Cybercrime is one of the fastest rising crimes in the world today. It has been described as an illegal activity that is perpetrated through the Internet. However, there is no universally accepted definition of cybercrime. This paper is a literature review that will analyze several concepts revolving around cyber-attacks.
Numerous definitions of the term cyber-attack have been suggested over the years. However, there appear to be some conflicts in determining one universally accepted definition of the term. The confusion is attributed to different definitions of the term from government sources.
As Hathaway, Crootof, Levitz, Nix, Nowlan, Perdue, and Spiegel (2012) explain, the first military definition of the term cyber-attack was published by the United States Cyber Command. The term was defined as an act of hostility that is launched using computer systems or systems that are computer operated with the intention of interfering or damaging cyber functions and systems.
A cyber-attack is aimed at interfering with data in a computer system or a network of computers. The attack may employ the use of electronic transmitters or other devices that are considered to be peripheral to the computer. An act of cyber crime may be executed from a given location and its effects be felt widely, far away from the point of execution (Hathaway, Crootof, Levitz, Nix, Nowlan, Perdue, and Spiegel, 2012).
Hathaway, Crootof, Levitz, Nix, Nowlan, Perdue, and Spiegel (2012) add that existing definitions of cyber-attacks and related terms vary widely. Some of the terms are also defined in ways that benefit the governments involved. The term has been used interchangeably with cyber-warfare and cyber-bullying.
Hathaway, Crootof, Levitz, Nix, Nowlan, Perdue, and Spiegel (2012) also reveal that there is a lack of accountability on the governments’ side in dealing with cyber-attacks.
For example, the Shanghai Cooperation Organization, an intergovernmental mutual security organization founded in 2001 by China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan adopted cyber-attack strategies that pose a threat to political stability. This was a setback in the fight against cybercrime.
Efforts to define cyber-attacks at an international level are significant, even though the results have been less promising. Gervais (2012) argues that workable definitions of cyber-attacks have been offered by other sources; for instance, the United States Department of Defense.
The author also adds that the involvement of other agencies in dealing with cyber-attacks will achieve what the governments have failed to do, more so to define cyber-attacks.
Gervais (2012) reveals that the only international agreement that gives a definition of cyber-attacks is the Council of Europe’s Convention on Cybercrime (CECC). CECC is a multilateral treaty that increases cooperation among signatories to combat cybercrime, such as fraud, child pornography, and copyright infringement.
There is also a gap in literature in defining cyber-attacks. Hathaway, Crootof, Levitz, Nix, Nowlan, Perdue, and Spiegel (2012) explain that there should be a distinction between cybercrime, cyber-attacks, and cyber warfare. The authors also suggest that in order to understand one type of crime, those involved with tackling cybercrime have to understand the other types of crime.
Table 1 shows a summary of the definitions and distinctions in cyber-attacks, cybercrime, and cyber warfare.
Table 1: Essential characteristics of different cyber-actions
|Cyber- attacks||Cyber- |
|Involves only non–state actors||√|
|A Violation of criminal law, committed by means of a computer system must exist||√|
|The objective must be to undermine the function |
of a computer network
|Must have a political or national security |
|Effects must be equivalent to an “armed attack,” or activity must occur in the context of armed conflict||√|
There are mixed reactions in regard to who is responsible for dealing with cyber-attacks. Scully and Cooper (2013) explain that industry leaders should not rely on governments to work towards improving cyber security. Blame has been put on organizations that do not try to secure their own cyber presence. Company CEOs have, therefore, been advised to speed up companies’ adoption rate of cyber security (Scully & Cooper, 2013).
There are several laws that can be applied when a cyber-attack constitutes an armed attack. Hathaway, Crootof, Levitz, Nix, Nowlan, Perdue, and Spiegel (2012) explain that applying the laws of war to a cyber-attack can be challenging. It is worth noting that the laws of warfare have not been revised since the World War II.
Using the laws to solve a cyber-attack becomes less effective or useless altogether. Additionally, the authors say that it is only possible to use the existing laws to solve cyber-attacks if the cyber-attacks involve property destruction. As summarized in table 1, however, the best term to use is cyber warfare and not cyber-attacks whenever there is destruction of property.
