By Dr. Bob Uda, Ph.D., CM, CHSP, ILO (Reporter)

Strategy to Combat Cyberterrorism - Part 1



This piece covers the following five points of a proposed congressional strategy to combat cyberterrorism:

  • What is Cyberterrorism?
  • Risks of an Attack to Our Nation’s Public Entities and Private Sector
  • Measures That Can be Implemented to Address the Threat
  • Problems with Past Government Programs
  • Policy Recommendations That Would be Beneficial and Associated Reasoning

The ensuing sections detail each of these five points to assist the Congressional House Committee on Cyber-Threats and Infrastructure Protection in developing a strategy to combat cyberterrorism.

What is Cyberterrorism?

One thing is for sure: there is no consensus on a universal definition of the word cyberterrorism.  Do you wonder why it is difficult to obtain international agreement on what we mean when we speak of cyberterrorism?  In the following paragraphs, we list several definitions found in the open literature.

Definition #1. Once the terrorists have gained control of the system, they can abuse it in such a way as to cause major damage to human life and the government.  Their actions, thereby, create major economic disruption.  To cause this harm, it is not necessary for the terrorists to be physically co-located within the system facilities or even within the United States.  This type of terrorist behavior is called cyberterrorism (Bullock, Haddow, Coppola, Ergin, Westerman, & Yeletaysi, 2006).

Definition #2. Cyberterrorism is the malicious conduct in cyberspace to commit or threaten to commit acts dangerous to human life.  Concurrently, these acts may be against a nation’s critical infrastructure (CI) such as energy, transportation, or government operations.  Terrorists commit these acts in order to intimidate or coerce a government or civilian population, or any sequence thereof, in furtherance of political or social objectives (Bullock, Haddow, Coppola, Ergin, Westerman, & Yeletaysi, 2006).  What is interesting here is that definitions #1 and #2 come from the same authors and the same book!  They could not even agree on a single definition of cyberterrorism to use within the same book.

Definition #3. Cyberterrorism (effects-based) exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals (Rollins & Wilson, 2007).

Definition #4. Cyberterrorism (intent-based) exists when unlawful or politically motivated computer attacks are conducted to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage (Wilson, n.d.; Rollins & Wilson, 2007).

Definition #5. Cyberterrorism is terrorism that involves computers, networks, and the information they contain (Cereijo, 2006).

Definition #6. Cyberterrorism involves the use of computer systems to carry out terrorist acts, which are, in turn, defined by reference to specific criminal statutes.  True cyberterrorism is characterized by large-scale destruction (or the threat of such destruction) coupled with an intent to harm or coerce a civilian population or government (Malcolm, 2004).

Definition #7.  According to the U.S. Federal Bureau of Investigation (FBI), cyberterrorism is any “premeditated, politically-motivated attack against information, computer systems, computer programs, and data which result in violence against non-combatant targets by sub-national groups or clandestine agents” (Pollitt, n.d.).

Definition #8.  According to the U.S. National Infrastructure Protection Center (NIPC), cyberterrorism is a criminal act perpetrated by the use of computers and telecommunications capabilities.  This act results in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population.  All of this is done with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda (Garrison & Grand, 2001; Kerr, 2004).

Conclusion.  There you go.  There are many, many more definitions for cyberterrorism that you can find in the general literature.  As with its predecessor, terrorism, we would be hard pressed to develop a definition that every nation in the United Nations (UN) would agree upon.  It would be an exercise in futility.  At any rate, we move forward in our analysis of cyberterrorism.

Risks of an Attack to Our Nation’s Public Entities and Private Sector

Cyberterrorism Risks. The roots of the notion of cyberterrorism can be traced back to the early 1990s.  The rapid growth in Internet use and the debate on the emerging “information society” sparked several studies on the potential risks faced by the highly networked, high-tech-dependent United States.  As early as 1990, the National Academy of Sciences began a report on computer security.  They used the words: “We are at risk.  Increasingly, America depends on computers. … Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”  At the same time, the prototypical term “electronic Pearl Harbor” was coined, which linked the threat of a computer attack to an American historical trauma (Weimann, 2004).

Risk Assessment. The first and most crucial step is to perform an accurate risk assessment.  Risk is a variable that cannot be applied equally to every threat.  Each has a different level of risk dependent on a broad range of circumstances, factors, and variables.  Hence, a different level of protection is required for each threat (Ashenden, 2003).

