GLOBAL DIALOGUE
Volume 2 ● Number 4 ● Autumn 2000—Terrorism: Image and Reality

Cyberterrorism: The Logic Bomb versus the Truck Bomb
The hacker apparently never made good on his promise, but the threat of a cyberterrorist attack has many people worried. The highly acclaimed Computers at Risk report (1991) from the US National Research Council concludes, “Tomorrow’s terrorist may be able to do more with a keyboard than with a bomb.” Cybercrime, Cyberterrorism, and Cyberwarfare (1998) from the Washington-based Global Organized Crime Project of the Center for Strategic and International Studies says, “Cyberterrorists, acting for rogue states or groups that have declared holy war against the United States, are known to be plotting America’s demise as a superpower.”

Defining Cyberterrorism

Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attack against computers, networks and the information stored therein that are carried out to intimidate or coerce a country’s government or citizens in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic losses would be examples. Serious attacks against crucial infrastructures could count as acts of cyberterrorism, depending on their impact. Attacks that disrupt non-essential services or that are mainly a costly nuisance would not.
Numerous cyberterrorism scenarios have been suggested. In one, a cyberterrorist attacks the computer systems that control a large regional power grid. Power is lost for a sustained period of time and people die. In another, the cyberterrorist breaks into an air-traffic control system and tampers with it. Two large civilian aircraft collide. In a third, the cyberterrorist disrupts banking operations, international financial transactions and stock exchanges. Economic systems grind to a halt, the public loses confidence, and destabilisation is achieved. While none of these or similar scenarios has yet occurred, many believe it is not a question of “if” but “when”.

Exploiting Cyberspace

Terrorists have moved into cyberspace to facilitate traditional forms of terrorism such as bombings. They use the Internet to communicate, co-ordinate events and advance their agenda. While such activity does not constitute cyberterrorism in the strict sense, it does show that terrorists have some competency in using the new information technologies.
By 1996, the headquarters of terrorist financier Osama bin Laden in Afghanistan were equipped with computers and communications equipment. Egyptian computer experts were said to have helped devise for bin Laden a communications network that used the World Wide Web, e-mail and electronic bulletin boards. Activists of the Palestinian group Hamas have been said to use chat rooms and e-mail to plan operations and co-ordinate activities, making it difficult for Israeli security officials to trace their messages and decode their contents. The Revolutionary Armed Forces of Colombia use e-mail to field inquiries from the press.
The Web is especially popular as a medium for reaching a global audience. For example, after the Peruvian terrorist group Tupac Amaru stormed the Japanese ambassador’s residence in Lima in December 1996, taking hostage four hundred diplomatic, military and political officials, sympathisers in the United States and Canada put up solidarity websites. One site included detailed drawings of the residence and assault plans.
In February 1998, the Lebanese group Hizbollah was operating three websites: one for its central press office (www.hizbollah.org), another to describe its attacks on Israeli targets (www.moqawama.org), and the third for news and information (www.almanar.com.lb). That month, Clark Staten, executive director of the Emergency Response and Research Institute (ERRI) in Chicago, testified before a US Senate subcommittee that “even small terrorist groups are now using the Internet to broadcast their message and misdirect/misinform the general population in multiple nations simultaneously”. He gave the subcommittee copies of both domestic and international messages containing anti-American and anti-Israeli propaganda and threats, including a widely distributed extremist call for “jihad” (holy war) against the United States and the United Kingdom.
In June 1998, US News & World Report noted that twelve of the thirty groups on the US State Department’s list of terrorist organisations were on the Web. Today it appears that virtually every US-designated terrorist group has a website. Forcing them off the Web is impossible, because they can set up their sites in countries with free speech laws. The government of Sri Lanka, for example, banned the separatist Liberation Tigers of Tamil Eelam, but it did not even attempt to have their London-based website closed.
Even in democracies, however, there are limits to what terrorists can post on the Net. After a group of anti-abortionists put up a website terrorising doctors who perform abortions, a federal jury ordered that the pages be taken down and damages of more than $100 million paid. The “Nuremberg Files” site had listed the names of about two hundred abortion providers under the heading of “baby butchers”. Readers were invited to send in such personal details as the doctors’ home addresses, licence plate numbers and the names of their children. Three doctors whose names appeared on the list were killed, and after each murder the doctor’s name was promptly crossed out. Doctors named on the site testified that they lived in constant fear and used disguises, bodyguards and bulletproof vests for protection. In ordering the site closed, the federal jury said the site and “wanted” posters amounted to death threats against the doctors.
Many terrorists are using encryption to conceal their communications and stored files, compounding the difficulties of counter-terrorism efforts. Hamas, for example, has reportedly used encrypted Internet communications to transmit maps, pictures and other information pertaining to terrorist attacks. Ramzi Ahmed Yousef, a member of the international terrorist group responsible for bombing the World Trade Center in 1993, encrypted files on his laptop computer. The files, which US government officials decrypted, contained information concerning plans to blow up twelve US-owned commercial airliners in the Far East. The Aum Shinrikyo cult, which nerve-gassed the Tokyo subway in March 1995, killing twelve people and injuring six thousand more, also used encryption to protect its computerised records, which included plans to deploy weapons of mass destruction in Japan and the United States.

Cyberspace Violence

Cyberspace is constantly under assault. Cyberspies, thieves, saboteurs and thrill seekers break into computer systems, steal personal data and commercial secrets, vandalise websites, disrupt service, sabotage data and systems, launch computer viruses and worms, conduct fraudulent transactions and harass individuals and companies. These attacks are facilitated by increasingly powerful and easy-to-use software tools, which are readily available for free from thousands of websites on the Internet.
Many of the attacks are serious and costly. For example, the ILOVEYOU virus and variants, launched in May 2000, were estimated to have hit tens of millions of users worldwide and cost billions of dollars in damage. Denial-of-service attacks against Yahoo, CNN, eBay and other e-commerce websites are estimated to have caused more than $1 billion in losses. They also shook the confidence of businesses and individuals in e-commerce.
Governments are particularly concerned about terrorist and state-sponsored attacks against the vital infrastructures that constitute the national life-support systems of their countries. The Clinton administration has defined eight such systems: telecommunications, banking and finance, electrical power, oil and gas distribution and storage, water supply, transportation, emergency services and government services.
There have been numerous attacks against such infrastructures in the United States. Although they cannot strictly be described as terrorist in nature, they reveal the vulnerability of modern society to cybercrime and the possibilities open to cyberterrorists. Thus, hackers have invaded the public phone networks, compromising nearly every category of activity, including switching and operations, administration, maintenance and provisioning (OAM&P). They have crashed or disrupted signal transfer points and switches and other network elements. They have planted “time bomb” programs designed to shut down major switching hubs, disrupted emergency 911 phone services throughout the eastern seaboard and boasted that they have the capability to bring down all switches in Manhattan. They have installed wiretaps, re-routed phone calls, changed the greetings on voice-mail systems, taken over voice mailboxes and made free long-distance calls at their victims’ expense, leaving some victims with phone bills of hundreds of thousands of dollars. When they cannot crack the technology, they use “social engineering” to trick employees into giving them access.
In March 1997, one teenage hacker penetrated and disabled a telephone company computer that serviced Worcester Airport in Massachusetts. As a result, the telephone service to the Federal Aviation Administration control tower, the airport fire department, airport security, the weather service and various private airfreight companies was cut off for six hours. Later in the day, the juvenile disabled another telephone company computer, this time causing an outage in the Rutland area. The outage caused financial losses and threatened public health and public safety. On a separate occasion, the hacker allegedly broke into a pharmacist’s computer and accessed files containing prescriptions.
Banks and financial systems are a popular target of cybercriminals. The usual motive is money, and perpetrators have stolen or attempted to steal tens of millions of dollars. In one case of sabotage, a computer operator at Reuters in Hong Kong tampered with the dealing room systems of five of the company’s bank clients. In November 1996, he programmed the systems to delete key operating system files after a delay long enough to allow him to leave the building. When the “time bombs” exploded, the systems crashed. They were partially restored by the next morning, but it took another day before they were fully operational. However, the banks said the tampering did not significantly affect trading and that neither they nor their clients experienced losses.
In another act of sabotage against a crucial infrastructure, a fired employee of Chevron’s emergency alert network disabled the firm’s alert system by hacking into computers in New York and San José, California, and reconfiguring them so they would crash. The vandalism was not discovered until an emergency arose at the Chevron refinery in Richmond, California, and the system could not be used to notify the adjacent community of the release of a noxious substance. During the ten-hour period in 1992 when the system was down, thousands of people in twenty-two states and six unspecified areas of Canada were put at risk.
An overflow of raw sewage on the Sunshine Coast of Australia in June 2000 was linked to a forty-nine-year-old Brisbane man who allegedly penetrated the Maroochy Shire Council’s computer system and used radio transmissions to create the overflows. The man was charged with 370 offences, including stealing, computer hacking and using radio communications equipment without authority.
Government computers, particularly US Department of Defence computers, are a regular target of attack. Detected attacks against unclassified DoD computers rose from 780 in 1997 to 5,844 in 1998 and 22,144 in 1999.
The most damaging and costly attacks have been carried out for reasons other than the pursuit of terrorist goals. As the above cases illustrate, they have been motivated by greed, revenge, thrill seeking, the desire for notoriety, and other non-ideological factors. They are properly classified as cybercrimes, not cyberterrorism.

Ideologically Motivated Cyberattacks

Terrorism is normally associated with attacks perpetrated in furtherance of political and social objectives. Numerous cyberattacks have been so motivated. For example, in 1998 ethnic Tamil guerrillas swamped Sri Lankan embassies with eight hundred e-mails a day over a two-week period. The messages read: “We are the Internet Black Tigers and we’re doing this to disrupt your communications.” Intelligence authorities characterised it as the first known attack by terrorists against a country’s computer systems.
Also in 1998, Spanish protesters bombarded the San Francisco–based Institute for Global Communications (IGC)—an Internet service provider—with thousands of bogus e-mail messages (a practice known as “spamming”). E-mail was tied up and undeliverable to IGC’s users, and support lines were clogged with people who could not get their mail. The protesters also spammed IGC staff and member accounts, swamped IGC’s Web page with bogus credit card orders, and threatened to employ the same tactics against organisations using IGC services. They demanded that IGC stop hosting the website of the Euskal Herria Journal, a New York–based publication supporting Basque independence. Protesters said IGC supported terrorism because a section of the Web pages contained material on the Basque terrorist group ETA, which claimed responsibility for assassinations of Spanish political and security officials, and attacks on Spanish military installations. IGC finally relented and pulled the site because of the “mail bombings”.
During the Kosovo conflict in 1999, computers of the North Atlantic Treaty Organisation were blasted with e-mail bombs and hit with denial-of-service attacks by “hacktivists” protesting against NATO’s bombing of Serbia. In addition, Western businesses, public organisations and academic institutes reportedly received highly politicised, anti-NATO, virus-laden e-mails from a range of eastern European countries. Web defacements were also common. After a US plane accidentally bombed the Chinese embassy in Belgrade, Chinese hacktivists posted on US government websites messages such as, “We won’t stop attacking until the war stops!”
Since December 1997, the Electronic Disturbance Theater (EDT), a New York–based activist group, has been conducting Web sit-ins against various sites in support of Mexico’s Zapatista guerrillas. At a designated time, thousands of protesters point their browsers to a target site using software that floods the target with rapid and repeated download requests. EDT’s software has also been used by animal rights groups against organisations said to abuse animals. Electrohippies, another group of hacktivists, conducted Web sit-ins against the World Trade Organisation when it met in Seattle in late 1999. These sit-ins all require mass participation to have much effect, and thus are more suited to use by activists than by relatively small groups of terrorists operating in secrecy.
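The e-mail floods described above (the Internet Black Tigers and the IGC mail bombing) and the Web sit-ins differ in a way that matters to the defender: a mail bomb comes from one or a few senders at a high rate, while a sit-in is many participants each making a modest number of requests. The following detector, an added example written for this edition rather than code from the article or from any of the groups it discusses, shows both patterns against a constructed log. The log format (an ISO timestamp, a source, a target, one request per line), the host names and the thresholds are all assumptions made for the example.

```python
"""Rate-based detection of mail bombs and Web sit-ins over a constructed log.

Added example, not from the article. Assumes a hypothetical log format:
"<ISO timestamp> <source> <target>", one request or message per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one quiet minute, one single-source flood,
    one distributed flood. All host names are hypothetical."""
    base = datetime(2000, 6, 1, 12, 0, 0)
    lines = []
    # Minute 0: background traffic, 5 sources making 2 requests each.
    for i in range(5):
        for k in range(2):
            ts = base + timedelta(seconds=10 * i + k)
            lines.append(f"{ts.isoformat()} host{i}.example www.example.org")
    # Minute 1: one sender delivers 60 messages (mail-bomb pattern).
    for k in range(60):
        ts = base + timedelta(minutes=1, seconds=k)
        lines.append(f"{ts.isoformat()} bomber.example www.example.org")
    # Minute 2: 40 sources make 3 requests each (sit-in pattern).
    for i in range(40):
        for k in range(3):
            ts = base + timedelta(minutes=2, seconds=i + k)
            lines.append(f"{ts.isoformat()} protester{i}.example www.example.org")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into (timestamp, source, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, target = line.split()
        events.append((datetime.fromisoformat(ts), source, target))
    return events


def detect_floods(events, per_source_limit=20, aggregate_limit=50):
    """Bucket events by (target, minute) and apply two rules.

    Returns a list of alerts, in time order:
      ("single-source", target, minute, source, count)
          when one source exceeds per_source_limit in a minute;
      ("distributed", target, minute, distinct_sources, total)
          when the minute's total exceeds aggregate_limit but no single
          source trips the per-source rule (the sit-in shape).
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, source, target in events:
        minute = ts.replace(second=0, microsecond=0)
        buckets[(target, minute)][source] += 1

    alerts = []
    for (target, minute), per_source in sorted(buckets.items()):
        heavy = [(s, c) for s, c in per_source.items() if c > per_source_limit]
        total = sum(per_source.values())
        if heavy:
            for source, count in heavy:
                alerts.append(("single-source", target, minute, source, count))
        elif total > aggregate_limit:
            alerts.append(("distributed", target, minute, len(per_source), total))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(parse_log(build_sample_log())):
        print(alert)
```

The per-source rule would have flagged the embassy mail flood and the IGC spam, and blocking the offending senders would have ended them. The sit-in trips only the aggregate rule, and nothing in the counts distinguishes a co-ordinated protest from a genuine surge of interest, which is why the text notes that sit-ins need mass participation to have any effect and why the response is usually capacity or upstream filtering rather than blocking individual sources.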
While the above incidents had social and political motivations, it is hard to judge whether they were sufficiently harmful or frightening to be classified as cyberterrorism. To the best of my knowledge, no attack so far has led to violence or injury to persons, although some may have intimidated their victims. Both the EDT and the Electrohippies view their operations as acts of civil disobedience, analogous to street protests and physical sit-ins, not as acts of violence or terrorism. This is an important distinction. Most activists, whether participating in a street march or Web sit-in, are not terrorists.
However, there are a few indications that some terrorist groups are pursuing cyberterrorism, either solely or in conjunction with acts of physical violence. In February 1998, the ERRI’s Clark Staten told a US Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information that it was believed that “members of some Islamic extremist organizations have been attempting to develop a ‘hacker network’ to support their computer activities and even engage in offensive information warfare attacks in the future”.
In November 1998, the Detroit News reported that Khalid Ibrahim, who claimed to be a member of the militant Indian separatist group Harkat-ul-Ansar, had tried to buy military software from hackers who had stolen it from US Department of Defence computers they had penetrated. The attempted purchase was discovered when an eighteen-year-old hacker calling himself Chameleon attempted to cash a $1,000 cheque from Ibrahim. Chameleon said he did not have the software and had not given it to Ibrahim, but Ibrahim may have obtained it or other sensitive information from one of the many other hackers he approached. Harkat-ul-Ansar declared war on the United States following the August 1998 cruise-missile attack on a suspected terrorist training camp in Afghanistan run by Osama bin Laden, which allegedly killed nine of their members.
The Provisional Irish Republican Army employed the services of contract hackers to penetrate computers in order to acquire the home addresses of British law enforcement and intelligence officers. The data was used to draw up plans to kill the officers in a single “night of the long knives” if the British government did not meet terms for a new cease-fire. As this case illustrates, terrorists may use hacking as a way of acquiring intelligence in support of physical violence, even if they do not use it to wreak havoc in cyberspace.
Terrorists might also engage in computer network attacks as a way of financing physical operations. For example, they could penetrate an e-commerce website and steal credit card numbers, conduct fraudulent transactions against an Internet bank, or extort money from victims by threatening electronic sabotage.

How Real a Threat?

To understand the potential threat of cyberterrorism, two factors must be considered: first, whether there are targets that are vulnerable to attacks that could lead to violence or severe harm; and second, whether there are actors with the capability and motivation to carry them out.
Looking first at vulnerabilities, several studies have shown that vital infrastructures are potentially open to cyberterrorist attack. “Eligible Receiver”, a no-warning exercise conducted by the US Department of Defence in 1997, found that power grid and emergency 911 systems had weaknesses that could be exploited by an adversary using only tools publicly available on the Internet. Although neither of these systems was actually attacked, study members concluded that the services these systems provide could be disrupted. Also in 1997, President Clinton’s Commission on Critical Infrastructure Protection issued its report warning that through mutual dependencies and interconnectedness, vital infrastructures could be vulnerable in new ways. The report said that vulnerabilities were steadily increasing, while the costs of attack were decreasing.
Although many of the weaknesses in computerised systems can be corrected, it is effectively impossible to eliminate all of them. Even if the technology itself offers good security, it is frequently configured or used in ways that leave it open to attack. In addition, there is always the possibility that insiders, acting alone or in concert with other terrorists, will misuse their access capabilities. According to Colonel Konstantin Machabeli of Russia’s Interior Ministry, the state-run gas monopoly Gazprom was hit in 1999 by hackers who collaborated with a Gazprom insider. The hackers allegedly used a Trojan horse to gain control of the central switchboard, which controls gas flows in pipelines. Gazprom, the world’s largest natural gas producer and the largest gas supplier to western Europe, denied the report.
Consultants and contractors are frequently in a position to cause grave harm. In March 2000, Japan’s Metropolitan Police Department reported that a software system it had procured to track 150 police vehicles, including unmarked cars, had been developed by the Aum Shinrikyo cult. At the time of the discovery, the cult had received classified tracking data on 115 vehicles. Further, the cult had developed software for at least eighty Japanese firms and ten government agencies. It had worked as a subcontractor for other firms, making it almost impossible for them to know who was developing their software. As a subcontractor, the cult could have installed Trojan horses to launch or facilitate cyberterrorist attacks at a later date. Fearing a Trojan horse of its own, the US State Department last February sent an urgent cable to about 170 embassies asking them to remove software which it belatedly realised had been written by citizens of the former Soviet Union.
If we assume, then, that vital infrastructures are vulnerable to cyberterrorist attack, the question becomes one of whether there are actors with the capability and motivation to carry out such operations. While many hackers have the knowledge, skills and tools to attack computer systems, they generally lack the motivation to cause violence or severe economic or social harm. Conversely, terrorists who are motivated to cause violence seem to lack the capability or motivation to cause damage in cyberspace.

Looking Ahead

In August 1999, the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School in Monterey, California, issued a report entitled “Cyberterror: Prospects and Implications”. The report assessed the likelihood of terrorist organisations pursuing cyberterrorism. It concluded that the barrier to entry for anyone other than nuisance hackers was quite high, and that terrorists generally lacked the wherewithal and human capital needed to mount a meaningful operation. Cyberterrorism, the report argued, was a thing of the future, although it might be pursued as an ancillary tool.
The Monterey team defined three levels of cyberterror capability. The first is the “simple–unstructured” capability to conduct basic hacks against individual systems using tools created by someone else. Organisations at this level possess negligible target analysis, command and control functions, or learning ability.
The second level is the “advanced–structured” capability to conduct more sophisticated attacks against multiple systems or networks, and possibly to modify or create basic hacking tools. Organisations at this level possess elementary target analysis, command and control functions and learning ability.
The third level is the “complex–co-ordinated” capability to carry out a co-ordinated attack capable of causing mass disruption against integrated, heterogeneous defences (including cryptography). An organisation operating at this level would be able to create sophisticated hacking tools. It would possess significant target analysis, command and control functions and learning ability.
The Monterey team estimated that it would take a group starting from scratch two to four years to reach the advanced–structured level and six to ten years to reach the complex–co-ordinated level, although some groups might get to these levels sooner or turn to outsourcing or sponsorship to extend their capability.
The study examined five terrorist group types: religious, New Age, ethno-nationalist separatist, revolutionary, and far-right extremist. It determined that only the religious groups were likely to seek the most damaging capability level, as it is consistent with their indiscriminate application of violence. New Age or single-issue terrorists, such as the Animal Liberation Front, pose the most immediate threat, but are more likely to accept disruption as a substitute for destruction. Revolutionary groups and ethno-nationalist separatists are both likely to seek an advanced–structured capability. Far-right extremists are likely to settle for a simple–unstructured capability, as cyberterror offers neither the intimacy nor the cathartic effects that are central to the psychology of far-right terrorism. The study also determined that hacker groups are psychologically and organisationally ill suited to cyberterrorism, and that it would be against their interests to cause mass disruption of the information infrastructure.
Thus, at this time, cyberterrorism does not seem to pose an imminent threat. This could change. For a terrorist, cyberterrorism has some advantages over physical methods. It can be conducted remotely and anonymously, and does not involve the handling of explosives or a suicide mission. It would probably attract extensive media coverage, as journalists and the public alike are fascinated by practically any kind of computer attack. Indeed, cyberterrorism could be immensely appealing to terrorists precisely because of the tremendous attention given to it by governments and the media.
Yet cyberterrorism also has its drawbacks. Systems are complex, so it may be harder to control an attack and achieve a desired level of damage than it is by using physical weapons. Unless people are injured, there is also less drama and emotional appeal for the terrorist. Further, terrorists may be disinclined to try new methods unless they see their old ones as inadequate, particularly when the new methods require considerable knowledge and skill to use effectively. Terrorists generally stick with tried and true methods. Novelty and sophistication of attack may be much less important than the assurance that a mission will be operationally successful. Indeed, the risk of operational failure could be a deterrent to terrorists. For now, the truck bomb poses a much greater threat than the logic bomb.
The next generation of terrorists will grow up in a digital world, with ever more powerful and easy-to-use hacking tools at their disposal. They might see greater potential for cyberterrorism than the terrorists of today, and their level of knowledge and skill relating to hacking will be greater. Hackers and insiders might be recruited by terrorists or become self-recruiting cyberterrorists, the Timothy McVeighs of cyberspace. Some might be moved to action by cyber policy issues, making cyberspace an attractive venue for carrying out an attack. Cyberterrorism could also become more attractive as the real and virtual worlds become more closely coupled, with a greater number of physical devices attached to the Internet. Some of these may be remotely controlled. Terrorists, for example, might target the robots used in telesurgery. Unless such systems are carefully secured, carrying out a cyberattack that physically harms someone may be as easy as penetrating a website is today.
Although the violent pursuit of political goals using exclusively electronic methods is likely to be at least a few years into the future, the more general threat of cybercrime is very much a part of the digital landscape today. In addition to cyberattacks against digital data and systems, many people are being “terrorised” on the Internet today with threats of physical violence. Online stalking, death threats and hate messages are abundant. These crimes are serious and must be addressed. In so doing, we will be in a better position to prevent and respond to cyberterrorism if and when the threat becomes more serious.