By Michael Chance
University of New Haven
M.S. National Security
Since the events of September 11, 2001, terrorism has been an issue at the forefront of National Security. This paper explores the more specific threat of cyberterrorism and why we are in danger, examines incidents of cyberterrorism and our response, and looks at the role it will play in the future. This review of cyberterrorism was conducted using open source information such as unclassified government documents and newspaper articles concerning the subject matter.
To understand cyberterrorism, one must first be familiar with terrorism. According to the Code of Federal Regulations, terrorism is “the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.” (Code of Federal Regulations Title 28 Section 0.85 Set. (2007). Government Inst.) This concept is fairly easy to grasp and most Americans have an understanding of what terrorism is. But when talking about cyberterrorism there seems to be some confusion as to its components. In February of 2002 Executive Assistant Director of the FBI Dale Watson gave testimony before Congress stating that “cyberterrorism--meaning the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population--is clearly an emerging threat.” (http://www.fbi.gov/congress/congress02/watson020602.htm) While still a form of terrorism, it takes a different approach than conventional terrorism. Dorothy Denning, a well-known information security researcher, provides a more comprehensive definition:
“Cyberterrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.” (http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html)
Richard Clarke, a counterterrorism expert and special advisor to President Bush on cyberspace security, described our vulnerability to a cyber terrorist attack as a digital Pearl Harbor: an attack that we would never see coming and that would have devastating effects. We can no longer turn a blind eye to these possibilities. In moving forward “it is imperative to imagine the ways terrorists could disrupt the nation’s information infrastructure and the computer networks that control telecommunications, the electric grid, water supplies and air traffic.”
This research was conducted using open source documents that are available to the public. All documents are unclassified and openly available for viewing. References used for the analysis of the topic were found via the Internet. Examples of works cited are unclassified government documents found on government websites using search terms related to the topic. Internationally distributed newspapers were also used to support the construction of the paper. Other valid and reliable sources used in collecting data were government websites for agencies such as the Federal Bureau of Investigation. Additional research was pursued utilizing college and university websites that posted studies of similar matters. Furthermore, books written by experts were examined and relevant information was extracted to reinforce the views within this text.
In reviewing the literature it was important to identify that which was reputable and worthy of noting. Information that was not corroborated or that came from a source that was not credible was examined and excluded from use based on its merit. Data from respectable scholars and universities were studied and surveyed. Ideas were compared and contrasted and then used to support my thesis. Inquiries into this particular field produced numerous results. A logical analysis of the material was conducted and is presented in this paper.
REVIEW OF THE LITERATURE
Critical infrastructure is defined by the USA Patriot Act as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” (United States, 2001)
It can be said that this infrastructure represents the backbone of the United States. Minimizing our vulnerabilities to terrorist threats is a shared responsibility that falls on federal, state, and local government as well as private industry.
According to the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, we must commit to “secure(ing) the infrastructure and assets vital to our national security, governance, public health and safety, economy, and public confidence.” (United States, 2003. Pg vii). This network is made up of the institutions that our country relies on to function as a society. It is comprised of “agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemical industry and hazardous material, and postal and shipping.” (United States, 2003. Pg 6). These represent the staples of our nation and its economy. Even though they are separate entities that are self-governing they are interdependent upon one another. The relationship is complex and the disruption of one could adversely affect the other. Each sector plays a key role in our daily lives providing services that are invaluable.
This infrastructure is so essential that in 1996 President Clinton devised Executive Order 13010, Critical Infrastructure Protection, which addresses “threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures (‘‘cyber threats’’)” (http://www.fas.org/irp/offdocs/eo13010.htm)
The components of agriculture and food and water represent the most basic needs of the people of the United States. All citizens require a reliable food supply and clean drinking water. Without these necessities people would go hungry or even starve. Even something as simple as washing your hands or brushing your teeth would be impossible. Any threat to these sectors could spread panic or fear amongst the people.
Any disruption in public health and emergency services would jeopardize the safety of everyone. Hospitals maintain human life and provide assistance to those in need. Public safety departments such as fire, police, and ambulances provide emergency services that are invaluable. You cannot put a price on the services that preserve human life and property.
Those that provide telecommunications, energy, and transportation are also taken for granted. In our daily lives we make phone calls and use the Internet for communications. We travel on highways and fly from airports to our destinations. Electricity is so vital to our everyday lives yet we fail to appreciate its value. Oil fuels our cars and heats our homes. Without these services our society would break down.
