[ISN] The Myth of Cyberterrorism

From: InfoSec News (isnat_private)
Date: Mon Nov 11 2002 - 22:59:13 PST

    Forwarded from: William Knowles <wkat_private>
    By Joshua Green 
    November 2002 
    Again and again since September 11, President Bush, Vice President
    Cheney, and senior administration officials have alerted the public
    not only to the dangers of chemical, biological, and nuclear weapons
    but also to the further menace of cyberterrorism. "Terrorists can sit
    at one computer connected to one network and can create worldwide
    havoc," warned Homeland Security Director Tom Ridge in a
    representative observation last April. "[They] don't necessarily need
    a bomb or explosives to cripple a sector of the economy, or shut down
    a power grid."
    Even before September 11, Bush was fervently depicting an America
    imminently in danger of an attack by cyberterrorists, warning during
    his presidential campaign that "American forces are overused and
    underfunded precisely when they are confronted by a host of new
    threats and challenges--the spread of weapons of mass destruction, the
    rise of cyberterrorism, the proliferation of missile technology." In
    other words, the country is confronted not just by the specter of
    terrorism, but by a menacing new breed of it that is technologically
    advanced, little understood, and difficult to defend against. Since
    September 11, these concerns have only multiplied. A survey of 725
    cities conducted by the National League of Cities for the anniversary
    of the attacks shows that cyberterrorism ranks with biological and
    chemical weapons atop officials' lists of fears.
    Concern over cyberterrorism is particularly acute in Washington. As is
    often the case with a new threat, an entire industry has arisen to
    grapple with its ramifications--think tanks have launched new projects
    and issued white papers, experts have testified to its dangers before
    Congress, private companies have hastily deployed security consultants
    and software designed to protect public and private targets, and the
    media have trumpeted the threat with such front-page headlines as this
    one, in The Washington Post last June: "Cyber-Attacks by Al Qaeda
    Feared, Terrorists at Threshold of Using Internet as Tool of
    Bloodshed, Experts Say."
    The federal government has requested $4.5 billion for infrastructure
    security next year; the FBI boasts more than 1,000 "cyber
    investigators"; President Bush and Vice President Cheney keep the
    issue before the public; and in response to September 11, Bush created
    the office of "cybersecurity czar" in the White House, naming to this
    position Richard Clarke, who has done more than anyone to raise
    awareness, including warning that "if an attack comes today with
    information warfare . . . it would be much, much worse than Pearl
    It's no surprise, then, that cyberterrorism now ranks alongside other
    weapons of mass destruction in the public consciousness. Americans
    have had a latent fear of catastrophic computer attack ever since a
    teenage Matthew Broderick hacked into the Pentagon's nuclear weapons
    system and nearly launched World War III in the 1983 movie WarGames.  
    Judging by official alarums and newspaper headlines, such scenarios
    are all the more likely in today's wired world.
    There's just one problem: There is no such thing as cyberterrorism--no
    instance of anyone ever having been killed by a terrorist (or anyone
    else) using a computer. Nor is there compelling evidence that al Qaeda
    or any other terrorist organization has resorted to computers for any
    sort of serious destructive activity. What's more, outside of a Tom
    Clancy novel, computer security specialists believe it is virtually
    impossible to use the Internet to inflict death on a large scale, and
    many scoff at the notion that terrorists would bother trying. "I don't
    lie awake at night worrying about cyberattacks ruining my life," says
    Dorothy Denning, a computer science professor at Georgetown University
    and one of the country's foremost cybersecurity experts. "Not only
    does [cyberterrorism] not rank alongside chemical, biological, or
    nuclear weapons, but it is not anywhere near as serious as other
    potential physical threats like car bombs or suicide bombers."
    Which is not to say that cybersecurity isn't a serious problem--it's
    just not one that involves terrorists. Interviews with terrorism and
    computer security experts, and current and former government and
    military officials, yielded near unanimous agreement that the real
    danger is from the criminals and other hackers who did $15 billion in
    damage to the global economy last year using viruses, worms, and other
    readily available tools. That figure is sure to balloon if more isn't
    done to protect vulnerable computer systems, the vast majority of
    which are in the private sector. Yet when it comes to imposing the
    tough measures on business necessary to protect against the real
    cyberthreats, the Bush administration has balked.
