CIOs already feel assailed as they deal with internal and external threats to the network, but a new book due out in August outlines a broader threat to computer infrastructures, including the Internet.
This book, Black Ice: The Invisible Threat of Cyber-Terrorism, details how cyberterrorism could occur, the global and financial implications, and the effect it could have on privacy and civil liberties. It also contains advice on how to prepare for and prevent cyberterrorism.
The author, Dan Verton, is a former U.S. intelligence officer and a senior investigative reporter at Computerworld. He won first place in this year's Jesse H. Neal National Business Journalism Awards for his series of stories about wireless homeland security. He also maintains his own National Security Journal.
Verton agreed to answer some questions for TechRepublic.
TechRepublic: Your average geek might see the threat to the United States' computer infrastructure as clear and present.
Verton: Actually, the situation is quite the opposite. The average computer security practitioner doesn't bring to the table a sophisticated, long-term view of international terrorism. As a result, they approach issues of terrorism based on the historical examples that we currently have to work with. According to this way of thinking, all terrorists are simple-minded, bloodthirsty killers with no other objective but to shed blood. This is dangerous, inflexible thinking—the same type of thinking that allowed us to ignore evidence dating back eight years that al-Qaeda was interested in using commercial airliners as precision strike weapons. The truth of the matter is that modern global terrorism is a thinking enemy that understands the only way to force America to withdraw from the world is to strike at the soft underbelly of the U.S. economy, which is its digital infrastructure. You're not always going to feel terrorized from a cyberterrorist incident that aims to create fear and uncertainty by striking at the economy.
TechRepublic: Is the United States more vulnerable than any other developed nation?
Verton: Yes and no. Although all modern, industrialized economies now rely on computers and computer networks for most, if not all, of their vital human and economic services, the United States remains the driving force of the global technology industry. As a result, the United States is often a first-adopter of many untested technologies that bring with them unintended consequences, particularly in the realm of security. Secondly, as a superpower, the United States has many enemies around the world who now have cyberweapons that are relatively easy to use and provide a reasonable level of safety and anonymity for the attacker.
TechRepublic: The Internet was developed as an alternative communication and information source in the event of nuclear war. How vulnerable is it, really, to cyberterrorism?
Verton: Some information security practitioners like to think of cyberterrorism in terms of what has become known as a digital Pearl Harbor—a surprise attack that has devastating consequences for the entire U.S. information infrastructure. Fortunately, this level of strategic attack falls only within the capability of one or two nation states that are willing and able to use the full range of military options at their disposal. However, a successful cyberterrorist attack that combines both physical and cyber elements on a regional scale is certainly within the capabilities of terrorist organizations today. In fact, tabletop exercises conducted by actual owners and operators of critical infrastructures in the Pacific Northwest (code named Black Ice, from which I took the title of my book) have already demonstrated how cyber or physically induced failures in one sector of the economy, such as electric power, can cause cascading failures in multiple infrastructure sectors.
TechRepublic: It's easy to see how losing electrical power can destabilize a developed nation or region but do cyberterrorists really see the Internet as a vulnerable target?
Verton: Yes. In December 2002, I interviewed Sheikh Omar Bakri Muhammad, a London-based radical Islamic cleric who has by his own admission recruited suicide bombers and considers his al-Muhajirun organization the political arm of al-Qaeda. He talked in detail about the usefulness of cyberweapons. In addition, within five months of 9/11, a senior al-Qaeda operative and senior strategy advisor to Osama bin Laden, Abu Ubeid al-Qurashi, wrote an article in al-Ansar in which he describes "jihad on the Internet" as one of the "nightmares" that will soon come to America. The evidence is there that some senior people in these groups are thinking about the future.
TechRepublic: The job of a terrorist is to spread terror. How does one spread terror through the Internet?
Verton: The goal of cyberterrorism is not necessarily to spread terror as much as it is to spread fear and uncertainty by causing people to lose faith in the government's ability to protect and serve them or, for example, significantly hinder the financial industry's ability to function properly and protect private assets. One of the problems with the post-9/11 security environment is that the tremendous loss of human life on that day has caused us to a certain extent to ignore the political and economic warfare aspects of international terrorism.
TechRepublic: When we are talking about cyberterrorism, who poses the most likely threat: a domestic cracker or a terrorist outside the United States?
Verton: I think that depends on a number of factors. For example, a domestic cracker who happens to be employed by a major infrastructure owner in the United States could be very dangerous because he or she would be operating as a trusted insider. On the other hand, we have already seen how computer viruses and worms can be launched from anywhere in the world with devastating consequences for U.S.-based businesses and government agencies.
TechRepublic: With this in mind, do you foresee a time when domestic hackers and crackers may be labeled as terrorists?
Verton: That's certainly a possibility. In fact, it has already happened in the United Kingdom, where certain types of hacking incidents are by law viewed as terrorist actions. I think any hacking incident that threatens public health or safety, such as a hacker gaining access to a hospital network and changing blood types, causing numerous deaths from incorrect blood transfusions, could certainly rise to the level of terrorism. After all, dead is dead.
TechRepublic: It's been said that Americans have had to give up hard-won rights in exchange for security. Do you agree?
Verton: I think if Americans really want 99.99 percent security (there is no 100 percent guarantee), then yes, they will have to give up some rights. But that hasn't happened yet. What has happened is the process of slowly eroding some basic rights of privacy. This stems from a knee-jerk reaction to the 9/11 attacks and the rush to employ any and all technologies that show some promise of helping to identify the sleeping terrorists in our midst. If we had started with the 40,000 people currently on the various watch lists, we wouldn't have government programs such as the Total Information Awareness program (now known as the Terrorist Information Awareness program) trying to keep tabs on every electronic transaction that takes place.
TechRepublic: The BBC reported in March that the threat of cyberterrorism is being "overhyped" by the U.S. government. What is your opinion of the U.S. government's view on cyberterrorism?
Verton: I think reports like that and statements by so-called security experts criticizing the government for thinking through the entire spectrum of possible attack scenarios are part of the problem and not part of the solution. As I write in my book, the indications and the warnings were present in 1994 that al-Qaeda was interested in using airplanes as weapons. Yet we failed to act because the "experts" said such an attack mode was unlikely.
The indications and the warnings are now beginning to surface that terrorist groups understand where we are most vulnerable. The only question that remains to be answered is if we will remain shackled by inflexible thinking. If we do, then Americans should be prepared to respond to another attack, rather than prevent one. It's unfortunate that most businesses and security practitioners today think in terms of balancing risk based on the probability of being attacked. Terrorists, on the other hand, think in terms of the art of the possible.
TechRepublic: What can your average CIO/CTO/IT manager do to protect her/his company?
Verton: Work closely with the government on information sharing and think in terms of continuity of service as opposed to disaster recovery. In addition, learn what it really means to have a "defense in depth" strategy and conduct tests and drills to identify your weak points. Then fix them.
TechRepublic: Do you see any hope for wireless security?
Verton: In the corporate world, yes. But it has proven to be plagued by cost and complexity—two drivers of inaction. The average home user, on the other hand, is a turkey in a turkey-shoot for organized crime bent on taking advantage of identity theft and credit card fraud. The knowledge, investment in security, and acceptance of risk just hasn't penetrated the consumer market yet.