Information at Risk. The current state of cyberspace is such that information is seriously at risk.  The impact of this risk to the physical health of mankind is, at present, indirect.  Computers do not currently control sufficient physical processes (without human intervention) to pose a significant risk of terrorism in the classic sense.  Therein rest the following two lessons (Pollitt, n.d.):

  • The definition of terrorism needs to address the fundamental infrastructure upon which civilization is increasingly dependent.
  • A proactive approach to protecting the information infrastructure is necessary to prevent its becoming a more serious vulnerability.

As we build more and more technology into our civilization, we must ensure that there is sufficient human oversight and intervention to safeguard those whom the technology serves.

Cyberterrorist Attack. Michael Vatis, director of the Institute for Security Technology Studies (ISTS) at Dartmouth College, works to identify top vulnerabilities.  Asked whether he expects a cyberterrorist attack, he said, “Given that there has been evidence of Al-Qaeda planning for it and there still are Al-Qaeda members on the loose, I think we definitely could see direct cyberterrorist attacks.  Professionally, I think a stand-alone cyber-attack is the most likely, rather than a coordinated effort with a physical attack.  It definitely could be coupled with a physical attack, but it’s easier to plan and execute a cyber-attack than plan the timing of a physical and cyber-attack” (Gaudin, 2002).

Kinds of Cyber-attacks.  Cyber-attacks can be malicious or accidental.  They can involve attacks by other nation states, organized groups, or individuals.  They can be motivated by monetary gain, ill will, or political interests.  Cyber-attacks can be directed at governments, firms, or individuals.  Cyber-attacks can involve the theft or destruction of information, the theft of services or financial assets, or the destruction of hardware or software infrastructure (Anonymous, n.d.).

Cyber-attacks can result in financial loss, business or service interruption, or infrastructure destruction.  Cyber-attacks can be aimed directly at disrupting business or government services or can be launched in conjunction with physical attacks in order to magnify effects or prevent effective response.  Developing effective law enforcement or national security policies to deal with cyber threats is a national priority (Anonymous, n.d.).

Threats and Attackers. Security threats and attackers are turning professional.  Network managers still need to stop the script-kiddies from defacing their websites, but it is becoming increasingly important to stop the professionals who want to steal valuable information.  The new attackers search for vulnerabilities in the application and exploit these weaknesses.  Attackers are bypassing traditional network-layer firewall and intrusion detection system (IDS) defenses.  Their exploits appear as legitimate traffic to the network layer defense.  However, hiding in the application layer are deadly attacks (Layland, 2006).

A number of security vendors, some established and some new, are working to counter these threats.  Well-known security vendors such as Cisco and Radware have been joined by new security players such as NetContinuum, Imperva, Citrix, Breach Security, Protegrity, and ConSentry Networks.  Additional players are expected to join the field.  Their goal is to take security to the next level and protect both the network and applications (Layland, 2006).

The new application threats come primarily from three areas (Layland, 2006):

  • Viruses, worms, malware, and rootkits, the last being malware that hides in the operating system (OS) kernel
  • Attackers exploiting Web application vulnerabilities
  • Internal users gone bad or external attackers stealing valuable data

Viruses and worms have been around for a while.  Malicious programs (malware) have become increasingly popular, and rootkits are a new threat.  The problem is that all of these threats hide in the application payload and so bypass traditional network security.  Nevertheless, enterprise managers need to ensure that these attacks are not spread by the network (Layland, 2006).

A Cyber Jihad Going on Right Now. John Arquilla, associate professor of defense analysis at the Naval Postgraduate School, is an expert on unconventional warfare.  He said, “When we think about Al-Qaeda and its potential for cyberterror or other sympathetic Muslim groups, we’re now in an area that’s very proprietary in nature.  All I can say on this subject is that there is a cyber jihad going on right now against Israel.  We see some people that we associate with modern terrorism who are trying to use [a] cyberspace-based means to pursue their ends.  Beyond that, I’m afraid we’re in a much classified area” (Arquilla, 2003).

