Cyberspace, Cybersecurity, and Cybercrime
Janine Kremling
California State University, San Bernardino
Amanda M. Sharp Parker
Campbell University
FOR INFORMATION:
SAGE Publications, Inc.
2455 Teller Road
Thousand Oaks, California 91320
E-mail: order@sagepub.com
SAGE Publications Ltd.
1 Oliver’s Yard
55 City Road
London EC1Y 1SP
United Kingdom
SAGE Publications India Pvt. Ltd.
B 1/I 1 Mohan Cooperative Industrial Area
Mathura Road, New Delhi 110 044
India
SAGE Publications Asia-Pacific Pte. Ltd.
3 Church Street
#10-04 Samsung Hub
Singapore 049483
Copyright © 2018 by SAGE Publications, Inc.
All rights reserved. No part of this book may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without permission in writing from the publisher.
Printed in the United States of America
Library of Congress Cataloging-in-Publication Data
Names: Kremling, Janine, 1977- author. | Parker, Amanda M. Sharp.
Title: Cyberspace, cybersecurity, and cybercrime / Janine Kremling, California State University, San Bernardino, Amanda M. Sharp Parker,
Campbell University.
Description: First Edition. | Thousand Oaks : SAGE Publications, [2017] | Includes bibliographical references and index.
Identifiers: LCCN 2017018240 | ISBN 9781506347257 (pbk. : alk. paper)
Subjects: LCSH: Information society. | Information technology—Management. | Computer crimes. | Computer crimes—Prevention.
Classification: LCC HM851 .K74 2017 | DDC 303.48/33—dc23 LC record available at https://lccn.loc.gov/2017018240
This book is printed on acid-free paper.
Acquisitions Editor: Jessica Miller
Editorial Assistant: Jennifer Rubio
Content Development Editor: Laura Kirkhuff
Production Editor: Tracy Buyan
Copy Editor: Diane Wainwright
Typesetter: C&M Digitals (P) Ltd.
Proofreader: Eleni-Maria Georgiou
Indexer: Robie Grant
Cover Designer: Michael Dubowe
Marketing Manager: Jillian Oelsen
Brief Contents
Preface
Acknowledgments
Chapter 1 • Cyberspace, the Internet, and the World Wide Web
Chapter 2 • What Is Cybersecurity?
Chapter 3 • Threat Factors—Computers as Targets
Chapter 4 • Threats to Cybersecurity by Criminals and Organized Crime
Chapter 5 • Threats to Cybersecurity by Hacktivists and Nation-States
Chapter 6 • National Security: Cyberwarfare and Cyberespionage
Chapter 7 • Cyberterrorism
Chapter 8 • An Evolving Threat: The Deep Web
Chapter 9 • Cybersecurity Operations
Chapter 10 • Cybersecurity Policies and Legal Issues
Chapter 11 • What the Future Holds
Appendix: Cybersecurity-Related Organizations
Glossary
Notes
Index
About the Authors
Detailed Contents
Preface
Acknowledgments
Chapter 1 • Cyberspace, the Internet, and the World Wide Web
• Case Study 1.1: The Dark Side of the Internet
The Beginning of the Internet and Cyberspace
• Case Study 1.2: The First-Ever Web Server
The Purpose of the Internet
Operations and Management Aspect
Social Aspect
Commercialization Aspect
• Legal Issue 1.1: Napster: The First File Sharing Program
Vulnerabilities of the Internet
What Is a Vulnerability?
Time and Space
Lack of Barriers to Entry
Anonymity/Identity
Asymmetries of Cyberspace
1s and 0s
• Think About It 1.1
What Distinguishes Cyberspace, the Internet, and the World Wide Web?
• Legal Issue 1.2: Is It a Crime to Link to Infringed/Illegal Content?
• What Can You Do? Preparing for the Job of the Future: Careers in Cybercrime and
Cybersecurity
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 2 • What Is Cybersecurity?
• Think About It 2.1: What Is Cybersecurity and Why Is It Important?
Origins and Nature of Cybersecurity
• Think About It 2.2: War Games
Definitions
Definition of Cybersecurity
• Case Study 2.1: The Original Hacker: Kevin Mitnick
Cybersecurity Policies
• Case Study 2.2: FusionX
Overview of Cyberspace Intrusions
Network-Based Attacks
• Case Study 2.3: Vitek Boden
Wireless Attacks
Man-in-the-Middle Attacks
• Legal Issue 2.1: Hacking . . . With a Body Count?
➢ Securing Your Wi-Fi in a Wireless World
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
➢ Appendix 2A
Chapter 3 • Threat Factors—Computers as Targets
• Case Study 3.1: The Top 10 Data Breaches
The Evolution of Cybercrime
Phases of Convergence
Main Targets in Information Technology
• Think About It 3.1: Russian Cyberspies and the 2016 Presidential Election
Computers as a Target
Threats to Mobile Devices
• Case Study 3.2: Democratic Election Campaign—Hackers Steal Campaign Information
Viruses, Worms, and Trojan Horses
Viruses
Risks Created by Viruses
Risks to Mobile Devices
• Case Study 3.3: The First Viruses
Worms
• Legal Issue 3.1: The Morris Worm
Risks Created by Worms
Trojan Horses
Risks Created by Trojan Horses
• Case Study 3.4: The U.S. Government Firewall Virus
Preventing Malware Intrusions
Antivirus Software
Firewall
Thoughtful User Behavior
• Think About It 3.2: Pokémon Go, Cybercriminals, and Cybersecurity
Encryption
• What Can You Do? Encrypting Your Computer
Future Developments
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 4 • Threats to Cybersecurity by Criminals and Organized Crime
Cybercrimes
Norse Attack Map
Why Do People Commit Cybercrimes?
Fraud and Financial Crimes
Consumer Crimes
Identity Theft
• What Can You Do? Counter Measures—Protecting Your Identity
Phishing Scams
• Case Study 4.1: Advance Fee Fraud—Nigerian Phishing Scam
• What Can You Do? Countermeasures to Phishing Scams
Spam
Banks and Financial Corporations
Botnets
Logic Bombs
Viruses
Internet-Initiated Sexual Offending and Exploitation
Internet-Initiated Sexual Offending
Child Pornography
• Legal Issue 4.1
Snuff Films
Trafficking in Persons
• Think About It 4.1: Countermeasures to Child Pornography—Operation Predator and
Operation Globe
Mail-Order Brides
Cyberbullying
Cyberharassment
Cyberstalking
Online Denigration
Online Impersonation
Online Exclusion
Tools Used
Social Media
YouTube
Gaming
• Case Study 4.2: Cyberbullying and Suicide
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 5 • Threats to Cybersecurity by Hacktivists and Nation-States
• Think About It 5.1: Cyberattacks on the Power Grid
Threats to Cybersecurity
Local Threats
Types of Insider Threats
• Legal Issue 5.1: Corporate Espionage—Inside Security Breach at AMSC
National Threats
Displeasure With the Government
Specific Causes
• Case Study 5.1: Edward Snowden—Going Dark
International Threats
• Case Study 5.2: The Hacked Company Graveyard
• Case Study 5.3: Inside the Office of Personnel Management Cyber Attack
• Think About It 5.2: Setting Up a Cyberheist
Hackers
Evolution of the Term Hacker
The Hacker Community
“Black Hats,” “White Hats,” and “Gray Hats”
The Internet and the Transparent Citizen
• Legal Issue 5.2: Privacy Versus Security
What Motivates Hackers?
• Think About It 5.3: Why Do People Have a House Alarm?
• Legal Issue 5.3: California’s Breach Notification Statute
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 6 • National Security: Cyberwarfare and Cyberespionage
Cyberwarfare
Nation-State Threats by Region
Syrian Electronic Army
Chinese
Russia and Eastern Europe
• Case Study 6.1: North Korea and the Sony Hack
Cyberespionage
Economic Cyberespionage
• Legal Issue 6.1: Misappropriation of Information or Espionage?
Political Cyberespionage
The Threat of Insiders
• Case Study 6.2: GhostNet
• Legal Issue 6.2: The Fourth Amendment
Cyberintelligence
Cybersabotage
Denial-of-Service Attacks
• Case Study 6.3: Rutgers State University—DDoS Attack
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 7 • Cyberterrorism
• Think About It 7.1: The Future of Terrorist Attacks
Cyberterrorism Defined
The Role of the Media
• Case Study 7.1: Defining Cyberterrorism Within the Academic Context
• Legal Issue 7.1: The Role of Violence
Evolution of the Threat
Technology Use by Extremists
Al-Qaeda
Boko Haram
The Islamic State (also known as ISIS/ISIL/Daesh)
Targets of Cyberterrorism
Probable Versus Possible
• Case Study 7.2: The 2003 New York City Blackout
Vulnerability of Critical Infrastructures
Risk Management
Risk = Threat × Asset × Vulnerability
Asset Value Assessment
Threat Assessment
Vulnerability Assessment
Damage Potential
• Think About It 7.2: Critical Infrastructure Risk Assessment
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 8 • An Evolving Threat: The Deep Web
• Think About It 8.1: Surface Web and Deep Web
The Surface Web
The Deep Web and Darknets
Accessibility
The Onion Router
Products Available
• Think About It 8.2: Black Market Blood
The Hidden Wiki
The Silk Road
• Think About It 8.3: Dread Pirate Roberts and the Silk Road
Payment: Cryptocurrency
Bitcoins (BTC or )
Dash
Law Enforcement Response
Operation Onymous
Anonymous and “Vigilante Justice”
• Think About It 8.4: Online Vigilante Justice
Terrorist Presence on the Deep and Dark Web
• Case Study 8.1: ISIS and the Threat of the Darknet
Legal Issues
• Legal Issue 8.1: Anonymity and the First Amendment
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Court Cases
Chapter 9 • Cybersecurity Operations
Theoretical Operations
Routine Activity Theory
Role of Guardianship
Learning Theory
Differential Association Theory
Subculture Theory
The Hacker Subculture
DEF CON Convention
• Case Study 9.1: The Hacker’s Manifesto
Law Enforcement Operations
Federal Agencies
National Security Agency (NSA)
Department of Homeland Security
Federal Bureau of Investigation
Local Agencies
Cyberterrorism Prevention Training
Private-Sector Collaboration
• Case Study 9.2: One Hat, Two Hat, White Hat, Red Hat . . .
Interagency Operations
Target Hardening
Firewalls
SCADA Systems
Honeypots, Nets, and Tokens
• Think About It 9.1: The Honeynet Project
• Legal Issue 9.1: The Fourth Amendment
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 10 • Cybersecurity Policies and Legal Issues
• Think About It 10.1: Mirai: A Shot Across the Bow—Distributed Denial-of-Service Attack
• Case Study 10.1: A Holistic Approach to Cybersecurity
National Cybersecurity Policies
Comprehensive National Cybersecurity Initiative, 2008
Cybersecurity Workforce Act of 2014
• Case Study 10.2: Ransomware—California Hospital Pays $17,000
National Cybersecurity and Critical Infrastructure Protection Act of 2014
• Think About It 10.2: Ransomware
International Cybersecurity Policies
• Legal Issue 10.1: The Cyberwars in the Middle East
Legal Issues
Civil Rights
Security Versus Privacy
USA PATRIOT Act
• Legal Issue 10.2: United States v. Warshak
Jurisdictional Issues
Universal Jurisdiction
Budapest Convention on Cybersecurity (2001)
Network and Information Security Directive (2016)
Issues With Enforcement/Jurisdiction
• Legal Issue 10.3: Law of the Sea
➢ Summary
➢ Key Term
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Chapter 11 • What the Future Holds
• Think About It 11.1: Pizzeria “Comet Ping Pong” Is a Child Pornography Ring
Data Is the New Oil
Data Mining
Dataveillance
Google
Manipulation of Data: The Screen Is Always Right
Censorship
Spoofing
E-Mail Spoofing
Stock Market Spoofing
• Case Study 11.1: High-Frequency Trading—“Flash Boys”
Emerging Threats
Internet of Things
Real-Time Location Services
Vulnerable Targets
GPS Jammers and Spoofers
Naval System
Aircraft
Army Bases
Women’s Shelters
• Think About It 11.2: Dangerous Criminal or Researcher Trying to Save Lives?
• Legal Issue 11.1: Health Care Records Are Worth Millions
Potential/Emerging Perpetrators
Man in the Middle
Swatting
Crime Inc.
The Organizational Structure of Crime Inc.
➢ Summary
➢ Key Terms
➢ Discussion Questions
➢ Internet Resources
➢ Further Reading
Appendix: Cybersecurity-Related Organizations
Glossary
Notes
Index
About the Authors
Preface
Hey Android, where is my car? Hey Siri, where is my boyfriend? Android and iPhones know: They know
where you are, they know where you have been, they know who you talk to and for how long, they know who
you sleep with, and they know when and where you go for lunch and dinner. They may know more about you
than your family. And they keep it to themselves—that is, until a hacker plants malware on your phone and
then has access to all of that information. Your iPhone will also willingly give up all of your stored contacts to
the hacker so that the fraudster can now send phishing e-mails infected with malware to your family and
friends. And your friends and family will click on the link because it’s coming from you—or so they thought.
Your phone also knows your banking information through your mobile banking app, your Facebook and
Twitter login, your airline login, your e-mail password, and the list goes on. All of that information is worth
real money on the darknet—the criminal marketplace. The same is true for your computer. Imagine you are
working on your term paper, trying to access a web link, when your computer sends you a reminder that you
need to update Adobe Flash if you want to access the file. What do you do? You hit “download.” You
immediately realize that your computer has just been hijacked by malware because your computer locks up
and you see a message on your screen saying, “Your data has been encrypted. You will not be able to access
your data until you pay the ransom of $150.” Would you pay? Well, it depends on how badly you want your
computer files back. What if the attack was against a hospital? Would they pay? Of course—because the
consequences of shutting down the hospital would be much worse. Cybercriminals are well aware of the
predicament the hospital faces. The same is true for banks and other institutions. Ransomware has become
one of the main threats to hospitals because they are highly vulnerable.
The emergence of computers and the Internet has changed our lives in ways that nobody could have
imagined, and it will continue to change future lives. Many of these changes have greatly contributed to life
conveniences, such as online shopping, banking, communicating, and working from our home office. It also
includes going to your doctor’s office and having all of your records stored and shared electronically. You can
start and heat or cool your connected car from your iPhone. You can use your phone to change the thermostat
in your house and turn your house alarm on and off. GPS always finds the right way for you—and so do
stalkers who have access to your location data provided to them by your GPS. By now, you already know that
the Internet and digital world not only greatly increase the convenience of our lives, they have also greatly
increased the vulnerabilities we are exposed to.
The economy has also profited from the digital evolution. With the ability to collect data and monitor
people’s behaviors and habits, companies can now market their products much more specifically to certain
population groups, and scientists can conduct studies that enhance and sometimes save people’s lives. At the
same time, criminals also quickly realized the advantages of the Internet for their purposes, and governments
found great improvements in their ability to spy on people and other countries. The boundaries between what
is public and what is private have become blurred, and some argue that true privacy has become a myth. For
instance, Google Earth enables anyone to zoom into your house and backyard, the National Security Agency
is listening in on millions of people around the globe, companies monitor e-mail correspondence of
employees, and websites track consumer behaviors by planting cookies on personal computers. Many tasks can
now only be completed online, thereby removing the possibility to stay completely private or to protect your
personal information.
In this age where reliance on computers and the Internet has become inevitable, cybercriminals are developing
fraudulent schemes at a rapid pace—attempting to avoid detection by law enforcement and cybersecurity
companies. In the early 1990s, computer crimes began to rise due to the increase in the prevalence and use of
electronics. Criminal organizations, especially drug traffickers, began to build their own communication
network and quickly started to take advantage of the available technologies. They realized the potential
benefits of computers and networks for their illegal activities much faster than the people who developed these
technologies, and they were quick to use them for their purposes, outpacing law enforcement for the past decades.
When security companies such as McAfee are putting out their updates for virus detection software,
cybercriminals have long moved on to a new type of virus not detectable by the software. The criminals are
always one step ahead. Similarly, when law enforcement shuts down a child pornography website, the
criminals can easily move the content to other websites. It’s an elusive chase in which the criminals are the
ones leading the way. Data and identity theft is rampant, and most people know very little about how to
protect their private data, even if they are aware of the risks. In fact, data theft has become one of the most
persistent threats because our data holds our lives—our mortgages, loans, retirement savings, health benefits,
Social Security—and if that data gets into the criminals’ hands, lives can be ruined. Few people think about
this threat as they access their online banking account or submit their credit card number on a website. The
convenience of online transactions is more important to many people than the security of their lives.
Criminals know this and exploit it.
The U.S. government has made some strides toward increased cybersecurity. In March 2016, the Department
of Homeland Security created an automated information-sharing system, thereby increasing the ability of
agencies and organizations to share information in real time. This new system also includes private companies.
The ability of the United States to defend cyberspace will depend on the successful cooperation between
private and government organizations. In fact, it’s the private corporations, such as Dell, Microsoft, and
McAfee, who are leading the cybersecurity efforts. Much of the success of cybersecurity efforts will also
depend on the preparedness of companies and the government for major cyberattacks. It is impossible to
secure all devices and networks 100% from attacks. We must accept that certain vulnerabilities will always
remain. One such vulnerability is the human factor, whether it be by accident or on purpose. The better
prepared companies and government agencies are, the faster the recovery will be from an attack.
These are only a few examples of what this book discusses. This book is not only about the past and present of
cybercrime and cybersecurity but also about the future, and how cybercrime and cybersecurity may impact
people’s everyday lives, and how criminal justice professionals must be prepared to confront the changing
nature of cybercrime. Everyone is vulnerable. The way computers have been used to connect people,
companies, governments, and criminals is a great threat that most individuals are unaware of. More
frightening, many companies are unaware of the threat cybercriminals pose for critical infrastructures such as
the electric grid. And even if the company is aware of the threat, they often do too little to safeguard
infrastructures and products, whether it’s because of the economic costs associated with such safeguards, the
inconveniences safeguards may cause, or because they don’t have effective safeguards.
This book introduces criminal justice and other social science students to the world of cybercrime and
cybersecurity. It provides a basic overview of cybercrime, cyberthreats, and vulnerabilities of individuals,
businesses, and governments. The book discusses strategies to reduce vulnerabilities through cybersecurity
measures, and ends by looking into the future to see what may be ahead and how it may change our lives.
Overview
The book is designed to enhance student learning by providing case studies and examples, engaging students
through exercises, and encouraging students to critically think about the various topics. The first part of the
book provides a basic understanding of the Internet, vulnerabilities, and cybersecurity. Chapter 1 deals with
how and why the Internet developed and the main vulnerabilities we currently face. Chapter 2 introduces
students to the nature and origin of cybersecurity and cyberspace intrusions.
The second part goes into much detail on cyberthreats to computers, individuals, businesses, and
governments. In Chapter 3, students learn about the cyberthreats to computers, such as worms and viruses.
Chapter 4 details threat factors in which computers are used as a tool. These threat factors include fraud and
financial crimes, pornography and exploitation, and cyberbullying. Chapter 5 discusses cyberthreats to local,
national, and international organizations. Students also learn about the different types of hackers. Chapter 6
follows with an overview of cyberwarfare, specifically cyberespionage and cybersabotage.
The third part of this book provides insight into the threat of cyberterrorism and the dark web, which has
become a much discussed topic in the media. Chapter 7 explains what cyberterrorism is, the technologies used
by terrorists, the targets, and damage potential. Chapter 8 dives into the deep web and darknets, how
criminals access and exploit it, and which products are available to “customers.”
The final section discusses cybersecurity operations and policies in more detail. Chapter 9 focuses on
cybersecurity operations and the role of law enforcement. Chapter 10 explains national and international
cybersecurity policies and legal issues arising from the policies. The last chapter looks into the future of
cybercrime and cybersecurity, focusing on evolving threats and perpetrators as well as evolving issues with
regard to the collaboration and training between law enforcement and the private industry.
Digital Resources
study.sagepub.com/kremling
Calling all instructors!
It’s easy to log on to SAGE’s password-protected Instructor Teaching Site for complete and protected access
to all text-specific Instructor Resources. Simply provide your institutional information for verification and
within 72 hours you’ll be able to use your login information for any SAGE title! Password-protected
Instructor Resources include the following:
Test banks provide a diverse range of prewritten options as well as the opportunity to edit any question
and/or insert personalized questions to effectively assess students’ progress and understanding.
Editable, chapter-specific PowerPoint slides offer complete flexibility for creating a multimedia
presentation for the course.
Use the Student Study Site to get the most out of your course! Our Student Study Site is completely open-access and offers a wide range of additional features. The open-access Student Study Site includes the
following:
Mobile-friendly eFlashcards strengthen understanding of key terms and concepts.
Mobile-friendly practice quizzes allow for independent assessment by students of their mastery of course
material.
Acknowledgments
Janine Kremling
First of all, I would like to thank Jerry Westby and Jessica Miller from SAGE Publishing for their consistent
encouragement and help in getting this book finished within the established time frame. They have been
amazing to work with, and I am very grateful for their efforts. I would like to give a huge thank you to my
coauthor, Amanda M. Sharp Parker, for her dedication to the success of this book, and I would also like to
thank the chair of my department, Dr. Larry Gaines, for his continued support and inspiration. I have learned
much from him in the past 8 years. He is truly a role model, and I am very fortunate to have been able to work
with him.
Finally, I have to express my gratitude to my parents, who have always been there for me, believed in me, and
supported me throughout my life. Without their unconditional love, I would not have been able to accomplish
all my goals. They have also taught me that a positive attitude, enthusiasm, and hard work will pay off. I wrote
much of this book while I was in Germany during the summer, and I was able to focus solely on this project.
I’m deeply appreciative of their efforts to inspire me and challenge me to do my very best.
Amanda M. Sharp Parker
First and foremost, I have to thank my coauthor, Janine Kremling, who has attempted to rope me into this
project for the past 4 years. Two years ago when I agreed to coauthor the text, I had no idea what a whirlwind
it would be. So thank you, Janine, for your guidance, patience, and mentorship.
Thank you to all at SAGE Publishing who helped us complete this project on time, especially Jerry Westby
and Jessica Miller.
To the criminology department at the University of South Florida and the HCP department at Campbell
University: Thank you for all your support in my research endeavors, especially the development of my cyber
classes and subsequent projects that coincide with it.
Finally, to my kiddos, Tatiana and Jaxon, for their patience, love, and support. Thank you for putting up with
mommy’s long hours, early mornings, and countless afternoons of doing homework in my office while I was
writing. You two are my inspiration, and everything I do is for you. I love you to the moon and back.
SAGE and the authors would like to thank the following reviewers, whose input helped shape this book:
Mark H. Beaudry
K. A. Beyoghlow, American University
Terry Campbell, Kaplan University Online
Craig P. Donovan, Kean University, College of Business & Public Management
Mary Beth Finn, New Charter University
Steven H. Klein
Eugene Matthews, Park University, Missouri
Dennis W. McLean, E-campus, Homeland Security, Keiser University
Brooke Miller, University of North Texas
Marcos L. Misis, Northern Kentucky University
Barbara L. Neuby, Kennesaw State University
Matthew E. Parsons, Erie Community College, Buffalo, New York
Irmak Renda-Tanali
Pietro Savo, Daniel Webster College, and College of Health and Human Services, Trident University
Holli Vah Seliskar, Kaplan University
Jake Wilson, University of Cincinnati
1 Cyberspace, the Internet, and the World Wide Web
Learning Objectives
1. Explain how the Internet developed.
2. Explain the purpose of the Internet.
3. Describe what “vulnerabilities” are.
4. Discuss how criminals are benefiting from the Internet.
5. Discuss the difference between cyberspace, the Internet, and the World Wide Web.
When Stanford University students Bill Hewlett and Dave Packard built one of the first computers weighing
40 pounds in 1968, they could not foresee that 1 year later a computer at Stanford University would receive
the first message from another computer located some 350 miles away at the University of California, Los
Angeles (UCLA). They certainly could not foresee that 50 years later the economic competitiveness of the
United States would be closely tied to the digital economy created by the Internet, making trillions of dollars
every year. Much of the critical infrastructures, including the financial industry, health industry, and power
grid, are connected via the Internet.
Hewlett and Packard could not foresee that the Internet would become a normal and essential part of
everyday life for most Americans and people across the globe. According to the U.S. Census Bureau, more
than 74% of all American households were using the Internet in 2013, and overall, more than 3 billion people
are virtually connected.1 In 2017, there were 3 trillion Internet transactions every day processed by 220,000
servers across the globe. There are 80 million web application firewall (WAF) triggers per hour and 20
terabytes of attack data daily. About 30% of all login transactions, such as people logging into their e-mail
account or Amazon, are abuse attacks. With the increasing use of cyberspace by computers and connected
devices, the amount of data processed will continue to increase—and so will the number of cyberattacks.2
Without the Internet, companies like Amazon, Facebook, and YouTube would not exist, and services we
perceive as necessary and convenient would not be available. For instance, ordering goods and services online,
downloading music, streaming audiobooks, reading textbooks on the computer, or “skyping” with friends
overseas would not be possible. The Internet has created a great number of job opportunities and has
enhanced our lives in so many ways that it is hard to imagine what would happen if the Internet were to
disappear.3
As much as we value the upside of our connected world, where everything seems to be available at our
fingertips, the inventors of computers and the Internet also did not foresee that the users themselves would
employ it to attack one another. One of the founders of the Internet, David H. Crocker, stated, “I believe that
we don’t know how to solve these problems today, so the idea that we could have solved them 30, 40 years ago
is silly.”4
The capabilities of the Internet have attracted criminals and criminal organizations who are taking advantage
of the information and interaction infrastructure offered by the Internet and exploiting vulnerabilities inherent
to the Internet. Organized criminal gangs such as drug traffickers, human traffickers, the Mafia, and many
others very quickly discovered the opportunities a connected world offered. In addition to these traditional
organized crime groups, a whole new world of cybercriminals has developed where hackers rob companies by
using ransomware and taking virtual money as pay, or by stealing personal data and manipulating devices.
More than 100 million Americans have experienced breaches to their personal data. President Obama called
cybercrime “one of the most serious economic national security challenges that we face as a nation” and stated
that we are in a “cyber arms race.”5
Image 1.1 What Happens in One Internet Minute
Internet Minute Infographic by Intel Free Press,
https://www.flickr.com/photos/54450095@N05/6780720740. Licensed under CC BY 2.0,
https://creativecommons.org/licenses/by/2.0/legalcode.
Even though the development of cybersecurity measures has made great strides, it is still people who have to
create, implement, and enforce cybersecurity policies. The best technology is worthless if it’s not used or it is
used inappropriately. The criminals who attack these companies are very sophisticated and motivated. But it’s
not only criminals who are accessing private data; the government also spies on individuals and companies.
Revelations by Edward Snowden exposed what is likely the greatest eavesdropping in history by the National
Security Agency (NSA).
This book goes into great detail on the different types of cybercrime, the motivations and mind-set of the
criminals, and available cybersecurity measures. This first chapter lays the groundwork by giving you an
understanding of the history of the Internet, why cybercrime has been able to flourish, and why cybersecurity
still has a long way to go to catch up. President Obama said the Internet is the Wild West and cybersecurity is
the sheriff. There is much work to do for the sheriff.6
Case Study 1.1: The Dark Side of the Internet
The 2016 Data Breach Investigations Report7 shows that more than 4.2 billion personal records were exposed in 2016. This constitutes
an all-time high. The three biggest data breaches took place on Yahoo, MySpace, and FriendFinder networks with a total of 2.2 billion
records exposed. With more than 1 billion compromised records, Yahoo currently holds the number-one spot in the history of data
breaches. In September 2016, Yahoo announced that a “state-sponsored actor” stole the personal data of 500 million users in late 2014.
Three months later, Yahoo announced another data breach of about 1 billion accounts dating back to August 2013. Yahoo has notified its
users and urged them to create a new password and change security questions. The stolen data include names, account login credentials,
e-mail addresses, telephone numbers, birth dates, and other information users entered into their accounts.8
What Do You Think?
1. What could criminals do with the private information obtained from Yahoo?
2. Should companies like Yahoo, who store personal data, be held accountable if victims experience negative consequences such as
identity theft? If so, how would you hold them accountable?
3. If you were the CEO of Yahoo, what negative consequences would you expect in the aftermath of the data breach?
4. Do some research on Yahoo after the announcement. What were actual negative effects on the company?
The Beginning of the Internet and Cyberspace
The history of the Internet goes back to the first telegraph in 1836. The telegraph revolutionized the way
people communicated by using a code (the Morse code, which consisted of dots and dashes), which is similar
to the way computers communicate today using 0s and 1s. Between 1858 and 1866, the transatlantic cable was
the first cable to allow instantaneous communication across the Atlantic Ocean. Today, cables connect people
across the entire globe. Telephones were first used with computers in 1976 and later provided the basis for
Internet connections via modems that have to be plugged into the computer, or more currently wireless
connections.
The Internet was born during the Cold War era, at a time when America was bracing for a nuclear war.
Donald Davies, a Welsh scientist, and Paul Baran, an American engineer, were working on communication
technologies from two different perspectives: war and peace. Baran focused on technologies that would
minimize the consequences of a nuclear attack by the Soviet Union by building a communication system with
redundant links that would allow people to communicate even after an attack. Davies focused on technologies
that would enable people to share data on computers continuously.9
In 1958, the Advanced Research Projects Agency (ARPA) was created by President Dwight D. Eisenhower
with the intent to outpace the Soviet Union in the technology sector after the Soviet Union surprised the
United States with two technological events. The Soviet Union had launched the first intercontinental
ballistic missile and the first satellite (Sputnik 1), which provided the ability for global communication via
satellites. The United States feared that the Soviet Union was technologically superior and could threaten
America’s national security. ARPA was created with the goal to turn the United States into a technology
superpower. In 1972, ARPA was renamed to the Defense Advanced Research Projects Agency (DARPA).10
In 1962, J. C. R. Licklider of Massachusetts Institute of Technology (MIT) published a document describing
the possibility of social interactions through networking—what he called the Galactic Network.11 One year
earlier, Leonard Kleinrock of MIT had published a paper on the feasibility of communication between
computers via packet switching (as opposed to the then-used circuit switching).12 Packet switching was
imperative for social interaction via networking because it enabled data to be stored and moved as packets
using a data path that many users could access. Packet switching set the stage for services such as Facebook
and Twitter. In contrast, circuit switching only allowed for communication between predetermined persons,
similar to a telephone call. Another crucial technological development with regard to social interactions via
networking was enabling computers to talk together.13
Jack Ruina from DARPA took an interest in Licklider’s paper and proposal. In October 1962, he asked
Licklider to connect the computers from the U.S. Department of Defense at Cheyenne Mountain to the
computers at the Pentagon and the Strategic Air Command. Licklider’s vision of the Galactic Network
inspired other researchers, including Larry G. Roberts.14
In 1967, Larry G. Roberts released his plans for the Advanced Research Projects Agency Network
(ARPANET), which first connected computers across university campuses, starting with the first node in
California at UCLA, and ultimately grew into the Internet. In 1972, Larry Roberts wrote the first e-mail
utility program, and over the next decade, e-mail became the largest network application. In 1981,
ARPANET was expanded with the help of the National Science Foundation (NSF) and the founding of the
Computer Science Network. Through this collaboration between NSF and the inventors of the Internet,
several technological developments took place that laid the groundwork for what we know today as the
Internet with all of its services. One of the main developments was the introduction of the Internet protocol
suite (IPS/IP) in 1982, which is still used today as the standard networking protocol. To further advance the
Internet, it was necessary to build smaller computers with greater capabilities that could also be used by
households. This happened quite rapidly and created issues in regard to operations and management of the
Internet.15
Case Study 1.2: The First-Ever Web Server
Image 1.2 First-Ever Web Server
First Web Server by Coolcaesar at the English Language Wikipedia,
https://commons.wikimedia.org/wiki/File:First_Web_Server.jpg. Licensed under CC BY-SA 3.0,
https://creativecommons.org/licenses/by-sa/3.0/deed.en.
Cyberspace, the Internet, and the World Wide Web are fairly recent inventions. Tim Berners-Lee, who was working for the European
Organization for Nuclear Research (CERN), invented the first web server, the first web browser (World Wide Web) in 1989, and the
first web page in 1991.16 The intent was to create a service that would allow scientists to share information automatically rather than
having to inquire about what other institutes were working on. The World Wide Web was supposed to enable scientists around the globe
to access scientific knowledge instantaneously and freely, and contribute to the scientific knowledge by adding information. Hence, the
first web browser was called World Wide Web because Berners-Lee used a global hypertext system that would allow anything on the web
to link to anything else. It also allowed users to edit information, which served the goal of having as many people contribute to the
knowledge sharing as possible. The first website ever—http://info.cern.ch/hypertext/WWW/TheProject.html—was created in August
1991 for the sole purpose of explaining Berners-Lee’s website project. In 1993, CERN issued an official statement making the World
Wide Web available to the general public. In its statement, CERN asserted, “CERN relinquishes all intellectual property rights to this
code, both source and binary and permission is given to anyone to use, duplicate, modify and distribute it.” This sentence effectively made
the Internet an open-source environment where everyone could post anything they wanted to and develop apps and programs. This, of
course, also created the vulnerabilities to cyberattacks as it opened the door for cybercriminals. Tim Berners-Lee left CERN in 1994 and
founded the World Wide Web Consortium (W3C) at MIT.
Image 1.3 First-Ever Website
European Organization for Nuclear Research
The Purpose of the Internet
“The Internet is at once a world-wide broadcasting capability, a mechanism for information dissemination,
and a medium for collaboration and interaction between individuals and their computers without regard for
geographic location.”17 The Internet developed around three distinct aspects: (1) operations and management,
(2) social, and (3) commercialization.
Operations and Management Aspect
With the spread of personal computers (PCs) and workstations to more people, and the growing number of
people who utilized the Internet, researchers had to make it easier for people to use. Until then, host names
were numeric addresses that users had to know and remember. This was not feasible for household users, so
Paul Mockapetris of the University of Southern California developed the Domain Name System, which
resolved hierarchical host names (e.g., www.fbi.gov) into an actual Internet address people could visit. Other
major issues were increasing the capabilities of routers, operating systems, and software. Finally, as more
households began using the Internet, it became necessary to separate the military network (MILNET) from
the research network (ARPANET). MILNET became its own network and ARPANET became the
Internet.18
Social Aspect
Several organizations, companies, and universities worked together to grow the Internet to become a major
part of our everyday life. In 1988, the National Research Council (NRC) in collaboration with the NSF
published the report “Toward a National Research Network.” This report was the basis for the development
of high-speed networks.19 Five years later, NRC published the report “Realizing the Information Future: The
Internet and Beyond,” which laid the groundwork for the information superhighway.20 The document also
included anticipated issues that would need to be addressed, including copyright, ethics, pricing, education,
and regulation of the Internet. The Internet was built to be a free and open-access tool, but the founders
realized that without some type of regulations it would not be feasible. We return to the fact that the Internet
was built as a free and open source in the next section when we discuss security vulnerabilities.
The social aspect of the Internet has become one of the most important purposes of the Internet. People go
shopping online, meet in online cafes, share pictures and opinions, search for partners, download music, get a
university degree, find a job, and participate in live-streaming events. The list of social events available to
people through the Internet is endless. Facebook, Twitter, Instagram, and millions of apps enable people to
engage with others in the virtual world. There is no need to meet someone in person because we can simply
use FaceTime or any other app that allows us to telephone with a live picture. Letters have been replaced by
e-mail, instant messages, and tweets. Real life has gone virtual in many ways. These technologies have brought
great conveniences for people, connected people around the globe, and provided economic opportunities that
were unthinkable when ARPANET was created. But because the Internet and these technologies were not
developed with security in mind, the evolution of the Internet has also created substantial dangers for people’s
lives. For instance, bullying has always been a concern for school children, parents, and administrators, but
cyberbullying has taken these concerns to a much higher level, even making it one of the top priorities of
policy makers. Another example is child pornography. Before the invention of the Internet, criminals had to
mail or exchange pictures. When police seized the pictures, they became inaccessible. Now there are millions
of child pornography pictures available on the Internet, and even if law enforcement shuts down a
pornography website, the pictures have already been shared with millions of people, and they remain on the
Internet forever.
Commercialization Aspect
As the Internet began to grow, other groups and companies began to see the potential the Internet had with
regard to commerce. The opportunity to create new businesses and markets was one of the strongest
incentives to advance the technology quickly. Private companies developed private network services, which
created competition and a push for working relationships between the inventors of the Internet and vendors
who were interested in developing services for Internet users. In 1988, the first Interop trade show was held
with 50 companies and 5,000 engineers. Today, there are seven Interop trade shows per year across the world
with more than 250,000 attendees. In sum, commercialization has had a great impact on the development of
the Internet since the 1980s and led to an increasing use of the Internet by people on a day-to-day basis.21
Businesses and private citizens started online shopping, online banking, online education, etc.
Legal Issue 1.1: Napster: The First File Sharing Program
The Internet provided a free and open access tool for information, data, and research, and also to music, films, and other copyrighted
products. This has become a major issue for the music and film industry. Until 1999, CDs and DVDs were the main product used
by the music and film industry to serve the customer market. As people around the globe started to realize the potential for sharing
files via the Internet, the way in which music was shared also started to change. The first file sharing program was Napster, a
program that provided free music as MP3 files to users.22 In 1999, college student Shawn Fanning began his online music sharing
program as a small project that quickly grew bigger and raised considerable concern in the music industry. As a response to the free
file sharing, the music industry filed a lawsuit for copyright infringement, and in 2001 Napster was shut down. This was not the end
of the file sharing business, however. To the contrary, it was the beginning. Since Napster, many other companies have started to
offer music and films for free on the Internet, which is a persistent challenge to the music and film industry and their desire to
protect their products and profit. But possibly even more important, companies such as Apple realized the business potential of these
MP3 and similar files and began to build their products to facilitate file sharing, including iPods, iPhones, iPads, and so forth.
Customers can now legally download music from iTunes with the ability to only buy the songs they really want or pay a low monthly
fee to companies such as Pandora to listen to music all day. Consumers can download films for a few dollars or subscribe to Netflix,
Hulu, Amazon Prime, and other subscription services.
What Do You Think?
The music and film industry believe that they cannot survive if people only buy music and films online because subscriptions and
download fees don’t generate as much money as CDs and DVDs. Customers argue that for too many years they paid too much
money for a CD with only one song they liked, or bought DVDs with movies for too much money to then find out that the movie
wasn’t really that great. What do you think could be done to solve the problem of protecting musicians and film makers but also give
consumers a fair deal?
Vulnerabilities of the Internet
The Internet was built to be a free and open source, with only a minimum of oversight. The original purpose
was to freely exchange data and messages among a limited number of researchers. The inventors gave little
thought to the possibility of criminals abusing the Internet. With the increased access and the evolution of the
Internet from a research tool to a more consumerist and social tool, the door has also opened for criminals.
The freedom and openness of the Internet provides many advantages for the users, such as ease of use, fast
access, and low-cost software, but it also has its drawbacks—that is, it is vulnerable to a wide variety of
cyberattacks that can create great damage for private users, companies, and governments. The next section of
the chapter explains what vulnerabilities are and provides an overview of the five main vulnerabilities.
What Is a Vulnerability?
“A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity,
availability, or confidentiality of that product.”23 For instance, computer administrators have the ability to
change the permission on any file on the computer, install software, delete files, etc. If an unprivileged user
were able to access the computer remotely and change permission on files, install software, delete files, etc.,
that would constitute a security vulnerability. Thus, in most companies, only the computer administrators
have the ability to do so. There are five distinct gateways that create vulnerabilities for anyone who uses the
Internet. These five gateways to vulnerability are (1) time and space, (2) lack of barriers to entry, (3)
anonymity/identity, (4) asymmetries of cyberspace, and (5) 1s and 0s. The Washington Post series “The Net of
Insecurity” discusses why the Internet is inherently vulnerable and why these vulnerabilities are inevitable.
Reference Article: Net of Insecurity
http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/
Time and Space
In the past, personal interaction and criminal activity typically required physical proximity. For instance,
thieves had to get close to the victim to steal a purse with the money and credit card information. Today, a
thief can be on another continent and use the Internet to steal money or credit card information from
someone. Wars used to be fought with swords, and later with bows and arrows, siege cannons, and artillery. As
technologies developed, airplanes now drop different types of bombs over countries. Furthermore, we can, and
do, use drones in war zones rather than soldiers. This development, moving away from social interaction at
close proximity to interaction from a far distance, is important for the understanding of cybercrime and
cybersecurity. When users have instantaneous access at a distance to the Internet, it is then also easy for
criminals to gain access to information users have on their computers or in a cloud. There are many
opportunities for criminals to access computers and sensitive information. Why is that?
The main purpose of the Internet is to move information quickly and reliably, and thus it was designed to be
open and frictionless. Users want instantaneous access to services from around the globe without any hassles
that could be caused by security measures.
We also have to remember that the founders of the Internet were mainly concerned with the technical
challenges of making the Internet available to as many people as possible; security simply was not their main
concern. Since criminals have the same global access to the Internet as noncriminal users, they don’t need to
be anywhere near the victim to perpetrate their crime. Also, criminals may be able to commit a greater
number of crimes because they don’t have to physically go anywhere.24
Lack of Barriers to Entry
Whereas countries have physical borders that serve to keep criminals out of the country, the Internet has no
such borders. For instance, when e-mails are sent from one country to another or even from one continent to
another, there are no checkpoints to see if the e-mail contains malware or if the e-mail was sent by a
terrorist group who is planning a terrorist attack. This borderless Internet traffic threatens nation-states’
ability to control their territory and the flow of information and goods.
Different countries have developed different strategies to deal with this problem. Some countries, such as the
United States and Germany, have almost no restrictions on connectivity to the global network. This, of
course, makes it near impossible to control the Internet traffic or limit what users say and send. Other
countries, including New Zealand and Australia, try to maintain some control over the traffic by limiting
Internet connectivity to the global network. This allows them to control some of the traffic to and from their
residents. China has probably the most restrictive Internet strategy. Because China only has three undersea
Internet cable arrival points, its government is able to control what type of traffic can be received and sent.
This, of course, greatly limits what the Chinese citizens can do on the Internet and allows the government to
suppress information sharing when it is against their interest. For instance, when opponents of the Chinese
government try to share information about human rights violations, their posts never get sent and the senders
are at high risk of being arrested. Restricting the connectivity reduces vulnerabilities but greatly diminishes the
ability of people to use it freely.
Anonymity/Identity
Another problem is that users can remain completely anonymous if they choose to do so. The problem this
creates is that users don’t know with whom they are doing business, with whom they are talking, or whom
they can trust. For instance, in online chat rooms, young girls may believe that they are chatting with a
similarly aged boy, when in reality they may be chatting with a criminal who is trying to take advantage of
them. You can never be quite certain to whom you are talking because all of the identifying information could
be false, including pictures, names, age, profession, etc.
Since the initial purpose of the Internet was to transmit information quickly and without hurdles, requiring
identification was not a concern of the developers. Also, as discussed earlier, at the beginning there were only
a few users and they knew each other. Identification was not necessary. The game has changed, however.
Specifically, in 1969 there were only four nodes or devices (i.e., computers), whereas today there are more
than 2 billion nodes (devices including computers, cell phones, notepads, etc.), which is about one third of the
population, and growing. The substantial growth of the Internet occurred very quickly, and the problems
associated with the lack of identification did not become apparent until later, when more and more users were
victimized by criminals who were quick to take advantage of the opportunities the free and open Internet
provides.
The lack of identification also makes it easy for criminals, criminal organizations, and terrorist groups to hide
—making it very difficult for law enforcement to figure out who the criminals are, what they are planning to
do, and how to arrest them. This problem is compounded by the fact that the criminals often operate from
outside the jurisdiction where the crime occurred, raising issues of who has the authority to pursue the
criminals. For example, the United States has no jurisdiction in other countries if the criminal is operating
from outside the United States. So even if the police can identify the criminal and his or her location, they
would need the cooperation of the police in that country. Unfortunately, most of the time the police cannot
determine who the criminal is and where he or she is because criminals use aliases, hide identifying
information, use untraceable devices, or use the identities of innocent people.
Whereas criminals are very good at hiding their identifying information, many users are unaware of the risks
of leaving identifying and secret information while surfing the Internet. Every time we access the Internet we
leave traces of who we are, what we like, what we search for—and Internet websites use that information to
send targeted advertisements. They collect the user’s information for their purposes. This information, of
course, is also out there waiting to get snatched by criminals. Most users do not take enough precautions, such
as using encryption software, using programs to remove identifying information, using secure networks, and
using secure passwords. This leaves many users vulnerable to cybercriminals who are looking for the
information.
Asymmetries of Cyberspace
A small number of criminals can cause a great amount of damage because cybercrimes do not require a
sophisticated industrial base or significant financial resources. Criminals also know that their efforts will likely
lead to success because there are so many potential victims and so few barriers or oversight. For instance, you
probably have received occasional e-mails from a person from Nigeria or some other country offering millions
of dollars for help with a transaction using your bank account and the payment of a small transaction fee.
Most people realize that these e-mails are fraudulent and simply delete them. That doesn’t deter the senders
from continuing their mass e-mails though. Why is that? The senders believe (and rightfully so) that if they
send enough e-mails, some people will respond and send the transaction fee. Since the costs for sending the
e-mails are so low, the sender will make a profit even if only very few respond every time he or she sends the
mass e-mail. If the sender had to mail traditional letters (snail mail) they would likely lose money, but via the
Internet it is free to send e-mails, multiple e-mails can be sent at one time, and it takes very little time as
compared to traditional letters.
The asymmetries of cyberspace are disconcerting not only for individual Internet users but also for
governments. It doesn’t take an army to take down a country. For instance, a small group of terrorists who
successfully block the electronic grid of the United States and therefore impair our daily life, which depends
on electricity, could create an incredible amount of damage. Or worse, a terrorist group invades the computers
of a nuclear power plant and blows up the power plant. Not much life would be left around the plant. To this
day, the nuclear catastrophes of Chernobyl in the Ukraine and Fukushima in Japan show the damage that
could occur. The strength of a nation-state depends on its intellectual capabilities rather than its military
capabilities. Thus, any country could potentially challenge the United States and Europe if the country has the
intellectual capabilities—including North Korea, China, Russia, or Iran. This is also true for terrorists and
organized crime groups who have such intellectual capabilities.
1s and 0s
The logical layer (or the computer code) of the Internet consists of 1s and 0s. From the code of 1s and 0s, it is
not possible to determine what that specific code will do—that is, whether that code will execute the program
we meant to download or whether it will plant malicious software on our computer. It is also possible that the
downloaded program will do both—install the program we wanted and plant malicious software. Even though
the malware does have a specific signature, users cannot typically distinguish the malware from the innocent
Internet traffic. Rather, users find out after the incident that they have been attacked, their identity was stolen,
or that their computer was used to commit a crime. At that point, it is very difficult for the innocent user to
reverse the damage of the attack. It is also very difficult to prevent malicious software from invading a
computer because a user would have to treat all Internet traffic as malicious, which would greatly interfere
with the daily use of the Internet.
Think About It 1.1
Imagine you are the computer administrator at a large company. Several employees come to you complaining that they want to be able to
install software on their work computers and change permission to files. They are upset because every time they need to install an update
or new software for work purposes, they have to call you and wait for you to do the things they could do quickly by themselves.
What Would You Do?
1. How would you respond?
2. Would you give them administrator rights to their computers so they can make any changes they want? Why or why not?
What Distinguishes Cyberspace, the Internet, and the World Wide Web?
In order to understand cybercrime and cybersecurity, it is important to have a good grasp on the basic
terminology that will be used throughout the book. These definitions are important insofar as they ensure that
we have a common understanding when we discuss cybercrime and cybersecurity. Cyberspace is defined by the
National Security Presidential Directive 54/Homeland Security Presidential Directive 23 as “the
interdependent network of information technology infrastructures, and includes the Internet,
telecommunications networks, computer systems, and embedded processors and controllers in critical
industries.”25 In other words, cyberspace refers to the virtual environment in which people communicate and
interact with others. Cyberspace consists of four different layers: (1) physical layer, (2) logic layer, (3)
information layer, and (4) personal layer.26 The physical layer consists of the physical devices, such as PCs,
networks, wires, grids, and routers. These physical devices are located within jurisdictions, which is important
for law enforcement when they search for physical devices used to run criminal enterprises and other
cybercrimes, which is discussed in detail in coming chapters. The logic layer is where the platform nature of
the Internet is defined and created. Stated differently, cyberspace depends on the design of the Internet. It is
built out of components that provide services for users, such as social media, content, shopping, etc. The
information layer includes the creation and distribution of information and interaction between users. Users
can create information by building a website, linking to other websites, and posting information on social
media websites such as Twitter, Facebook, or Yelp. Users can also access information, including music, books,
videos, and pictures. The top layer consists of people—people who create websites, tweet, blog, and buy goods
online.
Attacks on cyberspace can occur at each of the four levels. Communication and interaction can be identified
(known) or anonymous. The anonymity of cyberspace creates opportunities for cybercrime that would
otherwise not exist and which are different and unique compared to other forms of crime. For instance,
hackers would not be able to break into a computer and steal information without cyberspace. The term
cyberspace is used because other terms used by the government, such as cybercrime, cyberattack, cyberthreat, or
cybersecurity, are derived from the term cyberspace.
As you can tell from the definition above, the Internet is a part of cyberspace:
The Internet is a global system of interconnected computer networks that are set up to exchange
various types of data. This ‘network of networks’ connects millions of computers, including those in
academic, business, and government networks, transcending geographic and national boundaries.27
Without this global data communication system, people would not be able to interact and exchange
information. The term Internet is often used interchangeably with the term web or World Wide Web. The
Internet and the web are distinctly different, however.
Whereas the Internet refers to hardware and software infrastructure that connects computers around the
globe, the World Wide Web refers to a service that can be accessed via the Internet.28 This service consists of
interconnected documents and a variety of resources. The documents and resources are connected and
accessible via hyperlinks and uniform resource locators (URLs). Several web browsers (e.g., Safari, Firefox,
Explorer) allow users to access the information available on the web. A hyperlink is
a reference or navigation element in a hypertext document that offers direct access to another
section of the same document or to another hypertext document that is on or part of a (different)
domain.29
For instance, the hyperlink https://www.fbi.gov/about-us/investigate/cyber takes you to the FBI’s cybercrime
website. A hyperlink could also be embedded in words, such as FBI cybercrime website, which is called
hypertext. Users can simply click on the word(s) or the link and are directed to the FBI cybercrime website.
These hyperlinks provide easy access to information relevant to the content the reader is interested in.
Hyperlinks are unidirectional—that is, a user can link from their content to another website’s content without
asking for approval from the owner of the destination page or any action by the owner of the destination page.
This unidirectional system allows anybody who has a website to link to other users’ websites.
A hyperlink is one way to get to more content, but users also have other options. For instance, if you are
searching for information on the web, you may often use URLs, which provide a reference to a resource on
the Internet.30 URLs have two main components: the protocol identifier and the resource name. For example,
for the website https://www.fbi.gov, the protocol identifier is “https” and the resource name is “fbi.gov.” In
this sense, the URL is comparable to the address you would put on a letter to tell the postal service to whom
to deliver your letter.
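The following Python sketch is an added example, not taken from the book. It splits each link's URL into its protocol identifier and resource name, then compares the real destination with the words a reader sees, which is the check a mail filter or a careful user applies to hypertext. The sample page, the example.net address, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: hypertext, a plain hyperlink, and a link whose
# visible text names one site while the URL behind it points somewhere else.
SAMPLE_PAGE = """
<p>See the <a href="https://www.fbi.gov/about-us/investigate/cyber">FBI cybercrime website</a>.</p>
<p>Direct: <a href="https://www.fbi.gov/about-us/investigate/cyber">https://www.fbi.gov/about-us/investigate/cyber</a></p>
<p>Update your details at <a href="http://fbi.gov.example.net/login">www.fbi.gov</a></p>
"""


def split_url(url):
    """Split a URL into its protocol identifier and the parts of its resource name."""
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme.lower(),
        "host": (parts.hostname or "").lower(),  # host-name part of the resource name
        "path": parts.path or "/",
    }


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def claimed_host(text):
    """Return the host that the visible text claims, or None for ordinary words."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "https://" + text
    return (urlsplit(candidate).hostname or "").lower() or None


def bare(host):
    """Treat www.fbi.gov and fbi.gov as the same site when comparing."""
    return host[4:] if host.startswith("www.") else host


def audit_links(html):
    """Report where each link really goes and whether its text is misleading."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        url = split_url(href)
        findings = []
        shown = claimed_host(text)
        # Any host difference is flagged, including a different subdomain.
        if shown and url["host"] and bare(shown) != bare(url["host"]):
            findings.append(f"text shows {shown} but link goes to {url['host']}")
        if url["protocol"] == "http":
            findings.append("protocol http is not encrypted")
        elif url["protocol"] not in ("https", ""):
            findings.append(f"protocol {url['protocol']} is not a web address")
        report.append({"text": text, **url, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_links(SAMPLE_PAGE):
        print(entry)
```

Because hyperlinks are unidirectional and need no approval from the destination, the visible text proves nothing about where a link leads; only the parsed URL does.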
Legal Issue 1.2: Is it a crime to link to infringed/illegal content?
Under the Digital Millennium Copyright Act (DMCA), Universal City Studios, Inc. brought a lawsuit against three hackers who
had provided software that could decrypt digitally encrypted movies on DVDs. The hackers also provided hyperlinks to other
websites with decryption software. At the time, motion picture companies were using encrypted DVDs as the main method of
distributing movies to consumers. The hackers argued that providing decryption information on their website was protected under
the First Amendment, which guarantees the freedoms of speech and press, and thus that the hyperlinks to websites with infringed/illegal
content were also protected by the First Amendment. The U.S. District Court disagreed and stated that by providing decryption
software and hyperlinks to websites with decryption software, the hackers had violated copyright laws, specifically the DMCA.31
Imagine you are the judge on the U.S. District Court and you have to decide a case where the defendant is accused of violating the
DMCA by providing hyperlinks from his legal website to a website that sells stolen goods. How would you rule in this case? What
would be the mitigating or aggravating factors you would consider?
What Can You Do?: Preparing for the Job of the Future: Careers in
Cybercrime and Cybersecurity
1. FBI Cyber Division
A job in the cyber division includes safeguarding classified information; examining forensic information related to computers,
technology devices, and data storage media; and disrupting the actions of data thieves and saboteurs. The FBI also employs a
Cyber Action Team (CAT) that is deployed to any place in the world where criminals attempt to compromise government
security. The CAT team includes highly trained tactical personnel who monitor, pursue, and apprehend criminals. A BA or MA
in criminology or criminal justice may be expected.32
2. Cyber Police Officer
Cyber police officers create, maintain, and protect law enforcement databases. They also protect the computer network and
connected devices. Applicants may have a degree in forensics or information networking and telecommunications with a minor in
justice studies.33
3. Computer Crime Investigator
The computer crime investigator is responsible for recovering file systems that have been hacked, gathering evidence and
computer system information, testifying in court, and training law enforcement on computer-related issues. Corporations typically
hire applicants with degrees in computer forensics and computer sciences.34
4. Department of Homeland Security (DHS) Cybersecurity
Cybersecurity professionals work on cyber incident response, cyber risk and strategic analysis, vulnerability assessment and
detection, intelligence and investigation, and digital forensics and forensic analysis. The DHS also has a cyber student volunteer
initiative where students work alongside cyber leaders in the DHS. The Department also offers scholarships for service to students
who are interested in becoming cybersecurity experts and want to work for DHS.35
5. Department of Justice
Officers working for the Department of Justice work on threats to national security, economic prosperity, and public safety. The
key priorities are currently cyberstalking, computer hacking, and intellectual property theft.36
6. The U.S. Secret Service
The Secret Service investigates and prevents counterfeiting, as well as securing critical infrastructures. The Secret Service also
employs an Electronic Crime Task Force and a Financial Crime Task Force.37
7. Threat Intelligence Analyst
The Threat Intelligence Analyst collects, analyzes, identifies, and escalates security incidents for all business units, including
employees and customers.
Summary
The purpose of this chapter is twofold: First, the chapter provides a basic overview of the origin and development of the Internet,
cyberspace, and the World Wide Web. The authors discuss how the Internet has changed in the past 20 years and provide some
examples of the dangers of the Internet. The chapter also explains the key terms students need to understand and be able to
distinguish.
Second, the chapter aims to provide students with an overview of the five security vulnerabilities and the key causes of these
vulnerabilities. Students should be able to explain what vulnerability means and how these five gateways create security vulnerabilities
for anybody who accesses the Internet.
Key Terms
Cyberspace
Digital Millennium Copyright Act
Domain Name System
Hyperlink
Hypertext
Internet
Internet Protocol Suite
Malware
Personal Computer
Uniform Resource Locator
Vulnerability
World Wide Web
Discussion Questions
1. How does the Internet differ from cyberspace?
2. Describe the four different layers of cyberspace. How does each layer contribute to the function of the Internet?
3. Discuss how the Internet developed. What was its original purpose? How has that purpose changed in the past 20 years? How do
you see the future of the Internet, or stated differently, what do you think will change in the next 20 years?
4. What are the main security vulnerabilities? Which of the vulnerabilities do you think is the most difficult to address for security
experts? Explain your answer.
5. Imagine you are the manager of a nuclear power plant near New York. You have to do computer updates in your plant just like on
your private computer. What are the risks/vulnerabilities you are facing with every computer update? What would be some
possible consequences if your computer was infected with a malware? What precautions would you take to keep your computers
safe?
Internet Resources
European Organization for Nuclear Research
http://home.cern/about/topics/birth-web/where-web-was-born
Massachusetts Institute for Technology, Computer Science and Artificial Intelligence Laboratory
https://www.csail.mit.edu/
Washington Post, Net of Insecurity: A Flaw in the Design.
http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/
Defense Advanced Research Projects Agency
http://www.darpa.mil/about-us/about-darpa
Further Reading
Leiner, B. M., Cerf, V. G., Clark, D. D., Kahn, R. E., Kleinrock, L., Lynch, D. C., . . . Wolff, S. (2017). Brief history of the Internet.
Retrieved from http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet
Witt, S. (2015, April 27). The man who broke the music business. The dawn of online piracy. New Yorker. Retrieved from
http://www.newyorker.com/magazine/2015/04/27/the-man-who-broke-the-music-business
2 What Is Cybersecurity?
Ignorance is not bliss when it comes to cybersecurity.
—Singer and Friedman1
Learning Objectives
1. Understand the evolving nature of the term cybersecurity and the challenges presented with it.
2. Analyze the origin of cyberspace legislation and the direction it is headed in the future.
3. Differentiate between private and public-sector cybersecurity, and the pros and cons of each.
4. Discuss the role that wireless networks (Wi-Fi) have played in making the issue of cybersecurity even more complex.
Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s
money wasted because none of these measures address the weakest link in the security chain: the
people who use, administer, operate and account for computer systems that contain protected
information.
—Kevin Mitnick2
Think About It 2.1: What Is Cybersecurity and Why Is It Important?
Imagine a hacked planet. Our modes of communication are taken hostage. Nobody knows for sure where they are going when they get
into their self-driving car or onto the self-driving bus or train because they have no control. Rather, it’s hackers who control people’s
movements. There can be no trust in infrastructure. Without trust, there is no banking, trading, or economy. Nothing is predictable
because reality is constantly changed by hackers who blend true with fake news. In such a hacked society, democracy fails and our medical
system fails because doctors don’t know whether medical records are correct or even accessible. The critical infrastructures are constantly
under attack such that they fail. When the power grids fail, traffic lights don’t work, alarm systems go out, store cash registers stop
working, banks can’t open, and people live in a world of chaos. When the water systems fail, people cannot drink the water that comes out
of their faucet, or maybe no water will come out of the faucet anymore. When the power goes out, debit and credit cards are worthless,
ATM and banking systems shut down, and individuals without cash are in big trouble.
In such a dystopian society, no one can be trusted, not our government, not our transportation system, not our power system—nothing in
our “smart” world will work as we would expect. This is the world without cybersecurity. We need cybersecurity so that we can have trust
that our connected cars drive where we want them to drive, to keep our water safe, to ensure that we have power and medical services, and
so people can buy goods with their credit cards and withdraw money from the bank. The cybersecurity of the future will be highly
integrated with business technology, and some professionals are already referring to it as business security.
There are many definitions of cybersecurity, but what is it exactly?
When you think of cybersecurity, think of a fire extinguisher. Even though most businesses have never had a fire, they still have fire
extinguishers in case there is one. Schools and universities have fire extinguishers and perform fire drills to practice what to do in case of a
fire. And because everyone is aware of the dangers of fire, many private citizens also have fire extinguishers in their homes. Most people
share a common knowledge about fire. First, it is an opportunistic threat. If you leave a candle burning on the Christmas tree (which is
likely very dry) and forget to blow it out, the tree may well catch on fire and the fire will spread very quickly. Second, a fire does not care
what you did yesterday. Even if you blew out the candle on the tree yesterday, today is a new opportunity for the candle to set the tree on
fire. Third, fire exploits the smallest vulnerabilities. If the candle is touching any few needles of the tree, the fire will catch onto those few
needles and then spread to the entire tree. Finally, fire does not stop until it owns everything—that is, until the entire tree is on fire. The
fire extinguisher is a security measure. If the house does not have a fire extinguisher, then it may not be possible to stop the fire from
spreading from the tree to other parts of the house, and the house will likely be on fire long before the firefighters arrive. Had there been
an immediate response to the fire using a fire extinguisher, the damage would have been much less. Cyberattacks are very similar to a
fire.3
What Would You Do?
1. So how do you prevent such an attack?
2. What exactly is cybersecurity?
3. How does it affect our everyday lives?
4. What are the biggest threats associated with cybersecurity?
Origins and Nature of Cybersecurity
The origin of cybersecurity dates back to the 1970s. In 1977, the federal government recognized that open
access to computer systems could create security breaches; however, the proposed Federal Computer Systems
Protection Act did not pass congressional scrutiny. In the 1980s, specifically 1983, there was a rise in hacking
attempts, which some credit to the release of the movie WarGames (see Think About It 2.2). The deputy
assistant FBI director pushed for antihacking legislation, but it was not until 1987 when the Computer
Security Act was signed into law that security measures for online systems were strengthened. Specifically, the
Computer Security Act was one of the first pieces of legislation to establish minimum security practices in federal
computer systems and advance protection of these systems.4
The following year, the U.S. Computer Emergency Readiness Team (CERT) Communication Center was
founded by the Defense Advanced Research Projects Agency (DARPA). CERT, which now boasts the goal
of striving “for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats,
and exchanging critical cybersecurity information with trusted partners around the world,”5 was created to
ensure readiness in the case of a major cyberattack. However, in the late 1980s this was not a top priority
within national security. In February 1991, the White House asserted that data theft “is a serious strategic
threat to national security,”6 but it was not until 1996 when President Bill Clinton established the first
commission on critical infrastructure that identified infrastructures vulnerable to both physical attacks and
cyberattacks—specifically, infrastructures that use computer systems, making them especially vulnerable to
hackers.
The late 1990s gave rise to concern about the millennial change from the year 1999 to 2000 and how the
change would affect electronic devices. The issue, referred to as Y2K, resulted in the president signing the
Year 2000 Readiness and Responsibility Act, and spending billions of dollars in preparation for the change.7
However, in the end, there were very few major problems associated with Y2K. Using the information
gathered during the Y2K preparedness phase, the government was able to examine cybersecurity issues prior
to the clocks changing from 1999 to 2000 and address potential problems before they occurred.
In the aftermath of September 11, 2001, President Bush charged a committee with creating a strategy for
cybersecurity and named Richard Clarke as the National Cybersecurity Advisor to examine the vulnerabilities
in cyberspace and the interest of terrorist groups in recruiting individuals with advanced cyber capabilities.
Following the attacks of 9/11, Osama bin Laden told an Arab newspaper “hundreds of Muslim scientists were
with him” who would use their technological skills against “the infidels.”9 Furthermore, Omar Bakri
Muhammad, a supporter of the now-deceased Osama bin Laden, claimed that al-Qaeda had the technology
to launch a cyberattack and should use those skills to defend and fight in the name of Islam. Muhammad
went on to list the New York, London, and Tokyo stock markets as optimal targets and said: “I would not be
surprised if tomorrow I hear of a big economic collapse because of somebody attacking the main technical
systems in big companies.”10 Since 9/11, terrorists have continued to increase their knowledge and skills in
cyberspace.
Think About It 2.2: War Games
The 1983 movie War Games tells the story of a young computer hacker (David Lightman, played by Matthew Broderick) who, on a quest
to play a video game that had not yet been released, accidentally accesses the North American Aerospace Defense Command’s (NORAD)
computer system. His hacker curiosity kicks in, and as he explores the computer system, he accesses the game mainframe and chooses to
play a game, Global Thermonuclear War, between the United States and the Soviet Union. Lightman does not realize that the computer
has been specially programmed and does not understand the difference between reality and fantasy (the computer believes that global war
is about to begin and overrides all of NORAD’s codes in order to launch nuclear missiles on the Soviets).
Lightman’s exploits into the NORAD system result in mass chaos, and he is hunted and apprehended by the FBI. However, his unique
knowledge of the computer system allows him to assist NORAD directors (and the program’s creator) in trying to stop the computer
from playing the game and releasing missiles on the Soviet Union. The seemingly innocent curiosity of Lightman’s actions comes close to
resulting in the actual release of nuclear missiles and the potential beginning of World War III.8 Although not intending to be malicious,
the hacking incident could have had severe physical repercussions.
What Would You Do?
1. What would you do if your curiosity about something led to a national security threat? How do you think this would play out in a
post-9/11 world?
2. Watch War Games and discuss what can be learned from the movie. What vulnerabilities (as mentioned in Chapter 1) are still
prevalent today? How can we prevent activities such as the ones in the movie from occurring?
Definitions
Cybersecurity is a term that is often used broadly. The conceptualization of this broad, and at times vague, term
is cause for discussion. Like many aspects of the criminal justice system, how cybersecurity is defined often
depends on the individual or entity doing the defining. Definitions vary across government organizations,
nation-states, academics, and the private sector, leading to confusion about what actually constitutes
cybersecurity. The conceptualization is a continuous and evolving issue. Some definitions concentrate more on
defining cyberspace, while others have more of a security focus. The term cybersecurity is frequently used in
policy titles and directives, but the use of the word has lagged behind in terms of accurately defining what it
means. In other words, the term is being utilized without a clear meaning of what constitutes cybersecurity.
We explore a variety of definitions below.
The conceptualization issue can be addressed in multiple ways; however, Agresti suggests that as the meaning
of security is somewhat established, it is the term cyber that must be defined.11 From a criminal justice
standpoint, this could encompass tactics of the perpetrator(s) and protection techniques as well as the
jurisdiction (cyberspace) in which the criminals are operating.
Definition of Cybersecurity
One of the first pieces of legislation to include specific cybersecurity provisions was created in direct response to the
terrorist attacks on September 11, 2001, and the subsequent anthrax attacks that fall. (Anthrax, a bacterial
disease, weaponized in powder form and able to cause severe respiratory distress, was sent via U.S. mail to
multiple television studios and congressional offices on Capitol Hill. The attack resulted in five deaths and a
renewed fear of biological attacks.) In an amendment to this document, Subtitle E of the Homeland Security
Act of 2002 (Cybersecurity Programs) was added. SEC 242 includes definitions of cybersecurity services and
cybersecurity threat (see Table 2.1) but not cybersecurity by itself.12
Table 2.1 Defining Cybersecurity
Document/Agency | Term | Definition
Homeland Security Act 2002 | Cybersecurity Services | Products, goods, or services used to detect or prevent activity intended to result in unauthorized access to, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system, or unauthorized exfiltration of information stored on or transiting an information system
Homeland Security Act 2002 | Cybersecurity Threat | Any action that may result in unauthorized access to, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system, or unauthorized exfiltration of information stored on or transiting an information system
Executive Order 13636 | Cybersecurity Information Sharing | Timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations
Executive Order 13636 | Cybersecurity Framework | Prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk, focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure, provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks
Cybersecurity Enhancement Act of 2014 | Cybersecurity | On an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure
Craigen, Diakun-Thibault, and Purse (2014) | Cybersecurity | The organization and collection of resources, processes and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights
Cyberthreats are the top priority of multiple federal agencies. The National Security Agency (NSA) is charged
with providing security to the United States via interception of signals intelligence and decrypting threats both
physical and cyber. The FBI has 60 cyber squads that work together with other federal, state, local, and
private-sector agencies to increase cybersecurity. Their ability to improve cybersecurity depends on a better
understanding of cyberthreats and vulnerabilities in the United States.
The former director of the CIA, General Michael Hayden, asserted that there is a cybersecurity knowledge
gap between the youthful generation that has grown up with technological advances and the older generations
who do not have the knowledge or understanding of the Internet or technological capabilities. This gap results
in a vulnerable population, ripe to be targeted by cybercriminals.
In 2013, President Barack Obama approved Executive Order 13636: Improving Critical Infrastructure
Cybersecurity. EO 13636 also details elements of cybersecurity information sharing and cybersecurity
framework (Table 2.1), but again, cybersecurity is not specifically defined. In this document, the biggest
cyberthreat discussed is that to critical infrastructures, including the electric grid system, banking/finance, and
transportation.
A year later, the Cybersecurity Enhancement Act of 2014, which did define cybersecurity (as shown in Table
2.1), was passed with the goal of
providing for an ongoing, voluntary public-private partnership to improve cybersecurity, and to
strengthen cybersecurity research and development, workforce development and education, and
public awareness and preparedness, and for other purposes.
Furthermore, in regard to cybersecurity, this document amended the National Institute of Standards and
Technology Act (NIST; 15 U.S.C. 271) to extend the role of the Secretary of Commerce so that he or she
may continuously develop new methods of cybersecurity (see Appendix 2A). Specifically, the secretary of
commerce should continuously develop new methods of cybersecurity that follow industry-led standards,
guidelines, best practices, methodologies, procedures, and processes. The goal is to reduce the risk
cyberthreats pose to critical infrastructures, such as power grids or water supplies. This is important because if
cybercriminals were to attack our power grid, for example, they could cause major damage throughout the
country. Anything that uses electric power (street lights, banking systems, transportation) would be affected.
Government policy doctrines are not the only writings that do not clearly define cybersecurity. Academic
writings are full of varying and, at times, contradicting definitions. This contentious issue, as discussed by
Craigen, Diakun-Thibault, and Purse, may lead to confusion and is often “subjective, and at times,
uninformative.”13 In their research, Craigen and his team reviewed multiple definitions of cybersecurity to
find recurring themes in the conceptualization and to produce a “new, more inclusive, and
unifying definition of cybersecurity” that would be applicable across “academia, industry, and government and
non-government organizations.”14
Definitions reviewed by this research team ranged from extremely general, as found in the Committee on
National Security Systems’ 2010 conceptualization, “The ability to protect and defend the use of cyberspace
from cyber-attacks,” to very detailed, as defined by the Department of Homeland Security (DHS). The DHS
definition reads:
The activity or process, ability or capability, or state whereby information and communications
systems and the information contained therein are protected from and/or defended against damage,
unauthorized use or modification, or exploitation.15
After reviewing the literature, nine current definitions were chosen to help construct a new definition of
cybersecurity.
Upon review, the research team was able to identify five dominant themes within the cybersecurity
conceptualization literature:
1. Technological solutions
2. Events
3. Strategies, procedures, and methods
4. Human engagement
5. Referent objects (of security)
Using a focus group of academics and cybersecurity experts, the research team proposed multiple new
definitions of cybersecurity and had them critiqued. Based on this information, Craigen and his team
produced a comprehensive definition of cybersecurity:
Cybersecurity is the organization and collection of resources, processes, and structures used to
protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de
facto property rights.16
Case Study 2.1: The Original Hacker: Kevin Mitnick
Kevin Mitnick is famous in the hacker subculture. Growing up in Los Angeles in the 1970s, Mitnick’s curiosity and extensive
memorization ability paved the way for his interest in cyberspace. While in high school, Mitnick learned how to phone phreak. Phone
phreaking allows an individual to exploit the telephone system, making calls for free. He quickly switched to the more complex world of
hacking, gaining access to classified/protected information, with relative ease.
Mitnick went on to study computers in college. He quickly was able to identify the vulnerabilities in the school’s computer system and
gained complete administrative privileges. While today that would be cause for expulsion, Mitnick was given the opportunity to stay in
school and complete a project in order to avoid punishment. This specialized project was to examine the vulnerabilities of the system that
Mitnick had already illegally accessed and then update the security of the school’s system. In one of the first examples of “white-hat
hacking,” Mitnick assisted the school and graduated cum laude with honors.17
Mitnick continued to hack into systems, knowing that it was wrong but enjoying the challenge. As he detailed before a congressional
hearing years after he had retired from hacking, Mitnick asserted,
I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully
penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to
obtain the source code to various operating systems and telecommunication devices to study their vulnerabilities and their inner
workings.18
In the mid-1990s, Mitnick went from a seemingly unknown hacker to “cyberspace’s most wanted” and landed on the front page of the
New York Times. Charged with 14 counts of wire fraud, eight counts of possession of unauthorized access devices, as well as interception
of wire or electronic communications, unauthorized access to a federal computer, and causing damage to a computer, Mitnick pleaded
guilty to all charges.19 He was sentenced to 3 years, 10 months in prison. While incarcerated, he was viewed as such a threat (it was
believed that he could whistle into a phone and set off a nuclear missile) that he was placed in solitary confinement. Upon his release,
Mitnick was placed on probation for 3 years, one of the conditions being he could have no access to computers.
After successfully completing his probationary period, Mitnick went on to use his skills to positively enhance security. He now runs
Mitnick Security, a security service specializing in penetration testing.
For further reading on Kevin Mitnick’s story, see The Art of Intrusion and The Art of Deception.
Cybersecurity Policies
As previously mentioned, President Obama signed into effect Executive Order 13636: Improving Critical
Infrastructure Cybersecurity with the goal of increasing the cybersecurity measures for each of the 16 sectors
identified by Presidential Policy Directive-21. Order 13636 states the framework will “identify areas for
improvement that should be addressed through future collaboration with particular sectors and standards-developing
organizations.”20 President Obama had identified cyberattacks as the number-one threat facing
the United States. As cybersecurity measures continue to grow more sophisticated, so do the methods of penetration. The
National Cybersecurity and Communications Integration Center is charged with 24/7 information sharing of
cyberthreats with both the public and private security sector agencies in order to reduce both the probability of
and the damage caused by cyberattacks.21
Cybersecurity information sharing with the private sector is imperative, as critical infrastructures are
extremely vulnerable to cyberattacks and 80% of U.S. critical infrastructure is owned by the private sector.
These infrastructures include dams, hospitals, railways, airlines, and power plants, all of which are susceptible
to cyberattacks. As the cyberthreat increases, collaboration between public and private sectors can strengthen
the role that cybersecurity plays in detection and mitigation. Private security corporations have much to offer
to the understanding of cybersecurity. These firms are often equipped with teams (red teams) composed
of white-hat hackers (nonmalicious hackers for hire) who possess the skills necessary to expose vulnerabilities
in the system and to provide cybersecurity solutions because they understand how cyberattacks are
perpetrated.
Case Study 2.2: FusionX
FusionX, a private cybersecurity firm, offers their services to companies and government organizations in an effort to reduce the
vulnerability of their systems. FusionX identifies threats to their clients by hacking into their system and attempting to “model and
replicate sophisticated adversary attacks.”22 Also known as a red team, or ethical hackers, the goal of FusionX is enhanced security. Using
a team of professionals skilled in the art of hacking, FusionX is hired to identify vulnerabilities in computer security and to offer solutions
to these problems. Using private-sector resources such as FusionX may help to increase cybersecurity to critical infrastructures. Along with
their skilled team of computer experts, FusionX offers the following services:
Annual enterprise vulnerability assessments
Tactical penetration testing activities
On-demand application (including mobile) security assessments
Recurring external vulnerability assessment scans
Spearphishing and other employee awareness exercises
On-demand incident response and threat analysis support
Infrastructure security design support
Annual risk management program reviews
On-demand access to subject matter experts
Annual security awareness training programs
What Do You Think?
1. What are the benefits associated with hiring someone from the private sector to perform security assessments on computers? Are
there risks associated with it?
2. If you were the CEO of a major corporation, what would you do to ensure that your vulnerable information was not passed to
individuals with malicious intent?
Overview of Cyberspace Intrusions
There are many ways that computer systems can be infiltrated and infected. Since the 1980s, when computer
viruses became increasingly prevalent, companies have spent millions of dollars to protect their systems from
malicious intrusions. One of the most famous of the first intrusions, Moonlight Maze, gained notoriety due to the
complexity involved in the attack. In 1998, a computer technician at ATI Corporation noticed a strange
connection at 3 a.m. A computer at the company was connecting to Wright-Patterson Air Force Base;
however, the computer account’s owner was not using the system.
Upon investigation by the Air Force CERT, the attack was traced to Russia and was found to be one of
multiple attacks using business and university computer systems as proxies to obtain information. These
coordinated attacks were given the name Moonlight Maze. The Moonlight Maze attacks resulted in the theft
of thousands of documents containing information on military technologies. The attacks infiltrated “military,
governmental, educational, and other computer systems in the United States, United Kingdom, Canada,
Brazil, and Germany.”23 These attacks were significant, as they were some of the first to illustrate how
vulnerable our technology is to malicious infiltration.
Today, malicious software (malware) is readily available for purchase and/or download. This software is often
designed with a specific purpose, and often the host computers are unaware that they have been hit with an
attack. Some of the more common forms of cyberspace intrusions are detailed next.
Network-Based Attacks
A network intrusion occurs when a computer system is accessed without permission. Such intrusions may go
unnoticed depending on the level of firewalls and security associated with the system. Network-based attacks
are attractive because (1) they may often go undetected and (2) the perpetrator(s) are often difficult to trace.
Two main forms of network-based attacks are untargeted attacks and targeted attacks.24
Untargeted attacks are of concern for the public, as the attack chooses its victims
indiscriminately. ...