Team 1 Sec3

From CyberSecurity
Revision as of 07:11, 24 October 2005 by Yi-Kai (talk | contribs) (Section 3 complete draft)


Estimated feasibility and strategic value of the attack technique to a terrorist organization. Teams should consider, at a minimum, 1) scalability of techniques, 2) feasibility of acquiring the required technical and financial resources, and 3) potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5.

Section 3: Feasibility and strategic value of cyberattacks to a terrorist organization [by Yi-Kai Liu and Pravin Mittal]

In this section we examine cyberattacks from the perspective of a terrorist organization. We consider a broad range of possible attacks, from major assaults on critical infrastructure to minor disruptions of the Internet. We analyze the likely outcomes of such attacks, as well as their feasibility and strategic value to a terrorist organization. Section 3.1 argues that cyberattacks are unlikely to cause serious or widespread damage to critical infrastructure. Section 3.2 gives some estimates of the technical and financial resources needed to carry out different kinds of cyberattacks. In section 3.3 we argue that cyberattacks can be useful to terrorists, if not as a weapon, then as a psychological tool and a means of getting attention. Section 3.4 gives concluding remarks and discusses the future importance of cybersecurity.

3.1: Cyberattacks on critical infrastructure – scalability, and terrorist motivations [by Pravin Mittal]

Before we delve into whether cyberspace can be used as a tool for terrorism, we should try to get a more precise definition of the word “cyberterrorism.” The most widely accepted and unambiguous definition was put forward by Dorothy Denning, a professor of computer science, in her testimony before the House Armed Services Committee in May 2001: “Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.”

A terrorist’s goal is to influence public opinion by causing psychological and physical damage to the target. We should now ask, from the perspective of a military strategist, what threshold of damage from cyber-attacks would help terrorists achieve that goal. Defining the threshold so that a nation will not tolerate even a single day of disruption of some part of the national infrastructure would set too high a standard, when viewed against the larger context in which hundreds of the systems that provide critical infrastructure routinely fail without paralyzing the country or affecting the public psyche. So it is reasonable to conclude, at the strategic military level, that for a terrorist to make a political statement and inflict psychological damage, the scale of a cyber-attack must go beyond routine disruptions.

Now let’s evaluate scenarios of attacks on critical infrastructures to see whether they are scalable enough for terrorists to make a political statement, either by inflicting psychological terror on the masses or by damaging physical infrastructure.

Many analysts (Washington Post) believe a cyber-terrorist could hack into the water supply infrastructure and take control of dams and floodgates to cause widespread loss of life and property. This is not an easy task, given that the United States has 54,064 separate water systems serving an uneven spread of the population. Most of them operate independently and use a diverse set of network technologies, which makes the task harder for terrorists. Also, many of these supplies are routinely disrupted without causing terror or paralysis, because a lot of redundancy is built into these systems. So a terrorist would need to disrupt hundreds of these systems simultaneously, and for a long period of time, for the attack to have any strategic value.

Similarly, the U.S. electrical power grid consists of 3000 electrical power providers, private and public, operated using a variety of different technologies. Effectively undermining them would require a vast group of hackers, and because the grid is a heterogeneous system, the attackers would have to identify a different set of vulnerabilities for each provider, which is a very difficult task. This is supported by congressional testimony by NERC, an industry group, which stated that neither viruses nor denial-of-service attacks had interrupted its members’ service. An independent risk assessment by a task force of the National Security Telecommunications Advisory Committee came to similar conclusions.

Another cyber-threat scenario brought forward by many analysts is hackers taking control of air traffic systems and aircraft. However, aircraft still carry pilots, and we are not at a stage where remote computer systems control individual aircraft in the air. Likewise, the Federal Aviation Administration does not depend solely on computer networks to control air traffic or its communications. Given that it is normal for 15,000-20,000 flights to be delayed or cancelled every month, small intrusions, if they occur, provide no strategic incentive for terrorists.

Although the Internet infrastructure has a few points of failure, Internet protocols based on packet switching allow communications to be rerouted even if some nodes on the network are eliminated. Besides landlines, wireless and satellite communications also provide redundancy in case one of the communication channels is compromised. In July 2002, a simulation of a cyber-attack was sponsored by the U.S. Naval War College. This war game, dubbed “Digital Pearl Harbor,” was carried out by well-known government hackers and security analysts. The hackers failed to crash the Internet; nevertheless, they succeeded in harming some parts of the infrastructure. Officials concluded that such an attack would require vast resources, including $200 million and at least five years of preparation. This is strong evidence that a successful cyber-attack by terrorists on the Internet infrastructure is unlikely.

