The threat of terrorism has been a very real part of our world for many years. In this discussion we will explore the world of cyber-terrorism. We will begin by discussing what steps our government has already taken to address the threat of terrorism. We will learn about the various agencies already in existence today and what role they play in the regulation and detection of cyber-terrorist threats. We will discuss what we can do to obtain the highest level of security that is possible with today's tools. We will also discuss various scenarios that could occur, why they might occur, what terrorists have to gain by them and the dangers involved with cyber-terrorism. We will also touch on the ethical issues that are relevant as well as our civil liberties that could be in danger of being reduced or lost altogether.
The FBI defines terrorism as the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives. Cyber-terrorism could thus be defined as the use of computing resources to intimidate or coerce others. An example of cyber-terrorism could be hacking into a hospital computer system and changing someone's medicine prescription to a lethal dosage as an act of revenge. It sounds far fetched, but these things can and do happen.
Cyberterrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.
In August 1999, the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School in Monterey, California, issued a report titled "Cyberterror: Prospects and Implications." Their objective was to articulate the demand side of terrorism. Specifically, they assessed the prospects of terrorist organizations pursuing cyberterrorism. They concluded that the barrier to entry for anything beyond annoying hacks is quite high, and that terrorists generally lack the wherewithal and human capital needed to mount a meaningful operation. Cyberterrorism, they argued, was a thing of the future, although it might be pursued as an ancillary tool.
The Monterey group defined three levels of cyberterror capability Simple-Unstructured: The capability to conduct basic hacks against individual systems using tools created by someone else. The organization possesses little target analysis, command and control, or learning capability. Advanced-Structured: The capability to conduct more sophisticated attacks against multiple systems or networks and possibly, to modify or create basic hacking tools. The organization possesses an elementary target analysis, command and control, and learning capability. Complex-Coordinated: The capability for a coordinated attacks capable of causing mass-disruption against integrated, heterogeneous defenses (including cryptography). Ability to create sophisticated hacking tools. Highly capable target analysis, command and control, and organization learning capability.
They estimated that it would take a group starting from scratch 2-4 years to reach the advanced-structured level and 6-10 years to reach the complex-coordinated level, although some groups might get there in just a few years or turn to outsourcing or sponsorship to extend their capability.
The study examined five terrorist group types: religious, New Age, ethno-nationalist separatist, revolutionary, and far-right extremists. They determined that only the religious groups are likely to seek the most damaging capability level, as it is consistent with their indiscriminate application of violence. New Age or single issue terrorists, such as the Animal Liberation Front, pose the most immediate threat, however, such groups are likely to accept disruption as a substitute for destruction. Both the revolutionary and ethno-nationalist separatists are likely to seek an advanced-structured capability. The far-right extremists are likely to settle for a simple-unstructured capability, as cyberterror offers neither the intimacy nor cathartic effects that are central to the psychology of far-right terror. The study also determined that hacker groups are psychologically and organizationally ill-suited to cyberterrorism, and that it would be against their interests to cause mass disruption of the information infrastructure.
In response to heightened awareness of the potential for cyber-terrorism President Clinton, in 1996, created the Commission of Critical Infrastructure Protection. The board found that the combination of electricity, communications and computers are necessary to the survival of the U.S., all of which can be threatened by cyber-warfare. The resources to launch a cyber attack are commonplace in the world; a computer and a connection to the Internet are all that is really needed to wreak havoc. Adding to the problem is that the public and private sectors are relatively ignorant of just how much their lives depend on computers as well as the vulnerability of those computers. Another problem with cyber crime is that the crime must be solved, (i.e. who were the perpetrators and where were they when they attacked you) before it can be decided who has the actual authority to investigate the crime. The board recommends that critical systems should be isolated from outside connection or protected by adequate firewalls, use best practices for password control and protection, and use protected action logs.
Most other government organizations have also formed some type of group to deal with cyber-terrorists. The CIA created its own group, the Information Warfare Center, staffed with 1,000 people and a 24-hour response team. The FBI investigates hackers and similar cases. The Secret Service pursues banking, fraud and wiretapping cases. The Air Force created its own group, Electronic Security Engineering Teams, ESETs. Teams of two to three members go to random Air Force sites and try to gain control of their computers. The teams have had a success rate of 30% in gaining complete control of the systems.