Reliance on Cyberspace Makes U.S. Uniquely Vulnerable. Lani Kass, director of the Air Force’s Cyberspace Task Force, spoke at an Air Force Association-sponsored conference in Washington, DC, in September 2006.  She said that “Groups like al-Qaeda and other extremist organizations can be effective using cyberspace” because “as a warfighting domain, it’s different than the land, air, and space domains.”  In the symmetrical domain, we use expensive weapon systems like fighters, bombers, advanced ground vehicles, or aircraft carriers.  However, in the cyberspace domain, everything one needs “[to] cause chaos from afar very cheaply … is available off the shelf,” she said at the conference.  Air Force leaders want to beef up the service’s ability to guard against Internet-based attacks.  The reason is that the United States “is uniquely vulnerable because of our reliance on cyberspace,” both militarily and “in our everyday lives,” she said.  Cyberspace offers advantages to those who do not want to deal with U.S. forces in a symmetric fight, Kass added (Bennett, 2006).

Measures That Can be Implemented to Address the Threat

Dartmouth College Recommendations. One of the most timely and comprehensive studies on the subject is “Cyber-attacks During the War on Terrorism,” prepared by the Dartmouth College Institute for Security Technology Studies.  It was published just 11 days after the Trade Center disaster.  Its recommendations included the following (Harper, 2002):

  • Operating systems and software should be updated regularly.
  • Strong password policies should be enforced.
  • Systems should be “locked down” whenever possible.
  • Anti-virus software should be kept up-to-date.
  • High fidelity intrusion detection systems and firewalls should be employed.
  • All vital data should be backed up regularly and stored off-site to prevent loss in the case of a physical or cyber-attack.
  • All the measures to secure CI assets should be clearly explained in an enforceable security policy.

The Dartmouth study emphasizes that security measures previously considered excessive should now be considered a minimum effort.  Since 2002, most government agencies and private sector companies (primarily high-tech businesses) have implemented all or most of these recommendations to some degree.  We need to do more and strive to be better at it.

GAO Recommendations. Another analysis conducted in 2003 by the U.S. Government Accountability Office (GAO) found significant information security weaknesses at 24 major government agencies.  The GAO report said, “Further information security improvement efforts are needed at the government-wide level.”  “These efforts need to be guided by a comprehensive strategy in which roles and responsibilities are clearly delineated, appropriate guidance is given, adequate technical expertise is obtained, and sufficient agency information security resources are allocated” (Rothman, 2003).

The GAO identified several areas of weakness among the systems and issued the following recommendations (Rothman, 2003):

  • Develop a comprehensive and coordinated national critical infrastructure protection (CIP) plan.
  • Improve information sharing on threats and vulnerabilities both among government agencies and between the private sector and the federal government.
  • Improve analysis and warning capabilities for both cyber and physical threats.
  • Encourage entities outside the federal government to increase their CIP efforts.

Since 2003, many agencies of the federal government and companies within the private sector have been implementing all of these recommendations in varying degrees.  Again, we just need to do more and strive to be better at it.

Private Sector is Key. The private sector must undertake most of the responsibility for fixing weaknesses in key Internet assets.  Business executives are dependent on a patchwork of public- and private-response programs to restore Internet infrastructure services.  In many cases, these programs are not fully coordinated via a central organization.  Immediate- and long-term commitments to change the current reality should include the following steps (Anonymous, 2006):

  • Establish a single point of contact (POC) and responsibility for government interaction.
  • Set strategic needs and direction.
  • Consolidate early warning and response organizations.
  • Agree on an information-sharing mechanism.

We need the private sector to be fully engaged in these activities.

Adversarial Neutrality Required.  In recent congressional testimony, Director of National Intelligence Michael McConnell named Russia and China as among the most important cyber-adversaries of the United States.  Shawn Henry, the FBI’s deputy assistant director of its cyber-division, said it is important to be “adversary neutral” in combating cyber-threats.  “A network can be attacked by a terrorist group, a foreign power, or a hacker kid from Oklahoma City.  Networks need to be protected from all threats because once [sensitive] data has been stolen, it can be transferred anywhere,” he said (Waterman, 2008).

In recent testimony, Mr. McConnell said the U.S. government is “not prepared to deal with” the cyber-threats it faces.  Additionally, former Homeland Security Secretary Michael Chertoff told a bloggers roundtable in March 2008 that cyber security is “the one area in which I feel we’ve been behind where I would like to be” (Waterman, 2008).  Hence, we should protect simultaneously against cybercrime, cyberterrorism, and cyberwarfare.  We must be adversary neutral and prepare for all adversaries whether criminals, terrorists, and/or cyber-warriors of enemy nations.

