Cyber terror
Dr. Tridib Bandyopadhyay is an Assistant Professor at Kennesaw State University. His major research interests are in information security investment issues in the private and public domains. At KSU, Dr. Bandyopadhyay teaches Systems Analysis, E-Business Systems, and Information Security in the BSIS, BSISA, and MSIS programs. Prior to his academic career, Dr. Bandyopadhyay worked as an electrical engineer and later as a planning manager in the largest energy-generating company in India.
Overview
Terrorism is one major problem that plagues our world today. The memories of the bombings in the London subway (2005) and the Madrid commuter train (2004) are vivid in our memory. The attack of the World Trade Towers in September 2001 has fundamentally changed the way we look at our lives. Unlike the religious extremism that has dominated the recent terrorism scenarios in the new millennium, the twentieth century saw much diverse extremism: the independence struggles of colonies, the ethnic clashes, and the revolutionary left/right wing separatist movements—all have had the dubious distinctions of being terrorism.
Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Cyber Terrorism: Impacts,
158 Reading 5B
Introduction
While the reasons and rationales behind the terrorist movements could vary widely, there is one striking similarity in their immediate goals. The terrorists, by their acts and activities, attempt to create the maximum psychological impact among the general population.1 The largely imbalanced set of resources (in comparison to their adversaries, mostly the institutional forces) compels the terrorists to be on constant lookout for innovative ways of attack, which are not only cost effective but could also provide adequate anonymity and avoid easy detection. This is where the networked economy of the twenty-first century offers an important avenue for attack—enter the age of cyber terrorism!
In what follows, we first define the concept of terrorism as it potentially impacts our economy (second section), before we qualify and explain the nuances of cyber terrorism (third section). Thereafter we discuss the vulnerabilities from cyber terrorism (fourth section) and present the general appreciation of the problem as evidenced in our federal policies (fifth section). Finally, we close the chapter with a reality check of the problem and some concluding thoughts.
Terrorism
The USA Patriot Act, 2001, defines terrorism as the “activities that (A) involve acts dangerous to human life that are a violation of the criminal laws of the U.S. or of any state, that (B) appear to be intended (i) to intimidate or coerce a civilian population, (ii) to influence the policy of a government by intimidation or coercion, or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping, and (C) occur primarily within the territorial jurisdiction of the U.S.” Note that the high points of this definition include intentional intimidation and coercion of civilians and governments, as well as the mass disruption of business, life, and livelihood. The UK Terrorism Act of 2000 additionally notes the purposes of such acts: “. . . purpose of advancing a political, religious or ideological cause.”
The relatively small numerical toll of terrorism on human lives barely signifies the overall impact of terrorism on nations, states, and their economies and societies. As a matter of fact, many of our daily activities, including driving automobiles, regularly expose us to much higher risks of harm than the overall risks of terrorism!2 The immediate purpose of the acts of terrorism is, however, to draw the attention of the common people to their cause, often through gory and ghastly acts, and with the ultimate intention to exert indirect pressure on the authorities. This explains why terrorists seek high-visibility acts and attempt to create high psychological effect. Nevertheless, the long-term effects of terrorism are profound and multifaceted.
First, terrorist attacks destroy a country’s wealth, much like what happened with the 9/11 attack on the twin trade towers in New York. Frequent terrorist attacks on crude oil pipelines or important trade routes are another example in this category. The attacked countries/establishments are often forced to replenish such economic wealth and bear the immediate effects of supply/demand distortions. For example, a nuclear attack on New York could cost our economy 3% of its productive capability with attendant increase in economic uncertainty and attrition in public confidence.3
Second, terrorism induces uncertainty in the economy and the society in general. This then alters individual consumption of goods and services, and changes the patterns and weights of savings and investments of households and firms. Terrorism also has immense impact on the financial climate; the 9/11 attack caused much turmoil and volatility in our financial systems and adjusted many of the indices of our economy. Social changes in terms of demographic shifts and altered job preferences are also important to consider here.
