By Dr. Bob Uda, Ph.D., CM, CHSP, ILO (Reporter)

Strategy to Combat Cyberterrorism Part 2



Problems with Past Government Programs

Three Cyber-gaps. Many cyber security observers are concerned that U.S. government efforts to date have not effectively prepared the nation for a catastrophic cyber-attack.  A Business Roundtable report issued in June 2006 found three “cyber-gaps” that are keeping the United States from being prepared to recognize and respond to a cyber-attack (Anonymous, 2006; Rollins & Wilson, 2007):

  • Indicators – The lack of established indicators that would indicate an attack is underway
  • Responsibility – A failure to identify who is responsible for restoring affected infrastructure
  • Resources – A lack of dedicated resources to assist in returning cyber operations to a pre-attack condition

Evidence in the general literature indicates that these gaps are currently being addressed by the government and private sector.  This evidence includes installed alert and warning systems, published strategies and plans, and increased funding for countering cyber-threats.

A Failure to Communicate. One of the most difficult challenges facing the field of critical infrastructure protection (CIP) is the lack of shared terminology.  There are too many people using too many ill-defined terms for the community of homeland security experts to communicate properly.  The lack of widely accepted definitions of terms used in homeland security leads to reinvention of the wheel, false starts, and more detours (Lewis & Darken, 2005).  A perfect example is the existence of myriad definitions of terrorism and cyberterrorism…among others.  Obviously, a need exists for a standardization organization, industry standards, and common practices for the homeland security industry.  We need organizations similar to the following…but for homeland security:

  • International Organization for Standardization (ISO)
  • International Telecommunication Union (ITU)
  • American National Standards Institute (ANSI)
  • American Society for Testing and Materials (ASTM)
  • Institute of Electrical & Electronics Engineers (IEEE)
  • Society of Automotive Engineers (SAE)
  • Software Engineering Institute (SEI)

There are as many definitions of vulnerability and risk as there are agencies in federal, state, and local governments…combined!  Before we can take the first step in a 1,000-mile journey, we need a compass.  Currently, there is no universally accepted definition of the most basic measures of criticality—vulnerability and risk (Lewis & Darken, 2005).

Increasing Use of the Internet. Increased security measures are being applied to physical facilities.  Additionally, increased efforts are being made by the U.S. government to track and engage groups in their home countries.  Hence, many believe that the Internet will increasingly play a larger role in terrorist support and operational efforts.  Many observers who monitor the Internet suggest that, due to the effects of intensified counterterrorism efforts worldwide, Islamic extremists are gravitating toward the Internet.  Furthermore, they are succeeding in organizing online where they have been failing in the physical world.  Terrorist groups increasingly use online services for covert messaging through steganography, anonymous e-mail accounts, and encryption (Tendler, 2005; Rollins & Wilson, 2007).  Steganography is a means of protecting data confidentiality by hiding it within a larger data file.

Our Defense Cannot Keep Up with the Offense. At a recent computer security conference in San Francisco in April 2008, now former Department of Homeland Security (DHS) Secretary Michael Chertoff said the government has taken some strides in making its computer networks more secure since the DHS was created in 2003.  However, with constantly evolving threats and computer networks becoming increasingly important, the government must take steps comparable to the World War II Manhattan Project effort to create the atomic bomb, he said (Keefe, 2008).  Again, Congress sits on its collective gluteus waiting for a major cyber-attack to motivate them to action.  By then, it will be too little too late.

In March 2008, a Government Accountability Office (GAO) report found that computer security problems are common—and growing—throughout federal agencies.  According to the report, software used by government agencies contains as many as 29,000 security vulnerabilities that could allow a hacker to compromise government computers.  Meanwhile, according to the GAO, the number of computer attacks and related incidents reported by government agencies has soared by nearly 260 percent over the years 2005 through 2007 (Keefe, 2008).  What are the Administration and Congress doing about these startling facts?  Nothing much.  In the past 40 years, we have never had a Congress that did so little to advance national computer security as the 111th Congress.  Hopefully, the 112th Congress will be more productive in this important area of concern.

Deficiencies of Government Systems. Although government systems may have deficiencies, a greater vulnerability may lie with critical infrastructures.  Finance, utilities, and transportation systems are predominately managed by the private sector and are far more prone to attacks because those organizations are simply unprepared.  A survey by the United Kingdom (UK)-based research firm, Datamonitor, shows that businesses have been massively under-spending for computer security.  Datamonitor estimates that $15 billion is lost each year through E-security breaches, while global spending on defense is only $8.7 billion.  Moreover, even if business were to improve its security spending habits and correct the weaknesses in its computer systems, it is impossible to eliminate all vulnerabilities.  Administrators often ignore good security practices or are unaware of weaknesses when they configure systems.  Furthermore, there is always the possibility that an insider with knowledge may be the attacker (Gabrys, 2002).

Federal Grants. Improving the partnership among federal and nonfederal officials is vital to achieving important national goals.  The task facing the nation is daunting and federal grants will be a central vehicle to improve and sustain preparedness in communities throughout the nation.  While funding increases for combating terrorism have been dramatic, the GAO’s report reflects concerns that many people maintain about the adequacy of current grant programs to address the homeland security needs (Posner, 2003).

