by Robert Murrill
rmurrill@verizon.net
This paper will take a look at Cyber terrorism and explaining what it is and what it isn’t by showing how closely related Cyber Terrorism and Cyber Warfare are. Although the affects of both may have the same results, ultimately it is the tools of Cyber Warfare that are used in the performance of Cyber Terrorism. An examination of the political problem across three presidential administrations and the dilemmas they face in protecting what we deem valuable will be followed as the nation struggles with the concept and new threat of terror attacks on U.S. soil. Yet at the same time security experts, law enforcement and hackers are raging a cyber battle upon the world’s computer networks and infrastructure at an ever alarming rate. The world’s government agencies, terrorist organizations and organized crimes units, are profiting from the proliferation of terrorist acts against the infrastructure of cities worldwide. Electric, gas, water treatment and supply facilities are at risk, as well as the banking and financial institutions. The defense against such attacks starts with the acknowledgement that the threat exists; unfortunately not everyone in the governments has done this. The laws that were established to protect our privacy online are in some ways the same laws that leave the U.S. vulnerable and unable to counter cyber terrorism acts. The threat of cyber terrorism, does it exist?
Cyber Terrorism Defined
Cyber terrorism is a very misleading term, depending on who you ask it will take on varying degrees meanings. Since September 11, 2001 actions relating to deployments by known terrorist organizations and of disrupted attacks against information systems for the primary purpose of creating alarm and panic have been coined by some experts, who are associated with government agencies, as the standard for defining cyber terrorism. Others have added the phases; the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. By this broad definition, it is difficult to identify any instances of cyber terrorism. Mark Pollitt, special agent for the FBI, offers a working definition: “Cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents.” (Pollitt, Retrieved March 11, 2010, http://en.wikipedia.org)
Regardless of the exact definition used, cyber terrorism must produce two actions. First it must produce fear. It is the fear that motivates security experts and business to set safeguards in place to ward off any potential attack or perceived threat. Second there must be an attack against a computer or network to validate the threat. Without a detection of an attack the message of the attacker could not be substantiated.
To further clarify terrorism in the cyber world is should be noted that there are certain names associated with the people who would perpetrate such acts on an individual level. There are hacker, cracker and cyber warrior. To simplify the differences between them and to show how they will be used in reference to this paper, they will be defined here. The term hacker refers to an individual who breaks into a computer by illegal or unauthorized means. In the past hacking was and is in some circles still is consider bad, although the skills a hacker processes are used in the cyber security field to protect vital asset. Today the term has become more of a statement to show weaknesses in the computer or software than for malicious intent although in this paper the word maybe used to show illegal actions. The term cracker has always referred to someone who had malicious intent. A software cracker is a person who modifies computer code. The code maybe distributed for illegal or malicious means. The basic skills necessary for a cyber warrior will vary in magnitude; however, they include: information security, hacking, espionage, and computer forensics. A cyber warrior is a person who is highly skilled in the art of cyber warfare. Governments, their militaries, law enforcement, the private sector and criminals (individuals or groups) around the world are taking the initiative to train their people in the field of cyber warfare.
A hacker, cracker or cyber warrior may at some time be engaged in cyber terrorist, with the primary goal being to raise fear and be acknowledged for their attack. Quite often the goal is to commit a cyber crime. A cyber crime is a crime where the internet or computers are used to commit a crime. What disqualifies this from being a cyber terrorism attack is the lack of fear as a motive to deliver a message. Cyber crime is generally financially motivated. Cyber crimes may also include hacking, copyright infringement, child pornography, and child grooming.
The View of Cyber Terrorism from 1996 to 2010
Not everyone believes that cyber terrorism is a problem. Two camps of thought have formed about the threat of cyber terrorism and how much damage if any, would such an attack bring. The first is of the mind that the targets of a cyber attack would be against the infrastructure of the world. This includes telecommunications, electrical power systems, gas and oil reserves, banking and finance systems, transportation, water supplies, and emergency services such as fire and police, and governments. The other is that computer failures and power outages are a simple fact of life, and the economy is too resilient to be easily crippled by system failures, deliberate or accidental. This mind set goes on to explain that a much broader threat is the organized effort that is believed to exists in germ warfare, which could kill tens of thousands people. Continuing with this, there is a fear that there may be as greater threat from the fringes of American life, where survivalists and right-wing opponents of the Federal Government appear to be taking a greater interest in weapons of mass destruction.
In July of 1996 President Clinton signed an executive order for a panel of experts to study the problem of cyber terrorism, and then tell the American public how to safeguard against information warfare. He sought after $2.8bn from Congress to help defend the U.S. against attacks by computer viruses, and chemical or biological weapons. President Clinton then signed two orders implementing his new terrorism policies. One outlined new steps to prevent and prepare for terrorist attacks against the United States. The other spelled out ways to protect the nation’s information infrastructure from cyber- terrorism.
