Homeland defense
July 2007
By Breanne Wagner
Experts Downplay Imminent Threat of Cyberterrorism
In early 2000, along the Sunshine Coast of Queensland, Australia, 49-year-old Vitek Boden broke into a local waste management computer system and altered the pump station operations, unleashing more than 264,000 gallons of raw sewage into public parks and creeks. The spill killed marine life, contaminated the water and left an unbearable stench. It marked the most serious reported attack against a critical infrastructure, said Dorothy Denning, a cyber security expert at the Naval Postgraduate School.
U.S. officials in recent years have warned about the threat of a terrorist attack against civilian and government computer systems. They say one of the most plausible scenarios is an assault on critical infrastructures, such as water systems or financial networks.
Boden’s scheme was a surprising and unexpected attack that had disastrous results. But can it be defined as cyberterrorism?
Denning doesn’t think so. She believes such an attack must be “sufficiently destructive or disruptive to generate fear comparable to that from physical acts of terrorism and it must be conducted for political and social reasons.”
Boden’s motives were neither political nor social. He was a former employee of the company that had installed the system and was angry about being rejected for a council job, Denning said.
Cyberterrorism has become a buzzword of sorts because the severity — and existence — of the threat is debated. Experts have difficulty agreeing on what it means, largely because no agency, group or institution has been seriously debilitated by an electronic attack. The “terrorism” in cyberterrorism implies that it will be lethal or at least catastrophically damaging. Despite varying opinions on the subject, cyberterrorism does not yet pose an imminent danger, either in the government or private sector, some analysts contend.
“Although cyberspace is constantly under attack from non-state actors, the attacks so far are generally not considered to be acts of terrorism,” said Denning. “There is some desire to conduct more damaging attacks, but there are no plans or capability to conduct devastating attacks against critical infrastructure or digital control systems,” she said.
Military and government officials say terrorists could wreak havoc on computer systems, compromising critical intelligence and commerce, the result of which would be a catastrophic scenario. “Airplanes will literally fall out of the sky,” warned Lani Kass, former director of the Air Force cyberspace task force, during a conference last year.
The Defense Department considers cyberspace the “fifth operating domain for war fighting,” said Lt. Gen. Robert Elder, commander of the 8th Air Force, which is responsible for cyber warfare. “The Air Force does not currently differentiate terrorism by the domain in which the effects occur,” he wrote in an e-mail to National Defense.
Cyberspace threats, he added, range from a “simple disruption of communications systems to loss of combat capability.”
Clay Wilson, a technology and national security specialist at the Congressional Research Service, said that tighter physical security measures in the United States may encourage terrorist groups in the future to explore cyber attacks.
Extremists also could turn to cyber warfare as a way to engage in a cause without resorting to physical violence, Denning said. “But they haven’t pursued this kind of attack because it’s not bloody,” Denning explained. “Terrorism is built around physical attacks with bombs.”
Another reason large-scale cyberterrorism has not materialized is that extremists may lack advanced technical expertise.
In one case, a computer science student at Bradley University, named Ali S. Marri, was allegedly assigned by al-Qaida to find ways of hacking into U.S. computer systems. He had met and trained with Osama bin Laden in Afghanistan and was named an enemy combatant by President Bush in 2003, Denning said. However, he has not been tied to any cyber attacks.
A more common practice is for extremists to carry out politically or religiously motivated intrusions, such as denial-of-service attacks or web defacements, often in retaliation for web sites that are offensive to Islam, she said.
In October 2006, a denial-of-service attack was planned against a Vatican web site in response to comments by Pope Benedict about the Prophet Mohammad.
Jihadi web sites called for volunteers, saying “We ask all our brothers to be present at the hour of the attack for a joint action, because they [Catholics] have struck our religion,” Denning said.
However, the attack had little impact.
Denning also pointed to online training in cyber attacks, which could be a cause for concern. Al-Qaida University for Jihad Sciences opened in late 2003, with a college on electronic jihad.
An al-Qaida safe house in Pakistan was reportedly used to train jihadists in computer hacking and to conduct reconnaissance on supervisory control and data acquisition systems, which manage critical infrastructures, Denning said. The Federal Bureau of Investigation found suspicious software on the computer of a person with ties to bin Laden.
Cyber attacks are annoying and sometimes disruptive, but not overwhelmingly destructive, Denning said. They can be “characterized as hacktivism, cyber jihad or electronic jihad.”
