In 1984 William Gibson’s epoch-making novel Neuromancer introduced the world to the term cyberpunk (although many would argue that the term was actually coined by science fiction writer Bruce Bethke and/or editor Gardner Dozois).
Since then the word cyber seems to have taken on the meaning of anything relating to the virtual world or computer processing. We have cyber cafes, cybercrimes, cybersecurity, cybercriminals, cybercops, cyberforensics and now even cyberterrorism.
Because we preface all of these common terms with the word ‘cyber,’ the average person seems to think that there is something obscure, mysterious and highly technical about cyber entities. For this reason folks seem to think that there is nothing they can do about cyber terrorism as it is a highly technical area that is beyond their experience or expertise. Nothing could be further from the truth.
Ten years ago when I graduated from the Air Force Office of Special Investigations Protective Services Operations and Antiterrorism Course, antiterrorism was defined as defensive measures used to reduce the vulnerability of personnel, facilities and equipment to terrorist acts. Now, in 2002, the only thing that has changed is the addition of the ill-defined term ‘cyber’ in front of terrorism. If you care to use the term cyber antiterrorism in place of traditional antiterrorism, the only things that change are the terrorist methods used to attack your personnel, facilities and equipment. The actual terrorist threat remains unchanged. Therefore, it is no more difficult for the average citizen to protect against cyber terrorism than it is to protect against traditional terrorism.
Just as the longbow revolutionized traditional warfare, the computer has revolutionized terrorism. Moreover, just as the armies of the day changed their tactics to counter the longbow, we, as a society, must now change our tactics to counter technology-enabled terrorism. We must avoid being misled by the journalistic sound bite “cyber terrorism” and recognize that the threat we face is not new. We must realize that the terrorist threat to civilized society is as old as recorded history and technology is just its most recent tool.
In traditional antiterrorism we concentrate on awareness training, vulnerability surveys, protective measures and contingency planning. The concentrations are no different in combating technology-enabled terrorism; the methods implemented are. In traditional antiterrorism we educate employees and security personnel to be aware of their surroundings, alternate their routes of travel and protect their personal information and itineraries.
In technology-enabled antiterrorism we need to educate employees and security personnel to be aware of their network environment, to secure the routes traveled by their data and to secure the data itself. In place of travel route maps identifying potential ambush points we need network maps identifying unauthorized connections and bogus users. In place of police escorts we need intrusion detection systems. In place of armored limousines for our critical leaders we need encryption for our critical data. However, there is much more to combating technology-enabled terrorism than simply the protection of data.
In the world of the 21st century the convergence of the virtual and physical worlds has given the technology-enabled terrorist the ability to carry out many aspects of a physical attack by remote control using technology. In 1997, a red team, put together by the intelligence community and pretending to be from North Korea, managed to shut down large segments of America’s power grid and silence the command and control system of the Pacific command in Honolulu. The team consisted of only 35 men and women using hacking tools freely available on Internet web sites. Today technology-enabled terrorists using freely available tools can overload telephone lines; disrupt the operations of air traffic control, shipping and railroad computers; attack the computers controlling major financial institutions, hospitals and other emergency services; alter by remote control formulas for medication at pharmaceutical plants; change the pressure in gas pipelines to cause a valve failure or sabotage the New York Stock Exchange. (For more details of these examples, see Lanz, S. (Ed.) (1998). Cybercrime…Cyberterrorism…Cyber Warfare: Averting an Electronic Waterloo. Center for Strategic and International Studies, Washington, DC.)
Moreover, the technology-enabled terrorist can also exploit unprotected networks such as those controlling traffic signals; toll booths; bridges; heating, air-conditioning and ventilation (HVAC) systems; shipping and receiving systems; radio repeaters and cell phone towers as well as hundreds of other targets. Although it would be difficult (but not impossible) to conduct a terrorist attack using nothing more than technology, it is quite simple to use technology to enhance a physical terrorist attack. Since this is an openly published article I will not go into greater detail concerning how the technology-enabled terrorist can assist the traditional terrorist but only offer that the potential is significant.
In all of this the important point is to realize that cyber terrorism (more correctly referred to as technology-enabled terrorism) is not a mystical endeavor best left to technical security experts. Technology-enabled terrorism is a threat that should be addressed by every member of an organization or corporation. Notice that I said every member – not just managers and senior staff.
It is also critical to note that technology-enabled terrorism is not about technology alone – physical access and traditional security also have their parts to play. In my experience lack of pervasive organizational communication regarding the threat is where both our cyber and traditional defenses fail. Most corporate managers are familiar with the basic technological and physical security threats but they fail to propagate that knowledge to the lowest level.
Think about it. Who are the people who know what is actually happening in an organization? Who would actually see a questionable package, an illegal modem, a tampered lock or a suspicious insider? The janitor, the mail-room clerk, the motor pool dispatcher, the HVAC repair technician, the LAN helpdesk employee, etc. These people are the true eyes and ears of both traditional and cyber security; they are also the folks we almost always forget to train and educate concerning the threat. If you are a senior manager, CIO or chief of security, take the time once a week and talk to one of these folks one-on-one. Show them that you trust them with the protection of your enterprise and teach them what to look for.
Dave Lang is an adjunct professor at the George Washington University and a technical manager for Veridian (www.veridian.com).