Ultimately, the “bottom line” question is this: What impact will the grant system make in protecting the nation and its communities against terrorism?  At this time, it is difficult to know since we do not possess clearly-defined national standards or criteria defining existing or desired levels of preparedness across the country.  Our grant structure is not well-suited to provide assurance that scarce federal funds are, in fact, enhancing the nation’s preparedness in the places that are most at risk (Posner, 2003).  The lack of “clearly-defined national standards or criteria” again rears its ugly head.

There is a fundamental need to rethink the structure and design of assistance programs, streamline/simplify programs, improve targeting, and enhance accountability for results.  Federal, state, and local governments alike own a stake in improving the grant system.  This must be done to reduce burden and tensions and promote the level of security that can only be achieved through effective partnerships.  The sustainability and continued support for homeland security initiatives rest in no small part on all of us.  It depends on our ability to demonstrate to the public that scarce public funds are in fact improving security in the most effective and efficient manner possible (Posner, 2003).

$844 Million in CIP Grants for FY 2008. The DHS distributed $844 million in FY 2008 in infrastructure protection grants for security at ports, trucking, bus systems, ferry systems, and other critical infrastructure (CI) facilities.  This is a significant increase of nearly $189 million over 2007’s amount in funding for security programs (Anonymous, 2008).

These grants are part of the Administration’s efforts to strengthen the security of the country’s CI.  Most of America’s CI is owned and/or operated by state, local, and private sector partners.  The DHS’ Infrastructure Protection Activities grants are set aside for state and local agencies, port authorities, and owners and operators of transit systems (Anonymous, 2008).

Since 2002, $3 billion has been spent on infrastructure protection grants.  In prior years, the government used grants to fund response and recovery capabilities, capital equipment, and assets.  Funding increases for FY 2008 are for prevention of improvised explosive devices (IEDs); information sharing; communication; and more regionally-based security cooperation and exercising (Anonymous, 2008).

Policy Recommendations that would be Beneficial

National Policy Needed. The lack of a national policy on Internet reconstitution could undermine the economy and the security of the nation.  The identified gaps and possible solutions do not require extensive funding.  In addition, solution implementation does not require massive government reorganization.  Instead, both the public and private sectors must commit and focus their efforts and funding on specific capabilities to put strategies and plans in place to reconstitute the Internet following a significant disruption.  A coordinated response will help our nation and our economy recover quickly following a cyber-attack (Anonymous, 2006).

Adopt Policies that Ensure Critical Government Services. Federal, state, and local governments have unique roles in ensuring vital government services—national defense, rule of law, and emergency services readiness—even under the stressful conditions of information warfare (IW) attack.  Maintaining continuity in these areas can prove to be challenging and expensive.  Government officials need to identify those functions that only government can perform and ensure that government has secure information systems and processes to maintain these functions.  This approach requires updating and expanding government plans for the Information Age and securing the essential infrastructures upon which all levels of government depend (Anonymous, 2001-2002).

Director of National Intelligence (DNI). A catastrophic cyber-attack has the ability to disrupt a significant portion of the nation’s infrastructure.  Some national security observers suggest that the DNI should be responsible for monitoring these capabilities.  Additionally, he should monitor the identities of the countries and groups that may wish to cause our nation harm through cyber-attacks.  The DNI is our nation’s chief intelligence officer.  He possesses the ability to coordinate all known cyber-threat-related information.  Then, he tasks the intelligence community to collect information to understand better the groups that may wish to cause the United States harm and to forecast their intentions and capabilities (Rollins & Wilson, 2007).

Security Policy. A security policy also should specify the technologies and procedures that will provide the protection.  Security likely will include antivirus software, firewalls, intrusion detection, and data backup systems.  The policy also should include details such as how employees identify themselves and how often they must change passwords (Misra, 2003).

Ideal Policy Directions. Ideal policy directions have been nicely mapped out.  These include (Bullwinkel, 2005):

  • Laws. The enactment of substantive and procedural laws, which are adequate to cope with current and anticipated manifestations of cybercrime.
  • Forensics. The development of forensic computing skills by law enforcement and investigative personnel and judicial officers.
  • Legal Harmony. The achievement of a modicum of legal harmonization (ideally at a global level).
  • Cooperation. The creation of mechanisms for operational cooperation among law enforcement agencies from different countries—24/7 points of contact (POCs) for investigators and mechanisms for mutual assistance in cyber-criminal matters generally.

Policy Adjustment Required. Terrorism is not only a criminal activity…it is a military assault on the entire population.  Hence, we must disavow the notion that local law enforcement agencies are capable of preventing acts of violence against CI assets.  An attack on the Weston building telecom hotel located in Seattle is not a criminal activity against Seattle, but a military action against the entire country.  It must be dealt with as such (Lewis & Darken, 2005).