January 1999 the presidential coordinator for the counter terrorism effort, Richard Clarke, felt that there was the threat of information warfare from a rogue nation, terrorist group or criminal cartel could perform a systematic national intrusion into computer systems that could have effects comparable to the bombing of infrastructures during the Second World War. The threat was made very clear when a satellite malfunctioned, disabling pagers, automatic money machines, credit card systems and television networks around the world. The following year a cyber attack against CNN, Yahoo!, eBay, Amazon, ETrade and other major web sites inconvenienced millions of users and continued to raise concerns about internet security. Some of these attacks were apparently coordinated, overloaded these sites with a barrage of messages generated by hackers. A 15-year-old Canadian boy was charged with two counts of computer mischief for crippling the CNN website and 1,200 other related cyber attacks. The FBI, Royal Canadian Mounted police and the Justice Department investigated the attacks but were only able to make the connection to the boy after he boasted about the exploit in an Internet chat room.
In year 2000, prior to the mass terror attack on the World Trade Center and the Pentagon, cyber attacks were prevalent. The FBI believed the damage caused by international hacking could run into hundreds of millions of dollars. Law enforcement’s view of cyber terrorism was wherever they are; hackers will be investigated and arrested. Although the opinion of most civilian security experts was that people should not feel safe from these attacks because of an arrest, cyber terrorism is a new form of terrorism and it is not going to go away. The world still did not comprehend that the “denial of service” (DoS) attack that requires a large capacity network capable of transmitting large volumes of data to computers, were common and very vulnerable.
One month after the 9-11 attacks Jeffrey A. Hunker, the former National Security Council cyber-terrorism expert, said an attack could be launched against the United States by one person at a computer terminal 1,000 miles away. “With people running everywhere and police not knowing what to do, the resulting panic would result in a lot of loss of life and do what terrorists are trying to do, which is spread uncertainty and fear in the U.S. population”. (MEYER, J., & SHIVER, J., Jr. 2001 http://articles.latimes.com)
Terrorist and terrorism now had a new face; with something tangible that all sides could agree upon the “War on Terrorism” had begun in earnest. President Bush took steps to heighten security in cyber space. Governor Tom Ridge was named to the newly created post of director of the Office of Homeland Security, retired Army General Wayne Downing was appointed to serve as national director for combating terrorism and Richard Clarke was named special White House advisor for cyber space security. Mr. Clarke, after expressing many warnings of the possibility of a devastating computer-based attack on the United States, now had a platform from which to launch his fears. The hijackers who took part in the attacks on the 11th of September were believed to have used the internet to communicate, logging on to computer terminals in public libraries and copy shops to make their online activities difficult to track. Government officials started to admit that hackers are trying to download military and national security secrets, and that the US Department of Defense computer systems had suffered from many of the same viruses that have crippled corporate and personal computer systems.
Yet the argument continued as many terrorism experts said, “bombs are better than bytes” still remaining skeptical of the implications of cyber terrorism. Richard Forno, who developed the first information security program for the U.S. House of Representatives and served as the chief information security officer for Network Solutions, shied away from the idea of a dramatic kind of cyber attack envisioned in Electronic Pearl Harbor scenarios. “Cyber attacks were more of a nuisance than viable terrorist tactics”, he said. And he did not consider someone hacking Amazon or eBay to be an act of cyber-terrorism. The government needed to respond to specific threats and not simply give in to knee-jerk reactions, given by some in Congress. (2001 http://news.bbc.co.uk)
Over the next few years the Bush administration had requested only $19.3 million for “Cybercorps”, a scholarship program to recruit more computer experts to the government to fight cyber terrorism, and $27.1 billion for the military and domestic security needs. Foreign governments like India who later enacted The Information Technology Act of 2008, were politely urging the United States to become more involved in the fight against cyber terrorism. By mid July of 2002 the banking and financial institutions of the world had made more progress in protecting their systems from hackers, according to Dan Verton, a cyber terrorism expert at Computerworld magazine in Washington D.C. felt that utilities, oil companies and industrial plants were still lagging in their efforts to secure their computer systems and networks. (Wright, 2007 http://www.usatoday.com/tech/news/computersecurity/2002-07-19-cyber-terrorism_x.htm)
While debate in Congress carried on, cyber attacks like what took place in 1997 continued. A teen-age hacker broke into the control tower computer system at Worchester, Mass., airport, disrupting service. And in 2000 a hacker broke into a utility company computer in Maroochy Shire, Australia, and released millions of gallons of raw sewage into the town waterways. Finally the House of Representatives sponsored funding for cyber security research totaling $878 million. Other congressman was pushing for legislation to create “Netguard”, an emergency response team of computer experts that would aid the government in the event of a cyber attack. The House also passed legislation boosting criminal penalties against cybercriminals. But despite the flurry of legislation the mentality was, it could still take years for the nation to fully prepare its complex telecommunications system and power grid for a cyber attack. The primary concern of the Bush administration remained focused on the immediate and tangible threat of al-Qaeda as a terrorist organization that could again strike at U.S interests, but not from the internet. When a U.S. military plane crashed in Chinese territory in 2003 after computer hackers attacked American systems with viruses. The academic Dr. Alan Ryan warned that cyber terrorism was the way of the future and the nation’s security experts would have to focus their attention on the problem. “Cyber attack is a reality … it has become a weapon of non-war…” (Canbarra, 2003 http://identity-love-sock.com///_age-03-02-26.001.html) By mid 2005 the attitude of the American people about the importance of cyber-security, was no one would ever die in a cyber-attack. Richard Clarke, a former terrorism and cyber-security czar in the Bush Administration believed they were all wrong. The dangers of hackers, software worms, and computer viruses attacking the automatic networks that run critical infrastructure are all emerging as a vital and weak link in America’s defense against terrorism. Computer networks run everything from water-treatment plants and oil refineries to power grids and transport networks. These facilities often keep operating 24/7. In the wrong hands these facilities could become a lethal weapon if compromised. According to IBM’s global security intelligence team, in the entire first half of 2005 there were 237 cyber-attacks worldwide, a 50 percent increase from the same period the year before.