3.2: Resources needed to execute a cyberattack [by Yi-Kai Liu]

In general, a cyberattack requires substantial technical skills, but only modest financial resources. Technical skills are especially precious because computer security is a rapidly changing field: attacks and defenses are becoming more sophisticated, and a software vulnerability can be discovered, exploited and patched all within a span of one year [1,2]. As a result, attackers must work to “stay current” with new vulnerabilities and defenses. Financial resources, on the other hand, can be quite modest: desktop PCs are becoming commodity products, and high-speed Internet access is fairly common. Human labor (i.e., programming the attack) is probably the most “expensive” component.

The technical skills required to mount a cyberattack vary considerably for different types of attacks. We analyze two main possibilities: large-scale attacks on unprotected home PCs, and specialized attacks on well-defended corporate and government systems.

First, we consider attacks on low-end targets, such as home PCs with well-known vulnerabilities and no defenses. These targets are very common, and will likely remain so for the next several years, because so many users lack the technical skills to secure their machines. Each individual PC is not very valuable, so the emphasis of this attack is on massive scalability using automated attack tools. The usual approach is to spread a worm or Trojan horse, or to assemble a botnet and use it to mount a distributed denial-of-service (DDoS) attack. An example of this is the Code Red worm, which infected more than 250,000 hosts within 9 hours on July 19, 2001 [3]. There are also anecdotal reports of botnets with as many as 50,000 machines [4]. We note that botnets may be especially attractive to a terrorist organization, since they are multipurpose tools that can do anything from DDoS attacks to sending spam [4,5].

The technical requirements of this attack are fairly low, since it makes use of already-known vulnerabilities. Documentation, exploit code and network scanners are all freely available (note that tools such as Nmap are dual-use, having legitimate uses in “red team” penetration testing). More overtly malicious tools, like worms and DoS agents, can be obtained with moderate effort; this may be inferred from the fact that “script kiddies” with limited technical ability have been implicated in releasing worms into the wild, as well as in a significant fraction of DoS attacks [6,7]. We estimate that an attack of this kind could be carried out by 5 moderately skilled programmers in a few weeks. Alternatively, the whole operation might be outsourced to one of the criminal organizations that already build botnets for DDoS attacks and “cyber-extortion” [4]. Judging from the “protection fees” that these organizations demand, we estimate that such a job might cost a few hundred thousand dollars.

Note that, because worm and DDoS attacks have become so routine, a terrorist group would have to mount an exceptionally large attack in order to distinguish itself from criminals and hackers. This certainly poses an additional challenge, but its magnitude is hard to estimate. As an extreme case, experts believe it is possible to design a worm that would spread throughout the Internet within minutes; another possibility is a worm that spreads surreptitiously, eventually infecting 10,000,000 hosts [8]. However, such an attack would require much greater technical skill, and a much deeper understanding of the functioning of the Internet as a whole.

Next, we consider a second major class of attacks, targeting PCs and other systems that have been patched to fix known vulnerabilities and are protected by network defenses. These can be found in corporate and government settings. The emphasis of this attack is on penetrating security in order to disrupt operations or gather information. While the details will vary greatly from one target to another, we can make some general observations.

The technical requirements of this attack are substantial. The attacker may need to identify new vulnerabilities and develop new exploits; moreover, because of countermeasures such as intrusion detection systems, the attack itself will be more complicated. Some information may be available from hackers, but each attack must be tailored to a specific target; thus, insider information is helpful. We estimate that such an attack could be carried out by a team of 5 people, with experience in systems and network programming, over a period of 6 months to one year.

A special case of this attack occurs when the target is an uncommon or one-of-a-kind system, such as a router, a mainframe or an embedded control system (e.g., SCADA). These may be found in critical infrastructure. Often, information about these systems is not publicly available, so the attacker will have to actively investigate, or obtain cooperation from an insider. Developing an attack will likely require technical expertise, creativity and sustained effort. On the other hand, many of these systems were not designed with security in mind, and may have serious (but little-known) vulnerabilities [9]. Moreover, in the case of critical infrastructure, a successful attack can have catastrophic consequences.

References

[1] CERT Coordination Center, “Overview of Attack Trends,” manuscript, 2002. Available at http://www.cert.org/archive/pdf/attack_trends.pdf (accessed 10/21/05).

[2] W.A. Arbaugh, W.L. Fithen and J. McHugh, “Windows of Vulnerability: A Case-Study Analysis,” IEEE Computer Magazine, Dec. 2000.

[3] CERT Advisory CA-2001-23, “Continued Threat of the ‘Code Red’ Worm,” July 26, 2001. Available at http://www.cert.org/advisories/CA-2001-23.html (accessed 10/23/05).

[4] E. Ratliff, “The Zombie Hunters,” The New Yorker, Oct. 10, 2005.

[5] SwatIt, “GT Bot,” web page. Available at http://swatit.org/bots/gtbot.html (accessed 10/22/05).

[6] C. Thompson, “The Virus Underground,” New York Times Magazine, Feb. 8, 2004.

[7] D. Moore, G.M. Voelker and S. Savage, “Inferring Internet Denial-of-Service Activity,” USENIX Security Symposium, 2001.

