Chief UK police officers are asking the government for new powers that would allow them to attack terrorist Web sites.
A list of anti-terror recommendations from the Association of Chief Police Officers (ACPO) has been handed to MPs in the wake of the London bombings this month, as the government is reviewing laws on how to tackle terrorism.
Under the proposals, it would become an offence to fail to disclose encryption keys and to use the Internet to facilitate acts of terrorism.
In a press statement, Ken Jones, chairman of the ACPO Terrorism and Allied Matters Committee, said: "[The] evolving nature of the current threat from international terrorism demands that those charged with countering the threat have the tools they need to do the job. Often there is a need to intervene and disrupt at an early stage those who are intent on terrorist activity in order to protect the public. Clearly our legislation must reflect the importance of such disruptive action."
The list of recommendations does not detail how police would attack Web sites but in many cases remotely disabling a Web server involves a DoS attack. Police added that the measure would help police stop the spread of child abuse images on the Web.
The ACPO statement said: "This power has significant benefits for counterterrorism and overlaps with other police priorities namely domestic extremism and paedophilia. This issue goes beyond national borders and requires significant international co-operation. The need for appropriate authority and warranty is implicit."
One former policeman who now works in computer forensics was concerned about the international implications of making cyberattacks legitimate.
Simon Janes, international operations manager for data-recovery firm Ibas, said: "It's no different to parachuting officers into another country to investigate something. There would have to be some international consent but I can't see a way around it. It does pose the question, what if that [target] is another government Web site?"
A spokesman for public technology pressure Web site spy.org.uk also warned that attacks on foreign Web sites could backfire.
In an email to ZDNet UK sister site silicon.com he wrote: "Who exactly is going to define what a 'terrorist Web site' is? There are none of these hosted in the UK, so the targets must be abroad. Will a blog or discussion forum be attacked because one or more of the posters puts up a message gleefully praising some terrorist atrocity or other?
"The only people who seem to have a legal hacking law at the moment are the Australians but it does not appear that they have dared to use it against overseas targets. Hackers will delight in faking their IP addresses, or using UK government systems which they have compromised to launch 'legal' cyberattacks on their victims — how is anybody going to tell the difference?"
While the police admitted that the time it takes to break some encryption standards has slowed investigations, moves to stop people hiding encryption keys have already been included in the Regulation of Investigatory Powers Act. However, this has yet to be signed off by the Home Office and the police have asked for further updates on its progress.
ACPO said: "Recent investigations have been made more complex by difficulties for investigating officers in ascertaining whereabouts of encryption keys to access computers etc. An amendment to part three of the Regulation of Investigatory Powers Act to make it an offence to fail to disclose such items would provide some sanction against suspects failing to cooperate with investigations."
But Ibas' Janes said this law could overlook cases where people forget their passwords. "It only works if you make the penalty the same for that which you are being investigated. Why would you be compelled to hand over an encryption key unless you were performing acts of terrorism? But people do forget their passwords of course," he said.
Spy.org.uk challenged this point. The spokesman wrote: "Presumably what ACPO are trying to do is to remove the existing defence of 'I have genuinely forgotten my PGP pass-phrase', which is simply unfair, and it still does not acknowledge the existing weaknesses of the part three regulations with regard to opportunistic encryption keys."
Talkback
Counterstrike through aggressive defence
The concept of counterstrike through aggressive defence presupposes the adoption and use of information technology to produce legitimate and legalised disabling and reasonably destructive effects. Some adopted measures completely destroys the functioning of the offending computer while others simply disable the computer for the time being by either shutting it down or making it temporarily non-functional. Thus, the adopted measure to gain public support and legitimacy must be “proportionate” to the harm that could have caused had that measure not been adopted. For instance, the shutting down of the computer of the person using the malware is permissible whereas the destruction or procurement of data and information stored in such computer, having no connection and association with that malware, may not be commensurate with the protection requirements. Such destruction or procurement of data may be unlawful and perhaps exceed the limits of self-defence. Thus, technology adopted must not only be safe and effective, but it must also be “legal and law-abiding”. A countermeasure, which is not very accurate, and law abiding would be a remedy worst than the malady and hence it should be avoided. For instance, if a virus has been launched by using a public server, then by disabling that server the genuine and legitimate users will be unnecessarily harassed and they would be denied the services which they are otherwise entitled to. Thus, the countermeasure measure adopted must be job specific and not disproportionate to the injury sought to be remedied.
The problems associated with the use of malware are not peculiar to any particular country as the menace is global in nature. The countries all over the world are facing this problem and are trying their level best to eliminate this problem. The problem, however, cannot be effectively curbed unless popular public support and a vigilant judiciary back it. The legislature cannot enact a law against the general public opinion of the nation at large. Thus, first a public support has to be obtained not only at the national level but at the international level as well. The people all over the world are not against the enactment of statutes curbing the use of malware, but they are conscious about their legitimate rights. Thus, the law to be enacted by the legislature must take care of public interest on a priority basis. This can be achieved if a suitable technology is supported by an apt legislation, which can exclusively take care of the menace created by the computers sending the malware. Thus, the self-help measures recognised by the legislature should not be disproportionate and excessive than the threat received by the malware. Further, while using such self-help measures the property and rights of the general public should not be affected. It would also not be unreasonable to demand that such self-help measures should not themselves commit any illegal act or omission. Thus, a self-help measure should not be such as may destroy or steal the data or secret information stored in the computer of the person sending the malware. It must be noted that two wrongs cannot make a thing right. Thus, a demarcating line between self-help and taking law in one’s own hand must be drawn. In the ultimate analysis we must not forget that self-help measures are “watchdogs and not blood-hounds”, and their purpose should be restricted to legitimate and proportionate defensive actions only. In India, fortunately, we have a sound legal base for dealing with malware and the public at large has no problem in supporting the self-help measures to combat cyber terrorism and malware. If still there remains any doubt or objection, then it will be sufficient to mention that only a computer can react fast enough to take care of the menace of malware and the traditional methods of law enforcement are helpless in this regard. The problems of lack of harmonisation, doubt rega
The problems of lack of harmonisation, doubt regarding jurisdiction, lack of a uniform extradition law between various countries of the world, etc can be solved only by using a legitimate, proportionate and reasonable mechanism of self-help, which is not only instant but also free from technicalities and formalities.
Kindly see http://perry4law.blogspot.com/2005/07/preventing-violations-by-aggressive.html for complete discussion.