BY CLAIRE RUMLER — The New York Times, one of the most prominent newspapers in the United States, fell victim to a group of Syrian hackers in late August 2013. The attack came as governments in several countries considered taking military action against Syrian President Bashar Al-Assad, amidst reports that he had utilized chemical weapons against his own citizens in order to quell an uprising. The Syrian Electronic Army (“SEA”), a group of hackers loyal to Al-Assad, later claimed credit for the cyber attack, which caused outages on the NYT website and mobile apps for a period of about 20 hours. The group has made a number of similar attacks on other news outlets, including CNN [1] and the Washington Post [2]. New York Times chief information officer Marc Frons described the sophistication of the attacks: “It’s sort of like breaking into the local savings and loan versus breaking into Fort Knox.”[3]
These attacks raise a serious question: how is the United States prepared for these kinds of attacks? The answer is uncomfortable. The reality is that, although the Patriot Act provided mechanisms for the federal government to investigate and prosecute cyber attacks, those provisions were not extended in 2011, when the original Patriot Act expired. Those provisions should be extended in order for the government to have some type of legal leverage in investigating and prosecuting these crimes.
Under Title VIII of the Patriot Act,[4] as it was passed in 2001, the certain types of cyber attacks could be classified as “terrorist attacks,” which had serious implications for how they could be prosecuted and investigated. Section 814 specified the types of cyber crimes that were considered acts of terrorism and broadens punishments for those acts. The attacks on the New York Times constitute terrorism under the section 814, which criminalizes the attempted illegal use or access of protected computers. These attacks absolutely constitute terrorism under that definition. The hackers of the SEA were not authorized users of either the computers at the Times’ domain name registrar, Melbourne IT, or the New York Times computers that were accessed with the information stolen from Melbourne IT. Furthermore, the SEA hackers attacked the New York Times website twice, offenses which, under Section 814 of the Patriot Act, could have subjected the culprits to not more than 20 years imprisonment.
Section 816 of the Patriot Act also included provisions that would aid in the investigation of these cyber crimes, providing resources that are no longer in existence after the Act expired. Section 816 directed the Attorney General to establish regional computer forensic laboratories that perform examinations of cyber criminal activity and cyberterrorism. The existence of these kinds of facilities could, arguably, have prevented the numerous attacks that the SEA has made on various news facilities in the United States. In light of the increasingly sophisticated attacks, cyber forensic facilities are an integral part of national security.
Clearly, the United States needs more protection against cyber threats. The increasing level of sophistication in the recent cyber attacks on the New York Times illustrates that need. Although the Patriot Act provided both legal leverage over cyber terrorists and the means to investigate and prevent those crimes, this legislation was not extended when the Patriot Act expired. Currently, the existing legal structure in the United States is inadequate to address the serious threat of cyber crime. New legislation, such as sections 814 and 816 should be re-enacted.
[1] http://www.cnn.com/2013/08/27/tech/web/new-york-times-website-attack/index.html
[2] http://www.nytimes.com/2013/08/28/business/media/hacking-attack-is-suspected-on-times-web-site.html?_r=0
[3] Id.
[4] UNITING AND STRENGTHENING AMERICA BY PROVIDING APPROPRIATE TOOLS REQUIRED TO INTERCEPT AND OBSTRUCT TERRORISM (USA PATRIOT ACT) ACT OF 2001, PL 107–56, October 26, 2001, 115 Stat 272
