All of these scenarios are well within the realm of possibility, and there is strong evidence that our adversaries have examined some of them as options. In January 2002, the National Infrastructure Protection Center issued a notice to the water industry warning that al Qaeda had been seeking information on SCADA systems from various resources on the Internet. Also in early 2002, the FBI disseminated information regarding possible attempts by terrorists to use U.S. municipal and state Web sites to obtain information on local energy infrastructures, water reservoirs, dams, enriched uranium storage sites, and nuclear and gas facilities.
The Barbarian is Inside The Gates
Large-scale virus and worm propagation, hacking, distributed denial of service attacks, identity theft, and data hijacking and extortion are often referred to as acts of cyber-terrorism even absent the elements of intimidation or political goals. There has been little evidence to date of any confirmed attempts by terrorist adversaries to use cyber methods to achieve mass disruption. While it is important to recognize the potential use of cyber space as a terrorist weapon, the threats to cyber security that we most frequently encounter, and those that have been the most damaging, are far more ordinary in their points of origin.
The barbarian seeking to slay us in cyber space is more likely to be inside the gates than out, particularly in business enterprise. The IT industry estimates that approximately 80 percent of reported network compromises are insider cases, in which there was some involvement on the part of an employee, former employee, contractor, vendor, or some other person who either holds or previously held some degree of trusted access status.
This degree of access, coupled with the insider's familiarity with the enterprise's mission-critical assets, makes insider cases more damaging than outsider incidents. Quite often, investigators need look no further than the human resource or procurement records of a victim institution to find the name of the perpetrator.
The insider threat is believed to be so serious that the United States Secret Service and Carnegie Mellon CERT/CC have embarked jointly on the Insider Threat Study to analyze the physical and online behavior of insiders prior to and during network compromises, as a means of developing information that might aid in the preventative effort.
Weapons Easy to Obtain
The greatest threat in cyber space is traditional criminal enterprise. Carnegie Mellon CERT reports that computer-related crime has increased by a factor of 36 since 1997. Citing FTC statistics released in September 2003, the Joint Council on Information Age Crime reports that there were 27.3 million identity theft victims in the United States in the past five years, with business, financial-institution and consumer losses exceeding $53 billion in the past year.
Just as technology has enhanced the capabilities of legitimate business, so has it better enabled the processes of criminal enterprise. Information Age tools have provided new and more ingenious ways of committing age-old crimes. The ability to commit traditional crimes such as fraud, illicit drug dealing and child pornography has been greatly enhanced by the means of communication now available in cyberspace. Unauthorized access to data is often both an end goal of criminal cyber activity and an enabler of additional crime. The Internet is used as a means of facilitating communication for a variety of violent crimes, including child luring and enticement and homicide.
The application of new and emerging technology brings both business advantages and new risk. New technology is often employed in new and ingenious ways that are well outside the scope of a creator's imagination or initial intention, thus opening up new vulnerabilities to be exploited. It's said that the bad guys don't just work at it eight hours a day, five days a week, but eight days a week, 26 hours a day. It is often this level of effort and commitment on the part of the offender that leads to his discovery of new ways to exploit existing technology, or to gain insight on how to abuse new technology almost immediately upon its introduction into the marketplace.
The Internet has made readily available many sources of information ripe for exploitation by the technically savvy. Additionally, the well-versed social engineer need not have the technical skills to hack his way onto a network when he can more easily talk his way onto it. Social engineering techniques are being used with increasing frequency to disguise viruses and worms and to dupe users into unwittingly engaging in further on-line activity designed to increase the rate of infection.