CYBERTERRORISM
Jamila Harrison Vincent
Law and the Internet
Professor Wiseman
Georgia State University College of Law
Fall 2001
Introduction
On September 11, 2001, our country witnessed the most vicious act of war ever
committed on American soil. Terrorists launched air attacks on Washington,
D.C. and New York City, using civilian airplanes as missiles to plunge into
the Pentagon and to bring down both of the World Trade Center towers. A third
airplane was also overtaken, but was apparently brought down in Pennsylvania
by a few brave souls who challenged the attackers. Wide-eyed in the wake of
the mass murder and destruction, we retreated to our homes to wait, to watch,
to wonder: what was next? Determined to never again be caught by a surprise
attack, the American government launched an offensive, not only in the deserts
of Afghanistan, but here in our homeland. President Bush established the Homeland
Security Council, charged with the task of fighting terrorism head on. (Executive
Order No. 13228, 66 FR 51812, October 10, 2001. U.S.
Newswire, Summary Of The President's Executive Order: The Office Of Homeland
Security And The Homeland Security Council, Oct. 8, 2001).
Creative minds across the nation went to work to analyze our biggest threats and our greatest weaknesses. The mission may prove to be never-ending given that terrorism is a constantly changing threat. In a symposium on Terrorism and Business at DePaul University, Ambassador Michael Sheehan spoke prophetically of these changing threats. "We are going to need to look at these changing threats because I also think we are going to be vulnerable on a commercial front. We talk about this threat because when enemies cannot attack American military abroad, they may attack us at home in our critical infrastructure or private sector, as well as abroad. As it becomes more difficult to attack an embassy or military base, terrorists may go increasingly after commercial interests" (Michael Sheehan, "International Terrorism: Trends and Responses", 12 DePaul Bus. L.J. 45 (2000)).
The New Terror
Cyberterrorism has been quick to emerge as an enormous threat to our national
security and our economy. Cyberterrorism has also been recognized as one of
the fastest growing international crime problems. (Madeleine Sann, "Book
Review", 8 Crim. L.F. 171 (1997)). Computers have evolved from specialized
resources used by information technology specialists to essential business
and personal resources used by people spanning age, gender, race, and generational
gaps. (Mary M. Calkins, "They
Shoot Trojan Horses, Don't They? An Economic Analysis of Anti-Hacking Regulatory
Models," 89 Geo. L.J. 171 at 172 (2000)). In 2000, the total Internet
economy was estimated at $507 billion, a sixty-eight percent increase over
1998. (Id.) As of March 2000, the number of people surfing the web was estimated
at 304 million, almost three times the number online in 1998. (Id.)
However, as more people get connected, the incidence of computer hacking also grows. The Computer Security Institute reported system penetration increased in 1999 for the third year in a row. (Calkins, 89 Geo. L.J. at 173-174). A survey of U.S. companies showed that 78% of those responding had suffered at least one network security breach and nearly 20% of the respondents were spending at least $500,000 per year on information security. (Id.) Even home users are advised to take precautions. Hacking is in full force.
Hacking is costly in terms of both the clean-up process after a cyberattack and in day-to-day security and prevention measures. Hacking bears similarity to other criminal phenomena in terms of prohibited behavior and the potentially large costs, but it has attracted special attention because of the novelty of cyberspace as a medium and the requirement of specialized regulations. (Id. at 174).
The definition of cyberterrorism is very broad, including "the use of computing resources against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives." (Clifford A. Wilke, "Infrastructure Threats from Cyber-Terrorists" (visited Feb. 12, 2000)). Cyberterrorism may be further down on our own anxiety lists because cyberattacks generally don't kill people. Many of us have been victims of cyberattacks. You may be familiar with worm attacks, which are used to overload the system by having the program reproduce itself on the server; domain-name-service hijackings, which are used to prevent Internet users from gaining access to a particular Internet site by rerouting all inquiries from that site to a completely different location; logic bombs, which are programs that, when triggered, may disrupt the entire computer system by making the entire disk unreadable; or mail bombings, which bombard a specific e-mail account with thousands of messages to shut down the recipient's e-mail server or e-mail access. E-mail attacks may also involve Trojan horse programs attached to e-mails that, when run, can disrupt the user's PC or the entire network, or are designed to self-replicate by automatically e-mailing a copy of the attacking message to everyone in the user's e-mail address book. (David Hueneman, "Privacy on Federal Civilian Computer Networks: A Fourth Amendment Analysis of the Federal Intrusion Detection Network", 18 J. Marshall J. Computer & Info. L. 1049 (200)).
