Digital attacks often mirror attacks in the real world. Illena Armstrong asks if they are inevitable and how to respond.
Cyberterrorist attacks are inescapable, with many experts contending that the inevitability of such assaults comes down to a question of when. But other infosec specialists warn that despite the likelihood of cyber warfare incidents occurring, too much hype about their certainty could lead corporate executives to dismiss the threats altogether.
Already cyberterrorist attacks have happened, but obviously nothing on the scale of some catastrophic 'digital Pearl Harbor.' In fact, while the idea of an internet-disabling attack ever coming to pass is greeted with skepticism by various infosec professionals, the reality of smaller scale terrorist incidents taking place in both the physical and cyber realms at the same time is received with knowing nods.
Ron Moritz, senior vice president of eTrust Security Solutions for Computer Associates, says that cyberterrorism is already a reality. Persistent conflict in the Middle East has prompted Israelis and Palestinians to wage a continual electronic war against each other. Other denial-of-service attacks have occurred at times of international attention as well, he says.
As another example, London security firm mi2g recently noted an increase in pro-Islamic groups uniting against America, the U.K., Australia, India and Israel. A spokesperson for mi2g's intelligence unit says that many hack attacks often mirror events occurring in the real world. "In this year, as tensions grew over political issues, such as the U.S./U.K. policy on Iraq, the Israel-Palestine conflict and the India-Pakistan stand-off over Kashmir, corresponding digital attacks were seen to occur in cyberspace."
The reality of digital warfare
With the advances that have been made in IT, digital warfare is simply too logical to dismiss, contends Dr. Bill Hancock, chief security officer with Cable and Wireless (C & W). Significant examples of organizations and nation states using the internet to disrupt, discredit or harass perceived enemies have occurred, he says, recalling instances of hacker organizations in China and Brazil defacing American web sites.
"Cyberterrorism is an extension of terrorism and terrorism itself does not lend itself to just one medium," he says. "Using cyberspace as a method to enhance an attack would be a logical thing to do."
As such, company executives and those responsible for critical infrastructure believe that sleeper units versed in cyberattacks are already in place in the U.S. and other countries, much like terrorists expert in physical attacks, says Bert Turner, senior vice president of sales and marketing for SilentRunner. Whoever launches such attacks using whatever means at their disposal will have the goal in mind to instill fear and cause confusion among organizations and the general population, he adds. Because many of the companies that could likely fall victim to such attacks are global and have offices in some countries where terrorists find refuge, such attacks are not reserved solely for the U.S., Britain or other allied nations, he says.
There are "infinite types of [cyber terrorist] scenarios ... ranging from slow degradation of important but non-critical systems to wholesale broad attacks on critical infrastructure systems and anything in between," says Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College. But, putting so much focus on possible cyberterrorist attacks is a mistake and could be perceived by some corporate executives as "fear-mongering."
"It misses the central point that all of our information systems are vulnerable - to varying degrees, but vulnerable. So we are susceptible to numerous sorts of attacks from a wide variety of sources," he says. "If you talk about cyberterrorism people can rightly say, 'What are you talking about? We haven't seen a cyberattack by terrorists.' Terrorists are just one example of a broad spectrum of threats, ranging from teenagers through organized crime groups, through hacktivist groups up to and including foreign nation states engaged in espionage or warfare."
As for terrorist attacks launched using the internet, mi2g's intelligence unit notes that the biggest threat still remains the blended attack. "Digital attacks that cripple emergency response, transport or telecommunications with some insider help, could be employed by terrorists in conjunction with physical attacks to magnify the effects of their intended disruption and damage."
Although Vatis, like many of his peers, expects that terrorists will use the cyberworld as one of many modes of attack, he adds that there are a lot of other cybercriminals to worry about when organizations attempt to protect their infrastructures.
To secure informational assets from cybercriminals, C & W's Hancock, who also chairs the board for the Internet Security Alliance, as well as the cyber terrorism subcommittee for the FCC's Network Reliability and Interoperability Council, suggests that companies first obtain a thorough assessment of the threats specific to their company. In addition, they should have a thorough understanding of their vulnerabilities, assets requiring protection, and the parts of the infrastructure that, if attacked, would kill their business.
After undergoing this type of extensive vulnerability/risk assessment, he adds that companies should then move to gain a solid picture of who wants to attack them, why they might want to, and the ways those attackers might launch successful hits. This should lead to the organization taking steps to understand the current status of their infrastructure by scanning for bugs and holes, penetration testing, and so on.
By picking the short-term issues to tackle first, organizations will then be able to move on to developing a long-term security strategy that fits with their needs and infrastructure. At the end of the day, the overall goal of such risk assessment and planning is to look at the business case that justifies designing proper security.
"Security's a partner to business. It's not an impediment," Hancock says. "A cyberattack is a cyberattack. There are a lot of technologies and methods used. So if you protect yourself from one, you stand a better chance of protecting yourself from others."
Illena Armstrong is U.S. editor of SC Magazine.
A serious threat to commercial organizations?
Cyberterrorism is a hot topic. David Love points out that the 'hype' which surrounds it is actually doing a disservice to the application of sensible security defenses in commercial and industrial sectors.
Selling by fear never did work well. From the less sophisticated sectors of the industry, this discredited method of selling cyberterrorism protection is now in evidence. However, decision making in corporate protection is now moving from the IT department to the boardroom and, in general, directors will not authorize expenditure on protection without the presence of a sound business proposal.
What is information warfare?
Information warfare, the generic title that includes cyberterrorism, covers a spectrum ranging from full scale attack by one state on another (to cripple the communications and computing capabilities of an adversary) to concerted action by a group of individuals to attack a particular web site to express disapproval or to disrupt the smooth functioning of the target. The formation of the nation state saw the rise of standing armies to protect the state against attack. This model has lasted over the centuries, but an information warfare attack, of which cyberterrorism is a manifestation, bypasses the military and can be directed at a state with no warning.
While most responsible Western governments have taken steps to protect their critical national infrastructure (essential aspects of modern living, including communications, utilities, transport, national and local government), typically some 85 percent of the ownership of such infrastructure belongs to the private sector.
Does this matter? Yes it does when expenditure is required to give a supra level of protection to the well-being of the state. Does this matter? Yes, when the threat exists of a group whose interest is inimical to the state itself.
The big question then is, does such a threat exist today? While we have not yet seen any such manifestation, the effects of such an attack could at the least seriously inconvenience us and, at the worst, be catastrophic to our Western way of life. In that cyberterrorism is relatively easy and inexpensive to mount, we must expect hostile organizations to have such a capability.
How do we protect ourselves?
As with any other aspect of IT security protection, the basis of adequate protection is a sound understanding of the value of our systems, their data and an appreciation of the consequences of any disruption to the systems.
In the main, it is the organizations defined as part of the critical national infrastructure that are most at risk, but the paralysis or destruction of the data for an individual company will give no joy to the owners or employees of even small-scale enterprises. A good, sophisticated and integrated protection strategy will adequately protect against all aspects of cybercrime, including cyberterrorism.
David Love is head of security strategy, EMEA for Computer Associates (www.ca.com).