Team 1 Sec3.1


[FINAL DRAFT -PRAVIN; Added references]

Before we examine whether cyberspace can be used as a tool for terrorism, we should settle on a more precise definition of the word “cyberterrorism”. The most widely accepted and unambiguous definition was put forward by Dorothy Denning, a professor of Computer Science, on the subject before the House Armed Services Committee in May 2001. It states: “Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.” [1]


A terrorist's goal is to influence public opinion by inflicting psychological and physical damage on the target. We should therefore take the perspective of a military strategist and ask what threshold of damage from cyber-attacks would help terrorists achieve those goals. If we assume that a nation will not tolerate a single day of disruption to some part of its national infrastructure, we would be setting too high a bar, given the larger context in which hundreds of systems that provide critical infrastructure routinely fail without paralyzing the public or affecting its psyche [2]. It is therefore reasonable to conclude, at a strategic military level, that for terrorists to make a political statement and inflict psychological damage, the scale of cyber-attacks must go beyond routine disruptions. Let us now evaluate attack scenarios against critical infrastructure to see whether they are scalable enough for terrorists to make a political statement by inflicting psychological terror on the masses or damaging physical infrastructure.

Many analysts [3] believe cyber-terrorists may hack into water supply infrastructure and take control of dams and floodgates to cause widespread havoc to life and property. This is not an easy task, given that the United States has 54,064 separate water systems serving an unevenly spread population [4]. Most of them operate independently and use a diverse set of network technologies, which makes the task harder for terrorists. Also, many of these supplies are routinely disrupted without causing terror or paralysis, because a lot of redundancy is built into these systems [5]. Terrorists would therefore need to disrupt hundreds of them simultaneously, and for a longer period of time, for the attack to be of any strategic value.

Similarly, the U.S. electrical power grid consists of 3000 electrical power providers, private and public, which use a variety of different technologies to operate. Effectively undermining them would require a vast group of hackers to identify many different vulnerabilities, because the grid is a heterogeneous system; this is a very difficult task. This is supported by congressional testimony from NERC [6], an industry group, which stated that neither viruses nor denial-of-service attacks interrupted their service. An independent risk assessment by a task force of the National Security Telecommunications Advisory Committee came to similar conclusions [7]. Another cyber-threat scenario that has been brought forward by many analysts [8] is hackers taking control of air traffic systems and aircraft. However, aircraft still carry pilots, and we are not at a stage where remote computer systems control individual aircraft in the air. Moreover, the Federal Aviation Authority does not depend solely on computer networks to control air traffic or its communications. Given that it is normal for 15000-20000 flights to be delayed or cancelled every month, small intrusions, if they occur, will provide no strategic incentive for terrorists.

Although the Internet infrastructure has a few points of failure, Internet protocols like packet switching allow communications to be rerouted even if some nodes on the network are eliminated. Besides, landline, wireless and satellite communications also provide redundancy in case one of the communication channels is compromised. In July 2002, the U.S. Naval War College sponsored a simulation of a cyber-attack. This war game, dubbed “Digital Pearl Harbor”, was carried out by well-known government hackers and security analysts. The hackers failed to crash the Internet; nevertheless, they succeeded in causing harm to some parts of the infrastructure. Officials concluded that such an attack would require vast resources, including $200 million, and at least five years of preparation. This is considerable evidence that successful cyber-attacks by terrorists on Internet infrastructure are of limited likelihood.

Notes:

[1] Gabriel Weimann, “Cyberterrorism: How real is the threat?,” United States Institute of Peace, December, 2004

[2] James A. Lewis, “Assessing the Risks of Cyber Terrorism, Cyber War and Other Threats,” Center of Strategic and International Studies, December, 2002

[3] Barton Gellman, “Cyber attacks by al Qaeda feared: Experts: Terrorists at threshold of using Web as deadly tool,” The Washington Post, June 27, 2002

[4] Guy DeNileon, “The Who, What Why and How of Counter-terrorism Issues,” American Water Works Association Journal, May 2001, Volume 93, No. 5, pp. 78–85

[5] Scott Berinato, “Debunking the Threat to Water Utilities,” CIO Magazine, March 15, 2002, http://www.cio.com/archive/031502/truth_sidebar2.html

[6] Testimony of Michehl R. Gent Before the Senate Government Affairs Committee, May 8, 2002, ftp://www.nerc.com/pub/sys/all_updl/docs/testimony/mrg-testimony-SenateGovernmentalAffairs-5-08-02-(final).pdf

[7] Information Assurance Task Force of the National Security Telecommunications Advisory Committee http://www.aci.net/kalliste/electric.htm

[8] Larissa Paul, “When Cyber Hacktivism Meets Cyberterrorism,” SANS Institute, February 19, 2001 “Examples of cyber terrorist actions can include hacking into an air traffic control system that results in planes colliding…”

[FINAL DRAFT]


Below is the SECOND draft for review, after incorporating some changes due to feedback from Yi-kai. Please let me know your feedback:

3.1 Scalability and Strategic incentives of Cyberterrorism

Before we examine whether cyberspace can be used as a tool for terrorism, we should settle on a more precise definition of the word “cyberterrorism”. The most widely accepted and unambiguous definition was put forward by Dorothy Denning, a professor of Computer Science, on the subject before the House Armed Services Committee in May 2001. It states: “Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.”