What many people may not fully understand is that cyberterrorism may have an impact far beyond the relative inconveniences of these attacks. Unlike the computer viruses that have become such a prevalent nuisance, cyberterrorism can have a much harsher effect. It can cause severe economic hardship, widespread loss of electricity and possibly physical and psychological suffering. Much attention has been given to what may be called Information Warfare. Information Warfare includes physical attack, hacking and software or data attack, much like the traditional hacking previously discussed. However, what has been termed Strategic Information Warfare (SIW) has not received the same attention, and it poses some of the more lethal threats of cyberterrorism. (Bard R. Ferrall, "Criminal Law and Criminology: A Survey of Recent Books", 89 J. Crim. L. & Criminology 1499 (1999)). While SIW would employ some of the same tactics as Information Warfare, it would work towards larger objectives, such as the reduction of America's influence on a region. SIW favors long-range monitoring of information systems to determine where vulnerabilities lie and to develop a strategic attack at the optimum time. Moreover, because monitoring of information systems leaves little or no trace, it may go undetected, leaving intelligence agencies unprepared for an attack. (Id.)
Who are the cyberterrorists?
One of the most frightening aspects of cyberterrorism is that virtually any
coward can commit an act. Unlike the suicide missions of the terrorists on September
11, cyberterrorism can be accomplished remotely and anonymously. Anyone can
be a cyberterrorist, from a disgruntled employee to a foreign spy, a fraud perpetrator,
a political activist, a conventional criminal, and even a juvenile with a little
bit of computer knowledge. With the growth of the Internet, the pool of potential
cyberterrorists has grown and hacker tools and information are now readily available
online. (Calkins,
89 Geo. L.J. at 176).
Cyberterrorism is made even more convenient by the fact that it is cheap in comparison to the extensive and expensive terrorist operations we have seen in the past, requiring only a telephone, a computer, hacker software, and a modem. Examples of more serious acts of cyberterrorism include sabotage of the stock exchange, the disabling of power and phone utilities, altering drug formulas at pharmaceutical plants, adjusting pressure in gas pipelines to cause valve failure, scrambling the software of major financial institutions, hospitals, or large corporations, and disrupting air and railroad traffic control. (Global Organized Crime Project, "Cybercrime Cyberterrorism Cyberwarfare").
State Regulation
All states currently have computer-crime-specific laws that mostly mirror the
federal regulations. (Calkins,
89 Geo. L.J. at 184). State and local law enforcement authorities also face
additional challenges in that they are less likely to have the training, interest
or the resources to pursue hackers. (Id.) Given that the Internet is not confined
to any one region, jurisdictional problems also arise in prosecuting hackers.
(Id. at 185). Moreover, the emergence of large international data networks has
also shifted responsibility for cybercrimes to the federal government. (Id.)
Federal Regulation
Given the immense threat of cyberterrorism, the federal government has acted
to fend off any attacks. In 1984, Congress criminalized unauthorized computer
use by passing the Counterfeit Access Device and Computer Fraud and Abuse Law.
(Pub.
L. No. 98-473, §2102(a), 98 Stat. 1837, 2190 (1984)). Initially, the
law only covered computers involved in certain critical functions, such as classified
government work and financial institution operations. However, following criticism
for vagueness and narrowness, Congress passed the Computer Fraud and Abuse Act
(CFAA) in 1986 to clarify the terms of the 1984 law and expand its scope. (Pub.
L. No. 99-474, §2, 100 Stat. 1213 (1986)). Over time, Congress became
concerned that some hackers were escaping punishment through loopholes in the
statute. Furthermore, Congress wanted to give the government more expansive
authority to capture hackers. As a result, Congress further expanded the scope
of the CFAA in 1997 and 1996 to lower the punishable level of mens rea for unauthorized
access and ensure wider application in protecting computers and prosecuting hackers.
(Calkins
at 179-180; 18
U.S.C. § 1030(a)(4-5) (Supp. IV 1998)). The law was again amended in
October of this year following the September 11 crisis in the USA Patriot Act.
The Act calls for the creation of an Electronic Crimes Task Force for the purpose
of preventing, detecting, and investigating various forms of electronic crimes,
including potential terrorist attacks against critical infrastructure and financial
payment systems. (Pub.
L. No. 107-56, §105, 115 Stat. 272 (2001)).
Under the current version of the statute, intentional unauthorized access of government computers is generally a criminal act even if no damage is caused. Non-government "protected computer[s]" also fall under the statute. A "protected computer" is defined as one exclusively for the use of a financial institution or the U.S. Government, or if not exclusive, one that is used by or for a financial institution or the U.S. Government and the offense affects that use. A "protected computer" can also be one that is used in interstate or foreign commerce or communication. (18 U.S.C. §§1030(e)(2)(A)-(B)). Under this definition, because the Internet is frequently used for interstate or foreign commerce and communication, almost any public or private computer on the net would likely be considered a "protected computer" under the statute.