(Whitman 157-158)
Whitman, Michael E. Readings & Cases in Information Security: Law & Ethics. Cengage Learning, 20100623. VitalBook file.
Third, a climate of terrorism affects the risk perceptions of external investors. This decreases foreign direct investments (FDI) and affects macroeconomic growth.
Fourth, constant danger of terrorism forces a country to become insulated from the outer world, restricting cross-border trades as well as the flows of the technological/managerial innovations. Economic, cultural, and social gains from international tourism suffer greatly as well.
Fifth, a general climate of fear discourages innovation in the native firms, promotes conservatism, and affects long-term growth.
Finally, acts of terrorism force governments/authorities to impose costly security measures and implement security controls/products at the expense of resources, which otherwise could have been utilized for productive purposes.
Cyber Terrorism
Defining cyber terrorism is not without problems. Some consider cyber terrorism as a subset of cyber crime where perpetrators are motivated by political agendas or are against sovereign countries. For example, Dorothy Denning4 defines cyber terrorism as “the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. . . .”
The definition from the Federal Emergency Management Agency (FEMA) looks at the target as well as the goals of such attacks, “unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.”
On the other hand, Pollitt5 defines cyber terrorism as “the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub-national groups or clandestine agents.”
The definition of cyber terrorism is not limited to the targets as computer nodes or information assets. As we observe, the generally accepted commonalities in the definition of cyber terrorism are rather the facts that the attacks are motivated by (eventual) political reasons, perpetrated by subnational or foreign groups, targeted against the assets of sovereign nations, and geared toward creating highly visible, gory, or catastrophic events that are able to create large-scale psychological effect, utilizing an attack that, in any part of its inception, enablement, enactment, propagation, and/or effect, includes the cyber space, information assets, the Internet, and the computers and communication assets and networks of the interconnected world.
Technology Engagement and Capability Hierarchy in Cyber Terrorism
The threats of cyber terrorism were identified long before the recent (9/11) and more widespread realization and awakening toward the terrorism threats that we face here in the United States. The U.S. federal government started to analyze the cyber terrorism threats as early as the mid-1990s. In 1996, John Deutch, the then-director of the Central Intelligence Agency (CIA), in a statement before the Permanent Subcommittee on Investigations, the U.S. Senate Governmental Affairs Committee, stated the following: “International terrorist groups clearly have the capability to attack the information infrastructure of the United States, even if they use relatively simple means. Since the possibilities for attacks are not difficult to imagine, I am concerned about the potential for such attacks in the future. The methods used could range from such traditional terrorist methods as a bomb—directed in this instance against, say, a telephone switching or other communications node—to electronic means of attack. The latter methods could rely on paid hackers. The ability to launch an attack, however, is likely to be within the capabilities of a number of terrorist groups, which themselves have increasingly used the Internet and other modern means for their own communications.”
Likewise, at a later date, while defining cyber terrorism and the threats that we face from cyber terrorism, the then FBI Director Louis Freeh, in his statement before the U.S. Senate Committee on Appropriations, Armed Services, and Select Committee on Intelligence, May 10, 2001, reiterated threats of cyber terrorism that John Deutch pointed out in 2000, yet categorically added the possibility of cyber terrorism as it could affect our infrastructural facilities, “The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which it must develop prevention, deterrence, and response capabilities.”
A sense of comparative escalation to a higher degree and more intense exposure of our economy to the threats of cyber terrorism is evident from the above. The same is evident in the new interest among the researchers of terrorism as they attempt to define and juxtapose the technology capabilities, interconnectivity of the networked world, and the threats of terrorism facing sovereign countries. The Center for the Study of Terrorism and Irregular Warfare, Monterey, CA, in their 1999 whitepaper “Cyberterror, Prospects and Implications,” attempts to provide a sense of the progression of the capabilities of the cyber terrorists through the following set of definitions and a hierarchy of capabilities:
● Cyberterror support: Include capabilities to use information systems to support, augment, or enhance other terrorist acts, but may not have own capability to inflict terror.
