While the U.S. was contemplating military action against the Syrian government for its alleged use of chemical weapons in Damascus, The New York Times found itself under attack. In late August, hackers sympathetic to Syrian President Bashar Assad disrupted service to the newspaper’s website. At one point, the group even redirected users to a page that read “Hacked by the Syrian Electronic Army.”
As this outage demonstrates, hackers can wrest control of powerful organizations without so much as picking up a weapon, entering enemy territory or even leaving their desks.
With cyberattacks on the rise, security experts such as Richard Matthew, UC Irvine professor of planning, policy & design and political science, have become increasingly concerned about the threats they pose to nations and individuals. Matthew, who directs the university’s Center for Unconventional Security Affairs, now views cyberattacks – along with climate change and economic globalization – as having the potential to seriously impact daily life, affecting private industry, government services, travel, power, and other critical infrastructure and operations.
“We have this cyberworld that’s growing extremely fast. We’re moving toward the day when everyone will be able to connect to the Internet,” Matthew says. “It’s accessible, inexpensive and fairly easy for users to maintain a high level of anonymity.
“There are all kinds of ways for people to use this technology, some good and some not. Espionage, fraud, theft – all of these are taking place in cyberspace, and we’re scrambling to figure out what to do in response.”
In July, the McAfee security firm reported that malicious online activity – including service disruptions, piracy and loss of sensitive business information – costs the U.S. economy about $100 billion annually and more than 500,000 jobs. The toll on the global economy is estimated to be as high as $500 billion.
Internet crime pays for myriad reasons. Cybercriminals, Matthew notes, operate in a world where borders don’t matter and laws can often be circumvented. They don’t need to set up a phony bricks-and-mortar business to scam customers. They don’t need firearms, fake passports or cash.
Governments and antigovernment groups alike, organized crime cartels, individual profiteers and unethical corporations, teenage malcontents and terrorists – anyone with the tech capability can get in on the action. Many perpetrators, such as the infamous “Mafiaboy” who launched denial-of-service attacks against CNN, Yahoo and eBay, aren’t even old enough to drive.
“It’s hard to know how to respond or even identify where the attacks are coming from,” Matthew says. “Our security apparatus is far more geared to dealing with physical threats.”
In the past, countries like the U.S. were largely protected by their geography, but the Internet has exposed them to intrusions from around the globe. In May, for instance, Bloomberg reported that Chinese bloggers had stolen valuable drone technology from the U.S. military by infiltrating the computers of a key defense contractor.
“For a long time, our borders were easier to control,” Matthew says. “We’re separated on the east and west by two oceans. We have a like-minded country to the north, while to the south we have a neighbor we know well, although there’s always been tension on that border. The Internet has changed geopolitics and made it possible for people to enter our country through thousands and thousands of invisible pathways.”
Cyberattacks can come from virtually anywhere. Hackers can commandeer computers halfway around the globe, masking the origin of an attack and making it harder to catch and convict the perpetrators.
“We also face the problem of how to prosecute cybercriminals, because people can move around cyberspace fairly easily,” Matthew says. “If someone breaks into your house, we know [which agency] has jurisdiction. But if someone breaks into your bank account on the Internet, we have to find out who has the authority to prosecute the crime – and this can be difficult and costly.”
Then there’s proving the case.
“If you shoot someone, there’s a bullet with unique markings; there are fingerprints on the gun. But this is digital evidence,” Matthew notes. “The tracks are there but can be hard to follow and easy to change. This is not the physical evidence we’re used to using to convict people. As a result, criminals have figured out that they can make a lot of money on the Internet and not get punished.”
Defending computer users against online theft, fraud and abuse presents a conundrum for policymakers, he says. Both the European Union and the United States have taken steps to toughen penalties for cybercrime, but hackers can simply move their operations to countries with more lenient – or nonexistent – laws.
“The entire world doesn’t agree on what constitutes a crime,” Matthew says. What’s illegal in one country might be permissible in another, especially in such areas as intellectual property rights.
In addition, tighter regulations and intrusive policies could reduce access to the Internet and raise costs, undermining some of its most attractive features. They could squelch the free exchange of information, disrupt research and invade people’s privacy as well.
“Right now, we have a very porous, open system,” Matthew says. “How much do we want to regulate it? What will be the threshold to, say, give the government access to your email? Should we require that all interactions on the Internet be made available [to the government]? It’s a real big issue.”
The auction site eBay illustrates the difficulty of policing cyberspace, he says. It’s become a magnet for those hawking fake designer clothes, pirated CDs, stolen goods and other illegal merchandise. Rare maps and artwork stolen from libraries have turned up on eBay.
“But it also has allowed people to start a business at a very low cost,” Matthew notes. “We don’t want to lose this highly accessible marketplace by adding all sorts of regulations and requirements for licenses. The more layers of scrutiny you add, the less efficient the system will be. At this point, we just don’t know what to do, where the equilibrium is between security and freedom.”
He believes more resources should be devoted to improving cybersecurity. He and his colleagues at CUSA’s Transformational Media Lab have been exploring the issue, but political and economic leaders – not just academic researchers – need to get more involved in finding solutions.
“Those with decision-making authority need an in-depth understanding of the Internet to develop the right policies and deal with questions such as jurisdiction and prosecution,” Matthew says. “Until we have better responses, criminals will have it easy.”