Issues for Congress. Policy issues for cybercrime and cyberterrorism include a need for the following (Wilson, 2008):

  • Threats. Increase awareness about changing threats due to the growing technical skills of extremists and terrorist groups.
  • Metrics. Develop more accurate methods for measuring the effects of cybercrime.
  • Response. Help to determine appropriate responses by DoD to a cyber-attack.
  • Incentives. Examine the incentives for achieving the goals of the National Strategy to Secure Cyberspace.
  • Software. Search for ways to improve the security of commercial software products.
  • Education. Explore ways to increase security education and awareness for businesses and home personal computer (PC) users.
  • Coordination. Find ways for private industry and government to coordinate to protect against cyber-attack.

Congress may also wish to consider ways to harmonize existing federal and state laws.  These laws require notice to persons when their personal information has been affected by a computer security breach.  Additionally, these laws impose obligations on businesses and owners of that restricted information (Wilson, 2008).

Conclusion

There is no uniform consensus on a universal definition of the word cyberterrorism.  We would be hard pressed to develop a definition that every nation in the UN would agree upon.  So, we move forward anyway.

Frank Cilluffo, an analyst at the Center for Strategic and International Studies in Washington, DC, testified to the Senate Government Affairs Committee in October 2001.  He said, “Bits, bytes, bugs, and gas will never replace bullets and bombs as the terrorist weapon of choice.”  However, “while [Osama] bin Laden may have his finger on the trigger, his grandson may have his finger on the mouse” (Verton, 2002).  Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb (Weimann, 2004).

Developing effective law enforcement or national security policies to deal with cyber threats is a national priority.  However, the private sector must undertake most of the responsibility for fixing weaknesses in key Internet assets.  We must understand that it is impossible to eliminate all vulnerabilities.  Finally, terrorism is not only a criminal activity—it is a military assault on the entire population, and it must be dealt with accordingly.

 

References

Anonymous (2001-2002). Cyberterrorism and cyberwarfare thus become a plausible alternative: Summary of recommendations. Computer Crime Research Center (CCRC). Retrieved from http://www.crime-research.org/library/Judge3.htm.

Anonymous (2006, June). Essential steps to strengthen America’s cyberterrorism preparedness: New priorities and commitments from Business Roundtable’s Security Task Force. Business Roundtable, 24 pp. Retrieved from http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf.

Anonymous (2008, May 28). $844 million in infrastructure protection grants. Homeland Defense Journal Weekly Newsletter, Issue 22.

Bullwinkel, J. (2005). International cooperation in combating cybercrime in Asia: Existing mechanisms and new approaches. In R. Broadhurst, & P. Grabosky (Eds.), Cybercrime: The challenge in Asia (pp. 269-302). Hong Kong: Hong Kong University Press.

Gabrys, E. (2002, September/October). The international dimensions of cybercrime, part 1. Information Systems Security, 11(4), 21-32. Retrieved from http://firstsearch.oclc.org.proxy1.ncu.edu/images/WSPL/wsppdf1/HTML/06470/M3D8X/TSG.HTM.

Keefe, B. (2008, April 8). Government trying to improve internet security. Cox News Service. Retrieved from http://homelandsecurity.osu.edu/focusareas/cyberterrorism.html.

Lewis, T. G., & Darken, R. (2005). Potholes and detours in the road to critical infrastructure protection policy. Homeland Security Affairs Journal, I(2), Article 1. Retrieved from http://www.hsaj.org/hsa/volI/iss2/art1.

Misra, S. (2003, June). High-tech terror: Cities and counties need plans to respond to criminal efforts to destroy government computer networks and data. The American City & County, 118(6), p. HS6.

Posner, P. L. (2003, September 3). Homeland security: Reforming federal grants to better meet outstanding needs. Statement of Paul L. Posner, managing director Federal Budget Issues and Intergovernmental Relations, Strategic Issues, before the Subcommittee on Terrorism, Technology, and Homeland Security, Committee on the Judiciary, US Senate. United States Government Accountability Office (GAO) Report Number GAO-03-1146T, 24 pp. Retrieved from http://www.gao.gov/cgi-bin/getrpt?GAO-03-1146T.

Rollins, J., & Wilson, C. (2007, January 22). Terrorist capabilities for cyberattack: Overview and policy issues. Congressional Research Service (CRS) Report for Congress, Order Code RL33123.

Tendler, S. (2005, July 20). Encrypted files frustrate police. Times Online. Retrieved from http://technology.timesonline.co.uk/article/0,,20409-1701405,00.html, CryptoHeaven at http://www.cryptoheaven.com, and SecretMaker at http://www.secretmaker.com/emailsecurer/steganography/default.html.

Verton, D. (2002, January 7). Critical infrastructure systems face threat of cyberattacks. Computerworld, 36(2), p. 8. Retrieved from http://www.computerworld.com/printthis/2002/0,4814,67135,00.html.

Weimann, G. (2004, December). Cyberterrorism: How real is the threat? United States Institute of Peace Special Report No. 119. Retrieved from http://www.usip.org/pubs/specialreports/sr119.html.

Wilson, C. (2008, January 29). Botnets, cybercrime, and cyberterrorism: Vulnerabilities and policy issues for Congress. Congressional Research Service (CRS) Report for Congress, Order Code RL32114, 43 pp.