● Simple-Unstructured: Include capabilities for one or more of the following but does not have the capacity to analyze target or advance learning capabilities:
    ● Execute basic hacking and disruption, and
    ● Utilize hacking tools independently that have been created by others
● Advanced-Structured: Include capabilities for:
    ● Target analysis
    ● Attacks against multiple systems or networks, including sequential attacks
    ● Modification of hacking tools.
    ● Assimilation of new knowledge (technologies) and dissemination through training
● Complex-Coordinated: Include capabilities for:
    ● Coordinated attacks leading to mass disruption.
    ● Creation of attack tools.
    ● Analyze vulnerabilities and penetrate defenses.
    ● Target analysis.
    ● Build and maintain strong command and control structure.
    ● Unleash simultaneous attacks.
    ● High learning capacity to acquire and assimilate latest technology, and diffuse such knowledge through training programs.
    ● Utilize indoctrination to enhance all the above capabilities.
In the working paper Cyberterrorism: Hype and Reality, Conway6 has distinguished between the use, misuse, and abuse of the technological capabilities from the perspective of the goal orientation of the user and provided a contrasting set of definitions for users, hackers, hacktivists, crackers, and cyber terrorists (Table 5B-1). Further expanding on the types and goals of attacks, Ballard, Hornik, and McKenzie present an attack typology (categories of attack) of the cyber terrorists in their paper Technological Facilitation of Terrorism: Definitional, Legal and Policy Issues.7 In this work, they define and differentiate between information attacks, infrastructure attacks, technological facilitation, and fund raising as the most prominent categories in cyber terrorism (Table 5B-2).
However, scholars and researchers have differed in their focus and detail in the way they have attempted to identify and isolate the varied usage of the Internet for cyber terrorist purposes. Conway (2005) in another work, Terrorist Use of the Internet and Fighting Back,8 compares four prominent works to present the whole spectrum of possible use of the Internet for terrorist purposes (Table 5B-3). In the article, The Networking of Terror in the Information Age,9 Zanini and Edwards have critically analyzed the relative merits and demerits of the cyber enablement of terrorism. They argue that the new (cyber) enablement and the networked world do not offer unblemished advantage to the terrorists. The cyber terrorists, by the utilization of open source and pervasive technologies of the Internet, also expose themselves to a different set of detection and identification methodologies and capabilities that the institutional authorities are able to master and operationalize (Table 5B-4).

Table 5B-1 Typology of Cyber Activism and Cyber Attacks
Source: Conway, M. (www.ir.dcu.ie/501/02/cybert_hype_reality_2007.doc)

| Action | Definition | Source | Example |
|---|---|---|---|
| Use | Using the Internet to facilitate the expression of ideas and communication(s) | Internet users | Emails, mailing lists, newsgroups, websites |
| Misuse | Using the Internet to disrupt or compromise Web sites or infrastructure | Hackers, Hacktivists | Denial-of-Service (DoS) attacks |
| Offensive use | Using the Internet to cause damage or engage in theft | Crackers | Stealing data (e.g., credit card details) |
| Cyber terrorism | An attack carried out by terrorists via the Internet that results in violence against persons or severe economic damage | Terrorists | A terrorist group using the Internet to carry out a major assault on the New York Stock Exchange |

Table 5B-2 Cyber Incident Typology
Source: Ballard et al., American Behavioral Scientist, 2002

| Category | Definition and Explanation |
|---|---|
| Information attacks | Cyber terrorist attacks focused on altering or destroying the content of electronic files, computer systems, or the various materials therein. |
| Infrastructure attacks | Cyber terrorist attacks designed to disrupt or destroy the actual hardware, operating platform, or programming in a computerized environment. |
| Technological facilitation | Use of cyber communications to send plans for terrorist attacks, incite attacks, or otherwise facilitate traditional terrorism or cyber terrorism. |
| Fund raising and promotion | Use of the Internet to raise funds for a violent political cause to advance an organization supportive of violent political action, or to promote an alternative ideology that is violent in orientation. |