    Crushing BlackBerrys 
    When ordinary people imagine cyberterrorism, they tend to think along
    Hollywood plot lines, doomsday scenarios in which terrorists hijack
    nuclear weapons, airliners, or military computers from halfway around
    the world. Given the colorful history of federal
    boondoggles--billion-dollar weapons systems that misfire, $600 toilet
    seats--that's an understandable concern. But, with few exceptions,
    it's not one that applies to preparedness for a cyberattack. "The
    government is miles ahead of the private sector when it comes to
    cybersecurity," says Michael Cheek, director of intelligence for
    iDefense, a Virginia-based computer security company with government
    and private-sector clients. "Particularly the most sensitive military
    Serious effort and plain good fortune have combined to bring this
    about. Take nuclear weapons. The biggest fallacy about their
    vulnerability, promoted in action thrillers like WarGames, is that
    they're designed for remote operation. "[The movie] is premised on the
    assumption that there's a modem bank hanging on the side of the
    computer that controls the missiles," says Martin Libicki, a defense
    analyst at the RAND Corporation. "I assure you, there isn't." Rather,
    nuclear weapons and other sensitive military systems enjoy the most
    basic form of Internet security: they're "air-gapped," meaning that
    they're not physically connected to the Internet and are therefore
    inaccessible to outside hackers. (Nuclear weapons also contain
    "permissive action links," mechanisms to prevent weapons from being
    armed without inputting codes carried by the president.) A retired
    military official was somewhat indignant at the mere suggestion: "As a
    general principle, we've been looking at this thing for 20 years. What
    cave have you been living in if you haven't considered this [threat]?"
    When it comes to cyberthreats, the Defense Department has been
    particularly vigilant to protect key systems by isolating them from
    the Net and even from the Pentagon's internal network. All new
    software must be submitted to the National Security Agency for
    security testing. "Terrorists could not gain control of our
    spacecraft, nuclear weapons, or any other type of high-consequence
    asset," says Air Force Chief Information Officer John Gilligan. For
    more than a year, Pentagon CIO John Stenbit has enforced a moratorium
    on new wireless networks, which are often easy to hack into, as well
    as common wireless devices such as PDAs, BlackBerrys, and even
    wireless or infrared copiers and faxes.
    The September 11 hijackings led to an outcry that airliners are
    particularly susceptible to cyberterrorism. Earlier this year, for
    instance, Sen. Charles Schumer (D-N.Y.) described "the absolute havoc
    and devastation that would result if cyberterrorists suddenly shut
    down our air traffic control system, with thousands of planes in
    mid-flight." In fact, cybersecurity experts give some of their highest
    marks to the FAA, which reasonably separates its administrative and
    air traffic control systems and strictly air-gaps the latter. And
    there's a reason the 9/11 hijackers used box-cutters instead of
    keyboards: It's impossible to hijack a plane remotely, which
    eliminates the possibility of a high-tech 9/11 scenario in which
    planes are used as weapons.
    Another source of concern is terrorist infiltration of our
    intelligence agencies. But here, too, the risk is slim. The CIA's
    classified computers are also air-gapped, as is the FBI's entire
    computer system. "They've been paranoid about this forever," says
    Libicki, adding that paranoia is a sound governing principle when it
    comes to cybersecurity. Such concerns are manifesting themselves in
    broader policy terms as well. One notable characteristic of last
    year's Quadrennial Defense Review was how strongly it focused on
    protecting information systems.
    But certain tics in the way government agencies procure technology
    have also--entirely by accident--helped to keep them largely free of
    hackers. For years, agencies eschewed off-the-shelf products and
    insisted instead on developing proprietary systems, unique to their
    branch of government--a particularly savvy form of bureaucratic
    self-preservation. When, say, the Department of Agriculture succeeded
    in convincing Congress that it needed a specially designed system,
    both the agency and the contractor benefited. The software company was
    assured the agency's long-term business, which became dependent on its
    product; in turn, bureaucrats developed an expertise with the software
    that made them difficult to replace. This, of course, fostered
    colossal inefficiencies--agencies often couldn't communicate with each
    other, minor companies developed fiefdoms in certain agencies, and if
    a purveyor went bankrupt, the agency was left with no one to manage
    its technology. But it did provide a peculiar sort of protection:  
    Outside a select few, no one understood these specific systems well
    enough to violate them. So in a sense, the famous inability of
    agencies like the FBI and INS to share information because of
    incompatible computer systems has yielded the inadvertent benefit of
    shielding them from attack.
