Deb Shinder explains how cyberterrorists seek to disrupt critical systems and spread panic. What does this threat mean to IT pros and how can you train to counter cyberterrorism?
When I was actively working as a police officer on the streets, I tried hard to live by the old saying, "Hope for the best but prepare for the worst." In law enforcement, you deal with the dark side of humanity so often that it's easy to become jaded and cynical. The same thing is true, to an extent, in the field of computer and network security.
Last month, I wrote about how cybercrime has evolved over the years from a frivolous activity somewhat akin to that of graffiti artists, petty thieves, and minor trespassers to a much more serious business that can involve multimillion dollar profits. However, for the most extreme cybercriminals, it's even more serious than that. In fact, it can be a matter of life and death.
When we think of terrorism, most of us think first of terroristic acts motivated by political, religious and/or ethnic ideologies, especially since the events of September 11, 2001. There is, however, no universally agreed-upon definition of the word; it's generally recognized as the use of violence or the threat of violence that's perpetrated not only with the goal of hurting its direct victims, but also with the intent to terrorize (cause a state of fear in) others. In furtherance of this, the terroristic acts are usually not kept covert (although the preparation necessarily is), because the larger the audience, the more fear can be generated and spread.
Terrorists have used computers and the Internet to communicate with one another and coordinate their attacks for quite some time. Cyberterrorism, though, goes beyond using the technology incidentally to the crime, and makes the technology the actual weapon and/or target of the crime.
The objective of cyberterrorism
Cyberterrorists often use viruses, worms and other malware to accomplish their goals, but that doesn't mean every virus writer is a cyberterrorist. What distinguishes the cyberterrorist from a run-of-the-mill virus writer/distributor? The same elements that differentiate a "real world" terrorist from other mass murderers: the motivations, scope and intent of the act. Cyberterrorists employ some of the same tools as profit-motivated criminals and even casual crackers who launch malware attacks "just for fun," but the motivation and intent involve creating fear and panic in a large segment of the population - even if the scope of the actual attack is limited.
To better understand this, consider an example from the "real world." Richard Reid, the infamous "shoe bomber," in December 2001 attempted to detonate explosives he had hidden in his shoes. The attempt failed, but because of the resulting fear, almost ten years later, all airline passengers in the U.S. are still required to remove their shoes and put them through the x-ray scanners. Similarly, a cyber attack doesn't have to do great damage in order for cyberterrorism to accomplish its purpose, so long as it generates widespread fear. Of course, if it does some real damage, so much the better from the cyberterrorist's point of view.
Targets of terrorism
Terrorists, including cyberterrorists, tend to "think big." Because they want to spread fear among a large segment of the population, their acts need to be high profile. One way to do that is by targeting large events, critical systems that affect large numbers of people, or particularly newsworthy individuals. Attractive targets for cyberterrorists include:
- Computers that control public utility systems such as the electrical grid or the water supply. By bringing down or taking control of such systems, they could cut off service to thousands of people, or even cause explosions that result in injuries or deaths. In the case of nuclear power plants, they could create even more panic by creating a meltdown that results in radiation leakage.
- Computers used by healthcare professionals in the diagnosis and treatment of patients. Taking over these systems or causing them to fail at a critical time could have dire consequences, up to and including death, for patients who are given the wrong medications or the wrong doses, whose surgeries are disrupted, or who are misdiagnosed and thus given the wrong treatments.
- Computers that control the transportation system. Our means of getting around today are mostly computer-controlled, from the cars on the streets to the train/subway/public transportation systems to jumbo jets in the skies. And it's not just the vehicles themselves; traffic control devices, air traffic control equipment and such are all computerized. By seizing control of those systems, a terrorist can bring travel to a half, disrupt the productivity of businesses, and even cause motor vehicle accidents that result in property damage, injuries and deaths.
- Computers used by local, state and federal government agencies, especially in public safety and national defense. From local police departments to the U.S. military, computers are used to organize the functions of government personnel who are directly responsible for protecting the citizenry. By taking down or controlling these systems, terrorists can prevent police, firefighters, military personnel, etc. from doing their jobs, direct them to the wrong locations, send them on "wild goose chases," cause them to take the wrong (and possibly dangerous actions), etc.
