In January of 2003, Donald Rumsfeld quoted from a recovered al Qaeda training manual: “Using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of all information required about the enemy.” Much of this information can be found on the Internet.
Even if information on a target is not directly available on the Internet, a little digging can usually uncover the information required. To illustrate this, I ran an online search for information on the only one nuclear power plant in Kansas, which provides more than 23 percent of the energy needs for the state.
This facility has a wonderful Web site describing the power plant and its history, and offering excellent nuclear energy information. There is no map to the facility, and no street address is provided for either the power plant or a corporate office. However, a simple Whois.com search for the Web site’s domain name provides a street address.
Of course, it is a far cry from surfing the Internet for information to hacking into the control system. But it is important to recognize that many terrorists are extremely intelligent and have many resources. If they cannot find the information they need on the Internet, they can purchase it. If they require training on a particular piece of software, they can purchase the software and the training. We all recognize that insiders, as well as former employees, pose a threat to our information today. It is not far-fetched that terrorists could purchase information or knowledge from these same people.
In 2000, Vitek Boden, a former employee of an Australian wastewater services provider, used his expertise to take remote control of a sewage treatment plant in Australia and released nearly 300 thousand gallons of raw sewage into waterways. This in and of itself is frightening, but the fact that it took him 45 attempts before he was finally successful is the key point. No one noticed his previous 44 attempts! How many other utilities are under attack that no one is aware of?
Although I believe cyberterrorism is a threat, what really concerns me is what I call “one off” cyberterrorism—the use of technology to maximize the impact of a more standard terrorist attack. One of the goals of a terrorist attack is to cause fear in the target population, since fear often changes behavior patterns, which in turn can disrupt an economy. The greater the fear, the greater the disruption.
It is important to recognize that most disaster management and disaster response plans are stored on networked computers for ease of access. These plans often outline how a community will respond to a particular attack or threat, including which agencies or departments are designated as first responders. If terrorists wanted to maximize the impact of an attack such as the release of a biological agent or the detonation of a dirty bomb, they would do everything in their power to impede the ability of the first responders to address the attack.
Preventing ambulances, firefighters and police from promptly arriving on the scene could cause the death toll to rise and could allow toxic agents to spread over a wider area. Hacking into the systems storing these disaster management plans would provide all the information necessary to accomplish this.
Many cities list the addresses of all fire stations. This can help terrorists locate the appropriate stations to impede via an additional bomb or attack. Other systems that could be targets include law enforcement’s computer-aided dispatch systems. These systems are often integrated with GPS so that the exact location of patrol cars can be determined. I believe these systems will become more vulnerable as agencies add functionally to them. Many are linked to other agencies in an effort to quickly share relevant information. The more interconnectivity added, the greater the risk of attack.
These risks are only compounded by the fact that many law enforcement agencies do not have the resources—funds or staffing—to adequately monitor their networks for intrusions. Theoretically, terrorists could have already compromised many of these systems.
Other information that is stored on computers that may be of interest to terrorists includes: