The threat posed by cyber-terrorism has grabbed headlines and the attention of everyone worldwide. But just how real is the threat? Could terrorists cripple critical military, financial, and government systems? This article gives an insight into the rising threat of cyber-terrorism and the hype created around it.
The threat posed by cyber-terrorism has grabbed headlines and the attention of politicians, security experts, and the public. But just how real is the threat? Could terrorists cripple critical military, financial, and service computer systems? This article deals with the rise of cyber-terrorism and examines the evidence cited by those who predict imminent catastrophe. Many of these fears are exaggerated: not a single case of cyber-terrorism has yet been recorded, hackers are regularly mistaken for terrorists, and cyber-defenses are more robust than is commonly supposed. Even so, the potential threat is undeniable and seems likely to increase, making it all the more important to address the danger without inflating or manipulating it.
Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda and engage in secure communications. Cyber-terrorism involves the use of cyber-tools to shut down critical national infrastructures such as energy, transportation or government operations for the purpose of coercing or intimidating a government or civilian population. Today and in the future, cyber-terrorism is clearly an emerging threat.
The Estonia Cyber-Attack
In May 2007 Estonia was subjected to a mass cyber-attack in the wake of the removal of a Russian World War II war memorial from downtown Tallinn. The attack was a distributed denial of service (DDoS) attack in which selected sites were bombarded with traffic in order to force them offline. Nearly all Estonian government ministry networks as well as two major Estonian bank networks were knocked offline. In addition, the political party website of Estonia's current Prime Minister Andrus Ansip featured a counterfeit letter of apology from Ansip for removing the memorial statue. Despite speculation that the attack had been coordinated by the Russian government, Estonia's defense minister admitted he had no evidence linking the cyber-attacks to Russian authorities. Russia called accusations of its involvement "unfounded," and neither NATO nor European Commission experts were able to find any proof of official Russian government participation. Later, in January 2008, a man from Estonia was convicted for launching the attacks against the Estonian Reform Party website and fined.
The Growing Threat
To understand the growing sense of vulnerability caused by cyber-terrorism, let's delve into the 1997 exercise code-named "Eligible Receiver" conducted by the U.S. National Security Agency (NSA). The exercise began when NSA officials instructed a "Red Team" of thirty-five hackers to attempt to hack into and disrupt U.S. national security systems. They were told to play the part of hackers hired by the North Korean intelligence service, and their primary target was to be the U.S. Pacific Command in Hawaii. They were allowed to penetrate any Pentagon network but were prohibited from breaking any U.S. laws, and they could only use hacking software that could be downloaded freely from the Internet. They started mapping networks and obtaining passwords gained through "brute-force cracking" (a trial-and-error method of decoding encrypted data such as passwords or encryption keys by trying all possible combinations). Often they used simpler tactics such as calling somebody on the telephone, pretending to be a technician or high-ranking official, and asking for the password. The hackers managed to gain access to dozens of critical Pentagon computer systems. Once they entered the systems, they could easily create user accounts, delete existing accounts, reformat hard drives, scramble stored data, or shut systems down. They broke the network defenses with relative ease and did so without being traced or identified by the authorities.
The results shocked the organizers. In the first place, the Red Team had shown that it was possible to break into the U.S. Pacific military's command-and-control system and, potentially, cripple it. In the second place, the NSA officials who examined the experiment's results found that much of the private-sector infrastructure in the United States, such as the telecommunications and electric power grids, could easily be invaded and abused in the same way.
The vulnerability of the U.S. energy industry was also highlighted by security experts and the industry. Various security experts argue that America's energy sector would be the first domino to fall in a strategic cyber-terrorist attack against the United States. They describe in frightening detail how the impact of such an attack could rival, or even exceed, the consequences of a more traditional, physical attack.
Security experts are of the opinion that the energy industry and many other sectors have become potential targets for various cyber-disruptions by creating Internet links (both physical and wireless) between their networks and supervisory control and data acquisition (SCADA) systems. These SCADA systems manage the flow of electricity and natural gas and control various industrial systems and facilities, including chemical processing plants, water purification and water delivery operations, wastewater management facilities, and a host of manufacturing firms. A terrorist's ability to control, disrupt, or alter the command and monitoring functions performed by these systems could threaten regional and possibly national security.