Currently there are no foolproof ways to protect a system. The completely secure system can never be accessed by anyone. Most of the militaries classified information is kept on machines with no outside connection, as a form of prevention of cyber terrorism. Apart from such isolation, the most common method of protection is encryption. The wide spread use of encryption is inhibited by the governments ban on its exportation, so intercontinental communication is left relatively insecure. The Clinton administration and the FBI oppose the export of encryption in favor of a system where by the government can gain the key to an encrypted system after gaining a court order to do so. The director of the FBI's stance is that the Internet was not intended to go unpoliced and that the police need to protect people's privacy and public-safety rights there. Encryption's draw back is that it does not protect the entire system, an attack designed to cripple the whole system, such as a virus, is unaffected by encryption.
Others promote the use of firewalls to screen all communications to a system, including e-mail messages, which may carry logic bombs. Firewall is a relatively generic term for methods of filtering access to a network. They may come in the form of a computer, router other communications device or in the form of a network configuration. Firewalls serve to define the services and access that are permitted to each user. One method is to screen user requests to check if they come from a previously defined domain or Internet Protocol (IP) address. Another method is to prohibit Telnet access into the system.
Here are few key things to remember to protect yourself from cyber-terrorism. All accounts should have passwords and the passwords should be unusual, difficult to guess. Change the network configuration when defects become known. Check with venders for upgrades and patches. Audit systems and check logs to help in detecting and tracing an intruder. If you are ever unsure about the safety of a site, or receive suspicious email from an unknown address, don't access it. It could be trouble.
Cyber-terrorists often commit acts of terrorism simply for personal gain. Such a group, known as the Chaos Computer Club, was discovered in 1997. They had created an Active X Control for the Internet that can trick the Quicken accounting program into removing money from a user's bank account. This could easily be used to steal money from users all over the world that has the Quicken software installed on their computer. This type of file is only one of thousands of types of viruses that can do everything from simply annoy users, to disable large networks, which can have disastrous, even life and death, results.
Cyber-terrorist are many times interested in gaining publicity in any possible way. For example, information warfare techniques like Trojan horse viruses and network worms are often used to not only do damage to computing resources, but also as a way for the designer of the viruses to "show off." This is a serious ethical issue because many people are affected by these cases. For one, the viruses can consume system resources until networks become useless, costing companies lots of time and money. Also, depending on the type of work done on the affected computers, the damage to the beneficiaries of that work could be lethal. Even if the person never meant to harm someone with their virus, it could have unpredictable effects that could have terrible results.
Terrorism can also come in the form of disinformation. Terrorists can many times say what they please without fear of reprisal from authorities or of accountability for what they say. In a recent incident, the rumor that a group of people were stealing people's kidneys for sale was spread via the Internet. The rumor panicked thousands of people. This is an ethical issue similar to screaming 'Fire' in a crowded theater. In case like this, the number of people affected is unlimited. Thousands of people were scared by this and could have suffered emotionally.
In 1996, a computer hacker allegedly associated with the White Supremacist movement temporarily disabled a Massachusetts ISP and damaged part of the ISP's record keeping system. The ISP had attempted to stop the hacker from sending out worldwide racist messages under the ISP's name. The hacker signed off with the threat, "you have yet to see true electronic terrorism. This is a promise."
In 1998, Spanish protestors bombarded the Institute for Global Communications (IGC) with thousands of bogus e-mail messages. E-mail was tied up and undeliverable to the ISP's users, and support lines were tied up with people who couldn't get their mail. The protestors also spammed IGC staff and member accounts, clogged their Web page with bogus credit card orders, and threatened to employ the same tactics against organizations using IGC services. They demanded that IGC stop hosting the Webs site for the Euskal Herria Journal, a New York-based publication supporting Basque independence. Protestors said IGC supported terrorism because a section on the Web pages contained materials on the terrorist group ETA, which claimed responsibility for assassinations of Spanish political and security officials, and attacks on military installations. IGC finally relented and pulled the site because of the "mail bombings."
During the Kosovo conflict in 1999, NATO computers were blasted with e-mail bombs and hit with denial-of-service attacks by hacktivists protesting the NATO bombings. In addition, businesses, public organizations, and academic institutes received highly politicized virus-laden e-mails from a range of Eastern European countries, according to reports. Web defacements were also common. After the Chinese Embassy was accidentally bombed in Belgrade, Chinese hacktivists posted messages such as "We won't stop attacking until the war stops!" on U.S. government Web sites.