Table 5B-3 Terrorist Use of the Internet
Source: Conway, M., Terrorist ‘Use’ of the Internet and Fighting Back, 2005
Table 5B-4 Benefits and Drawbacks of IT Use for Netwar Terrorists
Source: Zanini et al., Rand Research Publication, Document #MR-1382-OSD

| IT use | Facilitating | Mitigating |
|---|---|---|
| Organizational | ● Enables dispersed activities with reasonable secrecy, anonymity ● Helps maintain a loose and flexible network ● Lessens need for state sponsorship | ● Susceptibility to wire and wireless tapping ● Digitally stored information can be easily retrievable unless well protected ● Cannot by itself energize a network; common ideology and direct contact still essential |
| Offensive | ● Generally lower entry costs ● Eradication of national boundaries ● Physically safer ● Spillover benefits for recruitment and fund-raising | ● Current bombing techniques already effective ● Significant technical hurdles for disruptive and destructive IO ● Unique computer security risks impose recurring costs |

Vulnerability from Cyber Terrorism
In general, vulnerability can be defined as the fallibility of a system at one or more susceptible points. However, depending on the field of concern, very many versions of the definition of vulnerability exist. Because cyber terrorism is in the interface of attack against the sovereignty of a nation through or directed at the nation’s computer systems, the definitions from both the military and the computer security areas are pertinent here. The U.S. military defines vulnerability as “The susceptibility of a nation or military force to any action by any means through which its war potential or combat effectiveness may be reduced or its will to fight diminished,”10 whereas in computer security, the term vulnerability could be defined as “a security exposure in an operating system or other system software or application software component.”11 The vulnerability to cyber terrorism in this chapter refers to the susceptibility of a nation’s assets, interests, and (its) subjects’ livelihood, from a motivated and/or directed attack, which is vectored through the Internet-worked computing and communication networks of today. Ozeren argues that the vulnerabilities to cyber terrorism stem from technical, legal, cultural, and political reasons and circumstances as explained in the following bullet points:12
● Technological Aspect of Vulnerability: The increased dependence of a nation and its infrastructure on the information systems is the underlying premise for technical vulnerability to cyber terrorism. The infrastructure sectors today utilize commercially available off-the-shelf software (COTS), as well as popular operating systems in building their information assets and networks. Thus, the native vulnerabilities of these commercial systems also get embedded in the strategic infrastructure systems. In certain infrastructure sectors, communication networks and computing assets mesh with the manufacturing/production processes through Supervisory Control and Data Acquisition (SCADA) type applications and systems (e.g., energy sector). This exposes a direct level cyber terrorism vulnerability to critical infrastructural facilities. In general, the computing and telecommunication networks are now highly connected across the globe; thus, the threats to the systems of a nation are much interconnected. Major General James D. Bryan, U.S. Army, Commander, Joint Task Force—Computer Network Operations, U.S. Strategic Command and Vice Director, Defense Information Systems Agency, in his deposition before the House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities stated, “The battlespace of the cyber war consists of the globally interconnected grid of complex information networks. . . .”13 As a result, it is now possible that the vulnerability could be compromised from anywhere in the world. On the other hand, this also makes it possible that a breach/compromise to a critical system could now propagate to more interconnected systems, giving rise to the interdependent (and more difficult) nature of vulnerability to cyber terrorism. Such interdependent vulnerability is further exacerbated by the rapid adoption of Web technologies and services (open standards of the Internet technologies) in the infrastructure sector. Knowing that we transact a huge amount of wealth over the interconnected data networks and that a large part of our intellectual capabilities and physical properties are now accessible through interconnected networks, technical vulnerability to cyber terrorism is quite stupendous.
