Computer Crime Problems Research Center

Barton Gellman
Washington Post Staff Writer

Cyber-Attacks by Al Qaeda Feared

Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say

Late last fall, Detective Chris Hsiung of the Mountain View, Calif., police department began investigating a suspicious pattern of surveillance against Silicon Valley computers. From the Middle East and South Asia, unknown browsers were exploring the digital systems used to manage Bay Area utilities and government offices. Hsiung, a specialist in high-technology crime, alerted the FBI's San Francisco computer intrusion squad.

Working with experts at the Lawrence Livermore National Laboratory, the FBI traced trails of a broader reconnaissance. A forensic summary of the investigation, prepared in the Defense Department, said the bureau found "multiple casings of sites" nationwide. Routed through telecommunications switches in Saudi Arabia, Indonesia and Pakistan, the visitors studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities.

Some of the probes suggested planning for a conventional attack, U.S. officials said. But others homed in on a class of digital devices that allow remote control of services such as fire dispatch and of equipment such as pipelines. More information about those devices -- and how to program them -- turned up on al Qaeda computers seized this year, according to law enforcement and national security officials.

Unsettling signs of al Qaeda's aims and skills in cyberspace have led some government experts to conclude that terrorists are at the threshold of using the Internet as a direct instrument of bloodshed. The new threat bears little resemblance to familiar financial disruptions by hackers responsible for viruses and worms. It comes instead at the meeting points of computers and the physical structures they control.

U.S. analysts believe that by disabling or taking command of the floodgates in a dam, for example, or of substations handling 300,000 volts of electric power, an intruder could use virtual tools to destroy real-world lives and property. They surmise, with limited evidence, that al Qaeda aims to employ those techniques in synchrony with "kinetic weapons" such as explosives.

"The event I fear most is a physical attack in conjunction with a successful cyber-attack on the responders' 911 system or on the power grid," Ronald Dick, director of the FBI's National Infrastructure Protection Center, told a closed gathering of corporate security executives hosted by Infraguard in Niagara Falls on June 12.

In an interview, Dick said those additions to a conventional al Qaeda attack might mean that "the first responders couldn't get there . . . and water didn't flow, hospitals didn't have power. Is that an unreasonable scenario? Not in this world. And that keeps me awake at night."

'Bad Ones and Zeros'

Regarded until recently as remote, the risks of cyber-terrorism now command urgent White House attention. Discovery of one acute vulnerability -- in a data transmission standard known as ASN.1, short for Abstract Syntax Notification -- rushed government experts to the Oval Office on Feb. 7 to brief President Bush. The security flaw, according to a subsequent written assessment by the FBI, could have been exploited to bring down telephone networks and halt "all control information exchanged between ground and aircraft flight control systems."

Officials said Osama bin Laden's operatives have nothing like the proficiency in information war of the most sophisticated nations. But al Qaeda is now judged to be considerably more capable than analysts believed a year ago. And its intentions are unrelentingly aimed at inflicting catastrophic harm.

One al Qaeda laptop found in Afghanistan, sources said, had made multiple visits to a French site run by the Societe Anonyme, or Anonymous Society. The site offers a two-volume online "Sabotage Handbook" with sections on tools of the trade, planning a hit, switch gear and instrumentation, anti-surveillance methods and advanced techniques. In Islamic chat rooms, other computers linked to al Qaeda had access to "cracking" tools used to search out networked computers, scan for security flaws and exploit them to gain entry -- or full command.

Most significantly, perhaps, U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport and communications grids. In some interrogations, the most recent of which was reported to policymakers last week, al Qaeda prisoners have described intentions, in general terms, to use those tools.

Specialized digital devices are used by the millions as the brains of American "critical infrastructure" -- a term defined by federal directive to mean industrial sectors that are "essential to the minimum operations of the economy and government."

The devices are called distributed control systems, or DCS, and supervisory control and data acquisition, or SCADA, systems. The simplest ones collect measurements, throw railway switches, close circuit-breakers or adjust valves in the pipes that carry water, oil and gas. More complicated versions sift incoming data, govern multiple devices and cover a broader area.

What is new and dangerous is that most of these devices are now being connected to the Internet -- some of them, according to classified "Red Team" intrusion exercises, in ways that their owners do not suspect.

Because the digital controls were not designed with public access in mind, they typically lack even rudimentary security, having fewer safeguards than the purchase of flowers online. Much of the technical information required to penetrate these systems is widely discussed in the public forums of the affected industries, and specialists said the security flaws are well known to potential attackers.

Until recently, said Director John Tritak of the Commerce Department's Critical Infrastructure Assurance Office, many government and corporate officials regarded hackers mainly as a menace to their e-mail.

"There's this view that the problems of cyberspace originate, reside and remain in cyberspace," Tritak said. "Bad ones and zeros hurt good ones and zeros, and it sort of stays there. . . . The point we're making is that increasingly we are relying on 21st century technology and information networks to run physical assets." Digital controls are so pervasive, he said, that terrorists might use them to cause damage on a scale that otherwise would "not be available except through a very systematic and comprehensive physical attack."

'Mapping Our Vulnerabilities'

The 13 agencies and offices of the U.S. intelligence community have not reached consensus on the scale or imminence of this threat, according to participants in and close observers of the discussion. The Defense Department, which concentrates on information war with nations, is most skeptical of al Qaeda's interest and prowess in cyberspace.

"DCS and SCADA systems might be accessible to bits and bytes," Assistant Secretary of Defense John P. Stenbit said in an interview. But al Qaeda prefers simple, reliable plans and would not allow the success of a large-scale attack "to be dependent on some sophisticated, tricky cyber thing to work."

"We're thinking more in physical terms -- biological agents, isotopes in explosions, other analogies to the fully loaded airplane," he said. "That's more what I'm worried about. When I think of cyber, I think of it as ancillary to one of those."

White House and FBI analysts, as well as officials in the Energy and Commerce departments with more direct responsibility for the civilian infrastructure, describe the threat in more robust terms.

"We were underestimating the amount of attention [al Qaeda was] paying to the Internet," said Roger Cressey, a longtime counterterrorism official who became chief of staff of the President's Critical Infrastructure Protection Board in October. "Now we know they see it as a potential attack vehicle. Al Qaeda spent more time mapping our vulnerabilities in cyberspace than we previously thought. An attack is a question of when, not if."

Ron Ross, who heads a new "information assurance" partnership between the National Security Agency and the National Institute of Standards and Technology, reminded the Infraguard delegates in Niagara Falls that, after the Sept. 11 attacks, air traffic controllers brought down every commercial plane in the air. "If there had been a cyber-attack at the same time that prevented them from doing that," he said, "the magnitude of the event could have been much greater."

"It's not science fiction," Ross said in an interview. "A cyber-attack can be launched with fairly limited resources."


Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center, 2001-2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907