    Ankle Biters
    That leaves the less-protected secondary targets--power grids, oil
    pipelines, dams, and water systems that don't present opportunities as
    nightmarish as do nuclear weapons, but nonetheless seem capable, under
    the wrong hands, of causing their own mass destruction. Because most
    of these systems are in the private sector and are not yet regarded as
    national security loopholes, they tend to be less secure than
    government and military systems. In addition, companies increasingly
    use the Internet to manage such processes as oil-pipeline flow and
    water levels in dams by means of "supervisory control and data
    acquisition" systems, or SCADA, which confers remote access. Most
    experts see possible vulnerability here, and though terrorists have
    never attempted to exploit it, media accounts often sensationalize the
    likelihood that they will.
    To illustrate the supposed ease with which our enemies could subvert a
    dam, The Washington Post's June story on al Qaeda cyberterrorism
    related an anecdote about a 12-year-old who hacked into the SCADA
    system at Arizona's Theodore Roosevelt Dam in 1998, and was, the
    article intimated, within mere keystrokes of unleashing millions of
    gallons of water upon helpless downstream communities. But a
    subsequent investigation by the tech-news site CNet.com revealed the
    tale to be largely apocryphal--the incident occurred in 1994, the
    hacker was 27, and, most importantly, investigators concluded that he
    couldn't have gained control of the dam and that no lives or property
    were ever at risk.
    Most hackers break in simply for sport. To the extent that these hacks
    occur, they're mainly Web site defacements, which are a nuisance, but
    leave the intruder no closer to exploiting the system in any deadly
    way. Security experts dismiss such hackers as "ankle biters" and roll
    their eyes at prognostications of doom.
    Of course, it's conceivable that a computer-literate terrorist truly
    intent on wreaking havoc could hack into computers at a dam or power
    company. But once inside, it would be far more difficult for him to
    cause significant damage than most people realize. "It's not the
    difficulty of doing it," says RAND's Libicki. "It's the difficulty of
    doing it and having any real consequence." "No one explains precisely
    the how, whys, and wherefores of these apocalyptic scenarios," says
    George Smith, the editor of Crypt Newsletter, which covers computer
    security issues. "You always just get the assumption that chemical
    plants can be made to explode, that the water supply can be
    polluted--things that are even hard to do physically are suddenly
    assumed to be elementary because of the prominence of the Internet."
    Few besides a company's own employees possess the specific technical
    know-how required to run a specialized SCADA system. The most commonly
    cited example of SCADA exploitation bears this out. Two years ago, an
    Australian man used an Internet connection to release a million
    gallons of raw sewage along Queensland's Sunshine Coast after being
    turned down for a government job. When police arrested him, they
    discovered that he'd worked for the company that designed the sewage
    treatment plant's control software. This is true of most serious
    cybersecurity breaches--they tend to come from insiders. It was Robert
    Hanssen's familiarity with the FBI's computer system that allowed him
    to exploit it despite its security. In both cases, the perpetrators
    weren't terrorists but rogue employees with specialized knowledge
    difficult, if not impossible, for outsiders to acquire--a security
    concern, but not one attributable to cyberterrorism.
    Terrorists might, in theory, try to recruit insiders. But even if they
    succeeded, the degree of damage they could cause would still be
    limited. Most worst-case scenarios (particularly those put forth by
    government) presuppose that no human beings are keeping watch to
    intervene if something goes wrong. But especially in the case of
    electrical power grids, oil and gas utilities, and communications
    companies, this is simply untrue. Such systems get hit all the time by
    hurricanes, floods, or tornadoes, and company employees are well
    rehearsed in handling the fallout. This is equally true when the
    trouble stems from human action. Two years ago in California, energy
    companies like Enron and El Paso Corp. conspired to cause power
    shortages that led to brownouts and blackouts--the same effects
    cyberterrorists would wreak. As Smith points out, "There were no
    newspaper reports of people dying as a result of the blackouts. No one
    lost their mind." The state suffered only minor (if demoralizing)  
    But perhaps the best indicator of what is realistic came last July
    when the U.S. Naval War College contracted with a research group to
    simulate a massive attack on the nation's information infrastructure.  