[8] S. Staniford, V. Paxson and N. Weaver, “How to 0wn the Internet in Your Spare Time,” USENIX Security Symposium, 2002.

[9] D. Matthews, “Hardware Bus Security in Embedded Systems,” The Fifth HOPE (Hackers on Planet Earth), New York City, July 9-11, 2004.

3.3: Using cyberattacks to achieve terrorists’ aims [by Yi-Kai Liu]

Terrorism is violence intended to manipulate a larger audience. Acts of terrorism may cause mass destruction and casualties, but the ultimate goal is to get attention, create fear, influence public opinion, and cause a change in government policy. Cyberattacks enter the picture in two ways: first, as a tool for causing physical harm; and second, as a way of attracting attention and creating psychological effects.

Physical harm: As discussed in section 3.1, we do not think a catastrophic attack on critical infrastructure via the Internet is feasible. However, cyberattacks can augment a physical attack in useful ways (e.g., by disrupting emergency communications and response). Also, denial-of-service attacks can hurt e-commerce retailers, and phishing attacks can lead to identity theft and fraud. In these cases, there is financial damage.

Psychological effects: Many people rely on computers and the Internet in their daily lives, while having only a minimal understanding of computer technology and security. A cyberattack has the potential to create irrational fear among people who simply feel exposed, but do not understand the nature of the threat. Also, because of their novelty, such attacks tend to get extra news coverage (particularly large-scale attacks such as worms). Terrorist groups may see this as a way to get attention, show off their capabilities, and make themselves more credible.

Yet another possibility is that terrorists would use the Internet as a communications medium, like television and radio. The equivalent of an al Qaeda video might be a worm that downloads a terrorist manifesto onto every computer it infects. Terrorists might find this attractive because, unlike traditional media, the Internet lets them communicate directly with their audience.

Overall, we believe that cyberattacks are more useful as psychological tools, and carrying out such an attack would be relatively easy. Cyberattacks are less effective as weapons. They can be used to augment a physical attack, but the resulting advantage may not be worth the extra effort and complexity.

As a final note, we point out that cyberattacks have certain advantages for international terrorist organizations. First, cyberattacks do not require personnel to live and operate in the target country; this is convenient, as al Qaeda’s experiences have shown that learning English and living in the U.S. can be major stumbling blocks. Also, operating from a friendly foreign country shields attackers from law enforcement. Cyberspace is international, so there is no clear governmental authority, and fewer constraints on malicious activities. Lastly, cyberattacks can help meet a terrorist organization’s internal needs. For instance, these attacks can assist with propaganda and recruitment, and they can be self-financing through criminal enterprises such as identity theft and cyber-extortion.

3.4: Conclusions, and the future of cybersecurity [by Pravin Mittal]

If we distill the essence of the first four lectures regarding the goals of terrorism, we conclude that the primary aim of terrorists is to coerce the government or public opinion by inflicting psychological and physical damage on the target. In our report, we clearly distinguish cyber-terrorism from common cyber-crimes, and examine the scale on which these cyber-threats can be launched against critical infrastructure. It is important to view these threats in the context of the routine disruptions that occur commonly. We are of the view that for terrorists to achieve the aforementioned goals, they must go beyond routine disruptions to paralyze or create psychological terror. (James A. Lewis, Center for Strategic and International Studies; Gabriel Weimann, United States Institute of Peace).

From our analysis, it can be concluded that most cyber-attacks have very little chance of causing widespread havoc and achieving their goals. It would also be fair to say that the fears of cyber-terrorism have been exaggerated by mass media, which unfortunately has failed to distinguish between cyber-terrorism and cyber-crimes.

Nevertheless, we cannot deny or ignore the future risks of cyber-terrorism. The dependence of our critical infrastructure on computer networks is not static; it is becoming more intertwined with and dependent on them every day. Also, there seems to be momentum for adopting more standardized versions of network protocols, as this provides a greater cost advantage than maintaining proprietary standards and protocols. Finally, several states, including the U.S. and China, are now developing information warfare capabilities. All these factors may make future cyber-threats more viable than they are now. It is essential that we put enough resources into research efforts that will make Internet protocols and network infrastructure more secure and resilient to future cyber-attacks.

Also, many scholars (Verton) have argued that al Qaeda has shown a great penchant for acquiring modern technology. Bin Laden, in an interview published in an Arabic newspaper, claims to have the support of “hundreds of Muslim scientists were with him who would use their knowledge…ranging from computers to electronics.” Frank Cilluffo, Department of Homeland Security, in a widely quoted remark states that, “While Bin-Laden may have his finger on the trigger, his grandchildren may have their fingers on a computer mouse.”

It would be fair to say that threats of cyber-terrorism are, at best, exaggerated and manipulated in our current times, and unfortunately the mass media has done a great disservice in this regard. But it would be unwise to ignore the perils of cyber-terrorism that the future holds as our society becomes more dependent on computer networks.