cybercrime is a fair and balanced response.
While it is wrong for kids to download pirated movies, and even more wrong for parents to condone or indulge such behavior, that is still a far cry from building a botnet of compromised hosts and using it to orchestrate identity theft, credit card fraud, click-jacking or denial-of-service attacks (whether for ransom or revolution). Hopefully, folks in positions of power and influence will bear that in mind as the fight against cybercrime rages on.