    Government hackers and security analysts gathered in Newport, R.I.,
    for a war game dubbed "Digital Pearl Harbor." The result? The hackers
    failed to crash the Internet, though they did cause serious sporadic
    damage. But, according to a CNet.com report, officials concluded that
    terrorists hoping to stage such an attack "would require a syndicate
    with significant resources, including $200 million, country-level
    intelligence and five years of preparation time."
    Hack Attack
    Despite all the media alarm about terrorists poised on the verge of
    cyberattack, intelligence suggests that they're doing no more than
    emailing and surfing for potential targets. When U.S. troops recovered
    al Qaeda laptops in Afghanistan, officials were surprised to find its
    members more technologically adept than previously believed. They
    discovered structural and engineering software, electronic models of a
    dam, and information on computerized water systems, nuclear power
    plants, and U.S. and European stadiums. But nothing suggested they
    were planning cyberattacks, only that they were using the Internet to
    communicate and coordinate physical attacks. "There doesn't seem to be
    any evidence that the people we know as terrorists like to do
    cyberterrorism," says Libicki. Indeed, in a July report to the Senate
    Governmental Affairs Committee detailing the threats detected to
    critical infrastructure, the General Accounting Office noted "to date
    none of the traditional terrorist groups such as al Qaeda have used
    the Internet to launch a known assault on the U.S.'s infrastructure."  
    It is much easier, and almost certainly much deadlier, to strike the
    old-fashioned way.
    Government computers have been targeted by politically minded hackers,
    but these attacks are hardly life threatening. They're typified by
    last October's penetration of a Defense Department Web site dedicated
    to "Operation Enduring Freedom" and, somewhat incongruously, a Web
    server operated by the National Oceanic and Atmospheric Association.  
    The organization responsible was called the "al Qaeda Alliance Online"  
    and was comprised of groups with names like GForce Pakistan and the
    Pakistani Hackerz Club--names that connote a certain adolescent
    worship of hip-hop that's a clue to the participants' relative lack of
    menace; none turned out to have actual terrorist ties.
    In both cases, the attackers replaced the government sites' home pages
    with photos and anti-American text--but that's all they did. Robbed of
    this context, as is usually the case with reports of politically
    motivated cyberattacks, such manifestations are often presumed to be
    much more serious terrorist threats than is warranted. "When somebody
    defaces a Web site, it's roughly equivalent to spray painting
    something rude on the outside of a building," says James Lewis,
    director of technology policy at the Center for Strategic and
    International Studies. "It's really just electronic graffiti."
    The Gloom Boom
    Yet Washington hypes cyberterrorism incessantly. "Cyberterrorism and
    cyberattacks are sexy right now. It's novel, original, it captures
    people's imagination," says Georgetown's Denning. Indeed, a peculiar
    sort of one-upmanship has developed when describing the severity of
    the threat. The most popular term, "electronic Pearl Harbor," was
    coined in 1991 by an alarmist tech writer named Winn Schwartau to hype
    a novel. For a while, in the mid-1990s, "electronic Chernobyl" was in
    vogue. Earlier this year, Sen. Charles Schumer (D-N.Y.) warned of a
    looming "digital Armageddon." And the Center for Strategic and
    International Studies, a Washington think tank, has christened its own
    term, "digital Waterloo."
    Why all this brooding over so relatively minor a threat? Ignorance is
    one reason. Cyberterrorism merges two spheres--terrorism and
    technology--that most lawmakers and senior administration officials
    don't fully understand and therefore tend to fear, making them
    likelier to accede to any measure, if only out of self-preservation.  