A terrorist's goal is to influence public opinion by inflicting psychological and physical damage on the target. We should therefore take the perspective of a military strategist and ask what threshold of damage from cyber-attacks would help terrorists achieve those goals. If we assume that a nation will not tolerate a single day of disruption to some part of its national infrastructure, we would be setting too high a bar, given the larger context in which hundreds of systems that provide critical infrastructure routinely fail without paralyzing the public or affecting its psyche. It is therefore reasonable to conclude, at a strategic military level, that for terrorists to make a political statement and inflict psychological damage, the scale of cyber-attacks must go beyond routine disruptions.

Let us now evaluate attack scenarios against critical infrastructure to see whether they are scalable enough for terrorists to make a political statement by inflicting psychological terror on the masses or damaging physical infrastructure.

Many analysts (Washington Post) believe cyber-terrorists may hack into water supply infrastructure and take control of dams and floodgates to cause widespread havoc to life and property. This is not an easy task, given that the United States has 54,064 separate water systems serving an unevenly spread population. Most of them operate independently and use a diverse set of network technologies, which makes the task harder for terrorists. Also, many of these supplies are routinely disrupted without causing terror or paralysis, because a lot of redundancy is built into these systems. Terrorists would therefore need to disrupt hundreds of them simultaneously, and for a longer period of time, for the attack to be of any strategic value.

Similarly, the U.S. electrical power grid consists of 3000 electrical power providers, private and public, which use a variety of different technologies to operate. Effectively undermining them would require a vast group of hackers to identify many different vulnerabilities, because the grid is a heterogeneous system; this is a very difficult task. This is supported by congressional testimony from NERC, an industry group, which stated that neither viruses nor denial-of-service attacks interrupted their service. An independent risk assessment by a task force of the National Security Telecommunications Advisory Committee came to similar conclusions.

Another cyber-threat scenario that has been brought forward by many analysts is hackers taking control of air traffic systems and aircraft. However, aircraft still carry pilots, and we are not at a stage where remote computer systems control individual aircraft in the air. Moreover, the Federal Aviation Authority does not depend solely on computer networks to control air traffic or its communications. Given that it is normal for 15000-20000 flights to be delayed or cancelled every month, small intrusions, if they occur, will provide no strategic incentive for terrorists.

Although the Internet infrastructure has a few points of failure, Internet protocols like packet switching allow communications to be rerouted even if some nodes on the network are eliminated. Besides, landline, wireless and satellite communications also provide redundancy in case one of the communication channels is compromised. In July 2002, the U.S. Naval War College sponsored a simulation of a cyber-attack. This war game, dubbed “Digital Pearl Harbor”, was carried out by well-known government hackers and security analysts. The hackers failed to crash the Internet; nevertheless, they succeeded in causing harm to some parts of the infrastructure. Officials concluded that such an attack would require vast resources, including $200 million, and at least five years of preparation. This is considerable evidence that successful cyber-attacks by terrorists on Internet infrastructure are of limited likelihood.



Comment: I agree that cyberterrorism must go beyond routine disruption of services, but I don't think it has to cause long-term damage to national infrastructure. The motivation for terrorism is different from the motivation for war -- terrorists want to influence people's behavior, which is not the same as destroying a country's physical infrastructure. For instance, a terrorist would consider attacking a public transit system, even though that is not a good military target. --Yi-Kai

[PRAVIN] Good point. I have made the relevant changes; let me know if I need to make further changes. [PRAVIN]


We have four sections, so each gets a little less than two pages. I am targeting each subsection to be 2/3 pages, give or take a few lines here and there.

3. Estimated feasibility and strategic value of the attack technique to a terrorist organization:

3.1 Scalability and Strategic incentives of Cyberterrorism

Below is the outline for what I am working on. But it has been in constant flux, so the final thing may appear a little different.

  • Define Cyberterrorism in a way which distinguishes hacking from Cyberterrorism (more precise definition accepted in academic circles)
  • Scalability of attacks, if possible, and whether it is strategic from the terrorist's perspective
   a) national infrastructure (water, electricity, dams etc.)
   b) economic/financial institutions
   c) psychologically terrorize the nation

[I am going from the perspective of "warfare" as defined by the military, which will cause long-term harm to national interest rather than annoyance which does not have much significance over time. For example, if hackers hack into the Amazon.com webpage, users may go to the website of another bookseller or may delay buying the book, but ultimately do buy it. The attack was able to create inconvenience to users, but in the long term the damage to GDP output, infrastructure or psychology was nothing. Contrast it with the situation if someone hacks into the stock exchange and is able to carry out fictitious transactions of billions of dollars, which scares off investors, dents the confidence in financial markets and crashes stock markets. But again, is it possible to do in a scalable fashion?]