Asked whether the U.S. government is resolving the problem, Mr. Henry said, “Our response has to change constantly and grow because the threat is constantly changing and growing.”  He said that one of the most worrisome aspects of cyber-threats is the extent to which “the offense outstrips the defense.”  “The pace of technological change—the increasing connectivity of networks—creates more opportunity for exploitation” of vulnerabilities, he said (Waterman, 2008).  It is obvious that we must continue our research and development (R&D) and develop new countermeasures to defend against new, more sophisticated cyber-threats.  Our enemies only need to be successful once; we need to be successful 100 percent of the time.

Continued on Part 2….

 

References

Anonymous (n.d.). The program on telecommunications and cyber security policy. The Global Information Society Project. Retrieved from http://www.global-info-society.org/PLENSIA/plensia.pdf.

Anonymous (2006, June). Essential steps to strengthen America’s cyberterrorism preparedness: New priorities and commitments from Business Roundtable’s Security Task Force. Business Roundtable, 24 pp. Retrieved from http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf.

Arquilla, J. (2003, April 24). Cyber war!: Interviews: John Arquilla. Frontline, Public Broadcasting System. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html.

Ashenden, D. (2003, January). Protect and survive: Communication networks can only be protected against cyberterrorist attacks if telcos, governments, and end users work together. Telecommunications International, 37(1), pp. 29-31.

Bennett, J. T. (2006, October 4). Air Force to establish new Cyberspace Operations Command. World Politics Review. Retrieved from http://www.worldpoliticsreview.com/articlePrint.aspx?ID=233.

Bullock, J. A., Haddow, G. D., Coppola, D., Ergin, E., Westerman, L., & Yeletaysi, S. (2006). Introduction to Homeland Security, Second Edition. Oxford, United Kingdom: Elsevier Butterworth-Heinemann.

Cereijo, M. (2006, May 9). Cyberterrorism. Retrieved from http://www.canf.org/2006/1in/ensayos/2006-may-09-cyberterrorism.htm.

Garrison, L., & Grand, M. (ed., 2001). Cyberterrorism: An evolving concept. NIPC Highlights. Retrieved from http://www.nipc.gov/publications/highlights/2001/highlight-01-06.htm.

Gaudin, S. (2002, July 19). Security expert: US companies unprepared for cyberterror. IT Management. Retrieved from http://itmanagement.earthweb.com/secu/print.php/1429851.

Harper, D. (2002, January). Cyberterror: A fact of life: Experts anticipate a rise in terrorist attacks on and through computer systems. Industrial Distribution, 91(1), p. 68. Retrieved from http://www.accessmylibrary.com/coms2/summary_0286-24952945_ITM.

Kerr, K. (2004, October 9). Putting cyberterrorism into context. Computer Crime Research Center, Source: AusCERT. Retrieved from http://www.crime-research.org/articles/putting_cyberterrorism.

Layland, R. (2006, September 29). Application security: Countering the professionals. RedOrbit NEWS. Retrieved from http://www.redorbit.com/modules/news/tools.php?tool=print&id=674569.

Malcolm, J. (2004, February 24). Virtual threat, real terror: Cyberterrorism in the 21st century. Testimony to the United States Senate Committee on the Judiciary. Retrieved from http://www.globalsecurity.org/security/library/congress/2004_h/040224-malcolm.htm.

Pollitt, M. M. (n.d.). Cyberterrorism – Fact or Fancy? Washington, DC: FBI Laboratory. Retrieved from http://www.cs.georgetown.edu/~denning/infosec/pollitt.html.

Rollins, J., & Wilson, C. (2007, January 22). Terrorist capabilities for cyberattack: Overview and policy issues. Congressional Research Service (CRS) Report for Congress, Order Code RL33123.

Rothman, P. (2003, May 1). How can we protect our critical infrastructure from cyber-attack? Government Security. Retrieved from http://govtsecurity.com/mag/protect_critical_infrastructure/.

Waterman, S. (2008, April 21). FBI organizes defense against cyber-attacks. The Washington Times. Retrieved from http://homelandsecurity.osu.edu/focusareas/cyberterrorism.html.

Weimann, G. (2004, December). Cyberterrorism: How real is the threat? United States Institute of Peace Special Report No. 119. Retrieved from http://www.usip.org/pubs/specialreports/sr119.html.

Wilson, C. (n.d.). Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. CRS Report RL32114. This version was cited in Rollins & Wilson (2007).
