In 1996, Jamie Gorelick, Deputy Attorney General under President Clinton, was quoted as saying “A cyber threat can disrupt the provision of services and disrupt our society, disable our society, even more so than a well placed bomb.” The complexity of networks, the connectivity among secure and insecure networks, and the lack of training of cyber security experts causes national information and systems to be more vulnerable to attack than ever before. Although the United States critical infrastructure is vulnerable to attack, could cyber terrorism be used as an effective form of warfare?
I) There exists a national defense plan against cyber-terrorism, however there are strong doubts as to the strength of this plan and its ability to defend against the multitude of known and possible unknown attacks against our national critical infrastructure.
a) The tools of a Cyber Terrorist
i) Distributed Denial of Service (DDoS)
(1) Distributed use of multiple (thousands) computers to continually request data from a particular server so as to deny legitimate users access.
ii) Political Misdirection
(1) Making a particular cyber terrorist act look like it came from another source
iii) Cyber Terrorist communication networks
(1) Al Qaeda emails about fundraising and resource movement to further their goals
(1) Nimda, Love Bug, etc.
v) Undetected intrusion
(1) Infiltration for use at a specified later date or to spy on a particular network
(2) Compromise the SCADA system (Systems control and Data acquisition)
(a) System design to mitigate damage from a cyber terrorist attack
(i) Used as a last defense which involved physically shutting down affected systems to prevent disaster
1. Shutting down an oil pipeline to prevent a spill
2. Prevents ecological disaster, but created economic and - supply to consumer havoc.
vi) Social Engineering
(1) Employment by attacks of employees and either willingly or unknowingly share important/secret documents and network access codes. Usually leads to a root compromise
vii) Root Compromise
(1) Gain control of the core of a particular computer system or network. This grants attacker complete access to all subsystems.
viii) Domain Name Service Spoofing
(1) The server is compromised and forced to redirect all incoming traffic to a different IP of the attackers choosing. Usually a web server with information on their particular cause.
II) The critical infrastructure is the backbone to our technological society. There are different organizations, responsible for different areas, all connected through one network, the Internet. Some of these organizations are more vulnerable to attack then others.
a) Department of Homeland Security
i) Information and Telecommunications
(1) Vulnerable to proprietary software attacks from insiders familiar with technical details of the system
ii) Transportation (aviation, rail, mass transit, waterborne commerce, pipelines, and highways)
(1) Networks rely on elderly equipment and use proprietary software which makes them difficult to hack for outsiders
(2) The high level of human involvement in the control and decision making process reduce the risks
(a) A young hacker interrupted local phone service in New England, cutting off a regional airport’s control tower and the ability to turn on the runway lights for 6 hours, and there were no accidents as a result.
(b) Other cases of hackers entering the FAA mail server and no accidents as a result.
iii) Postal and Shipping
iv) Emergency Services
(1) Does not use one system, instead uses several thousand local systems using different technologies and procedures.
(2) No major attack to date but is possible to send a flood of email messages instructing people to call 911, thus overloading the system. Used in conjunction with a physical attack could act as a “force multiplier.”
(3) Vulnerable to insider attacks.
v) Continuity of Government
b) Department of the Treasury
i) Banking and Finance
(1) Utilize infrastructures that are vulnerable to cyber attacks due to their dependence on networks.
(2) Operates largely on private networks and intranets with limited access, limiting vulnerability from external attacks
c) Department of Health and Human Services
i) Public Health
ii) Food (all except for meat and poultry)
d) Department of Energy
i) Energy (electric power, oil, and gas production, and storage)
(1) Electrical infrastructures have sensors that assist engineers in shutting down components of the national grid in times of natural disaster, which could become vulnerable to cyber manipulation, potentially resulting in mass power outages
(2) Oil and gas infrastructures rely heavily on the use of computerized Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS). These systems are vulnerable to cyber attack with the potential of affecting numerous economic sectors, such as manufacturing and transportation.
e) Environmental Protection Agency
(1) Water levels controlled by sensors and remote means
ii) Chemical Industry and Hazardous Materials
f) Department of Agriculture
(1) Food (meat and poultry)
g) Department of Defense
i) Defense Industrial Base
(1) May 2001, Chinese hackers gained access to an Air Force site that contained medical statistics and records.
III) As new threats arise in the field of cyber terrorism the need for new governmental policy drastically increases. Terrorists have begun to discover revolutionary ways to attack the American infrastructure so it’s obvious why the US government needs to put a tremendous emphasis on combating the new-fangled attacks. And in the past decade our government has shown their efforts in the policies that they have signed into law.
i) The Cybersecurity Research and Education Act of 2002
(1) This act showed that congress was beginning to accept the severity of a cyber attack.
(2) With the signing of this act, congress allowed the NSF and the NSA to establish programs that increased the number of professors teaching and researching cyber terrorism. The increased number of professors will help educate more people so that the US government employees will be fully prepared to deal with most any cyber attack.
ii) The National Information Infrastructure Protection Act of 1996
(1) With computer technology becoming more accessible and widespread in 1996, criminals and terrorist began to realize the potential of this untapped resource. Crimes were beginning to appear that authorities have never seen in the past and had barely any laws to prevent. Congress therefore passed the Information Infrastructure Act to protect America and prosecute these cyber crimes.
(2) The act made strict penalties for people who committed these crimes in order to deter any would be criminals from attempting an attack.
(3) Probably the most important aspect of the Act was that the act itself would be able to change as new technology was invented, so that it could stay as current as possible.
IV) Along with policies that were implemented by the US government to combat cyber terrorism, specific government agencies were created in order to insure that the country was fully prepared to defend against a cyber attack. These agencies hail from all different aspects of the US government, but each play an equally important role in prevention. These agencies are the major stakeholders in the cyber terrorism defense.
i) Federal Bureau of Investigations
(1) The FBI can be considered the central agency in the fight against cyber terrorism.
(2) They have an enormous computer security department and are continuously searching for the best and the brightest agents to help in their fight.
(3) The FBI can also be accredited with the training of most of the computer specialist that are used by the other agencies.
ii) National Infrastructure Protection Center
(1) The NIPC was created in 1998 and is comprised of agents from almost every governmental department and even members of private industry.
(2) The main responsibilities of NIPC include investigating computer intrusions, responded to computer attacks, and the prevention of future attacks.
iii) Computer Security Institute
(1) One of the leading private security agencies, CSI provides training to private corporations in order to help them prevent cyber attacks against their respective companies.
(2) CSI allows pairs with the FBI annually to compile a survey on the specific threats and instances of cyber crime.
(a) This survey is highly regarded and beneficial for seeing the specific vulnerabilities that exist in computer security.
a) International cooperation and disclosure regarding cyber terrorist attacks.
b) Government training programs and accreditations for National Cyber Security Experts.
c) Improved reporting of incidents of cyber terrorism.
d) Continued degree of human involvement to mitigate damages.