Terrorism is not a new phenomenon but has gained special prominence recently.
What is surprising is that the threat to the Internet as an economic infrastructure has not yet dawned on the business community. Ever since IT was first used in warfare, defense experts have taken a special interest, as part of intelligence and counter-intelligence, in the activity of foreign powers and potential cyberterrorists over all communication channels, and their expertise also enables them to understand the nature of the threats to the Internet as the backbone of the national and international economy.
One expert, Paul Strassmann, is an associate of the Butler Group. He has served as an expert member of a number of U.S. military commissions concerned with information warfare and has studied this field for at least ten years. The knowledge of these military experts is now relevant to the non-defense world as well, and it needs to be translated into practical measures for the rest of us, as we discuss below.
We have come to rely on the Internet for commerce as well as ordinary modern life; in fact we rely on it as much as on the telephone. During different crises in recent years the Internet has often been the communication channel of choice - after the attack in Manhattan on 11th September, mobile phones and even land-line phones became saturated or impossible to operate. Short messages (SMS) and the web were the most reliable media for communities and individuals.
Communication in most commercial activities is now conducted almost exclusively over the Internet, with a decreasing use of telephone, fax and land mail. E-commerce is growing as a proportion of overall commercial transactions and probably represents around 5 percent of the total exchanges in value, a remarkable figure for an innovation that is only about four years old. Because of the strong interdependence of the various economic processes, crippling the Internet would instantly paralyze the whole global economy.
Even if the Internet is out of action for a few hours, the consequences will be felt for a long time afterwards. Some well-publicized outages in high profile web sites, like Yahoo, Amazon, CNN, Buy.com and eBay, or the Stock Exchange in 2000, showed that the indirect effects in terms of longer-term loss of custom or stock market value far exceed the already considerable direct loss of trade. And many non-commercial activities are moving onto the Internet, some life-critical, such as remote medical diagnostics and treatment.
Because the Internet is an ideal replacement for communication in time of crisis, an attack on the Internet would be most effective if coordinated with a natural or man-made crisis - another major terrorist attack for example.
What would be the most effective method of attack? Viruses can spread in a spectacularly short time: 24 to 36 hours round the globe. This costs a lot of effort and money to neutralize and is a kind of pollution that we could do without. But viruses are not fast enough for the kind of blitzkrieg that would be intended by malevolent global terrorists. The most effective way to temporarily disable the Internet would be through a massive distributed denial-of-service (DDoS) attack that would cripple a significant proportion of the routers. The Internet was designed by ARPA engineers to be resilient to nuclear attacks on mainland America but not to the more subtle but pervasive threat of a software-borne device.
This is not warmongering but facing a stark, real possibility, especially as we can do something about it. Our responsibility as IT professionals is both passive and active. Our passive responsibility is in terms of the risk of becoming an unsuspecting collaborator with the terrorists, and our active responsibility is to take the appropriate measures for defense.
The mechanism of DDoS is well known: the 'spore' of the contamination - to borrow from the field of bioterrorism - is a special form of software virus called a zombie. The zombie is received like other viruses through email attachments or other downloaded executable files. It installs itself at a discreet location in the computer where it can access the Internet communication ports, sending periodic reports of its existence to the originator of the virus, the 'Master'. Millions of copies of the zombie can thus be disseminated to millions of unsuspecting user systems over a period of time.
At a date chosen by the Master, the zombies receive almost simultaneously the order to flood a particular web address with meaningless but constant messages. This will create a congestion of part of the network that could trigger a cascade of failures throughout the entire network. It is not necessary that all zombies are online at the same time; only a fraction need to be activated to trigger a successful disruption. With the growing popularity of 'always on' technologies, there is more and more opportunity for both contamination and DDoS attacks. A variation of this scenario would be to exploit the known vulnerabilities of the Microsoft Internet Information Server (IIS), which is used in some 40 percent of Internet servers.
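The periodic reports that a zombie sends to its Master, as described above, leave a pattern that a network operator can look for in outbound connection logs: the same internal host contacting the same destination at near-constant intervals. The following is an added example, not part of the original article; the log records are constructed, and the field layout, function name and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def _constructed_log():
    """Constructed sample: (unix_time, internal_host, destination) records."""
    log = []
    # 10.0.0.7 contacts one destination every ~600 s with a few seconds of jitter.
    for i, jitter in enumerate([0, 3, -2, 1, 4, -3, 2, 0]):
        log.append((1000 + i * 600 + jitter, "10.0.0.7", "203.0.113.50:6667"))
    # 10.0.0.9 shows irregular, human-driven web traffic.
    for t in [1010, 1040, 1900, 2000, 4100, 4130, 5200, 5900]:
        log.append((t, "10.0.0.9", "198.51.100.20:80"))
    # 10.0.0.12 has too few connections to judge either way.
    for t in [1500, 2100, 2700]:
        log.append((t, "10.0.0.12", "203.0.113.50:6667"))
    return sorted(log)

SAMPLE_LOG = _constructed_log()

def find_beacons(log, min_events=6, max_cv=0.1, min_period=60):
    """Return {(host, dest): mean_interval_seconds} for regular contact pairs.

    A pair is reported when it has at least min_events connections, the mean
    gap between them is at least min_period seconds, and the coefficient of
    variation of the gaps (stddev / mean) does not exceed max_cv.
    All three thresholds are assumed values and need tuning per network.
    """
    times = defaultdict(list)
    for ts, host, dest in log:
        times[(host, dest)].append(ts)

    suspects = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # not enough evidence for a timing pattern
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue  # rapid bursts are ordinary traffic, not periodic reports
        if pstdev(gaps) / avg <= max_cv:
            suspects[pair] = round(avg)
    return suspects

if __name__ == "__main__":
    for (host, dest), period in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dest}: regular contact every ~{period}s")
```

Regular contact is only a lead for investigation: legitimate software such as update checkers and time synchronization also connects on a schedule, so flagged pairs need to be compared against known-good destinations.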
The core of the strategy of DDoS attacks relies on the failure of innocent bystanders to prevent the infection of their own system - and the implications of this new state of affairs are vast. This has consequences for both individual users of the web and IT professionals.
Every ordinary, individual user needs to understand what is happening. Surfing the Net may have dangerous consequences if the appropriate protections are not in place: individual firewalls and up-to-date anti-virus software. For systems managers, service providers, CIOs and IT directors, the implication could (will) be more prescriptive, in the shape of a new legal framework. It is likely that an operator's license for operating connected computer systems will be required, regulating the use of the information and communication infrastructure. The process of implementing the necessary legislation and regulatory controls is likely to be swift and businesses must be prepared to act. In fact new legislation is being drafted by the U.S. Senate in that direction and the E.C. is likely to follow suit.
What is that legislation likely to do? The following are likely:
CIOs would become agents acting on behalf of national cybersecurity interests in safeguarding servers, workstations and networks under their control. Their infosecurity responsibilities would become subject to regulation, similar to that of a CFO who can be jailed if malpractices can be proved in their custody of financial accounts. Ensuring that adequate security measures have been taken to protect the systems in the CIOs' care will then not only be a question of good commercial practice but also of legal accountability.
Suppliers of IT equipment and Internet software would become liable if they do not update known security flaws in their products that have previously been vulnerable to cyberattacks. In this respect, the punitive damages could be comparable to what has been imposed on firms producing tobacco products or defective pharmaceuticals.
Software engineers and network operators could need a license to practice their trade in the same way as existing regulations impose strict training, qualification verification and regulatory compliance testing on operators of equipment such as lorries, airplanes, x-rays and handlers of radioactive substances.
In conclusion, I recommend that computer and network executives anticipate major changes in their responsibilities with regard to information security that could be enforced by new legislative measures. Executives should also start making contingency plans to protect their systems in case of significant interruption in Internet services. Boards of directors will be seeking assurances that business operations are able to continue without damage if Internet services are seriously degraded. As in the case of the much-anticipated Y2K problem, preparation and planning may be all that's necessary to prevent a mere possibility becoming a predictable disaster.
Dr Jacques Halé is research director with the Butler Group (www.butlergroup.com), a firm of IT industry analysts based in the U.K.