The United States relies heavily on the banking and finance industry to fuel the economy. Also of importance is postal and shipping. Business depends heavily on the mail system and the shipment of goods. Both are key elements in keeping the economy thriving.
Other key players in the economy are the chemical industry and hazardous materials and the defense industrial base. There are safety issues as well as economic repercussions involved with chemicals and hazardous substances. Additionally, the Department of Defense is tasked with securing our nation. It harbors military secrets and plans to carry out that task. Cleared Defense Contractors are also responsible for supporting this goal.
These groups that make up the critical infrastructure are the pillars that support the United States. If they are compromised or exploited the United States would cease to function properly and crumble. Many of these sectors are vulnerable to cyberterrorism due to their centralized control systems known as Supervisory Control and Data Acquisition (SCADA). The American National Standards Institute (ANSI) defines SCADA “as a system operating with coded signals over communication channels so as to provide control of Remote Terminal Unit (RTU) equipment.” (http://www.inl.gov/technicalpublications/Documents/3310858.pdf) This simply means that they “contain computers and applications that perform key functions in providing essential services and commodities [and] are part of the nation’s critical infrastructure and require protection from a variety of threats that exist in cyber space today.” (United States, 2002. Pg 2)
These centralized networks may provide a single point of failure for an organization that plays a key role in critical infrastructure. They make it easier to carry out a cyber attack and provide vulnerabilities for anyone with hacking abilities. Most of these SCADA systems are secure but some utilize public telephone lines in their transmissions. An example of an exploited vulnerability in a SCADA network is the staged cyber attack performed in March known as “Aurora.” The experiment was conducted by the Department of Energy in Idaho where “researchers who launched an experimental cyber attack caused a generator to self-destruct, alarming the federal government and electrical industry about what might happen if such an attack were carried out on a larger scale.” (http://www.cnn.com/2007/US/09/26/power.at.risk/index.html) It proved that critical infrastructure SCADA networks could be hacked. More importantly, it showed that in such an attack control can be gained and damage inflicted, as opposed to just shutting the system down. This experiment was an eye opener for those tasked with securing critical infrastructure and raised concerns of similar attacks. In identifying potential threats there is now proof that it can be done and it has been done.
Evan Kohlmann, a renowned counter terrorism expert, published an article in 2006 where he paraphrased Clarke’s “fears of a ‘digital Pearl Harbor’ — a cyberattack against critical infrastructure.” (http://www.foreignaffairs.org/20060901faessay85510/evan-f-kohlmann/the-real-online-terrorist-threat.html) His views are in alignment with Clarke’s in taking preventative measures to “keep terrorists from breaching sensitive government networks.” (http://www.foreignaffairs.org/20060901faessay85510/evan-f-kohlmann/the-real-online-terrorist-threat.html) He stresses the importance of this security and how it has become a growing threat. It has become apparent that these are real threats that need to be addressed.
Examples of Cyberterrorism
The Execution of Daniel Pearl
Probably the best example of using the Internet as a tool for cyberterrorism is the incident of Daniel Pearl, a Wall Street Journal journalist who was kidnapped and murdered in February 2002. Pearl, whose family is Jewish, was kidnapped by a group known as The National Movement for Pakistani Sovereignty while in Karachi, Pakistan. Pearl was investigating the infamous shoe bomber, Richard Reid, and thought he was meeting with a source for an interview. Instead, he was abducted and subsequently beheaded.
The execution and decapitation was videotaped and later posted on the Internet. The video served as a message to spread religious, political, and ideological views. As with most terrorist events such as this, the intention was also to spread fear and to coerce and intimidate foreign governments, specifically the United States. The video was graphic in nature, showing Pearl beheaded with a sword and then the executioner holding his head. The explicit video promotes terrorism and makes use of the Internet to recruit new members and motivate those already on board.
Pearl’s captors sent demands via a Hotmail e-mail address. Eventually, law enforcement traced the IP address, which led to three arrests. The person charged with the murder was Khalid Sheikh Mohammed, who is affiliated with Al Qaeda. He was sentenced to death and is being held prisoner at Guantanamo Bay, Cuba where he awaits his fate.