After three-week cyber offensive in 2007, Estonia urged NATO to develop a unified strategy against cyber terrorists. Estonia suspected Russian hackers had launched a series of attacks on leading government, banking and media websites. Mikhel Tammet, a senior government official who chaired Estonia’s cyber defense coordination committee, said; “This is a kind of terrorism…. The act of terrorism is not to steal from a state, or even to conquer it. It is, as the word suggests, to sow terror itself. If a highly IT country cannot carry out its everyday activities, like banking, it sows terror among the people.” (Blomfield, 2007 http://www.telegraph.co.uk////accused-over-Estonian-cyber-terrorism.html) There was no evidence to connect the campaign to the Kremlin. Russia became the first country to be recognized by the world as having been involved in a cyber terrorist attack.
Barack Obama’s over whelming presidential election in 2008 promised a change in the way cyber terrorism would be addressed. He announced he would create a “cyber czar,” who would have broad authority to develop a strategy to protect the nation’s government run and private computer networks. The administration released report that outlined the government’s cyber security initiatives and policies. It was purposely left vague and was not intended to resolve the issues between what roles the National Security Agency and the premier Electronic Surveillance Agency, (that was created under the Bush administration) will have in protecting private-sector networks. The major concern that was in the existing policy was the debate over legal authorities and the protection of citizens’ e-mails and phone calls. The Bush administration’s secrecy in how it was going to handle this concern in its comprehensive national cyber security initiative, most of which was classified, hindered such a debate. The report recommended that members would be appointed to the Privacy and Civil Liberties Oversight Board, an independent executive branch agency created by Congress in 2007 to ensure that privacy concerns are considered in the implementation of counter terrorism policies and laws. It suggested that the board’s mandate would expressly include cyber security.
July10, 2009 Michael S. Malone published an article online with abcnews.go.com asking “When does a cyber attack by another nation cross the line and become an official act of war?” Web sites in the United States and South Korea had been attacked by unidentified hackers whose intent was to crash them. Some of the targeted sites in the U.S. were the departments of Transportation, State and Treasury Departments, the White House, the New York Stock Exchange, Yahoo and the Federal Trade Commission. On July 4th, hackers were successful in bring down some of the sites for as much as 24 hours. Officials in both countries say the attacks appear to have been launched from inside North Korea. Mr. Malone’s point of view like many others was that the U.S. is not ready to confront North Korea on the matter directly and would much rather blame ourselves for the failure of not being able to defend against such an attack.
The debate for him is if a worm, virus or hacker can cause millions of computers to go down then why not some medical device that is wired into something like a fetal monitoring system, or some surgical equipment, robotic bomb demolition equipment or a nuclear warhead. According to the Department of Homeland Security, the rate of online security breaches on government and private institutions in this country has reached over 72,000 attacks over last year (2008), double the number of the year before. (Malone 2009) In 2007, Russia was the country in the news now the Chinese government has been implemented in sponsoring teams of hackers to probe our defenses. Similar stories have appeared about terrorist groups in the Middle East.
In January of 2010 the Chinese attacked Google’s corporate infrastructure. It has been documented that institutions in India, the US, the UK, Australia, and Russia all have been attacked regularly by IP addresses originating in China, all aimed at stealing information. To date the U.S. Government has not passed any significant legislation to combat cyber terrorism or officially hold any nation or organization responsible for conducting cyber attacks.