In order to reduce our technological vulnerability toward cyber terrorism, several actions could be taken; taking more than one action generally adds to the relative impregnability of our assets and systems. We may isolate our critical resources from direct access through interconnected networks. This is specifically important for some of our infrastructural and intellectual assets. For example, infrastructure firms may like to use proprietary protocols to effectively isolate control systems of physical infrastructural operations, or isolate intellectual property, especially proprietary processes that could run from systems that are not at all accessible from outside networks. When such isolation is impossible, creating a DMZ (demilitarized zone) between the outer world (untrusted network) and the trusted network through use of proxy servers is helpful. This then creates a first line of defense against cyber terrorists. Even when such defense is in place, it is often recommended to utilize encryption technologies while storing and communicating sensitive information. Although algorithms of popular encryption technologies are common knowledge, intelligent deployment and management of encryption keys effectively lowers the probability of code breakage and/or adds to the time and resource requirement for code breakage, and thus increases the probability of detection. Lastly, adding the capabilities of detection generally increases the deterrence aspect of a cyber attack and is helpful in general.
● Legal and Control Aspect of the Vulnerability: Vulnerabilities to cyber terrorism also arise in the areas of law, governance, practices, and provisions among the countries in the world. The very first problem arises from the fact that many countries do not have any appropriate laws that can define and fix responsibilities for behaviors that amount to cyber terrorism. Once this is the case, the authorities of these countries lack legal authorities to pursue or punish cyber terrorists. In still other countries, either legal provisions are minimal or resources are meagerly allocated, making it difficult to combat such problems. Because the essence of combating cyber terrorism lies in the countries’ technological capabilities to detect such machinations, even when some legal provisions may exist, many economically and technologically disadvantaged nations find it very difficult to combat the vulnerabilities in their systems to cyber terrorism. Yet at another level, a second-degree legal vulnerability to cyber terrorism arises from the disparity of the legal provisions across the nations. “While the international legal system contains some rules for allocation of prescriptive jurisdiction, these rules are unclear and incomplete.”14 Absence of a common set of laws and legal provisions makes it very hard to address the vulnerability of cyber terrorism at a global/cross-national level. Because vulnerability to cyber terrorism can be exploited through interconnected networks/economies of today’s world, the need to realize a common set of standard laws and prosecution provisions is truly critical. Somewhat intuitively though, countries that are more industrialized and economically developed are also the ones who are better equipped with legal provisions, albeit they remain more vulnerable to cyber terrorism in general.15
As apparent, addressing legal vulnerability to cyber terrorism is not only a national but an international issue. First, we need legal provisions that can clearly define a cyber attack as it involves computing and communicating assets as the subjects, conduits, and/or objects of such attacks, and we need such provisions in every nation that effectively joins the Internet-worked map of this world. Second, we need parity of these legal provisions to make misinterpretation of these laws improbable/unlikely. Third, we need legal provisions of cyber terrorism to be exercised through the Interpol as we have similar abilities for other criminal activities. Finally, awareness and training programs across law enforcement agencies all over the world must also include the above understandings such that proper appreciation of the vulnerabilities to cyber terrorism can be ensured across the globe.
● Cultural Aspects of Vulnerability: In order to achieve an adequate level of protection against cyber terrorism, it is imperative that both the government as well as the private sector work toward minimizing the technical and other vulnerabilities in today’s interconnected systems. While the elected governments tend to look at cyber security as an economic (security) product, and are influenced by the general apprehension of the citizens, the same may not be true for the private sector. Where profit motive and stakeholder wealth maximization are the primary goals, it is as such difficult for the private sector to justify budget allocation for remediation of vulnerability to cyber terrorism. That we have not seen any large-scale incident of cyber terrorism till now and that the corporate responsibilities in this regard are not clearly understood at the decision makers’ end are also major debilitating factors. A section of the business leaders argue that the real possibilities of large-scale cyber terrorism are extremely unlikely, and they do not see economic justification for allocation of funds and resources toward cyber terrorism vulnerability management programs.
