Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
I have heard a lot about cyber terrorism over the last several years, and you have probably heard your share as well. As I am a scientist by training, nature, and desire, I have a basic approach to all problems - the method (no - not acting). The method says that you create hypotheses, do experiments to try to refute them, and get refutations or confirmations that are then used to adjust the theory (or not). In the case of cyber terrorism, theories abound. Every pundit on the planet seems to think they know something - but few of them know very much. The problem is that there is no good way to do experiments. So we fall back on investigative skills as the only alternative to experiments for differentiating sound candidates from foolishness.
Most people who start talking about terrorism begin with a definition or some such thing. I will not. For my purposes I just assume that terrorists are people listed on the US State Department's list of terrorist organizations. If I miss a few it doesn't matter because there are so many on the list I can never get through them all anyway. If I include some who are not really terrorists by your definition, don't be offended - I didn't write the list. And who makes the list is not as important as the basic notion anyway.
The basic notion that I have about trying to understand cyber terrorism is that it can only be done by looking at one group at a time. You look at group after group after group and try to understand all you can about them in the available amount of time. Then you start to draw conclusions as you see the forest emerging from all those trees.
You might reasonably ask how many trees I have looked at on my quest to understand the forest. At this point I have had students in graduate classes and professional researchers working with me for a number of years on this subject. The net effect is that we have done mid-level depth studies on about 20 terrorist groups in the last few years. Earlier studies are probably not all that relevant to the cyber terror issue.
In your walk through forests, you might have noticed that besides the trees, there are some other things there - like the moss and grass and animals, etc. In the cyber arena, there are also things besides terrorist groups, and you have to understand them in order to understand how the terrorist groups might be able to exploit information technologies to their ends. In this arena I have a lot of experience, having done lots of work on critical infrastructures and consulting for corporations and governments over the years.
Of course the forest lives in an overall environment, as does information technology. If cyber terrorism is to be understood, it must be understood in context. The context of the day is focused on the so-called Middle East - that region at the intersection of Africa, Asia, and Europe that is mostly desert and sitting on top of a huge oil field. Both historically, because of trade routes, and currently, because of the oil trade, this region has been, and is today, critical to the wealth of nations. The predominantly Arab population of the region wants Israel out of there and the 'West' (that being mostly the US and Western European nations) wants Israel to remain, for reasons ranging from religious heritage to strategic positioning (e.g., keep the peoples of the region at war and they will not realize that they are squandering their wealth buying guns from the West in exchange for the oil they sold to the West - leaving them with old guns that are only useful for fighting each other anyway). Of course there are lots of other terrorist groups that are lower profile today, but rest assured, they are still out there.
It should not be a big shock coming from me that I will take the approach that risks are a result of a conspiracy of threats, vulnerabilities and consequences. After all, I have written about it in this column a few times a year since 1995. In order to understand the forest, we must take the trees, mosses, other living creatures, and the outside environment into account, or we certainly miss the big picture. From this perspective, the only difference between cyber terrorism and other areas of information system abuse is the threat. The vulnerabilities that are present in information systems and the range of consequences of the exploitation of those systems by threats are more or less the same regardless of who the attacker is. This is not strictly true, because different threats apply different combinations of capabilities, with different levels of simultaneity, toward different ends.
So if we are to understand this forest, we might want to start by looking at what consequences a terrorist organization might reasonably seek through cyber space. That's what a lot of folks do - they start by trying to find enormous consequences and see if they can backtrack from those consequences to some sequence of acts that could be done by terrorist organizations. How about starting with the end of the world as we know it and seeing if terrorist groups could do it? Let's see, how would we end the world, and could we find a way to do it within the means of terrorists?
The terrorists are at somewhat of a disadvantage here because, for the most part, they really don't want to end the world, even if some of them are willing to brainwash other parents' teenaged children into committing suicide 'for the cause'. Indeed, they are sitting on the attacker's side of the fence - seeking insiders to take advantage of systems, trying to get and keep funded, working to get explosives and cache them where nation states won't take them away, trying to recruit pre-brainwashed teenagers and steep them in propaganda for a lifetime of exploitation, and so forth.
Of course we all care about the terrorist situation and the loss of life happening every day in the regions of conflict, but this does not make it a critical part of our everyday work life. Even if a terrorist group could end the world via cyber attack, it would have very little to do with what most of you do every day. So another issue that has to be considered is how cyber terrorism impacts what those who manage network security do. That has more to do with what the terrorists do every day than the one-off events they may be able to create on rare occasions. And indeed, if we can address the everyday issue, the one-off issue will be far less likely to ever happen.
So let's assume for the moment that we could focus our resources on fighting cyber terrorism in our organizations. What would that mean to most of us? Probably very little. Indeed, most of us are already defending our information systems by managing risks. The overall theory is that if each of us manages risks reasonably well, then in the aggregate we will manage the overall risk reasonably well and we will all be the better for it.
But unfortunately, this falls over when it comes to issues like cyber terrorism. The reason for this is that the successful terrorist sits closer to the edge of our risk management spectrum than at its center. Terrorists typically remain low profile until they become very high profile for a short period of time. They are trained in infiltration - which is to say - they are supposed to act assimilated until they do their big terror thing. If they commit crimes all along the way, it will be more likely that we will catch them along the way, so they try to keep a low profile, work their way into the desired position for the mission over a period of years, and then strike when the opportunity is right. As we all know but few admit, insider threats are dealt with poorly by our risk management processes.
So if we are going to look out for the cyber terrorists, it will probably be helpful to know what to look for. I cannot tell you what will happen in the future. If I knew, I would probably keep it to myself anyway. So all I can really do is tell you about the past. Recent history shows that terrorists do the following things in cyberspace:
Planning: Information technology is used to plan terrorist operations. This generally includes intelligence gathering, analysis, coordination of personnel and equipment, and other aspects of operations. If you encounter a planning process or system, contact local authorities right away - do not pass go - do not go through normal corporate processes to avoid potential liabilities or anything like that. If a terrorist detects that you have detected their planning system, you will probably be killed as soon as possible, so don't wait around. They will also move on and others will get killed unless they are stopped, so be quick about it.
Finance: Information technology is one of the keys in the financial system of terrorist organizations. They use information systems to get funding, track books, move money around, coordinate financial actions, and make purchases. Funding often goes through so-called charitable donations, through computer crimes like credit card theft, through solicitations of any sort, and naturally, through the drug trade. The drug trade is facilitated by information technology in the money laundering and funds transfer arenas, as well as by its acting as a communications medium for the sales and delivery process. As with planning, detected systems and networks should be reported to law enforcement, in this case at the federal level. The risk to life tends to be lower in the finance arena than in the planning or operations arena, and these systems tend to persist longer and be more deeply embedded in communities. In cases involving computer crimes, it is important to report to authorities so they can coordinate the actions of groups across many small activities to see the bigger picture.
Coordination and operations: Many activities are coordinated through information technology. This ranges from the transmission of 'go' signals for coordinated starts of operations, to synchronization of global activities, to arrangements to meet incoming shipments, to digital versions of dead drops. The convenience of information technology on a global scale makes it ideal for small groups to act on a globally coordinated basis with relative safety through encryption and steganographic technologies combined with anonymity. Information technology in the form of radios, telephones, and pagers is used as an operational tool all the time. Computers are also used in real time for activities ranging from checking identities to determine whom to keep in a kidnap operation to satellite links for tracking ongoing operations via the media. With increasing frequency, information systems are being exploited to facilitate operations or as the objective of an operation. If you encounter a computer used in terrorist coordination or operations, you should immediately call the authorities. Chances are you will not be close enough to a real terrorist to get killed right away, but just in case, do it sooner rather than later.
Political Action: One of the key efforts of terrorist groups is the use of information technology to gain political action and attention. This ranges from high profile web sites that urge supporters to contact their congress-people to sites that give detailed instructions on how to hold protests for maximum media effect. These sites are legal, as long as they are created in a legal manner. They are interesting to read because they clearly show that these organizations are oriented toward media attention and that most if not all of the street protests and similar activities are not spontaneous - they are planned media events.
Propaganda: Many web sites are used by terrorist organizations as part of their propaganda machines. These sites actively promote the ideals of the movements, provide selected facts and lots of misleading statements, include pictures that are identified as one thing when they are in fact something else, and so forth. They include smear campaigns, pictures of blown up bodies, ancient propaganda as the basis for current propaganda, and so forth. For the most part, these sites are legal and designed to support current and future membership by providing support for their pre-existing notions and giving them 'facts' to back up their beliefs. The vast majority of the information is not directly false, but is clearly slanted. You should probably block these sites from corporate access or identify those within the organization who go there often from work.
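The two responses suggested above, blocking such sites at the corporate proxy or merely identifying who visits them often, come down to the same hostname check applied in two modes, plus a per-user count over the proxy log. The following is an added example, not code from the column or from the author's practice; the hostnames in the blocklist are placeholders, the log lines are constructed, and the log format is a simplified Squid-like one (epoch, user, method, URL, status) assumed for illustration.

```python
"""Block or audit access to categorized sites from a web proxy log.

Added example. BLOCKED_HOSTS and SAMPLE_LOG are constructed placeholders;
the log format is an assumed, simplified Squid-like layout:
    <epoch> <user> <method> <url> <status>
"""
from collections import Counter
from urllib.parse import urlparse

# Hostnames the organization has categorized as propaganda sites.
# Placeholders only; a real deployment would load a maintained category list.
BLOCKED_HOSTS = {
    "propaganda.example.org",
    "www.propaganda.example.org",
    "rally.example.net",
}

# Constructed proxy log sample, including one malformed line to skip.
SAMPLE_LOG = """\
1017612000 alice GET http://www.propaganda.example.org/news.html 200
1017612060 bob GET http://intranet.example.com/home 200
1017612120 alice GET http://propaganda.example.org/gallery/1.jpg 200
1017612180 carol GET http://news.example.com/world 200
1017612240 alice GET http://rally.example.net/howto 200
1017612300 bob GET http://video.propaganda.example.org/clip.mp4 200
1017612360 alice GET http://mirror.rally.example.net/archive 200
this line is malformed and should be skipped
"""


def is_blocked(host):
    """True if host is a listed hostname or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return True
    return any(host.endswith("." + blocked) for blocked in BLOCKED_HOSTS)


def decide(url, mode="block"):
    """Policy decision for one request.

    mode="block"   -> listed sites are denied outright.
    mode="monitor" -> listed sites are allowed but flagged for review.
    """
    host = urlparse(url).hostname
    if host is None or not is_blocked(host):
        return "allow"
    return "deny" if mode == "block" else "allow-and-log"


def parse_line(line):
    """Parse one log line; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    epoch, user, method, url, status = parts
    try:
        return {
            "ts": int(epoch),
            "user": user,
            "method": method,
            "host": urlparse(url).hostname,
            "status": int(status),
        }
    except ValueError:
        return None


def frequent_visitors(log_text, threshold=3):
    """Map user -> number of requests to listed sites, for users at or
    above threshold. This is the 'identify who goes there often' mode."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue  # malformed line or unparseable URL
        if is_blocked(rec["host"]):
            counts[rec["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in sorted(frequent_visitors(SAMPLE_LOG).items()):
        print(f"{user}: {n} requests to listed sites")
    print(decide("http://rally.example.net/howto", mode="block"))
    print(decide("http://rally.example.net/howto", mode="monitor"))
```

The subdomain match in is_blocked is what keeps a list of bare hostnames useful against mirrors and media hosts under the same domain; the threshold in frequent_visitors separates a one-off click from the habitual use the column is concerned with, and the malformed-line handling keeps a single bad record from aborting a review of the whole log.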
While there are some other ways that terrorist groups might use information technology, the vast majority of activities to date have been in the areas described above. There have been outliers - ranging from the use of a chat room by a Palestinian group to lure and kill an Israeli teenager - to the attempts to break into US energy companies by Middle Eastern groups - to the sale of software to run police systems by the Aum Shinrikyo group in Japan - to the exploitation of laser-based remote bomb controls by the IRA. Obviously, if you encounter anything like this you would want to report it to federal authorities right away.
Just as business has prospered in the Internet era because of the efficiencies associated with deeply embedded information technology, criminal and terrorist groups have taken advantage of the technology to their own ends. Technology brings efficiency to all who use it.
From the perspective of the security manager, cyber terrorism has not changed much about the way you operate, but it does produce some changes in the way you might respond to incidents. In particular, it should produce changes in the response processes and policies with regard to Internet use.
I have said for some time that many unreported criminal activities exploiting information technology should be reported. This might be viewed as an excuse for pushing that policy forward. It is not an excuse for it, it is merely another example of the importance of recognizing criminal activity and dealing with it. In this case the criminals will kill people who find them out, so it is more severe than many of the insider crimes that most security managers cover up from time to time.
About The Author:
Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over the Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/