In March 2000, Japan's Metropolitan Police Department reported that a software system they had procured to track 150 police vehicles, including unmarked cars, had been developed by the Aum Shinrikyo cult, the same group that gassed the Tokyo subway in 1995, killing 12 people and injuring 6,000 more. At the time of the discovery, the cult had received classified tracking data on 115 vehicles. Further, the cult had developed software for at least 80 Japanese firms and 10 government agencies. They had worked as subcontractors to other firms, making it almost impossible for the organizations to know who was developing the software. As subcontractors, the cult could have installed Trojan horses to launch or facilitate cyber-terrorist attacks at a later date.
Appeal of Cyber-terrorism
Cyber-terrorism is an attractive option for modern terrorists for several reasons. Some of them are:
1. It is cheaper than traditional terrorist methods. All that the terrorist needs is a personal computer and an online connection. Terrorists do not need to buy weapons such as guns and explosives; instead, they can create and deliver computer viruses through a telephone line, a cable, or a wireless connection.
2. Cyber-terrorism is more anonymous than traditional terrorist methods. Like many Internet surfers, terrorists use online nicknames like "screen names" or log on to a website as an unidentified "guest user," making it very hard for security agencies and police forces to track down the terrorists' real identity. And in cyberspace there are no physical barriers such as checkpoints to navigate, no borders to cross, and no customs agents to outsmart.
3. The variety and number of targets are enormous. The cyber-terrorist could target the computers and computer networks of governments, individuals, public utilities, private airlines, and so forth. The sheer number and complexity of potential targets guarantee that terrorists can find weaknesses and vulnerabilities to exploit. Several studies have shown that critical infrastructures, such as electric power grids and emergency services, are vulnerable to a cyber-terrorist attack because the infrastructures and the computer systems that run them are highly complex, making it effectively impossible to eliminate all weaknesses.
4. Cyber-terrorism can be conducted remotely, a feature that is especially appealing to terrorists. Cyber-terrorism requires less physical training, psychological investment, risk of mortality, and travel than conventional forms of terrorism, making it easier for terrorist organizations to recruit and retain followers.
5. As the I LOVE YOU virus showed, cyber-terrorism has the potential to affect directly a larger number of people than traditional terrorist methods, thereby generating greater media coverage, which is ultimately what terrorists want.
Is Cyber-terror Threat Exaggerated?
To a certain extent it is fair to say that the current threat posed by cyber-terrorism has been exaggerated. No single instance of cyber-terrorism has yet been recorded. The U.S. defense and intelligence computer systems are air-gapped and thus isolated from the Internet; the systems run by private companies are more vulnerable to attack but also more resilient than is often supposed; the vast majority of cyber-attacks are launched by hackers with few, if any, political goals and no desire to cause the mayhem and carnage of which terrorists dream. So, then, why has so much concern been expressed over a relatively minor threat?
The reasons are many. First, as many security experts have observed, cyber-terrorism and cyber-attacks are high-profile topics for the public. Cyber-terrorism is novel, and it captures people's imagination. Second, the mass media frequently fail to distinguish between hacking and cyber-terrorism and exaggerate the threat of the latter by reasoning from false analogies such as the following: "If a sixteen-year-old could do this, then what could a well-funded terrorist group do?" Ignorance is a third factor. Experts argue that cyber-terrorism merges two spheres, terrorism and technology, that many people, including most lawmakers and senior administration officials in the government, do not fully understand and therefore tend to fear. Moreover, some groups are eager to exploit this ignorance. Numerous technology companies, still reeling from the collapse of the high-tech bubble, have sought to attract research grants by recasting themselves as innovators in computer security and thus vital contributors to national security. Law enforcement and security consultants are likewise highly motivated to have us believe that the threat to our nation's security is severe. A fourth reason is that some politicians, whether out of genuine conviction or out of a desire to stoke public anxiety about terrorism in order to advance their own agendas, have played the role of prophets of doom. And a fifth factor is ambiguity about the very meaning of "cyber-terrorism," which has confused the public and given rise to countless myths.
In a so-called "digital Pearl Harbor" exercise sponsored by the U.S. Naval War College in August 2002, analysts posing as terrorists were able to simulate a large-scale cyber-attack on the U.S. infrastructure. But to do so they needed $200 million, high-level intelligence and five years of preparation time. The college concluded that such an offense could cripple communications in a heavily populated area but would not result in deaths or other catastrophic consequences.
Yet the hyperbole about an Internet attack frequently overshadows common sense. On Sept. 11, it took less than 24 hours after four passenger jets were used as weapons of mass destruction for cries of cyber-terrorism to emerge as the next great threat, triggering calls for new legislation to broaden the authority of law enforcement agencies.