Cyber Terrorism Executed
In order to expedite a cyber attack, a cyber warrior must gain access to the target in mind, although there maybe debate over what is the best way to accomplish this, the goal is to gain access without detection. There are several techniques that are used by computer criminals and security experts alike that are repeated consistently in all attacks. A typical approach to an attack on an Internet connected system contains these things:
· Network enumeration: Discovering information about the intended target.
· Vulnerability analysis: Identifying potential ways of attack. The vulnerability can be associated with social engineering like eavesdropping. A vulnerability detector like a packet sniffer can also be a scanning tool used to quickly check computers on a network for known weaknesses. Hackers also commonly use port scanners. These check to see which ports on a specified computer are “open” or available to access the computer. Sometimes they will detect what program or service is listening on that port, and its version number. It is important to know that a firewall can defend a computer from intruders by limiting access to ports and machines, both from inbound and outbound traffic, but can still be circumvented.
· Exploitation: Attempting to compromise the system by employing the vulnerabilities found through the vulnerability analysis. The Exploit can be a Trojan, virus and worm, and Denial of services. A security exploit is a prepared application that takes advantage of a known weakness. A common example of a security exploit is an SQL injection, Cross Site Scripting, Spoofing and Cross Site Request Forgery which abuses security holes that may result from substandard programming practices. Other exploits would be able to be used through FTP, HTTP, PHP, SSH, Telnet and some insecure web pages. These are very common in website/domain hacking.
The advanced persistent threat attack (APT) further detailing the typical attack, involves seven basic steps. All but the seventh step are the same steps taken by a penetration tester (someone who tests for vulnerabilities). These are not necessarily performed in the order given in a real environment.
1. Reconnaissance: Attackers research and identify individuals they will target in the attacks, using public search or other methods, and get their email addresses or instant messaging handles.
2. Intrusion into the network: It all typically starts with spear-phishing emails, where the attacker targets specific users within the target company with spoofed emails that include malicious links or malicious PDF or Microsoft Office document attachments. These exploits infect the targeted machine and gives the attacker a foot in the door.
3. Establishing a backdoor: The attackers try to get domain administrative credentials and extract them from the network. Since these credentials are typically encrypted, they then decrypt them using “pass-the-hash” or other tools to gain elevated user privileges. From here, they move “laterally” within the victim’s network, installing backdoors. They typically install malware via process injection, registry modification, or scheduled services.
4. Obtaining user credentials: Attackers get most of their access using valid user credentials; they access systems on the victim’s network using the stolen credentials, (BotNets). The most common types of credentials are domain-administrator credentials.
5. Installing multiple utilities: Utility programs are installed on the victim’s network to conduct system administration, including installing backdoors, grabbing passwords, getting email, and listing running processes. Utilities are typically found on systems without backdoors.
6. Privilege escalation, lateral movement, and data exfiltration: Now the attackers start grabbing emails, attachments, and files from servers via the attacker’s C&C (Command & Control) infrastructure. They typically funnel the stolen data to staging servers, where they encrypt and compress it, and then delete the compressed files from the staging server.
7. Maintaining persistence: If the attackers find they are being detected or remediated, they will use other methods to ensure they don’t lose their presence in the victim’s network, including revamping their malware.
Another type of attack associated with Denial of Service involves placing tools on middleman (computers that act as relays to other computers) computers and remotely ordering them to overwhelm the victims site with fake traffic. This exploit has been attributed to taking down network of CNN and others like the computer systems at the University of California, Santa Barbara, a router at Stanford University, and a home business computer in the area of Portland, Oregon in 2000.
Cyber Terrorism Perpetrators
As of January 2010, the people Republic of China was by far the most feared in reference to cyber attacks against foreign countries. The largest and the most coordinated series of attacks on any military establishments happened in 2003 in the U.S. It was called Titan Rain. U.S. computer networks, which included those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA were attacked. U.S. Officials believed the attacks originated in China. The United Kingdom has also suffered at the hands of Chinese hackers. In 2005, a malware program was sent around to 70 U.K. Members of the Parliament and in other parts of the government. These attacks were traced back to China. In the beginning these attacks were only associated with defacement and mischief, they rapidly became aimed at information gathering. Even the White House is not exempt. In 2008 some computers were compromised by networks based in China. In January of this year, China attacked Google’s corporate infrastructure. Chinese hackers have compromised many institutions’ IT infrastructure. Investigations have discovered that at least twenty other large companies from a wide range of businesses that have included the finance, technology, media and chemical sectors of the economy. Chinese hackers have also been fighting cyber warfare with countries like Russia and Iran.