    Just as tellingly, many are eager to exploit this ignorance. Numerous
    technology companies, still reeling from the collapse of the tech
    bubble, have recast themselves as innovators crucial to national
    security and boosted their Washington presence in an effort to attract
    federal dollars. As Ohio State University law professor Peter Swire
    explained to Mother Jones, "Many companies that rode the dot-com boom
    need to find big new sources of income. One is direct sales to the
    federal government; another is federal mandates. If we have a big
    federal push for new security spending, that could prop up the sagging
    But lately, a third motive has emerged: Stoking fears of
    cyberterrorism helps maintain the level of public anxiety about
    terrorism generally, which in turn makes it easier for the
    administration to pass its agenda.
    Profit of Doom
    At the center of all this hype is Richard Clarke, special adviser to
    the president for cyberspace security, a veteran of four
    administrations, and terrorism czar to Bill Clinton. Even though he
    was a senior Clinton official, Clarke's legendary bureaucratic skills
    saw him through the transition; and when replaced by Gen. Wayne
    Downing after September 11, Clarke created for himself the position of
    cybersecurity czar and continued heralding the threat of cyberattack.  
    Understanding that in Washington attention leads to resources and
    power, Clarke quickly raised the issue's profile. "Dick has an ability
    to scare the bejesus out of everybody and to make the bureaucracy
    jump," says a former colleague. The Bush administration has requested
    a 64 percent increase in cybersecurity funds for next year.
    Last month, I paid Clarke a visit in his office a few blocks west of
    the White House to talk about the threat and discovered that even he
    is beginning to wilt under the false pretense of cyberterrorism. As I
    was led back to meet him, his assistant made an odd request: "Mr.  
    Clarke doesn't like to talk about the source of the threat, he'd
    rather focus on the vulnerability." And indeed, the man who figured
    most prominently in hyping the issue seemed particularly ill at ease
    discussing it.
    Clarke is in the curious bind of an expert on terrorism charged to
    protect the nation against a form of the disease that has yet to
    appear. But he is smart enough to understand that one very real
    cybersecurity threat is unfolding: the damage, largely economic, being
    done by hackers and criminals. Last year, 52,000 cyberattacks were
    reported, up from 21,000 the year before. Yet Clarke's greatest
    leverage is misperception about the true source of this threat. In his
    careful way, he tried to guide our conversation away from terrorism
    and toward cybersecurity.
    "To date," he readily conceded, "we've never seen any of the officially
    designated terrorist groups engage in a cyberattack against us." But
    he stressed that little noticed in the aftermath of September 11 was a
    large-scale cyberattack seven days later--the Nimda virus--that proved
    extremely costly to private industry. "Nimda hit a lot of businesses
    that thought they had done a good job securing themselves," Clarke
    explained. "And a lot of CEOs got really pissed because they thought
    they had spent a lot of time and money doing cybersecurity for the
    company and--bang!--they got hammered, knocked offline, their records
    got destroyed, and it cost millions of dollars per company." The $15
    billion in damage caused by cyberattacks last year is derived mostly
    from worms, viruses, denial-of-service attacks, and theft, all of
    which capitalized on the generally lax cybersecurity in the
    private-sector businesses that comprise about 85 percent of the
    Internet. Many vulnerabilities are imported through the use of
    products by private companies, such as Microsoft, that supply
    software. There is no regulatory mechanism to ensure that they meet
    security standards; and as Clarke notes, "there's no legal liability
    if you are the software manufacturer and sell somebody something that
    doesn't work."
    He also pointed out that a typical company devotes one-quarter of 1
    percent of its information technology budget to cybersecurity,
    "slightly less than they spend on coffee." By contrast, the Bush
    administration's FY 2003 budget would spend 8 percent, or 32 times
    higher a proportion. Yet even this considerable outlay doesn't
    guarantee that the government's systems are secure. The same poorly
    written and configured software that plagues private industry also
    hampers government computers--the federal government is, after all,
    Microsoft's largest customer. John Gilligan, the Air Force CIO and one
    of the fiercest advocates of stronger safety standards in government,
    says that 80 percent of successful penetrations of federal computer
    systems can be attributed to software full of bugs, trapdoors, and
    "Easter eggs"--programming errors and quirks inserted into the code
    (see box) that could leave software vulnerable to hackers. What's
    more, as federal agencies move away from proprietary systems toward
    universal software, this becomes a greater problem not just in terms
    of security, but also of cost. "The assessment I make is that we're
    fast approaching the point at which we're spending more money to find,
    patch, and correct vulnerabilities than we paid for the software,"  
    says Gilligan.