Recognizing that truly global mindsets and pervasive alliances are required to combat the multifaceted vulnerabilities of cyber terrorism that threatens the networked world of today, a new global initiative to combat cyber terrorism, the International Multilateral Partnership Against Cyber Terrorism (IMPACT), was announced in May 2008. The organization is headquartered in Cyberjaya, Malaysia, and aims to create an international platform that could fight cyber terrorism by bringing together private companies, governments, and academics from around the world. IMPACT believes that “An isolated cyber attack can have global consequences, and therefore, governments and businesses alike have an interest to work together to ensure protection against cyber terrorism. IMPACT recognizes that private companies have a particularly critical role in fighting cyber terrorism because professionals are often at the forefront of current information technology (IT) research and development. Most importantly, the private sector could benefit from increased network security and deeper insight into government priorities, trends, and needs. . . .”16
● Political Aspects of Vulnerability: As we have already discussed, “terrorism” stems from political reasons, aspirations, and circumstances. Thus, a system’s vulnerability to cyber terrorism bears implications of political agenda of the perpetrators against the owners of the system. A country’s vulnerability to cyber terrorism depends on the country’s relative position in the world’s power game, its multilateral relationships, and overall actions and influences on other economies and sociopolitical groups. The influence and prominence that the United States enjoys globally also become the reason why groups of population in lands and countries far distant could be affected (in a real or perceived sense) by the U.S. decisions in the international social, political, and economic arenas. Because terrorists in the eye of country-X could be the religious fighters in the eye of the citizens of country-Y, the political aspect of vulnerability to cyber terrorism is itself a tricky issue to consider.
Cyber Terrorism and U.S. National Policy
The United States is one of the forerunners in proactive planning for securing cyber space as well as creating a strategic comprehensive cyber vulnerability management program that cuts across the public and private sectors. The Commission on Critical Infrastructure Protection (PCCIP) in 1996 was charged to assess the vulnerabilities of the infrastructure sector, viz. energy (electrical power, and oil and gas distribution and storage), civic services (water supply and transportation), telecommunications, banking and finance, and the government services. Through a Presidential Directive, the general policymaking and overseeing bodies in the federal government for counterterrorism measures were established, which included responsibilities to ensure protection and response capabilities of the computer-based systems that were fast becoming integrated in the business processes of our economy. The above efforts culminated in the publication of The National Strategy to Secure Cyberspace by the federal government, which is described as “an implementing component of the National Strategy for Homeland Security and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets....”17
The National Strategy to Secure Cyber Space delineates three strategic objectives that should guide our priorities:18
1. Preventing cyber attacks against critical infrastructures,
2. Reducing vulnerability to cyber attacks, and
3. Minimizing both damage and recovery time from cyber attacks when such eventualities are realized.
Under those strategic objectives, this document provides five (5) national cyberspace security priorities, which, in turn, include detailed action points for each of these priorities. In what follows, we provide a brief précis of these action points in the priorities:
1. A National Cyberspace Security Response System
   a. Creation of a single point of contact between government and industry
   b. Installation of intelligence network and warning systems
   c. Raise cyber awareness, cooperation in information dissemination, and ensure better preparedness among private and public sectors
2. A National Cyberspace Security Threat and Vulnerability Reduction Program
   a. Improve information sharing and investigative coordination within the enforcement communities, and develop a National Threat Assessment Program
   b. Enhance security of Distributed Control Systems/Supervisory Control and Data Acquisition Systems in infrastructure sector
   c. Facilitate communication between research communities to ensure a steady stream of emerging security technologies
3. A National Cyberspace Security Awareness and Training Program
   a. Evaluation of the security of large enterprise networks that may impact the security of the nation’s critical infrastructures
   b. Implement training programs for cyber security professionals in the United States, and facilitate graduate, postdoctoral, and faculty development programs
   c. Build foundations for the development of security certification programs
4. Securing Governments’ Cyberspace