Abdul Aziz, aka Imam Samudra, has been linked to several bombings including the Bali bombing of a nightclub in October 2002 where 202 people were killed. He is part of a group called Jamaah Islamiah, which is linked to Al Qaeda. It is believed that he is the mastermind behind the bombing, responsible for organizing and financing the attack. Aziz used the Internet to get fraudulent credit card information in order to finance the bombing. Investigators claimed that he “left a trail of evidence on his personal computer of how he tried to commit credit card fraud to help finance terror attacks.” (Fayler, 2007. Pg 24)
Aziz was sentenced to death for his role in the killings and is being held in an Indonesian prison. While incarcerated he has been busy on the Internet and is still active in spreading his message. During his time behind bars he wrote a book “in which he described how to perpetrate credit card fraud as a means of funding terrorist attacks.” (http://www.timesonline.co.uk/tol/news/world/asia/article617892.ece) The book contains a chapter titled “Hacking- Why not?” In this portion of his book Aziz “urges fellow Muslim radicals to take the holy war into cyber-space by attacking US computers specifically for the purpose of credit card fraud.” (http://epress.anu.edu.au/sdsc/cyber_warfare/mobile_devices/ch04s06.html) Aziz goes on to guide aspiring terrorists by telling them how to make contact with others with similar interests in chat rooms and how to communicate using e-mails and instant messaging. He also instructs these individuals how to browse the Internet to collect intelligence and download tools to carry out credit card fraud. Overall, his efforts are helping those that wish to organize, recruit, and fund for the purpose of carrying out terrorist attacks.
A resident of the United Kingdom, Younes Tsouli is referred to as the world’s most wanted cyber-jihadist. Tsouli is responsible for many web sites and web forums posted on the Internet that promote terrorism. His support for Al Qaeda and Islamic terrorism is clearly stated on these web sites. His web forums, Islamic Terrorists and Islamic Supporters Forum, contain images of terrorism and helped others plan attacks. By posting this content on his web sites “he became the main distributor of video material from al-Qaeda in Iraq.” (http://news.bbc.co.uk/2/hi/americas/7191248.stm) His role was to “covertly and securely disseminate manuals of weaponry, videos of insurgent feats such as beheadings and other inflammatory material.” (http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500020.html)
Due to his technical abilities and support for Islamic terrorism Tsouli quickly became involved in its workings. He was recruited by high-ranking Al Qaeda members to aid and assist in the movement. His web sites provided information on how to acquire explosives and make bombs. They also gave instructions and often had hidden links to more extremist information. There was also hacked software offered to download from these sites. Tsouli once “posted a 20-page message titled ‘Seminar on Hacking Websites,’ to the Ekhlas forum. It provided detailed information on the art of hacking, listing dozens of vulnerable Web sites to which one could upload shared media.” Al Qaeda provided the funding for his operations. (http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500020.html)
Authorities were able to locate Tsouli through Internet and phone records. Eventually “investigators raided Tsouli’s house, where they found stolen credit card information [and] looking further, they found that the cards were used to pay American Internet providers on whose servers he had posted jihadi propaganda.” (http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500020.html) He was sentenced to 16 years in prison for his involvement with terrorist groups. At the time “his conviction was the first for incitement to commit an act of terrorism through the Internet.”
Georgian Web Site Defaced
In mid-2008, conflicts arose between Russia and the small country of Georgia, which lies on the southern border of Russia. The conflict was fought over control of South Ossetia, which borders both Russia and Georgia. Both countries attempted to assume control of South Ossetia and military action was taken by both sides. Eventually Georgia would withdraw its troops, conceding to Russia.
As part of this conflict cyber attacks were launched against “the main website of the Georgian Ministry of Foreign Affairs (mfa.gov.ge).” According to McAfee, web site defacement is “changing the home page or other key pages of a Web site by an unauthorized individual or process.” (http://www.mcafee.com/us/threat_center/glossary.html) Such unauthorized access could damage or threaten the credibility and reputation of the victim. In this case images of Georgian President Mikheil Saakashvili were likened to those of Adolf Hitler. The images were meant to send a politically motivated message. Vandalizing the web site for the Ministry of Foreign Affairs of Georgia was an attempt to damage its reputation and discredit it amidst a politically driven war. Defacement is a new tactic for fighting war that does not employ violence but instead spreads propaganda across the Internet.
Response to Cyberterrorism
In 1996 President Bill Clinton issued Executive Order #13010, which dealt with the protection of critical infrastructure. It mentioned “threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures (“cyber threats”)” (http://www.fas.org/irp/offdocs/eo13010.htm) It was a basic plan to deal with threats to critical infrastructure and outlined the agencies that were part of this plan. Mainly, the objective was to protect institutions and have plans for their continued operations.