Although the Chinese IP addresses have become the most feared in the world, they are not the only ones. Baidu, the largest search engine in China was attacked by a cyber group claiming to be the cyber army of Iran. The Russian Consulate website in China was defaced in 2009. Russia is also highly suspected to have launched the Distributed Denial of Service (DDoS) attack that brought down the Estonian government in 2007. The infected machines would have flooded Estonian websites with bogus information. This was accomplished when hackers used bots (computer programs) to infiltrate hundreds of thousands of computers around the world (middlemen) without their owners’ knowledge. It is believed that hackers have infected up to a quarter of the world’s computers, making tracing the true culprits almost impossible. Whether the Kremlin was involved or not has never been proven, although some believe that the level of anti-Estonia hysteria that was created might have encouraged nationalist hackers to take matters into their own hands. It is said that thousands of people are believed to have joined in after the instructions on how to carry out the DDoS attack were posted on dozens of Russian websites.
The link between Islamic terrorist groups and cyber crime has been investigated and has been revealed to be a significant problem. The alliance between organized crime and terrorists is increasingly profitable. Terror cells will always need to launder money to find somewhere safe to place it until it is needed, like buying property for cash or investing in trusts that yield high incomes. They have learned from organized crime on how to make money from the internet and users desktops. Experts say security officials must do more to understand and confront cyber crime as part of any overall strategy for combating traditional terrorism which could lead to cyber terrorism.
According to Steven P. Bucci, Ph.D (Heritage Lecture #1123), Terrorist organizations are capable finding highly trained, intelligent, and computer literate people who are in agreement with their cause who can be taught to develop code, write malware, and hack as well as anyone. He further states that all they really need to make an effective assault in the cyber realm are two things; “First, they do not really need to attack an entire nation to achieve success. They desire to create a large event, but it does not necessarily need to be as extensive as a full nation-state attack. The second factor is that they also have abundant funds and potential access to even more. These funds open up the criminal option, which will give the terrorists the capability to be extraordinarily destructive.” (Bucci 2009)
To date no one has identified positively that any terrorist organization has conducted a cyber terror attack against a government or civilian site, this not to include national governments that support terrorism. Primarily, when terrorist organizations perform this type of activity it is considered a cyber crime activity.
Individual or independent software crackers are also a threat, but of different sort. One of the most celebrated cases in America is the case of United States vs. Robert Morris. In 1988 Robert Morris created a computer virus called a worm in a lab at Cornell University. The intent of the program was to find and “brake in” to as many computer systems it could. According to Morris it was only an experiment that when wrong. When it was able to be contained it had infected over 6000 machine attached to the internet. Morris was convicted under the Computer Fraud and Abuse Act (CFAA) of 1986.
MafiaBoy also know as Michael Calce, a high school student from Canada launched a denial-of-service attack in February 2000 that affected websites that included Yahoo!, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. Both Michael Calce and Robert Morris committed crimes that required the skills of a cyber warrior and their acts exhibited the outward behavior of a terrorist attack, but both lacked the intent and motivation that would classify them as cyber terrorist. Single individuals would not profit from being a cyber terrorist. These types of attacks are motivated by greed and notoriety. Even the factious character Thomas Gabriel from the movie Live Free or Die Hard created a “fire Sale”, a term used to mean everything must go. Thomas, a terrorist hacker had taken control of all the networks within the United States. Everything networked that controlled energy, public transportation, utilities, and communications, including the media. Although no one is in agreement whether or not this could actually be accomplished, Thomas Gabriel’s ultimate goal was financial gain.
Others that have gained notoriety were “Captain Crunch”. In 1972, “Capt. Crunch” aka John Draper, found out that by blowing the whistle that came in the Capt. Crunch cereal boxes, he could reproduce the notes that would place free long-distance phone calls. He spent some time in prison and on probation. Afterwards he went to work for Apple Computer. Kevin Mitnick in 1994 was the world’s most wanted hacker for breaking into Digital Equipment’s computers and stealing source codes. He served time in prison before becoming a book author. Kevin Poulsen in 1995 broke into the FBI’s computers. After his prison time he became a computer security journalist. Onel DeGuzman in 2000, this computer science student unleashed the “ILOVEYOU” virus on the internet. He went unpunished because the Philippines had no laws covering the computer crimes.
Targets of Cyber Terrorism
From a national security viewpoint, the real danger is that a determined and talented cyber terrorist could break into a utility or chemical plant’s computer network and manipulate the sensor-control systems; in essence a “ localized fire sale”. With this type of attack anything that could set off an “accident” that could kill not just workers at the plant, but thousands of civilians in the surrounding area. Nearly 300 critical-infrastructure facilities lie in densely populated regions with 50,000 or more local residents, according to the Department of Homeland Security (DHS). In Idaho this scenario was successfully put to test by the US-Department of Energy and they brought down a power station. The US Department of Energy took part in an experiment code-name Aurora, wanted to see if it is was possible to bring down a power station using a simulated attack by a computer terrorist. The power cycle was changed enough in the power station to take it off line.
At least three US oil companies were the targets of a series cyber attacks that may have originated in China, that are attributed to a new level of sophistication in the growing global war of internet espionage. The focus of the attack was to glean information pertaining to the industries valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide. Marathon Oil, ExxonMobil, and ConocoPhillips were not aware of the attacks, which occurred in 2008, until the FBI informed them in 2009. The data that was stolen included email passwords, messages, and other sources connected to executives with access to proprietary exploration and discovery information.
