Cyber-terrorism: Capability and drawbacks
Wiki WICKRAMARATHNA
To understand the potential threat of cyber-terrorism, two factors
must be considered: first, whether there are targets vulnerable to
attack that could lead to violence or severe harm, and second, whether
there are actors with the capability and motivation to carry them out.
Looking first at vulnerabilities, several studies have shown that
critical infrastructures are potentially vulnerable to cyber-terrorist
attack. Eligible Receiver, a ‘no notice’ exercise conducted by the
Department of Defence in 1997 with support from NSA red teams, found the
power grid and emergency 911 systems had weaknesses that could be
exploited by an adversary using only publicly available tools on the
Internet. Although neither of these systems was actually attacked, study
members concluded that service on these systems could be disrupted.
Also in 1997, the President’s Commission on Critical Infrastructure
Protection issued its report warning that through mutual dependencies
and interconnectedness, critical infrastructures could be vulnerable in
new ways, and that vulnerabilities were steadily increasing, while the
costs of attack were decreasing.
Although many of the weaknesses in computerized systems can be
corrected, it is effectively impossible to eliminate all of them. Even
if the technology itself offers good security, it is frequently
configured or used in ways that make it open to attack. In addition,
there is always the possibility of insiders, acting alone or in concert
with other terrorists, misusing their access capabilities. According to
Russia’s Interior Ministry Col. Konstantin Machabeli, the state-run gas
monopoly, Gazprom, was hit by hackers who collaborated with a Gazprom
insider. The hackers were said to have used a Trojan horse to gain
control of the central switchboard which controls gas flows in
pipelines, although Gazprom, the world’s largest natural gas producer
and the largest gas supplier to Western Europe, refuted the report.
Consultants and contractors are frequently in a position where they
could cause grave harm. This past March, Japan’s Metropolitan Police
Department reported that a software system they had procured to track
150 police vehicles, including unmarked cars, had been developed by the
Aum Shinrikyo cult, the same group that gassed the Tokyo subway in 1995,
killing 12 people and injuring 6,000 more.
At the time of the discovery, the cult had received classified
tracking data on 115 vehicles. Further, the cult had developed software
for at least 80 Japanese firms and 10 Government agencies. They had
worked as subcontractors to other firms, making it almost impossible for
the organizations to know who was developing the software. As
subcontractors, the cult could have installed Trojan horses to launch or
facilitate cyber-terrorist attacks at a later date. Fearing a Trojan
horse of their own, last February, the State Department sent an urgent
cable to about 170 embassies asking them to remove software, which they
belatedly realized had been written by citizens of the former Soviet
Union.
If we take as given that critical infrastructures are vulnerable to a
cyber-terrorist attack, then the question becomes whether there are
actors with the capability and motivation to carry out such an
operation. While many hackers have the knowledge, skills, and tools to
attack computer systems, they generally lack the motivation to cause
violence or severe economic or social harm. Conversely, terrorists who
are motivated to cause violence seem to lack the capability or
motivation to cause that degree of damage in cyberspace.
Terrorists do use cyberspace to facilitate traditional forms of
terrorism such as bombings. They put up Web sites to spread their
messages and recruit supporters, and they use the Internet to
communicate and coordinate action. However, there are few indications
that they are pursuing cyber-terrorism, either alone or in conjunction
with acts of physical violence. In February 1998, Clark Staten,
Executive Director of the Emergency Response and Research Institute in
Chicago, testified before the Senate Judiciary Committee Subcommittee on
Technology, Terrorism and Government Information that it was believed
“members of some Islamic extremist organizations have been attempting to
develop a ‘hacker network’ to support their computer activities and even
engage in offensive information warfare attacks in the future.”
And in November, the Detroit News reported that a member of the
militant Indian separatist group Harkat-ul-Ansar had tried to buy
military software from hackers who had stolen it from Department of
Defence computers they had penetrated.
The Provisional Irish Republican Army employed the services of
contract hackers to penetrate computers in order to acquire home
addresses of law enforcement and intelligence officers, but the data was
used to draw up plans to kill the officers in a single ‘night of the
long knives’ if the British Government did not meet terms for a new
ceasefire. As this case illustrates, terrorists may use hacking as a way
of acquiring intelligence in support of physical violence, even if they
do not use it to wreak havoc in cyberspace.
In August 1999, the Center for the Study of Terrorism and Irregular
Warfare at the Naval Postgraduate School in Monterey, California, issued
a report titled ‘Cyber-terror: Prospects and Implications.’ Their
objective was to articulate the demand side of terrorism. Specifically,
they assessed the prospects of terrorist organizations pursuing
cyber-terrorism. They concluded that the barrier to entry for anything
beyond annoying hacks is quite high, and that terrorists generally lack
the wherewithal and human capital needed to mount a meaningful
operation. Cyber-terrorism, they argued, was a thing of the future,
although it might be pursued as an ancillary tool.
The Monterey group defined three levels of cyber-terror capability:
Simple-Unstructured: The capability to conduct basic hacks against
individual systems using tools created by someone else. The organization
possesses little target analysis, command and control, or learning
capability.
Advanced-Structured: The capability to conduct more sophisticated
attacks against multiple systems or networks and possibly, to modify or
create basic hacking tools. The organization possesses an elementary
target analysis, command and control, and learning capability.
Complex-Coordinated: The capability for coordinated attacks capable
of causing mass-disruption against integrated, heterogeneous defences
(including cryptography). Ability to create sophisticated hacking tools.
Highly capable target analysis, command and control, and organization
learning capability.
They estimated that it would take a group starting from scratch two
to four years to reach the advanced-structured level and 6 to 10 years
to reach the complex-coordinated level, although some groups might get
there in just a few years or turn to outsourcing or sponsorship to
extend their capability.
The study examined five terrorist group types: religious, New Age,
ethno-nationalist separatist, revolutionary and far-right extremists.
They determined that only the religious groups are likely to seek the
most damaging capability level, as it is consistent with their
indiscriminate application of violence.
New Age or single-issue terrorists, such as the Animal Liberation
Front, pose the most immediate threat; however, such groups are likely
to accept disruption as a substitute for destruction. Both the
revolutionary and ethno-nationalist separatists are likely to seek an
advanced-structured capability.
The far-right extremists are likely to settle for a
simple-unstructured capability, as cyber-terror offers neither the
intimacy nor cathartic effects that are central to the psychology of
far-right terror.