Non-government "protected computers" are covered by the statute if a person "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer," or if an outsider "intentionally accesses a protected computer without authorization," and as a result, "recklessly causes damage" or merely negligently "causes damage." (Id. §1030(a)(5)).
Damage under the statute can be the loss of $5,000 over a year, any actual or potential modification or impairment of medical examination, diagnosis, treatment or care, physical injury to a person, or a threat to public health and safety. (Id. §1030(e)(8)(A)). Even if there is no damage as defined by the statute, unauthorized access can still be punished as a crime if certain types of information are obtained, including information from financial or credit files, a department or agency of the U.S. government, or from a protected computer if the conduct involves an interstate or foreign communication. (Id.) The statute also criminalizes other computer offenses, such as unauthorized access in the commission of a fraud, obtaining or disseminating classified information, trafficking in computer passwords, and extortion based on a threat of damage. (18 U.S.C. §1030(a)(1), (4), (6), (7)).
In the CFAA, Congress deals with the hacker with the statutory criminal intent. What is not addressed, however, is the hacker who does it just for "fun" or just because he can. Somewhere in the middle is the religious or political activist who does it as an outcry and statement of his own personal belief. Without first detaining the offender, it is difficult to know whether there is the statutory mens rea under the CFAA. As a practical matter, it is likely that the offender would first be arrested and his intent would be resolved through interrogation and further investigation before proceeding to a criminal trial. (Calkins, 89 Geo. L.J. at 182).
Given the limitations on law enforcement, under the CFAA, only a handful of hackers would be prosecuted. There are over 50 million American computers connected to the Internet and falling under the statute as "protected computers". (Calkins, 89 Geo. L.J. at 183). Furthermore, a vast number of hacking incidents are not reported or go undetected. The number of successful intrusions detected has been estimated at a maximum of ten percent, with roughly one to seventeen percent of detected intrusions being reported. Therefore, under the most optimistic assumptions of this data, only about two percent of all intrusions ever reach the initial attention of law enforcement. (Id.)
Most critics of the CFAA have focused on its criminalization of hacking that causes negligent, rather than reckless or intentional damage. (Calkins, 89 Geo. L.J. at 189). A reckless damage offense is a felony, punishable by a fine and/or imprisonment of up to five years if there are no prior convictions or attempts. (See 18 U.S.C. §1030(c)(3)(A)). The negligent damage offense is a misdemeanor, punishable by a fine and/or imprisonment of up to one year if there are no prior convictions or attempts. (See Id. §1030(c)(2)(A)). If there are prior convictions under this section, or attempts to commit another offense punishable under the subparagraph, imprisonment may reach up to 10 years regardless of whether the offense was reckless or negligent. (See Id. §1030(c)(3)(B)).
Recent Developments
Evidencing the U.S. government's dedication to protection against cyberterrorism,
Congress established a loan guarantee program giving up to $10,000,000 to qualified
borrowers. (10
USCA § 2541). Under this law, the government will fund the establishment
of programs in cyberterrorism prevention in order to meet the national security
objectives. Moreover, President Bush has established the President's Critical
Infrastructure Protection Board to coordinate federal efforts and programs that
relate to the protection of information systems. (Executive
Order No. 13231, 66 FR 53063, Oct. 16, 2001). The goal is to work for the
protection of the critical infrastructure of the private sector, federal departments
and agencies, national security programs and state and local governments, and
the support of programs in corporate and academic organizations. (Id.)
Protection
There has been much debate over the best way to protect against cyberterrorism.
The threat of cyberterrorism has been used to justify increased federal surveillance;
however, critics argue that it is merely an excuse to violate 4th Amendment privacy
rights. (See Cassidy Sehgal, "The
Power of the Federal Government in the Electronic Age", (discussing
the potential dangers of the loss of privacy presented by government surveillance)
4 Tex. Rev. L. & Pol. 77 (1999)). Cryptography and encryption (the ability
to scramble data) are heralded as some of the best protection against cyberterrorism.
(See Stewart Baker, "Regulating
Technology for Law Enforcement", (discussing the policy considerations
behind these tools) 4 Tex. Rev. L. & Pol. 53 (1999)).
The fact that most information technology is developed, controlled and owned
by private business means that implementing security against cyberterrorism
requires collaboration between business and government. In light of recent events,
there will likely be less resistance to government interference for the sake
of national security. We have already seen conflict over the balance of governmental
interests and individual privacy interests. However, we have also witnessed
the damage that can be done when our defenses are down. Faced with the reality
of our own vulnerability, building a solid offense against cyberterrorism is
the only way to ensure our security.