Other forms of cyber activity Denning has observed include shared email accounts and password-protected web sites as repositories of information about planned physical attacks.
Cyber jihadists will often write e-mails to each other and save the documents in an electronic folder, but they are careful not to send them, she said, because they know that U.S. authorities have the means to intercept those messages.
During the preparatory stages of the 9/11 attacks, Khalid Shaikh Mohammad, one of the masterminds, reportedly used Internet chat software to communicate with at least two airline hijackers, Wilson said.
Terrorists are not yet mobilizing to carry out extensive cyber attacks, Wilson said. Although the possibility remains, it is extremely difficult to know if they will take their current cyber activity to the next level to inflict physical harm, said Wilson.
In October 2000, the Naval Postgraduate School hosted a conference to determine if terrorist groups would engage in cyberterrorism, Denning said. Participants included academics, United Nations representatives, and, most interestingly, a hacker and five representatives of “violent sub-state groups.” The groups included the Palestine Liberation Organization, the Liberation Tigers of Tamil Eelam, the Basque Fatherland and Liberty Political/Military Army, and the Revolutionary Armed Forces of Colombia. The group authorized an actual cyber attack during the game against the Russian stock exchange, Denning explained.
After the war game, the participants concluded that terrorists have not integrated cyber attacks into their tactics. But experts cautioned that cyber terror could become attractive as a non-lethal weapon. A follow-up war game was never conducted because the U.S. government became nervous about engaging the controversial participants again, Denning said.
Another simulated attack took place in July 2002 during a war game also hosted by the Naval War College. Called the “digital Pearl Harbor,” it simulated cyber warfare through mock attacks conducted by computer security experts against critical infrastructure systems, said Wilson. The group decided that the Internet is the most vulnerable technology, as well as financial computers. It also determined that a major attack was only a slight possibility, said Wilson.
However, a vulnerability was discovered in the Internet in 2002, which the FBI determined could have caused significant problems, including bringing down telephone networks and flight control systems, Wilson said.
Although vulnerabilities exist and computer intrusions will continue, Denning doesn’t believe people should fear large-scale strikes.
“Any cyber attacks originating from terrorists or cyber jihadists in the near future are likely to be conducted either to raise money or to cause damage comparable to that which takes place daily from web defacements, viruses and worms, and denial-of-service attacks,” Denning asserted.
Electronic invasions such as identity theft and viruses and worms have, in some cases, been more damaging to the average person than religiously motivated hacking.
In January 2003, the “slammer” worm shut down emergency 911 systems, ATM machines and at least one airline booking system, Denning said. The worm could not be traced, but its code referenced a major Chinese hacking group, she said.
Although the Naval Postgraduate School war game determined that several barriers prevent hackers and terrorists from uniting, it is certainly probable that they could share information to further individual causes.
Both groups are interested in credit card and identity theft because they realize the potential financial gain.
The FBI estimated that computer-related crimes cost U.S. businesses $67 billion per year.
Information about computer vulnerabilities abounds in the hacker “black market,” Wilson said. A list of 500 addresses of computers that have already been infected by “spyware” can be bought for $150 to $500, he continued.
There have been 100 million cases of privacy rights breaches since February 2005, said Kevin Richards, head of federal government relations with computer security firm Symantec. Cyber criminals are becoming more consolidated and are often funded by organized crime, he noted. Richards didn’t know if these criminals could be labeled as terrorists or hackers. “Today’s attackers want to be silent,” he said.
In a nod to increasing cyber security threats, Congress introduced new legislation in May that would increase funds for law enforcement and allow the Department of Justice to impose stricter penalties for computer criminals. The House judiciary subcommittee on courts, the Internet and intellectual property introduced the cyber crime enhancement act of 2007. If passed, the law would allocate $10 million per year to federal law enforcement through 2011. The money would be given to the U.S. Secret Service, the attorney general’s office and the FBI to combat identity theft and other cyber crimes.
The law would also increase the penalty for botnet herding — sending out software robots to deny service or otherwise attack computer systems — by up to five years in jail, Richards said.
Active botnet computers have increased by 11 percent since late 2006, he said. In addition, more than a quarter of malicious code Symantec observes on affected computers has never been seen before, Richards said.
“If people don’t lock their back door, criminals will find their way in, both at home and on the Internet,” Richards said.
Please email your comments to BWagner@ndia.org