Cyber attacks come manly in two forms: one against data, the other on control systems. The first type attempts to steal or corrupt data and deny services. The vast majority of Internet and other computer attacks have fallen into this category, such as credit-card number theft, web site vandalism and the occasional major denial-of-service assault conducted by cyber warriors (crackers) and or those connected to organized crime looking to gather financial data. Control system attacks attempt to disable or take power over operations used to maintain physical infrastructure, such as “distributed control systems” that regulate water supplies, electrical transmission networks and railroads. While remote access to many control systems have previously required an attacker to dial in with a modem, these operations are increasingly using the Internet to transmit data or are connected to a company’s local network.
Many power companies and water utilities are operated with networks of computer-controlled devices, known as supervisory control and data acquisition (SCADA) systems, which could be hacked. In 2002 the FBI reported to congress that “U.S. law enforcement and intelligence agencies have received indications that Al-Qaida members have sought information on SCADA systems that was available on multiple SCADA-related Websites. SCADA systems could be attacked by overloading a system until failure, and then causes other operations to malfunction. It is common belief that the technology exists for such an attack to occur, but that terrorist organizations still lack the skill to make it happen.
Defenses against Cyber Terrorism
Before anyone can defend against a cyber terrorist attack there has to be an acknowledgment that there is a “cyber war” taking place. Terrorist plots in the United States and in the United Kingdom have grabbed the attention and opened the minds of most, and have shown the world that those with the proper skills can do serious harm. Why then would it not make sense that a terrorist or a nation would not combine an ideology and some technical skill to deploy a cyber attack?
In December of 2009 the Ponemon Institute released its Cyber Security Mega Trends Study of IT Security and Operational professionals. In the study questions were asked to determine the perceptions in the levels and severity of cyber security risks. The results varied greatly between IT Operations and IT Security. 92% of IT security professionals say they had been a victim of cybercrime, yet only 55% of IT operations from the same companies claimed to have been a victim. 45% of IT operations say they either don’t know and have not been a victim.
Fig. 2
The cyber attacks against Estonia demonstrated what a war in cyber space could be performed when the expertise is gathered around one cause. The outcome of that attack was the acknowledgment that today’s society is very vulnerable to cyber criminals or militant hacker groups. For the last decade, the federal government’s information systems and critical infrastructures have remained a “high-risk” category as assessed by the Government Accountability Office. Many Islamist hacker sites are hosted in the United States. Under Executive Order 13224, companies are not allowed to provide services to organizations known to support terrorism, but here is still a large gap in cooperation between the government and industry that would go far in closing these sites down.
Some sites that have been shut down in the United States have reappeared in other countries such as Malaysia. In May 2006, the Malaysia’s Prime Minister, Abdullah Badawi, announced the creation of a program called the International Multilateral Partnership Against Cyber-Terrorism (IMPACT), to help countries work globally to fight cyber terrorists. Because of this organization’s efforts, a jihadist hacker site registered in Florida was shut down, but those behind it moved its operation in to Malaysia. The Malaysian authorities took action to shut the site down, but it appeared again where it originated, Tampa Florida. Since then the site has grown from only 300 to more than 122,000 in membership. There are those in the congress that feel the United States needs to keep these jihadist sites up in order to monitor and understand their activities. This approach has its merits in relationship to “counter cyber-warfare.” Although in the cyber world the lessons of too many “un-friendly” sites multiplying and growing with impunity is not wise. The attack against Estonia should be a sobering reminder. IMPACT in Malaysia has shown that governments and private organizations are working together combat and defend against cyber terrorism.
Laws in the United States pertaining to the Internet are written to protect the right to privacy not to ward against cyber terrorism. To understand this you have to understand what the right to privacy means. Be aware that there is also a distinction between privacy and anonymity. Privacy applies when people already know something or the when the facts can be publicly known. Anonymity is when you don’t have any knowledge about anything or anybody. The government has always restricted privacy, but there is a tradeoff between security and privacy.
The concept of a right of privacy came from a kind of freedom known as freedom from biased press coverage. In 1890 a Harvard Law Review article by Samuel Warren and Louis Brandeis used the term in proposing a new tort “the invasion of privacy” in their complaint about how “the press” was printing the social activities of the Warrens, a prominent Boston family. The argument was the paper produced “injury to reputation on grounds that invasion of privacy was a deeper harm, one that damaged a person’s sense of their own uniqueness, independence, integrity, and dignity, making the claim that privacy was a personal, not a property, right. Thought out the years case law has set precedent until the idea of Reasonable Expectation was introduced with Katz v. U.S. 389 U.S. 347 (1967). Briefly the key points were; Katz shifted the definition of privacy from being place based to being person based. Previous, the idea of privacy were derived mainly from the “property” concept in life, liberty, and property. Katz also balanced the interest in protecting individuals from government intrusion with the interest in protecting society from criminals. When adding search and seizure, the Fourth Amendment, a search is defined as any invasion of privacy by a government official where there is a reasonable expectation of privacy. A “seizure” is any deprivation of liberty or property. Both searches and seizures are governed by the unreasonable search and seizure clause before any other standard is applied. This is why there are exceptions to what constitutes a search or requires a warrant for seizure. These exceptions are; plain view, hearing, smell, and touch, what is in an open field, public place, or what was on an abandoned property Tangible v. Virtual (intangible).