   a. Install systems that can continuously check for unauthorized connections/access to federal networks
   b. Provide encouragement and support for IT security programs in state and local government departments and agencies
5. National Security and International Cyberspace Security Cooperation
   a. Improve ability to quickly attribute sources of attacks and take effective response
   b. Develop capabilities to prevent cyber attacks reaching infrastructures systems
   c. Encourage APEC, EU, and OAS to form a committee for cyber security
   d. Ensure that North America is a “Safe Cyber Zone” by identifying and securing critical common networks in United States, Canada, and Mexico
While actions stipulated in The National Strategy to Secure Cyber Space are implemented on a continued basis, newer system vulnerabilities and cyber exploits emerge in regular intervals as well. One major concern in this area has been the criminalization of cyber attacks, further complicated by the distributed nature of the attacks (DDoS) on the information networks. The CRS report for Congress, “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,” which is one of the latest documents that addresses the cyber terrorism issues in the global policy perspective, provides an update of the states of affairs in cyber crime and cyber terrorism in the following words: “Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. . . . Cybercriminals have reportedly made alliances with drug traffickers in Afghanistan, the Middle East, and elsewhere where profitable illegal activities are used to support terrorist groups. In addition, designs for cybercrime botnets are becoming more sophisticated, and future botnet architectures may be more resistant to computer security countermeasures. . . .”19
Following several cyber security incidents in 2006–07, the Center for Strategic and Information Studies (CSIS) Commission on cyber security for the 44th presidency was formed in late 2007.20 The commission was charged to assess the existing plans and strategies for combating cyber terrorism, and advise improvement avenues to the administration. The commission released its findings including its recommendations in December 2008. This report delineates the very latest state of affairs in the security measures against cyber terrorism. We will conclude this section with an abridged synopsis of the findings and the recommendations of the commission (Table 5B-5):
Findings
1. Cyber security is now a major national security problem for the United States
2. Decisions and actions must respect privacy and civil liberties
3. Only a comprehensive National Security strategy that embraces both the domestic and international aspects of cyber security will make the United States more secure

Recommendations
1. Create a comprehensive national security strategy for cyber space
   ● Diplomatic, Intelligence, Military and Economic (DIME), including law enforcement
2. Lead from the White House
   ● Create a new office for cyber space in the executive office of the President
3. Reinvent the public-private partnership
   ● Emphasis on building trust, and focus on operational activities
4. Regulate cyber space
   ● Voluntary action is not enough
5. Authenticate digital identities
   ● Privacy and civil liberties must be protected at the core
6. Modernize authorities
   ● US laws need to be rewritten in view of the interconnected world of today
7. Use acquisition policies to improve security
   ● Create guidelines for secure products and procure only secure products and services
8. Build capabilities
   ● Provide federal support for focused research, education, training, development in cyber security
9. Do not start over
   ● Begin with the advances already made by CNCI (Comprehensive National Security Initiative)
Table 5B-5 Summary Findings and Recommendations of the CSIS Commission, 2008
Source: http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf
Reality Checks and Concluding Remarks
Although information systems are attacked regularly (more recently for financial gains or other criminal motives), and highly sensitized hypothetical scenarios of cyber terrorism often feature in popular media, there is no recorded event of a cyber terrorism attack on the critical infrastructure of the United States as yet. There are some who think that cyber terrorism is quite possible and is within the capabilities of some of the terrorist groups in this world, while others argue that cyber terrorism is not possible on any large scale. As of today, most experts believe that the terrorists are neither capable of nor contemplating unleashing large-scale cyber attacks of major proportion on any national infrastructure. For instance, Jim Lewis, in his 2002 report for the Center for Strategic and International Studies, Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats, opines that the nation’s infrastructures are more robust than what the early analysts assumed them to be. He also points out that the infrastructure sector regularly deals with system failures of various natures and from myriad sources (the systems are as such capable of absorbing partial failure with redundancy and other design features), such that a cyber attack would be unlikely to inflict a very high level of damage to our infrastructure.