- Computers used by the news media to disseminate information. News agencies - including print reporters, TV and radio news crews and those who use online media — all use computers in the process of getting the news out to the public. By taking over those systems, terrorists can keep the public in the dark about what's going on or even spread disinformation that could lead to public uprisings or panic in the streets.
- Computers used for financial transactions. Today's banking, retail and business-to-business transactions are very computer-dependent. From the cashier at the big-box discount store who doesn't know how to make change without the instructions of the computer to the Federal Reserve banks maintaining accounts and payment services for other banks, everything is done electronically. By taking down or controlling those systems, terrorists could bring the entire economic infrastructure to a halt and induce mass hysteria among the population.
- All electronic devices and components. The doomsday scenario of cyberterrorism is a massive electromagnetic pulse (EMP) that wipes out the circuits of most or all electronic devices. An EMP would simultaneously destroy all unshielded computers, telephone systems, TVs, radios, the electronic components in cars, washing machines, assembly lines, traffic lights, pretty much every machine or device that relies on electronic circuitry. This would have far-reaching catastrophic consequences and it's probable that a significant portion of the population would die from starvation and lack of potable drinking water.
What does it mean to the IT pro?
Protecting against cyberterrorism isn't just the job of the government. If you're responsible for the administration of a network — whether it's a large enterprise network, a local government network, a small business network or even a home network — you're on the front lines in the battle against cyberterrorism, whether you realize it or not. You might think that your network wouldn't be an attractive target to a terrorist because it doesn't control critical infrastructure, healthcare equipment/data, major financial transactions or other "important" tasks and information. But even if your network isn't the target, it can be used by cyberterrorists as a weapon.
Although cyberterrorists may strive to make the results of their acts of terrorism well publicized, they also take care to keep the physical origins of those attacks secret. Thus they prefer to seize control of intermediary systems (without the knowledge of the owners of those systems) to do their dirty work so it can't be easily traced back to them. Cyberterrorists can use standard malware distribution techniques (such as email attachments and "drive-by downloads" on websites) to install remote control software on computers and turn them into "zombies" that are part of a huge botnet. The "bot master" can then use these computers to launch DDoS attacks against those more critical targets.
The takeaway here for IT pros is that you need to protect your systems not only from being the target of a cyberterrorist attack, but also from being used to accomplish one. Awareness is the first step. If your network is not adequately secured, you're putting more than just your own systems/your own company at risk. If those systems are connected to the Internet, you have an obligation to take measures to prevent them from being used against others, just as someone who owns a gun has an obligation to keep it out of the hands of children or someone who owns a car has the legal obligation not allow an unlicensed person to drive it.
Steps you can take
The details of securing your systems are beyond the scope of this article, and differ depending on your particular configurations. They include the basics, such as a good multi-factor authentication system with policies requiring strong passwords that must be changed frequently and smart card/token or biometric systems; access controls; encryption technologies to protect data both in storage and in transit, continuous monitoring and reporting of security events; a comprehensive incident response plan; and so forth. Once your security mechanisms are in place, penetration testing is essential to spot the vulnerabilities in your protective mechanisms and plug them.
Education and training
Some are predicting that cyberterrorism expertise may be the key to a successful IT career in the coming years.
Many universities have training programs in counter-cyberterrorism for corporate and government personnel. Many of these programs are funded in full or in part by the federal government. If you work in an area where you're responsible for managing and monitoring systems that control critical infrastructure, the Cyberterrorism Defense Analysis Center (CDAC) offers free Department of Homeland Security (DHS) certified training programs for qualified personnel. You can find out more here: http://www.cyberterrorismcenter.org/
March 29-31, 2011, The Government Security Conference and Expo (GovSec) is being held in Washington, D.C. to help government and law enforcement officials prepare to defend against cyberterrorism.
June 27-29, 2011, IDGA (Institute of Defense and Government Advancement) Cyber Warfare Summit will be held in Washington, D.C. with the objective of "advancing the development of cyber operations."