Information privacy in cyber space is only now being a thought of as technologies are transforming and developing. It was the development of the news print that started the debate of individual privacy and that debate has moved to the internet. A computer connected to the Internet is a publishing company, telephone, television, all together in one. The Fourth Amendment, really views privacy in terms of zones or spheres, but the Internet and information technology changes all that. Cyber space isn’t a place portioned off in sections where someone owns and governs it as their own. Neither is it a place where it is desired to have the government snooping or regulating it. The issue of Congress trying to come up with a set of cyber space regulations, and then establishing jurisdiction would be extremely problematic.
In cyber space the law of privacy is viewed differently. Plain view is, as long as someone isn’t using a technology too advanced (not available to the public) that can look past your security system is allowed. In plain view stops when others can manipulate your hard drive via the Internet. Open fields now means that anything posted beyond your “curtilage” is public domain or public property. Unless what a person has posted in cyber space is copyrighted with notices, or a registered trademark or patent. A public place means that any “flow” of information as part of ordinary commerce, regular transmission or exchange of information is not private in cyber space. Banking, credit records, and all sorts of other database information qualifies as non-private.
Cyber space law was established mainly to address certain aspects of the Internet and is mainly driven by how a computer is used to commit a crime or if the crime is committed against a computer. Most cyber crime is prosecuted at the federal level under either of these two acts. The Computer Fraud and Misuse Act (last amended 1999): “Whoever knowingly accesses a computer without permission…to obtain information…defined as harmful to national defense, foreign relations…, or injury to the United States, intentionally accesses the financial record of a financial institution, any computer of any department or agency of the U.S., any protected computer involved in interstate or foreign communication, any nonpublic computer that conducts affairs for the government…with intent to defraud, extort, or cause damage…shall be punished by fine and imprisonment for five to twenty years.” The other is the Economic Espionage Act of 1996: “Whoever intentionally or knowingly steals, copies, receives, or conspires to benefit any foreign instrumentality by converting any trade secret related to interstate or foreign commerce shall be subject to criminal and civil forfeiture of all property used or derived from the offense as well a fine from $500,000 to $5,000,000 and imprisonment from ten to fifteen years.
Conclusion
Since 1996, Presidents Clinton, Bush, and Obama have all inadequately addressed the issue of cyber terrorism, although Congress has been willing to appropriate real funding as it pertains to the traditional view of terrorism. Neither have security experts and world leaders been able to agree between themselves on whether cyber terrorism exists or how to combat it, although cyber attacks have been committed by some of the same foreign governments and individuals that deny its very existence. Terrorist and organized crime syndicates contribute to the problem by employing technically inclined individuals to deploy known exploits used by both security experts and hackers alike. A few of the world governments and private industry leaders have joined together to combat cyber terrorism by forming the International Multilateral Partnership Against Cyber-Terrorism (IMPACT), and by passing laws like the Information Technology Act, 2008. Unfortunately the laws in the United States that pertain to cyber terrorism are based upon internet privacy and do not adequately address the issue.
Glossary:
Child grooming – The deliberate actions taken by an adult to form a trusting relationship with a child, with the intent of later having sexual contact.
Malware – Short for “malicious software,” malware refers to software programs designed to damage or do other unwanted actions on a computer system.
Password cracking – The process of recovering passwords from data that has been stored in or transmitted by a computer system.
Packet sniffer – A packet sniffer is an application that captures data packets, which can be used to capture passwords and other data in transit over the network.
Spoofing – a spoofing attack involves one program, system, or website successfully masquerading as another by falsifying data and thereby being treated as a trusted system by a user or another program. The purpose of this is usually to fool programs, systems, or users into revealing confidential information, such as user names and passwords, to the attacker.
Cross-site request forgery – also known as a one-click attack or session riding and is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Backdoor – A backdoor is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected.
Rootkit – A rootkit is designed to conceal the compromise of a computer’s security, and can represent any of a set of programs which work to subvert control of an operating system from its legitimate operators. Usually, a rootkit will obscure its installation and attempt to prevent its removal through a subversion of standard system security. Rootkits may include replacements for system binaries so that it becomes impossible for the legitimate user to detect the presence of the intruder on the system by looking at process tables.
