Michael Morgenstern
The Truths of Cyber-Terrorism
Cyber-terrorism has become a recent media and government buzzword. It brings to many people's minds images of teenage boys sitting in front of their home computers, brandishing joysticks to fly planes into buildings. Fortunately, this is not a realistic scenario. Unfortunately, most members of the crowds harping on cyber terrorism are completely missing the boat. Various news reports have shown that Al Qaeda clearly has an interest in cyberspace. The U.S. House of Representatives Subcommittee on Government Efficiency held a hearing on July 24, 2002 entitled "Cyber-terrorism: Is the Nation's Critical Infrastructure Adequately Protected?" The Subcommittee and its two panels also missed the boat.
Of the eleven witnesses, only Ronald Dick (director of the NIPC) came close to clearly vocalizing the true threat - computers currently provide intelligence that aids terrorists. In the near future, they may also be used to magnify the impact of physical attacks. News stories and testimony have not, however, discovered the few warning signs that have already occurred. Two short vignettes that were told to Congressional staff (by confidential sources close to our firm) but not heard before Congress should demonstrate these threats.
In early 1998, a man later traced to the Middle East began frequenting the electronic hangouts of several prominent teenage hackers. He promised two of them money and computer equipment in exchange for "logins and passwords to any military or government computers" (which they provided despite never receiving compensation). It is important to note that he did not ask them to do anything beyond breaking in. He simply requested that they hack the computers and provide him with access. Is this terrorism? No. Would it aid terrorism? Most definitely.
On Saturday, December 18, 1999, a hijacked Indian Airlines jet landed in Kandahar, Afghanistan. Several months earlier another young hacker had been approached online by a Middle Easterner with a disheartening proposal. He requested architectural schematics to an Airbus A300 (the model that was later hijacked). In exchange for the promise of $10,000, the hacker agreed. He provided the plans but was never paid. Coincidence? Perhaps. But the story worsens. In January 2001, the same hacker was approached again by the same man, who promised double the initial payment in exchange for schematics on another plane. The hacker, horrified after the events in December 1999, adamantly refused. Nine months later, four planes were again hijacked.
These stories may sound like overblown conspiracy theories, until weighed against recent government reports of Al Qaeda scanning power and water utilities and other critical infrastructure. They should clearly illustrate both the capacity and the intent to use computers to facilitate conventional attacks. Hackers do not have to be Al Qaeda operatives. They do not even have to fully understand anything beyond their assigned role. On the other side of the arrangement, as security analysts and the Defense Department claim, Al Qaeda operatives (currently) have nothing like the proficiency in information war of the most sophisticated nations. Thus it would seem that the pairing of hackers and terrorists is a dangerous union. The CIA recently issued a Directorate of Intelligence Memorandum also attesting to these desires and capabilities.
What then of the security of critical U.S. infrastructure? The security industry itself offers a wide range of opinions from doom and gloom to safety assurances. Some experts claim that since distributed control systems (DCS) and supervisory control and data acquisition systems (SCADA) are supposedly not connected to the Internet, they are safe. Furthermore, they rally against the notion that somebody armed with a laptop could bring down the power grid. The reality is that SCADA systems have been breached, and that once inside, terrorists could indeed bring down a section of the power grid. Cyber-security Czar Richard Clarke confirmed that 18 exercise attacks conducted against large regional utilities all succeeded. And to make matters worse, there is funding available to meet these needs. Over a billion dollars is floating around Washington being misappropriated. The National Science Foundation is distributing almost $600 million for research. The National Institute of Standards and Technology has over $300 million, also for universities and research programs.
While such funding has promise, money should first go toward protecting against already known threats, before being pumped into Academia. Many agencies imperative to homeland security are vulnerable. The Nuclear Regulatory Committee and the Department of Defense both failed security audits last year. The Federal Emergency Management Agency received a "D" grade. Governor Ridge has outlined a Health Data Network proposal to defend against bioterrorism. To eliminate the risks of penetration, and false information causing a national scare, such a system needs massive security - as a foundation, not an after-the-fact addition. Computer attacks have never caused a high consequence event, but the bottom line is simple - computers have aided (and will continue to aid) physical attacks. Congress must wake up to this possibility and provide for the safety of all Americans.
Michael Morgenstern is the Managing Partner of Global InterSec LLC, an international computer security firm, and may be reached at [email protected]