The ethical issues involved in cyber-terrorism are many. Any sort of crime or ethical violation can occur using a computer. Extortion of banks takes money from the banks, as well as their customers. The bank's, on the other hand, which many times refuse to admit to their inadequate defenses violate the public trust that the bank will be secure. The illegal altering of medical records is unethical, as it can quickly and easily cause harm to another. Spreading disinformation is unethical in its lack of regard for the truth, as well as for the safety of and consequences on others who believe the misinformation. Altering, destroying, or stealing others data is a violation of their privacy. The ordinary hacker is guilty of lack of regard for the privacy of the peoples systems that he or she would enter. Hacking-for-hire is additionally illicit because they openly sell their services to break into others systems.
U.S. officials mobilizing to freeze the financial assets of international terrorist Osama bin Laden may resort to cyber-methods, such as hacking, to cut off the money supply that has been used to finance his terrorist activities, including the Sept. 11 attacks on the World Trade Center and the Pentagon, of which he is the prime suspect. Intelligence and security experts said the U.S. government, using diplomatic channels, doesn't expect to receive cooperation from all of the hundreds of banks, holding companies and other private enterprises and fictitious front companies that bin Laden uses to hide his estimated $300 million personal fortune. As a result, the U.S. intelligence community might use cyber-methods to put a virtual stranglehold on bin Laden's global terror organization, Al Qaeda. While acknowledging that the operation could take years, security officials said that such an attempt was possible. During times of war it would be legal to hack into, disable and steal information from "enemy" servers. But who the enemy in this case is will be difficult to determine. "The evidence and perhaps the assets may be in what appear to be neutral third parties' hands," such as brokerage firms, clearinghouses and investment banks. "Once neutral third parties are involved, the lawfulness of intrusive electronic techniques becomes questionable." This according to an article by Dan Verton.
The United States government began to take the threat of cyber-terrorists seriously in 1996 when President Clinton established the Commission of Critical Infrastructure Protection. However, as we have seen, we rarely take action in this country until after the fact. Just as with airport security, it is unlikely that we will aggressively take actions to protect out National Information Infrastructure until after there is a massive and costly attack upon it.
The best way we can protect ourselves is to keep sensitive and critical information on isolated networks that are not connected to phone lines. Businesses whose networks are connected to the Internet inherit a certain amount of risk. In the end, it is people and not necessarily technology that will keep our networks protected. IT specialist's must install the latest patches and use up to date anti-virus protection coupled with frequent back-ups to maintain a network secure. It is crucial that businesses utilize a firewall that is properly configured when they are connected to the Internet. As a residential user, we can also use personal firewalls that are less robust with anti-virus software to protect ourselves. Never download or open an executable file or zipped document from anyone you don't know. Even if you do know them, scan it before you open it. To further protect yourself, install your Operating System on a separate partition away from your programs and files and back up your files frequently.
The Ethical issues involved are many. It doesn't take much to cross into the realm of unethical behavior. Whether you are stealing, extorting, spreading disinformation or just invading someone's privacy. These are all illicit actions. It is likely that the Department of Justice will get more powerful wire-tapping permissions in order to aggressively find and prevent further terrorist activity. The impact that this will have on our civil liberties is yet to be seen. Use of new tools such as Carnivore will definitely be an invasion of our privacy. It's the use of these tools and the court orders that are required that will determine the extent to which our liberties are compromised.
The next generation of terrorists will grow up in a digital world, with ever more powerful and easy-to-use hacking tools at their disposal. They might see greater potential for cyberterrorism than the terrorists of today, and their level of knowledge and skill relating to hacking will be greater. Hackers and insiders might be recruited by terrorists or become self-recruiting cyberterrorists, the Timothy McVeigh's of cyberspace. Some might be moved to action by cyber policy issues, making cyberspace an attractive venue for carrying out an attack. Cyberterrorism could also become more attractive as the real and virtual worlds become more closely coupled, with a greater number of physical devices attached to the Internet. Some of these may be remotely controlled. Terrorists, for example, might target robots used in telesurgery. Unless these systems are carefully secured, conducting an operation that physically harms someone may be easy as penetrating a Web site is today.
In conclusion, the violent pursuit of political goals using exclusively electronic methods is likely to be at least a few years into the future. However, the more general threat of cybercrime is very much a part of the digital landscape today. In addition to cyberattacks against digital data and systems, many people are being terrorized on the Internet today with threats of physical violence. On-line stalking, death threats, and hate messages are abundant. The Florida teen who threatened violence at Columbine High School in an electronic chat room is but one example. These crimes are serious and must be addressed. In so doing, we will be in a better position to prevent and respond to cyberterrorism if and when the threat becomes more serious.