In the United States of America, the law allows organizations to get the Comprehensive National Cyber-Security Initiative. This is defined as a twelve component program that protects computer networks from cyber-attacks.
The program protects the networks by improving the IT processes, reducing the connections between the federal agencies’ computers and other computers, and detecting intrusion (Owens, Dam & Herbert, 2009).
Owens, Dam and Herbert (2009) explain that the United Nations Charter states that a cyber-attack should be judged purely by the effect it has, rather than its modality. This means that even though the weapons that were used to do the attack should be considered by the law, the effects of the cyber-attack are more important.
On the other hand, Gervais (2012) argues that the laws of war in cyberspace can be controlled. The author adds that there are two things to consider when talking about the laws of war in cyberspace. The first thing that has to be considered is whether the crime resulted in the use of force. Gervais (2012) explains that if the crime resulted in the use of force, then the law is termed as jus ad bellum.
The second thing that has to be considered is whether the attack falls within the limits of acceptable warfare behavior. In the first scenario, if the attack conforms to jus ad bellum, then the law that governs criminal procedures will be used. However, if the attack is justifiable according to the conducts of warfare, then no repercussions of the law will be felt by any party.
Gervais (2012) also adds that international treaties can determine how cyber-attacks are categorized in the law. The international laws will apply if the cyber-attack is an international case or it threatens international relations. For example, if the cyber-attack is done by an individual in China and targets the United States government, then the international laws governing the two countries will have to be used to solve the crime.
Schmitt (2012) argues that cyber warfare has proven difficult to manage using normal law. He attributes this to the use of kinetic weapons, as opposed to normal weapons. Schmitt (2012) adds that the United States laws have to be revised to cater for cyber-attacks, crime, and warfare.
It is acknowledged that cyber-attacks and crimes can threaten the core fiber of the society without causing any physical damage to the society. This makes it difficult to manage the crime using the existing laws.
According to Schmitt (2012), the trans-border cyber-attacks also make it difficult for anyone to manage cyber-attacks. Different laws will apply to different regions, thus nothing can be done about cybercrime because there is no clear international law that can be used to control cyber-attacks.
Alperen (2011) also agrees that the law is insufficient in dealing with cyber-attacks. He explains that normal laws can be used when the attack is within the country.
Conversely, no laws can be applied when the cyber-attack is done from one country and targets another. International laws define crime as anything that causes physical damage and uses physical weapons. Contrary to this, cybercrime can cause a lot of physical damage, but it does not use physical weapons.
In conclusion, there are various definitions of the term cyber-attack. However, all the definitions that are in use lack one thing or another. The law does not specifically stipulate the punishment for committing a crime of cyber-attack. In fact, the laws do not stipulate what can be considered as cybercrime. However, many scholars seem to agree that if the attack conforms to jus ad bellum, then it should be punished using normal state laws.
However, if the attack is justified according to the laws of warfare, then the party involved should not be punished. This is one of the challenges that make it hard to fight cybercrime.
Moreover, most of the current strategies of fighting cybercrime are outdated and irrelevant, thus calling for the adoption of strategies that match the current level of technological development. Intergovernmental cooperation and the international law are pertinent in cracking down and punishing criminals involved in cybercrime because the effects of cybercrime may involve individuals in different countries.
Alperen, M. 2011. Foundations of homeland security: Law and policy. New York, NY: Wiley.
Gervais, M. 2012. Cyber-attacks and the laws of war. Berkley Journal of International Law, 30(2): 525-541.
Hathaway, O. A., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., & Spiegel, J. 2012. The law of cyber-attack. California Law Review, 100: 817-839.
Owens, W. A., Dam, K. W., & Lin, H. S. 2009. Technology, policy, law, and ethics regarding U.S. acquisition and use of cyber-attack capabilities. Washington, DC: The National Academies Press.
Schmitt, M. 2012. Classification of cyber conflict. Journal of Conflict and Security Law, 17(2): 245-260.
Scully, P. C., & Cooper, T. G. 2013. Current trends in coverage for cyber liability risks. <http://www.cooperscully.com/uploads/file/Cyber%20Risk.pdf>.