    Bad for Business
    The danger of hyping a threat like cyberterrorism is that once the
    exaggeration becomes clear, the public will grow cynical toward
    warnings about real threats. The Chicken Little approach might be
    excusable were the Bush administration hyping cyberterrorism in order
    to build political momentum for dealing with the true problem posed by
    hackers and shoddy software. There is a precedent for this sort of
    thing. In the midst of all the anxiety about the Y2K bug, the federal
    government and the SEC came up with a novel way to ensure that private
    companies were ready: They required businesses to disclose their
    preparations to shareholders, setting goals and letting market forces
    do the rest.
    There were high hopes, then, for the Bush administration's National
    Strategy to Secure Cyberspace--the culmination of a year's effort to
    address the country's post-9/11 cybersecurity problems. Clarke's team
    circulated early drafts that contained what most experts considered to
    be solid measures for shoring up security in government, business, and
    home computers. But the business community got word that the plan
    contained tough (read: potentially costly) prescriptions, and
    petitioned the White House, which gutted them. When a draft of the
    plan was rolled out in mid-September, Bill Conner, president of the
    computer security firm Entrust, told The Washington Post, "It looks as
    though a Ph.D. wrote the government items, but it reads like someone a
    year out of grade school wrote the rest of the plan."
    It's hard to imagine a worse outcome for all involved, even private
    industry. By knuckling under to the business community's
    anti-regulatory impulses, Bush produced a weak plan that ultimately
    leaves the problem of cybersecurity to persist. It proposes no
    regulations, no legislation, and stops well short of even the Y2K
    approach, prompting most security experts to dismiss it out of hand.  
    What it does do instead is continue the stream of officially
    sanctioned scaremongering about cyberattack, much to the delight of
    software companies. IT security remains one of the few bright spots in
    the depressed tech market and thus that important sector of the market
    is perfectly satisfied with the status quo. But as the Nimda virus
    proved, even companies that pay for security software (and oppose
    government standards) don't realize just how poorly it protects them.  
    So in effect, the Bush administration has created the conditions for
    what amounts to war profiteering--frightening businesses into
    investing in security, but refusing to force the changes necessary to
    make software safe and effective.
    The way the Bush White House has exaggerated the likelihood of
    cyberterrorism is familiar to anyone who's followed its style of
    government. This is an administration that will frequently proclaim a
    threat (the Saddam/al Qaeda connection, for instance) in order to
    forward its broader agenda, only to move on nonchalantly when evidence
    proves elusive or nonexistent. But in this case, by moving on, Bush
    leaves unaddressed something that really is a problem--just not one
    that suits the administration's interests. Forced to choose between
    increasing security and pleasing his business base, the president has
    chosen the latter. Hyping a threat that doesn't exist while shrinking
    from one that does is no way to protect the country.
    Spy Hunter 
    There is, for instance, an entire videogame secretly embedded in 
    Microsoft Excel 2000. "Spy Hunter," a shoot-'em-up driving game, in 
    which race cars zoom down a highway, maneuvering around oil slicks and 
    other obstacles, can be opened with a few keystrokes. 
    To find the game: Under File menu, click "Save as Web Page," then 
    "Selection: Sheet" and "Publish." Next, choose "Add Interactivity" and 
    save to an .htm page on your drive. Load the .htm page with Internet 
    Explorer. You should see Excel in the center of the page. Scroll down 
    to row 2000, and tab across so that WC is the active column. Hold down 
    "Shift" and press the space bar to highlight the WC cell. Then 
    simultaneously depress Shift + Ctrl + Alt and click the four-color 
    "Office" logo in the upper-left-hand corner. If you have the original 
    Excel 2000, the game will appear. Use the arrow keys to drive, 
    spacebar to fire, "O" to drop oil slicks, and "H" for your headlights 
    when it gets dark. 
     -- Joshua Green 
    Joshua Green is an editor of The Washington Monthly. 

    This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 02:29:46 PST