Pundits, the media, security directors and politicians disagree on the significance of the cyberterrorism threat. Immediately after 9/11, the public media and the industry seemed to consider it a high-stakes issue, but as time passed the tone of most articles reflected that the threat was being blown out of proportion.
It's not surprising there's no consensus, considering that many people don't even have a clear understanding of the term cyberterrorism. It refers to a politically motivated, computer-based attack that is designed to cause a catastrophic event resulting in physical harm, death and fear among a large population base.
Individuals have proposed numerous cyberterror scenarios, such as hacking into the control systems of a hydroelectric dam and releasing a flood on downstream communities, and hacking into air traffic control systems to cause the crash of a passenger jet. Are these real threats, or is the cyberterrorist just another bogeyman?
Is the Threat Overblown?
I have several friends who are cybercrime investigators for various law enforcement agencies. I conducted an informal survey with the promise of anonymity, asking if any of them was aware of true cyberterrorist attacks or investigations. They were all aware of numerous hacking attacks, but none were aware of any cyberterrorist attacks or investigations. This lends some credibility to the belief that the cyberterrorist threat has been blown out of proportion.
Industries may have proactively implemented practices to minimize such attacks. For instance, many have realized that interconnectivity, although convenient, is not necessarily a good idea. In the recently released U.S. Nuclear Regulatory Commission Draft Regulatory Guide DG-1130, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants,” remote connectivity is directly addressed. The draft states: “Remote access to the safety system software functions or data from outside the technical environment of the plant (e.g., from the administrative or engineering buildings or from outside the plant) that involves a potential security threat to safety functions should not be implemented.”
It should be noted that adherence to these guidelines is strictly voluntary. Still, even when critical infrastructure facilities are connected, they tend to be extremely difficult to get into. Hacking into the control center of a water treatment plant or power company requires a great deal more sophistication and expertise than hacking into a system to download R&D documents or credit card numbers.
Knocking on Your Door
Even though cyberterrorism appears to be a non-event, I think it is dangerous to let our guard down. Determined terrorists are still trying to find ways into the systems controlling our infrastructure, and they will keep knocking at the door in hopes that someday they can get in.
In a recent presentation, the security director of a large Midwestern utility company provided statistics showing the hits on the company’s firewalls from unfriendly foreign nations. The numbers were staggering. It appears that terrorists are not only knocking on the door of our infrastructure, they're pounding on it with hinge-shaking force. Sooner or later, they will break through, either as the result of a system malfunction or new knowledge and expertise that will allow them to bypass current security mechanisms.
In addition, despite the warnings, many organizations are throwing wide the door because they find the convenience of interconnectivity too alluring to ignore. Not only are they embracing the convenience of standard networking technologies, but they are even embracing the newer wireless technologies. I believe it is only a matter of time before a true cyberterrorism attack occurs within the United States.
Don’t Underestimate the Enemy
Perhaps the individuals who minimize the cyberterrorism threat underestimate the skill sets of our enemies. It is already understood that terrorists use computers on a regular basis for communication and research.
In January of 2003, Donald Rumsfeld quoted from a recovered al Qaeda training manual: “Using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of all information required about the enemy.” Much of this information can be found on the Internet.
Even if information on a target is not directly available on the Internet, a little digging can usually uncover the information required. To illustrate this, I ran an online search for information on the only nuclear power plant in Kansas, which provides more than 23 percent of the energy needs for the state.
This facility has a wonderful Web site describing the power plant and its history, and offering excellent nuclear energy information. There is no map to the facility, and no street address is provided for either the power plant or a corporate office. However, a simple Whois.com search for the Web site’s domain name provides a street address.
Of course, it is a far cry from surfing the Internet for information to hacking into the control system. But it is important to recognize that many terrorists are extremely intelligent and have many resources. If they cannot find the information they need on the Internet, they can purchase it. If they require training on a particular piece of software, they can purchase the software and the training. We all recognize that insiders, as well as former employees, pose a threat to our information today. It is not far-fetched that terrorists could purchase information or knowledge from these same people.
In 2000, Vitek Boden, a former employee of an Australian wastewater services provider, used his expertise to take remote control of a sewage treatment plant and released nearly 300,000 gallons of raw sewage into waterways. This in and of itself is frightening, but the fact that it took him 45 attempts before he was finally successful is the key point. No one noticed his previous 44 attempts! How many other utilities are under attack that no one is aware of?
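The Boden case is, at bottom, a detection failure: dozens of failed remote-access attempts went unnoticed. As an added example, not code from the original article, the following Python flags any source that accumulates a threshold of failed remote logins inside a sliding time window and escalates when that same source later succeeds. The log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample remote-access log in a hypothetical format; not real
# plant records. One source fails repeatedly, then finally succeeds.
SAMPLE_LOG = """\
2000-03-01 01:02:10 remote-access src=203.0.113.7 user=svc_radio result=FAIL
2000-03-01 01:05:41 remote-access src=203.0.113.7 user=svc_radio result=FAIL
2000-03-01 01:09:03 remote-access src=198.51.100.4 user=operator result=OK
2000-03-01 01:15:22 remote-access src=203.0.113.7 user=svc_radio result=FAIL
2000-03-01 01:40:58 remote-access src=203.0.113.7 user=svc_radio result=FAIL
2000-03-01 02:01:17 remote-access src=203.0.113.7 user=svc_radio result=OK
2000-03-02 09:30:00 remote-access src=198.51.100.4 user=operator result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) remote-access "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, src, user, result); silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["user"], m["result"])

def detect(text, threshold=3, window=timedelta(hours=1)):
    """Return (alerts, followups). alerts maps src -> ISO time of the failed
    attempt that reached `threshold` failures inside a sliding `window`;
    followups lists (src, ISO time) for a later successful login from a
    source that already raised an alert, the pattern worth escalating."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts, followups = {}, []
    for ts, src, _user, result in parse_log(text):
        if result == "OK":
            if src in alerts:
                followups.append((src, ts.isoformat()))
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts.isoformat()
    return alerts, followups
```

Running `detect(SAMPLE_LOG)` raises one alert on the third failure from 203.0.113.7 and escalates its later success; raising the threshold above the number of failures produces nothing, which is exactly the blind spot the Boden incident exposed.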
Although I believe cyberterrorism is a threat, what really concerns me is what I call “one off” cyberterrorism—the use of technology to maximize the impact of a more standard terrorist attack. One of the goals of a terrorist attack is to cause fear in the target population, since fear often changes behavior patterns, which in turn can disrupt an economy. The greater the fear, the greater the disruption.
It is important to recognize that most disaster management and disaster response plans are stored on networked computers for ease of access. These plans often outline how a community will respond to a particular attack or threat, including which agencies or departments are designated as first responders. If terrorists wanted to maximize the impact of an attack such as the release of a biological agent or the detonation of a dirty bomb, they would do everything in their power to impede the ability of the first responders to address the attack.
Preventing ambulances, firefighters and police from promptly arriving on the scene could cause the death toll to rise and could allow toxic agents to spread over a wider area. Hacking into the systems storing these disaster management plans would provide all the information necessary to accomplish this.
Many cities list the addresses of all fire stations. This can help terrorists locate the appropriate stations to impede via an additional bomb or attack. Other systems that could be targets include law enforcement’s computer-aided dispatch systems. These systems are often integrated with GPS so that the exact location of patrol cars can be determined. I believe these systems will become more vulnerable as agencies add functionality to them. Many are linked to other agencies in an effort to quickly share relevant information. The more interconnectivity added, the greater the risk of attack.
These risks are only compounded by the fact that many law enforcement agencies do not have the resources—funds or staffing—to adequately monitor their networks for intrusions. Theoretically, terrorists could have already compromised many of these systems.
Other information that is stored on computers that may be of interest to terrorists includes:
- Routes for vehicles transporting hazardous waste
- Locations of power plants
- Locations of fuel supplies for municipalities
- Storage areas for grain, cattle and other agricultural products
- Locations of communications centers
- Purchase history for first responders—identifying equipment available to public safety professionals
- Storage locations of dangerous chemicals
- Road construction plans
- Scheduling of security teams for special events
- Locations of power lines, water lines and gas lines
- Date, time and location of special events (large gatherings of people)
A Well-Planned Attack
With the information listed above, terrorists could perpetrate a well-planned and devastating attack on, for instance, a large public event.
- If terrorists can find information that indicates whether the security team scheduled to cover the event intends to search for explosives, they can plan a suicide bombing around that information. If there is to be no searching, they may use a stable, traditional explosive. If there is going to be searching, they may choose an explosive that is less stable, but easy to make and much more difficult to detect. Having prior knowledge of what types of explosives can get past security mechanisms increases the probability of success.
- If they can find out what types of toxic gases the local first responders are ill equipped to address—something that may be evident from first responder purchase histories—terrorists may plan to release one of those gases into the crowd.
- With the addresses of the local fire stations and hospitals, terrorists may be able to impede first responders' attempts to reach the site of the event. They may create an accident in front of a fire station, drop a large amount of spikes in front of an ambulance facility to puncture tires, or pour Karo syrup into the fuel tanks of MedEvac helicopters to slow down response times.
- Since most communication systems are now computer based, terrorists could use automated programs to flood communications systems, again increasing the impact of the attack by confusing attempts to mitigate the damage.
All of these things could be accomplished by hacking into networked systems that are often less protected than the control systems for our infrastructure.
This type of one-off cyberterrorist attack is more of a reality than direct cyberterrorism, and it has a greater likelihood of success. Because of this, every government entity tasked with emergency preparedness should have line items in their budgets for protecting their computer systems and networks. If they don’t, the emergencies they are preparing for could be much worse than expected.
John Mallery is a managing consultant for BKD, LLP, one of the 10 largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. Mr. Mallery can be reached at firstname.lastname@example.org.