Social Engineering – is the art of getting persons to reveal sensitive information about a system. This is usually done by impersonating someone or by convincing people to believe you have permissions to obtain such information.
Trojan horse – is a program which seems to be doing one thing, but is actually doing another. A trojan horse can be used to set up a back door in a computer system such that the intruder can gain access later. (The name refers to the horse from the Trojan War, with conceptually similar function of deceiving defenders into bringing an intruder inside.)
Virus – is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Therefore, a computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells.
While some are harmless or mere hoaxes most computer virus are considered malicious.
Keylogger – is a tool designed to record (‘log’) every keystroke on an affected machine for later retrieval. Its purpose is usually to allow the user of this tool to gain access to confidential information typed on the affected machine, such as a user’s password or other private data.
Web Site Resources
ABS-cbnnews.com. (2010, January 19). Young lawmaker says cybercrime bill ‘too vague’. Retrieved from Computer Crime Research Center website: http://www.crime-research.org//.01.2010//
Krasavin, S., Ph.D. MBAv. (n.d.). What is cyber-terrorism? Retrieved from Computer Crime Research Center website: http://www.crime-research.org//terrorism.htm
Lemos, R. (n.d.). Cyberterrorism: The real risk. Retrieved from Computer Crime Research Center website: http://www.crime-research.org//.htm
Melnick, J. (2007, August 19). The cyberwar against the United States. Retrieved from Globe Newspaper Company website: http://www.boston.com///_opinion//////_cyberwar_against_the_united_states/
Nakashima, E. (2009, May 26). Obama set to create a cybersecurity czar with broad mandate. Retrieved from The Washington Post website: http://www.washingtonpost.com/dyn//////.html
Sizemore, E. (n.d.). Cyber terrorism: The past, the present, and the future. Retrieved from Associated Content website: http://www.associatedcontent.com/article/177180/cyber_terrorism_the_past_the_present.html
US oil industry hit by cyberattacks: Was China involved? (2010, January 25). Retrieved from The Christian Science Monitor website: http://www.csmonitor.com////oil-industry-hit-by-cyberattacks-Was-China-involved
Fig-1 Bucci, S. P., Ph.D. (2009, June 12). The confluence of cyber crime and terrorism. Retrieved from The Heritage Foundation website: http://www.insideronline.org/.cfm?id=10340
Fig-2 Brice, C. E. (2009, December 8). 2009 security Mega Trends will bring on the advent of operational security [Web log post]. Retrieved from http://blog.lumension.com/?p=216
References to Quotes
Blomfield, A. (2007, May 17). Russia accused over Estonian ‘cyber-terrorism’. Retrieved from Telegraph website: http://www.telegraph.co.uk////accused-over-Estonian-cyber-terrorism.html
Canbarra. (2003, February 26). Erratca:Dr. Alan Ryan, cyberwar [Online forum message]. Retrieved from http://identity-love-sock.com///_age-03-02-26.001.html
Malone, M. S. (2009, July 10). Cyber-terrorism and how we should respond. Retrieved from ABC News website: http://abcnews.go.com///?id=8045546&page=1
(Hunker 2001) MEYER, J., & SHIVER, J., Jr. (2001, October 9). U.S. to intensify effort against threat of computer terrorism. Retrieved from Los Angeles Times website: http://articles.latimes.com/////
(Pollitt 1997) Pollitt, M. M. (n.d.). Cyberterrorism. Retrieved March 11, 2010, from http://en.wikipedia.org//
(Forno 2001) U.S. names cyber-terrorism czar. (2001, October 10). Retrieved from BBC News website: http://news.bbc.co.uk////.stm
(Verton 2007) Wright, G. (n.d.). Official: USA vulnerable to cyber terrorism. Retrieved from USA TODAY website: http://www.usatoday.com/tech/news/computersecurity/2002-07-19-cyber-terrorism_x.htm
Nonperiodicals
Bullock, J. A., Haddow, G. D., Coppola, D., Ergin, E., Westerman, L., & Yeletaysi, S. (2005). Information security and national network infrastructure security. In Homeland security (pp. 153-170). Burlinton MA.: Butterworth-Heinemann.
Howard, R. D., & Sawyer, R. L. (2002). Terrorism and IT: Cyberterrorism and terrorist organizations online. In Terrorism and counterterrorism (pp. 271-288). Connecticut: McGraw-Hill /Dushkin.
Cases and Statues
United States v. Kevin Milnick, No. 97-50365, slip op. (9th Cir. Apr. 20, 1998) (Open Jurist).
18 U.S.C. § 1029 Fraud and related activity in connection with access devices
Unites States v. Kevin Poulsen, No. 94-10020, slip op. (9th Cir. Dec. 8, 1994) (Open Jurist).
18 U.S.C.A. § 793 Gathering, transmitting or losing defense information