Once again in May 1998 the issue of cyber security was addressed in the Presidential Decision Directive 63. This directive was aimed at protecting the critical infrastructure discussed earlier in this paper. It summarized the need to address vulnerabilities. It also put the burden on the Federal Government and its agencies to get involved and stressed public/private partnerships. President Clinton stated his intentions to “take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.” (http://www.fas.org/irp/offdocs/pdd/pdd-63.htm)
PDD 63 would later be superseded by the Homeland Security Presidential Directive #7. Issued by President George W. Bush in 2003, it was meant to “update policies intended to protect the country from terrorist attacks.” (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1144956,00.html) Since the events of 9/11, there were new concerns and the need for new guidelines. It continued the path of prevention and security but also identified the potential for serious cyber attacks. The new directive set out to “establish a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.” (http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html)
In February of 2003 the White House released The National Strategy to Secure Cyberspace. This report is “a 76-page document outlining a sustained, multi-faceted approach to safeguarding the nation’s vital communications technologies.” (http://usinfo.state.gov/journals/itgic/1103/ijge/gj11.htm) It acknowledged the importance of the use of computer networks and their security in maintaining National Security. The plan outlines the need for a planned response to cyber attacks as well as preparedness and prevention methods. In President Bush’s letter addressing Americans in the document he describes it as “a framework for protecting this infrastructure that is essential to our economy, security, and way of life.” (United States, 2003.)
The strategy itself is made up of five key points which are “(1) a national cyberspace security response system; (2) a national cyberspace security threat and vulnerability reduction program; (3) a national cyberspace security awareness and training program; (4) securing governments’ cyberspace; and, (5) national security and international cyberspace security cooperation.” (United States, 2003. Pg 54) The plan addresses particular safeguards and the role of federal, state, and local government agencies.
Overall, the United States has made it clear that there are concerns for protecting America’s critical infrastructure and securing cyberspace. Efforts have been made to address these concerns and to clearly define whose responsibility it is to do so. In moving forward it is important for our country to continue to identify new threats and respond to them with solutions.
The Future of Cyberterrorism
In moving forward in the age of technology it would be foolish to discount the risks of cyberterrorism. It is important to keep in mind that “the next generation of terrorists are now growing up in a digital world, one in which hacking tools are sure to become more powerful, simpler to use, and easier to access.” (Weimann, 2006. Pg 170) If you consider how easy it is to attain the tools and skills necessary to carry out an attack you then must consider the true threat that cyberterrorism poses to our National Security. Knowing the intent of terrorists opens up many possibilities of using technology to achieve their goals. Consequently, “in the future, the logic bomb rather than the conventional bomb may prove to be the terrorist weapon of choice.” (Hodge, 1999. Pg 105)
It is expected that “in the future, the threat of cyberterrorism appears more ominous… cyberterrorists have the advantage of attacking from almost anywhere, by themselves, at a minimal expense, without risk of harm, and with limited risk of detection.” (Purpura, 2007. Pg 61) Many experts believe that this is a real threat and must be dealt with. As suggested by Barry Collins, Senior Research Fellow at the Institute for Security and Intelligence, “cyber-terrorism… is a misnomer in that the consequences are not limited to the world of cyberspace but occur in the physical world.” (Hodge, 1999. Pg 105) He goes on to say that “if we fail to be ready when and where the virtual and physical worlds converge, then all that will be left is terror.” (http://afgen.com/terrorism1.html)
Historically, terrorism has been characterized by acts of violence carried out with the intent to cause panic and fear. But with cyberterrorism “the face of terrorism is changing. While the motivations remain the same, we are now facing new and unfamiliar weapons.” (http://afgen.com/terrorism1.html) Frank Cilluffo of the Office of Homeland Security stated “while bin Laden may have his finger on the trigger, his grandchildren may have their fingers on the computer mouse.” (Weimann, 2006. Pg 170) The emerging threat of cyberterrorism is quickly growing and becoming a reality. We can no longer sit idly and disregard the possibility of a cyber attack. It is “likely that the threat will increase in the future for a coordinated cyberattack… cyberterrorism become increasingly more mainstream in the future.” (Wilson, 2005. Pg 22) If we fail to prepare for this inevitable future we allow terrorists an avenue to accomplish their goals. We must consider the likelihood that “tomorrow’s terrorist may be able to do more with a keyboard than with a bomb.” (Arquilla & Ronfeldt, 2001. Pg 282)
The United States needs a plan for dealing with cyberterrorism. Efforts need to be undertaken and precautionary measures put in place. A strategy for cyberterrorism should be two-fold. First, it needs a proactive approach that anticipates future events and attempts to avoid them. The best way to deal with an attack is to be prepared and prevent it from happening in the first place. Second, it needs a reactive approach that deals with the response to a cyberterrorism event. This involves identifying and reacting to an attack.