In reality, only a fraction of a percent of the hackers who employ exploits over the Internet or other interconnected networks are actually sophisticated enough to launch any serious cyber attacks. Apart from this, high technical capabilities, strong motivation, brazen recalcitrance, low fear of apprehension, and complete apathy to physical/social consequences are simultaneously required in a perpetrator before a successful cyber terrorist activity could take place. Even when all of these are present and there is availability of funds and other resources, it would still be quite difficult to access/destroy very sensitive information retained by the FBI, CIA, or the Pentagon, or to control physical assets like nuclear reactors, because of what is known as the air-gapping policy, which effectively isolates these critical resources from all interconnected networks, including the Internet.
Can our air traffic or the interconnected train systems, or our gas or power line and other connected systems be jeopardized by cyber terrorists, should they desire to do so? In order to launch a successful large-scale attack on these systems, cyber terrorists would require added knowledge and sophistication of these engineering systems on top of all the other cyber skills that we had discussed in the last paragraph, making such possibilities even more unlikely. However, if cyber terrorists could recruit disgruntled insiders or ex-hires to fill the skill and knowledge gap, theoretically, such possibilities of exploit could exist. In 2002, the Australian police investigated an insider’s21 attempt to use the Internet to release a huge amount of raw sewage in the coastal waters. Although this created a health/ecological scare for some time, even this would not possibly qualify as a disaster because such leakages may not remain undetected for a long time! As we have already argued, the critical infrastructure systems are purposely designed and built with high redundancies and localization schemes, and the personnel are trained and prepared to combat disasters from natural (e.g., hurricane) or system failures (e.g., cascading energy failure). It is not easily comprehensible how a new threat vectored through the Internet could destabilize the system and personnel preparedness so substantially as to create widespread devastation in the effectual damages. The joint war game simulation exercise “Digital Pearl Harbor” of 2002 also demonstrated that only sporadic damages on the Internet were realistically possible and that too when hundreds of millions of dollars and years of preparation time are allowed to a very large group of the sophisticated technologists.
There is another level of difficulty in our assessment and address of the threat of cyber terrorism; the reality and science fiction often face each other. Bendrath points out, “Sometimes it is hard to tell what is science and what is fiction. . . . Even renowned cyber-war theoreticians like John Arquilla have not hesitated to publish thrilling cyber-terror scenarios for the general audience. But these works are not only made for entertainment. They produce certain visions of the future and of the threats and risks looming there.”22
Although we have argued that cyber terrorism attacks are highly improbable in recent times, there is an important aspect of the equation that we must appreciate in the right perspective and with enough seriousness. Such eventualities of cyber terrorism could generate fear psychosis in the minds of the citizens. Research in social sciences suggests when outcomes of a disaster or attack on public life and property are vivid, gory, or evoke memory that is strong in terms of effect, we are prone to assign higher than actual probability for a realization of the event.23 For example, a terrorist attack leading to large-scale loss of life and property (like that of 9/11) causes us to ascribe a higher probability of such acts of terrorism, higher than what a rational analysis of the situation/scenario in hand could justify. Social researchers call this phenomenon probability neglect. Doomsday prognostics, media hype, science fictions, etc. paint these possible events in a vivid fashion, which, in turn, can bolster probability neglect. Such probability neglect, on a mass scale, can have far-reaching effect. For example, among others, this could give rise to a general need for higher protection to obviate such events. Such needs, in turn, translate to demand for stricter regulation and/or higher government/corporate spending to mitigate such risks. Finally, through elected representatives, popular probability neglect may eventually cause higher than optimal investment/regulation in the mitigation of risks of cyber terrorism. Thus, although in reality we may face only a minuscule threat from cyber terrorism, it is appropriate that we assess the impact of cyber terrorism not only from the damage of our assets and systems, but also from the larger socioeconomic impacts.
(Whitman 169-170)
Whitman, Michael E. Readings & Cases in Information Security: Law & Ethics. Cengage Learning, 20100623. VitalBook file.