Cyberterror: Clear and present danger or phantom menace?
Source: ZDNet UK
By Andrew Donoghue
Date: December 09, 2003
Is cyberterrorism a real threat or just a distraction from the day-to-day job of maintaining network security?
"Our enemies will use our technology against us...the fact that they may be from a Third World country should not in any way suggest to us that they will not understand how to use our technology. They will see the places where we did not think we needed to build in security and they will take advantage of those seams."
This extract from a speech made by Richard Clarke, former special advisor for Cyberspace Security to the US president, in the December following the events of September 11th, describes a scenario that probably seemed entirely plausible and inevitable to the audience of the Global Tech Summit given recent events. But two years on and despite the numerous terror attacks in Bali, Turkey and Iraq, the consensus among security experts is that there has never been a recorded act of cyberterrorism pre- or post-September 11th.
Despite no precedence to support the idea of an "electronic Pearl Harbour", governments continue to warn and even legislate around the issue. Just last month Singapore beefed up its Computer Misuse Act, giving police and other security agencies sweeping powers to "foil cyberterrorists before they attack." The controversial Act, which has been criticised by opposition MPs as an "an instrument of oppression itself" allows for pre-emptive action. Anyone who hacks or defaces a Web site may be jailed for up to three years or fined up to $10,000.
"Instead of a backpack of explosives, a terrorist can create just as much devastation by sending a carefully engineered packet of data into the computer systems which control the network for essential services, for example the power stations," said Ho Peng Kee, Singapore's senior minister of state for law and home affairs.
The UK approach
The UK is taking a less alarmist approach to the potential of an electronic attack but remains concerned. Responding to a parliamentary question recently, the home secretary, David Blunkett, said the threat from computer-related attacks by terrorists or their supporters is kept under continuous review, as are measures to counter it. "The risk is assessed to be low, but growing. It could change rapidly at any time and our response will need to adjust to remain proportionate. I will keep closely under review the level of funding needed for this work," he said.
There are numerous UK government departments with responsibility for responding to an act of cyberterrorism, including GCHQ, CESG, and the Cabinet Office. The main body charged with monitoring attacks against the critical national infrastructure, the network of essential services both private and publicly owned, is the National Infrastructure Security Co-ordination Centre (NISCC).
According to a Home Office spokesperson, although there have been no known cyberterror attempts against the UK so far: "The NISCC has assessed that the threat of electronic attack is increasing. The threat of the sort of attack that could disable a critical service is low but less serious and damaging attacks that might deface a Web site or deny service from a Web site are more likely."
Cyberterror or just cybercrime?
Although there has never actually been an act of cyberterrorism, there have been plenty of instances of politically motivated hacking incidents that sit outside the realm of simple cybercrime. A report published by the US Institute for Security and Technology Studies at Dartmouth College, in the weeks following September 11th, Cyber Attacks During The War on Terrorism, warned that US retaliation following September 11th was likely to result in "cyberattacks by terrorist groups themselves or by targeted nation states."
The report cited four case studies as evidence of the growing menace of cyberterrorism. The first example, although not a terrorist incident per se, followed the mid-air collision between a US spy plane and a Chinese fighter on 1 April, 2001. The reports author, Michael Vatis, a director at the institute, claims that as a direct result of the incident approximately 1,200 US sites, including the White House, the US Air Force, and the Department of Energy were subject to DDoS attacks or defaced by pro-Chinese images.
"Chinese hacker groups, such as the Honker Union of China and the Chinese Red Guest Network Security Technology Alliance, organised a massive and sustained week-long campaign of cyberattacks against American targets," the report states.
Although Vatis accepts that it is unclear if the Chinese government sanctioned these attacks, he pointed out that the activities were "highly visible and no arrests were made by Chinese officials, it can be assumed that they were at least tolerated, if not directly supported by Chinese authorities."
Another example cited in the report is the sustained "cyberbattle" running in parallel to the ongoing conflict between Israel and Palestine. In one instance, responding to the kidnapping of three Israeli soldiers in October 2000, pro-Israeli hackers launched a "sustained DDoS attacks against sites of the Palestinian Authority. Pro-Palestinian hackers apparently retaliated by taking down sites belonging to the Israeli Parliament, the Israeli Defence Forces, and the Tel Aviv Stock Exchange, the report claims.
While these kinds of events may be regarded as politically motivated hacking, they fall short of being acts of cyberterrorism, according to security experts. The consensus seems to be that a cyberattack only becomes cyberterrorism when there is serious damage to property, loss of life -- or it causes "terror" or fear in the target community.
"Despite the heightened sense of civilian unease and government vigilance in developed countries since 11 September, there hasn't been a validated case of 'cyberterrorism' worldwide. Although terrorists undoubtedly are using the Internet to communicate among themselves and as a research tool, their use of the Internet as a delivery vehicle for a significant, digital terrorist attack is a nightmare scenario not grounded in reality. There have been no losses of life or property because of a digital attack," says Gartner analyst Richard Mogull.
Gartner defines cyberterrorism as a "terrorism attack using a digital channel." The FBI defines terrorism as "unlawful or threatened use of force or violence...against persons or property to intimidate or force a government or civilian population to further political or social objectives." Mogull says that although terrorists are using the Internet to communicate among themselves, their use of the Internet as a "delivery vehicle for a significant, digital terrorist attack is a nightmare scenario not grounded in reality." There have been no losses of life or property because of a digital attack, he adds.
Don't believe the hype
Speaking at the CeBit technology fair earlier this year, Bruce Schneier, security expert and chief technology officer of network-monitoring company Counterpane Internet Security, said the threat posed by cyberterrorism had been overestimated. "The hype is coming from the US government and I don't know why. If they want to attack they will do it with bombs like they always have," he said.
He added that rather than fostering a climate of fear, disrupting the Net and other communications networks would probably just annoy people. Schneier, like Mogull, claims that companies and consumers should concentrate on "real" threats from criminals, viruses, worms and Trojans.
Responding to Schneier's comments, a statement from the UK NISCC agreed that currently terrorists are more likely to mount physical than electronic attacks and generic warnings around cyberterrorism could be less than helpful.
"Each company, industry, user will face different threats and have different vulnerabilities. It is for each to identify where the greatest threat is likely to come from and to protect against it," the memo stated.
According to Gatner's Mogull, there are real security issues that the IT industry has to face up to before worrying about cyberterrorism, which is still only a potential threat. "We are not doing ourselves any favours in the security industry by focusing on it^; there are plenty of other issues we need to face and we have enough vulnerabilities to manage in protecting our critical national infrastructure as it is."
^macro[showdigestcomments;^uri;Cyberterror: Clear and present danger or phantom menace?]