Experts are divided on the dangers presented by Internet-based terror attacks
In a November 2012 article, Peter W. Singer, the director of the Center for 21st Century Security and Intelligence at the Brookings Institution, made an interesting point. More than 31,000 magazine and journal articles had been published documenting the dark and darker aspects of cyberterrorism. The number of casualties, fatal or otherwise, linked to cyberterror trauma stood at zero. Singer compared the hype spotlighting cyberterrorism to the glamor of “Shark Week.” The chances of dying from a shark attack in your lifetime are 1 in 3.7 million, but the sheer gore of the concept seems to dazzle the odds.
Death or dismemberment from a cyberterrorist operation might seem even more remote, yet cyberterrorism continues to chill the public imagination because the stakes are so high. No one shark is capable of killing thousands or crippling an economy in a single attack. The same can’t be said for a cyberterrorist. (FYI: The odds of getting zapped by a lightning bolt in a given year are 1 in 700,000; over the last five years, the odds of dying in a conventional terrorist attack in the U.S. ran around 1 in 20 million.)
Definitions of cyberterrorism vary according to the source. The narrow definition assigns cyberterrorism to the same category as traditional terrorism, meaning cyberterror attacks are confined to direct threats on lives or property. Cyberterrorism exploits a quarry’s computers, data networks and information systems, usually via the Internet, to cause physical, real-world damage or severe disruption of infrastructure or services. This definition applies to Singer’s observation and includes catastrophic cyber-raids on financial institutions, military installations, power grids, nuclear facilities, chemical plants, dams, water and waste treatment utilities, ports of entry, air traffic control centers, oil industry operations, telecommunications and navigation satellites, and any other critical, high-profile target you can name.
The broad definition is adeptly composed by the National Conference of State Legislatures: “The use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Examples are hacking into computer systems, introducing viruses to vulnerable networks, website defacing, denial-of-service attacks, or terroristic threats made via electronic communication.”
To make matters more murky, the FBI differentiates between information warfare and cyberterrorism. The former is conducted between the militaries and intelligence agencies of nation-states. Stuxnet, the computer worm that targeted the Iranian uranium enrichment infrastructure in 2010, is an obvious example if you believe the rumors that insist the U.S. and Israel created and unleashed the infectious malware. Iran now claims to field the world’s fourth largest cyber-army, a detachment of talented hackers under the control of the country’s Revolutionary Guards.
President Obama identified cybersecurity as one of the most serious economic and national security challenges facing the United States. The president also noted that the federal government and the nation as a whole are not prepared to counter this threat. Obama ordered a thorough review of federal efforts to defend U.S. information and communications assets, an order that led to the development of the Comprehensive National Cybersecurity Initiative, or CNCI, which is composed of mutually reinforcing initiatives with the following major goals designed to help protect U.S. interests in cyberspace (courtesy of the White House):
- To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
- To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
- To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.
Note: The president met with top CEOs Oct. 29, 2013, to discuss the national cybersecurity framework; learn more by reading: “Obama, CEOs pledge cooperation on cybersecurity” in USA TODAY.
In 2012, hackers from a group called the Cutting Sword of Justice took responsibility for ambushing Aramco, the $10 trillion national oil company of Saudi Arabia, using a computer virus known as Shamoon to utterly cleanse the hard drives of 30,000 computers while flooding each computer screen with the image of a burning American flag. The apparent goal of the attack, stopping all oil and gas production in Saudi Arabia, the largest OPEC exporter, did not succeed, but Aramco was forced to shut down the company’s internal communications network. As it happens, U.S. intelligence experts believe the Aramco attack was perpetrated by Iran in retaliation for Stuxnet and another hot-zone computer virus named Flame.
- Anonymous: Decentralized, leaderless global network of activist hackers; critics call Anonymous a cyber lynch mob; supporters view its membership as digital Robin Hoods
- WikiLeaks: International nonprofit with a website that publishes secret information, news leaks and classified documents from undisclosed sources
- Julian Assange: WikiLeaks founder and editor-in-chief; he currently lives at the Ecuadorian embassy in London as a political asylee
- The Fifth Estate: Major motion picture about Assange and WikiLeaks released October 2013
- Hacktivist: Portmanteau of hack and activism coined by Cult of the Dead Cow member Omega in 1996; hacktivists typically employ computers and the Internet to promote a given ideology
- Blue Army: Elite unit of Internet specialists that focuses on cyber-defensive and possibly cyber-offensive strategies in the People’s Republic of China
- Operation Olympic Games: Unacknowledged U.S. and Israeli covert campaign to disrupt by cyber means the Iranian nuclear program
- White hat: Ethical hacker who penetrates computer systems with the goal of improved security
- Black hat: Malicious hacker who penetrates computer systems with the goal of destruction, defacement, subversion or theft
- Worm: Standalone malware that replicates itself and spreads to other computers without human help
- Virus: Malware that propagates by inserting a copy of itself into a program; spreads infection from computer to computer with human help
- Crimeware: Automated malware designed to perpetrate identity theft through social engineering or technical stealth
- Cyberwarfare: U.S. military strategy states that an attack by a cyberterrorist organization is considered casus belli, or a reason to declare war; “digital Pearl Harbor” is the phrase commonly applied to such an attack
An actual, narrow-definition cyberterror strike by an organization such as al-Qaeda or al-Shabaab or Shining Path has never been documented. (The recent Syrian Electronic Army incursions, defacing the U.S. Marine Corps recruitment website and hacking the Associated Press Twitter account, don’t make the grade—although the latter inserted a tweet reporting the White House had been bombed, precipitating a $136.5 billion sag on the S&P 500 index.) Even without a bona fide case of cyberterrorism, outgoing Homeland Security Secretary Janet Napolitano told the National Press Club in August 2013 that the United States needed to prepare for a “major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.” A month earlier, Louis Freeh, former FBI director, told an AP reporter that the potential for “mass destruction” is a clear and present danger. The terrorists just need to skill up enough to manipulate the vast infrastructure control systems already in place.
Singer at Brookings might see that imminent skilling up as somewhat far-fetched, noting that computerized skullduggery is only one aspect of a large-scale cyberterrorist action. Expertise in engineering, logistics and physics is a linchpin of any infrastructure assault. He points to Naval Academy Professor George R. Lucas Jr., who believes pulling off a colossal terrorist offensive via cyber pathways “simply outstrips the intellectual, organizational and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises.”
Closer to home, Scott Determan, an Information Systems instructor at Dakota County Technical College, teaches students in his Security I course about threats to computers and network systems that might exploit a vulnerability, breach security and cause harm, including stolen, deleted and altered data. Cyberterrorism might keep intelligence higher-ups awake at night, but for IT experts like Determan, cybercrime is a 24/7 hazard that costs individuals, organizations and companies massive amounts of money. In a 2013 report, the Center for Strategic and International Studies and McAfee placed annual losses due to malicious cyber activity, including corporate espionage by the People’s Republic of China, at $140 billion.
“Threats to networks, computers, tablets and mobile devices are always out there,” Determan said, referring to malware such as viruses, worms, Trojan horses, keyloggers, dialers, spyware and rogue security software. “We teach our students about the five fundamental cybersecurity principles: Layering, Limiting, Diversity, Obscurity and Simplicity. Layering provides comprehensive protection. Limiting reduces the number of people who have access to your system. Diversity means your layers must be different and should include firewalls, intrusion detection, antivirus software and more. Obscurity is about not revealing what type of operating system or network connection you use. Simplicity refers to keeping your security system complex on the outside, but simple enough for people on the inside to understand and use. Not easy to do, but it’s worth it. You need all five principles to defend against attacks.”
Cybercrime attacks can come in any of six threat categories according to a Microsoft classification model called STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege):
- Spoofing of user identity
  - Example: Stealing someone’s username and password
- Tampering with data
  - Example: Unauthorized changes made to a database
- Repudiation
  - Example: Denying performing an illegal operation in a system that cannot prove otherwise
- Information disclosure
  - Examples: Edward Snowden, WikiLeaks and Bradley Manning
- Denial of Service
  - Example: Anonymous hacked the official CIA website and took the site down for several hours
- Elevation of privilege
  - Example: Penetrating all system defenses to become a trusted user of the system itself, one of the most dangerous threat outcomes
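The STRIDE categories above are most useful when applied systematically to a system diagram rather than recited as a list. The script below is an added example, not from the article or from Microsoft: it applies the STRIDE-per-element convention (external entities are exposed to Spoofing and Repudiation; processes to all six; data stores to Tampering, Repudiation, Information disclosure and Denial of Service; data flows to Tampering, Information disclosure and Denial of Service) to a small, constructed data-flow model of a web login path, flags flows that cross a trust boundary as higher priority, and names the security property each threat category is a failure of. The model elements, the `Element` and `Threat` classes and the priority rule are assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a constructed data-flow model.

Added example; the sample system, classes and priority rule are assumptions
for illustration, not part of the original article.
"""
from dataclasses import dataclass
from typing import Dict, List

# The six STRIDE categories and the security property each one violates.
STRIDE: Dict[str, str] = {
    "S": "Spoofing of user identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
PROPERTY: Dict[str, str] = {
    "S": "authentication",
    "T": "integrity",
    "R": "non-repudiation (audit logging)",
    "I": "confidentiality",
    "D": "availability",
    "E": "authorization",
}

# STRIDE-per-element: which categories apply to which kind of DFD element.
PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of the PER_ELEMENT keys
    crosses_boundary: bool = False  # data flows only: crosses a trust boundary?


@dataclass(frozen=True)
class Threat:
    element: str
    category: str          # STRIDE letter
    description: str
    required_property: str # the property a mitigation has to provide
    priority: str          # "high" for boundary-crossing flows, else "normal"


def threats_for(element: Element) -> List[Threat]:
    """Expand one DFD element into the STRIDE threats that apply to its kind."""
    if element.kind not in PER_ELEMENT:
        raise ValueError(f"unknown element kind: {element.kind!r}")
    boundary_flow = element.kind == "data_flow" and element.crosses_boundary
    priority = "high" if boundary_flow else "normal"
    return [
        Threat(element.name, c, STRIDE[c], PROPERTY[c], priority)
        for c in PER_ELEMENT[element.kind]
    ]


def enumerate_threats(model: List[Element]) -> List[Threat]:
    """Enumerate threats for every element, in model order."""
    threats: List[Threat] = []
    for element in model:
        threats.extend(threats_for(element))
    return threats


def summarise(threats: List[Threat]) -> Dict[str, int]:
    """Count threats per STRIDE letter so a reviewer can see the spread."""
    counts = {c: 0 for c in STRIDE}
    for t in threats:
        counts[t.category] += 1
    return counts


# Constructed sample model (assumption): a browser logging in to a web app
# that queries a user database. Only the login request crosses the boundary
# between the untrusted Internet and the application's own network.
SAMPLE_MODEL: List[Element] = [
    Element("Browser user", "external_entity"),
    Element("Login request (HTTPS)", "data_flow", crosses_boundary=True),
    Element("Web app", "process"),
    Element("SQL query", "data_flow"),
    Element("User DB", "data_store"),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_MODEL):
        print(f"[{t.priority:6}] {t.element:22} {t.category}: "
              f"{t.description} -> needs {t.required_property}")
    print(summarise(enumerate_threats(SAMPLE_MODEL)))
```

Running the script lists 18 candidate threats for the five elements; the three on the boundary-crossing login request come out as high priority, which is where a reviewer would start asking about authentication, transport integrity and rate limiting. The output is a checklist of questions to answer, not a verdict: a category that applies to an element still has to be judged for likelihood and impact in the real deployment.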
“Social engineering is a very effective form of cybercrime,” Determan added. “Criminals target employees or customers, looking for psychological weaknesses to exploit rather than trying to beat the technical side of a security system. They manipulate their targets into revealing valuable information. Phishing is a great example.”
As for cyberterrorism or information warfare, Determan doesn’t see the upside for sovereign governments. “Disrupting the infrastructure of a country like the U.S. would disrupt the entire global economy. China doesn’t want the U.S. to go under and vice versa. Everything is interconnected. The real danger is from terrorist groups that have nothing to lose and just want to cause chaos.”
One thing’s for sure. With the proliferation of cloud computing, social platforms, big data, BYOD (bring your own device), mass surveillance, militarization of the Internet and who knows what’s next, the cybercops (military, public agency and corporate) and the hackers (terrorist, criminal and activist) will have plenty to keep them busy.