In the aftermath of the September 11 terrorist events in the United States, the fear that malevolent hackers and other criminal perpetrators might unleash a cyberattack on the Internet is becoming an increasing concern.
Because terrorists choose the path of least resistance, an attack using computers and code rather than guns and bombs just might be an enticing alternative, as security professionals are fixated on preventing physical assaults. Simply put, cyberterrorism (also known as information warfare) is the use of computers, or other electronic means, to degrade, disrupt, corrupt or destroy data and/or networks in a way that causes havoc, jeopardizes safety, and creates fear among direct and indirect victims. Damage can be done to computer hardware, software and data.
Businesses, governments and individuals who depend on the Internet for their daily professional and personal lives are all potential victims of cyberterrorism. The arsenal of a cyberterrorist is broad and may include computer viruses, trojan horses, packet sniffers and password crackers, among others. Destroying the physical components which process data, such as computer hard drives, routers, communications cables, and fiber optics, is also cyberterrorism, insofar as their destruction precludes the safe and reliable exchange of information within or among networks.
Leveraging a successful cyberoffensive against any major target that does not maintain effective computer security protocols may not be as hard as perceived. In all likelihood, the damage inflicted will not be life threatening. Rather, the damage will be limited to stealing or corrupting data, either to use it for another purpose or to destroy it in a way that harms the target. But cyberterror can indirectly spur physical violence as well. Consider this: an operator at a water treatment facility presses a button to add a certain measured amount of chemicals to untreated water. Instead of doing so, the computer dumps twice the amount of chemicals, an amount far above the maximum safety zone. The resulting excess leaves poisonous toxins in the water, and when it is distributed to individual homes, entire communities fall ill. Investigators and the public are left asking “How did this occur?” The answer: a piece of malicious software known as a trojan horse.
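As an added defensive illustration (not part of the article), the following Python models a dosing interlock for the water-treatment scenario just described: the controlling computer's command is treated as untrusted input, a ceiling configured outside that computer caps what is actually released, and any command that departs from the expected setpoint raises an alarm instead of passing silently. All dose values and limits are constructed for the example.

```python
# Added example: safety interlock for a chemical doser. The idea is that a
# compromised control computer (the article's trojan horse) can command any
# dose it likes, but a bound enforced independently of that computer limits
# the physical effect and makes the anomaly visible. Values are constructed.
import math
from dataclasses import dataclass, field


@dataclass
class DoserInterlock:
    max_safe_dose_mg: float           # hard ceiling, set at commissioning
    expected_dose_mg: float           # normal setpoint the operator requests
    tolerance: float = 0.10           # fractional deviation allowed before alarming
    alarms: list = field(default_factory=list)

    def authorize(self, commanded_mg: float) -> float:
        """Return the dose actually released for a commanded dose.

        Invalid commands (negative or NaN) release nothing. Valid commands are
        clamped to the ceiling, and any command outside the tolerance band
        around the expected setpoint is logged so a doubled dose is noticed.
        """
        if not isinstance(commanded_mg, (int, float)) or math.isnan(commanded_mg) or commanded_mg < 0:
            self.alarms.append(f"rejected invalid command {commanded_mg!r}")
            return 0.0
        released = min(float(commanded_mg), self.max_safe_dose_mg)
        if abs(commanded_mg - self.expected_dose_mg) > self.tolerance * self.expected_dose_mg:
            self.alarms.append(
                f"anomalous command {commanded_mg} mg "
                f"(expected {self.expected_dose_mg} mg, released {released} mg)"
            )
        return released


def run_scenario() -> tuple:
    """Replay the article's scenario: a normal dose, then a doubled command."""
    interlock = DoserInterlock(max_safe_dose_mg=12.0, expected_dose_mg=10.0)
    normal = interlock.authorize(10.0)      # operator's intended dose
    doubled = interlock.authorize(20.0)     # what the compromised computer sends
    return normal, doubled, list(interlock.alarms)


if __name__ == "__main__":
    normal, doubled, alarms = run_scenario()
    print(f"normal command released {normal} mg, doubled command released {doubled} mg")
    for line in alarms:
        print("ALARM:", line)
```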
Reflecting its legendary namesake, a trojan horse performs some unwanted and unanticipated action. Unlike other information warfare weapons, trojan horses are covert actors, making them particularly dangerous. They remain dormant within a network or system and are only activated by a certain action, time, or event. In this sense, a trojan horse can make a terrorist assault more virulent because of synchronization: at the very moment a trojan horse assails the critical computerized systems of our water treatment plant from the inside, an assailant terrorist begins a “traditional” physical attack on the outside.
Cyberattacks, whether using trojan horses or the other information warfare weapons, may be perpetrated by insiders – individuals who are authorized to work in, near, or around control rooms and the networks which are run from them. This would, of course, necessitate a terrorist gaining legitimate access to highly secure areas under false pretences and passing the necessary background and security investigations to boot.
Similarly, insiders could include those with ‘part-time’ access, such as contract workers. This allows the culprit to have authorized access without the daily stage performance. Once again, though, a regular contract worker who is subject to intensive background screening and periodic rescreening does not pose a significant threat with regard to cyberterrorism.
What cyberterrorists like about their ability to wreak havoc is that they can operate from afar at a remote location, undetectable by authorities. Attacking computer networks, unlike a physical attack, doesn’t have to be a suicidal mission. And there are no messy getaway plans either. Third-party terminals are probably the easiest to tap into and offer a very inexpensive way to assail a target.
No network other than an intranet exists as a standalone. Any connectivity between users at a distance is vulnerable. Distant users of your communication network include suppliers, distributors and contract workers. Each of these points in your network represents a target of opportunity and a point of vulnerability to the would-be cyberterrorist. The serious nature of this threat results not from the initial attack against a ‘tangential’ system but from the cascading effect: destroying a single computer system might cause other systems to fail. As a result of computer interconnectivity and interdependence, one network crash is multiplied. In turn, it is then possible that an assault against ‘tangential’ networks would allow information warriors to assail the most critical safety and control systems.
Businesses, governments and individuals also depend heavily on public networks that we take for granted in our daily lives. For instance, if a cyberterrorist shuts down all telephone and radio communications in your community, you might not be able to contact emergency personnel like police and fire fighters. Sensitive targets are then helpless and isolated, at least for the immediate term. A denial-of-service attack could be carried out by flooding computer servers with so much data at one time that they cease operation. Or perhaps a sophisticated computer virus could disable crucial networks beyond quick repair.
With so many types of threats, how can we fend off cyberterrorists? First, a quality risk assessment is a must. The key questions about vulnerability are who, what, where, why and how. Can attacks be multiplied by an assailant? Managers cannot dismiss extreme scenarios as Hollywood make-believe. As the aforementioned examples show, vigilance by all members of the network is essential. Only then can preventive measures begin. While there is no single solution or panacea that will eliminate the potential of a cyberterrorist attack, there are concrete steps that can and should be taken.
Install firewalls to prevent unauthorized access. Firewalls are network ‘gatekeepers’ which keep malicious data out and sensitive data in. Any network connected to the outside, including those connected to authorized third parties, must have firewall protection. However, because firewalls are not impenetrable, firewalls should be redundant (the presence of multiple firewalls protecting the same network). More importantly, the firewall must be updated to reflect changes in technology and/or threat scenarios.
Firewalls are only one part of a larger cybersecurity solution. Firewalls must work in concert with other anti-cyberterrorism measures. These include virus detection programs (similar to those installed on a home computer), encryption programs to guard the most sensitive networks, and system monitors to detect network inconsistencies and abnormalities.
Also, consider system design. Update aging systems and replace obsolete software that is more prone to attacks than today’s more advanced programs. Designing a network to be ‘intranet only,’ for instance, is a good place to start. An intranet is an electronic data and communications network that is closed off; it is completely internal and has no outside connectivity. Consider also that a virtual private network (VPN) can securely and effectively connect geographically distinct locations over existing networks. In this way, costs are minimized, as end-to-end encryption is ensured without the need to build a private network of secure lines.
Redundancy is also essential. Having several identical systems provides continuity of operations should one fail. Backing up data, preferably to an off-site server, will ensure that information which is permanently corrupted can be retrieved in its original form. And a systems ‘override command’ to shut down the entire system – or parts of it – to prevent a virus or system failure from spreading and causing further damage, would be prudent.
While the issues of cyberterrorism should be a concern, physical attacks are still the driving concern, at least for now. Arguably, anti-American foreign terrorists do not yet possess the means or technological ability to perpetrate a sophisticated and well-planned cyberassault that could equal the destructive capability of a bomb. But this in no way implies that they will never possess such means or are not working on ways to improve their capabilities as you read this. It is a mistake to underestimate a terrorist’s ability to embrace high technology.
Preserving the sanctity and security of the Internet and related networks through safeguarding data has never been more important. In the National Plan for Information Systems Protection released by the White House in 2000, former U.S. President Bill Clinton himself even stated: “We know that the threat is real. Where once our opponents relied exclusively on bombs and bullets, hostile powers and terrorists can now turn a laptop computer into a potent weapon capable of doing enormous damage.”
Jason B. Lee is chief investment officer of Lee & Co., an independent investment banking and private equity consulting firm based in Washington, DC. Lee specializes in two very unrelated areas of financial management: investment analysis and information security protection.