Points to Ponder
- The potential threat posed by cyber-terrorism has provoked considerable alarm. Numerous security experts, politicians, and others have publicized the danger of cyber-terrorists hacking into government and private computer systems and crippling the military, financial, and service sectors of advanced economies.
- The potential threat is, indeed, very alarming. And yet, despite all the gloomy predictions, no single instance of real cyber-terrorism has been recorded. This raises the question: just how real is the threat?
- Psychological, political, and economic forces have combined to promote the fear of cyber-terrorism. From a psychological perspective, two of the greatest fears of modern time are combined in the term "cyber-terrorism." The fear of random, violent victimization blends well with the distrust and outright fear of computer technology.
- Even before 9/11, a number of exercises identified apparent vulnerabilities in the computer networks of the U.S. military and energy sectors. After 9/11, the security and terrorism discourse soon featured cyber-terrorism prominently, promoted by interested actors from the political, business, and security circles.
- Cyber-terrorism is, to be sure, an attractive option for modern terrorists, who value its anonymity, its potential to inflict massive damage, its psychological impact, and its media appeal.
- Cyber-fears have, however, been exaggerated. Cyber-attacks on critical components of the national infrastructure are not uncommon, but they have not been conducted by terrorists and have not sought to inflict the kind of damage that would qualify as cyber-terrorism.
- Nuclear weapons and other sensitive military systems, as well as the computer systems of the CIA and FBI, are "air-gapped," making them inaccessible to outside hackers. Systems in the private sector tend to be less well protected, but they are far from defenseless, and nightmarish tales of their vulnerability tend to be largely apocryphal.
- But although the fear of cyber-terrorism may be manipulated and exaggerated, we can neither deny nor ignore it. Paradoxically, success in the "war on terror" is likely to make terrorists turn increasingly to unconventional weapons, such as cyber-terrorism. And as a new, more computer-savvy generation of terrorists comes of age, the danger seems set to increase.
Guarding Against Cyber-terrorism
According to various security experts, understanding terrorists' activities on the Internet is only the beginning of the problem; the challenge remains to balance the effort to control these activities with the need to preserve civil liberties. In the U.S. and other countries, several government counter-terrorist measures have been implemented since the attacks of September 11, 2001. These include the use of "sniffers" such as Carnivore and Magic Lantern, which can search for certain information or keywords. In addition, there have been efforts to remove material from web sites or even remove entire web sites. These and other countermeasures force officials and citizens to ask hard questions about what price they are willing to pay, and what opportunities are being lost, in the cyber-war against terrorism.
Realistically, the best approach to preventing abuse of the Internet by terrorists will require both the acceptance of some vulnerabilities and some constraints on civil liberties. Listed below are some points that can counter the threat of cyber-terrorism:
- Enforcing laws, especially to increase the transparency of Internet security measures;
- Applying the "social responsibility" model to the Internet (e.g., self-policing by the Internet Service Providers, or ISPs);
- Encouraging international collaboration (to the maximal extent possible);
- Creating education and counterterrorism sites; and
- Promoting peaceful uses of the Internet for conflict management and resolution.
Conclusion
Future terrorists may indeed see greater potential for cyber-terrorism than do the terrorists of today. Furthermore, the next generation of terrorists is now growing up in a digital world, one in which hacking tools are sure to become more powerful, simpler to use, and easier to access. Cyber-terrorism may also become more attractive as the real and virtual worlds become more closely coupled. For instance, a terrorist group might simultaneously explode a bomb at a train station and launch a cyber-attack on the communications infrastructure, thus magnifying the impact of the event. Unless these systems are carefully secured, conducting an online operation that physically harms someone may be as easy tomorrow as penetrating a website is today.
Paradoxically, success in the "war on terror" is likely to make terrorists turn increasingly to unconventional weapons such as cyber-terrorism. The challenge before us is to assess what needs to be done to address this ambiguous but potential threat of cyber-terrorism, but to do so without inflating its real significance or manipulating the fear it inspires. Anti-terrorism experts conclude that, at least for now, hijacked vehicles, truck bombs, and biological weapons seem to pose a greater threat than does cyber-terrorism. However, just as the events of 9/11 caught the world by surprise, so could a major cyber-assault. The threat of cyber-terrorism may be exaggerated and manipulated, but we can neither deny it nor dare to ignore it.
—By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specializing in Software Security. He has an active interest in designing security algorithms for securing software. He can be reached at infosecurity@fanaticmedia.com