In an effort to thwart cyberterrorism “a proactive approach to securing the global information infrastructure may help to prevent future disasters in the making.” (Colarik, 2006. Pg xvii) We must locate our vulnerabilities and harden them before they are exploited. Critical infrastructure needs to be secured as well as the computer networks that control it. The need for secure computer networks does not only apply to government agencies but also to private sector companies that have databases of crucial information. Unlawful access to these networks could be catastrophic. A proactive strategy needs to be updated regularly and be one step ahead of those it is designed to protect against. Continuing safeguard measures need to be explored in order to seriously address the invisible threat against the United States.
In the near future “cyber-terrorism will increase and likely target U.S. government facilities, as well as infrastructure centers and nongovernmental organizations such as relief agencies.” (http://www.israel21c.org/bin/en.jsp?enScript=PrintVersion.jsp&enDispWho=Articles^l40) And when these attacks are carried out we need to be prepared. A reactive approach is one that has a response to the attack. There should be counter-cyberterrorism standards in place for such activity. Our preparedness and response to an attack should be planned. We need to be able to detect and then recover from any attempt at illegally accessing a computer network. A successful reactive strategy “will detect and respond to Internet events… and coordinate cybersecurity and incident response with federal, state, local, private sector and international partners.” (http://www.pcworld.com/article/111066/homeland_security_to_oversee_cybersecurity.html)
Overall, the future of cyberterrorism and the role it plays is somewhat unknown. But what is known is that the threat exists and it is real. The United States must take measures to safeguard against cyberterrorism. There are documented events of cyberterrorism and how terrorists use cyberspace to conduct their business. Additionally, the threat to our critical infrastructure is far too serious to be taken lightly. The threat of cyberterrorism has been addressed by several presidents and acknowledged by many reputable professionals. The government has also played a role by drafting numerous Executive Orders and Presidential Directives. But it seems these efforts to assess and manage the threat fall short. More steps need to be taken for awareness and incident response and they need to be taken now. If the United States continues to struggle to allocate resources and fails to take this threat seriously, we are in jeopardy of a digital Pearl Harbor and open ourselves up to a repeat of the events of 9/11. If we continue to question whether this threat is viable and do nothing about it, we are vulnerable to an attack. Ultimately “the threat of cyberterrorism may be exaggerated and manipulated, but we can neither deny it nor dare to ignore it.” (Weimann, 2004.)
Arquilla, J., & Ronfeldt, D. F. (2001). Networks and netwars: the future of terror, crime, and militancy. Santa Monica, CA: Rand.
Code of Federal Regulations Title 28 Section 0.85 Set. (2007). Government Inst.
Colarik, A. M. (2006). Cyber terrorism: Political and economic implications. Hershey, PA: Idea Group Pub.
Fayler, G. (2007). The globalization of terror funding. Ramat-Gan: The Begin-Sadat Center for Strategic Studies, Bar-Ilan Univ.
Hodge, C. C. (1999). Redefining European security. Garland reference library of social science, v. 1154. New York: Garland.
Purpura, P. P. (2007). Terrorism and homeland security: an introduction with applications. The Butterworth-Heinemann homeland security series. Amsterdam: Butterworth-Heinemann.
United States. (2001). Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001. Washington, D.C.: U.S. G.P.O.
United States. (2002). 21 steps to improve cyber security of SCADA networks. Washington, D.C.: President’s Critical Infrastructure Protection Board.
United States. (2003). The national strategy for the physical protection of critical infrastructures and key assets. Washington, D.C.: [Dept. of Homeland Security?].
United States. (2003). The national strategy to secure cyberspace. Washington, D.C.: [Dept. of Homeland Security?].
Weimann, G. (2006). Terror on the Internet: the new arena, the new challenges. Washington, D.C.: United States Institute of Peace Press.
Weimann, G. (2004). Cyberterrorism: How real is the threat? Washington, DC: U.S. Institute of Peace.
Wilson, C. (2005). Computer attack and cyber terrorism: Vulnerabilities and policy issues for Congress. [Washington, D.C.]: Congressional Research Service, Library of Congress.