Final Report Dnagre Pwarade

Download as pdf or txt
Download as pdf or txt
You are on page 1of 45

CYBER TERRORISM

Vulnerabilities and Policy Issues


“Facts Behind The Myth”

BY

DHANASHREE NAGRE
PRIYANKA WARADE

Please visit our webpage

http://www.andrew.cmu.edu/user/dnagre/
2 CYBER TERRORISM

INDEX

MOTIVATION 3

SUMMARY 4

INTRODUCTION 5

BACKGROUND 8

TOOLS USED FOR CYBERCRIME 9

OTHER CYBERCRIME METHODS 11

CONNECTION BETWEEN TERRORISM AND CYBERCRIME 17

SCADA VULNERABILITIES 23

SUCCESS OF CYBER ATTACKS 25

SOME OTHER EXAMPLES 29

MEASURING CYBERCRIME 30

FEDERAL EFFORTS TO PROTECT COMPUTERS 33

THE NEED TO IMPROVE CYBER-SECURITY 35

FUTURE ATTRACTIVENESS OF CRITICAL INFRASTRUCTURE SYSTEMS 37

EDUCATION AND AWARENESS 38

SURVEY RESULTS 40

REFERENCES 45
3 CYBER TERRORISM

MOTIVATION

Since 9/11, terrorism has not only caused destruction of property and life but also
crippled the government security and got into the lime-light the vulnerabilities which
each country exposes to outsiders. We have also seen an increase in the number of
terrorist activities taking place all around the world even with the great pro-active
measures taken by the government of each country.

The need of the hour is that active protection mechanisms be placed at each of our
access points such that these terrorist activities could be prevented if not stopped
completely. Even as these measures are taking place as we speak, much of the
internetwork of government organizations and other cyber resources are still
unprotected or could be compromised easily. In such an event, act of cyber terrorism as
we have defined could be used along with other things to cripple a government and
bring about as much destruction as possible.

It is necessary to educate people about such malicious acts so that cyber terrorism could
be mitigated. Our aim through this report is to do just that and help in getting
awareness amongst people about it who are not familiar with this topic. We hope that
people consider such threats seriously and thereby, help in every which way to avoid
these threats which will prove to be of adequate help to governments as well.
4 CYBER TERRORISM

SUMMARY

Cybercrime is becoming more organized and established as a transnational business.


High technology online skills are now available for rent to a variety of customers,
possibly including nation states, or individuals and groups that could secretly represent
terrorist groups. The increased use of automated attack tools by cybercriminals has
overwhelmed some current methodologies used for tracking.

Internet cyber-attacks and vulnerabilities of the U.S. critical infrastructure, which are
acknowledged openly in publications, could possibly attract cyber-attacks to extort
money, or damage the U.S. economy to affect national security.

In April and May 2007, NATO and the United States sent computer security experts to
Estonia to help that nation recover from cyber-attacks directed against government
computer systems, and to analyze the methods used and determine the source of the
attacks.1 Some security experts suspect that political protestors may have rented the
services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to
help disrupt the computer systems of the Estonian government.

DOD officials have also indicated that similar cyber-attacks from individuals and
countries targeting economic, political, and military organizations may increase in the
future.

Cybercriminals have reportedly made alliances with drug traffickers in Afghanistan, the
Middle East, and elsewhere where profitable illegal activities are used to support
terrorist groups. In addition, designs for cybercrime botnets are becoming more
sophisticated, and future botnet architectures may be more resistant to computer
security countermeasures.3
This report discusses options now open to nation states, extremists, or terrorist groups
for obtaining malicious technical services from cybercriminals to meet political or
military objectives, and describes the possible effects of a coordinated cyber-attack
against the U.S. critical infrastructure. This report will be updated as events warrant.
5 CYBER TERRORISM

INTRODUCTION

What is Cyber terrorism?

“the premeditated, politically motivated attack against information, computer


systems, computer programs, and data which result in violence against
noncombatant targets by sub national groups or clandestine agents.”
-Mark M. Pollitt

“[the] use of information technology and means by terrorist groups and agents.”
-Serge Krasavin

“politically motivated hacking techniques used in an effort to cause grave harm,


included but not limited to loss of life or serious economic damage.”
-Larisa Paul

Labeling a “cyberattack” as “cybercrime” or “cyberterrorism” is problematic because


of the difficulty determining with certainty the identity, intent, or the political
motivations of an attacker. “Cybercrime” can be very broad in scope, and may
sometimes involve more factors than just a computer hack. “Cyberterrorism” is
often equated with the use of malicious code. However, a “cyberterrorism” event
may also sometimes depend on the presence of other factors beyond just a
“cyberattack.”

This is what it actually is…

Cybercrime is crime that is enabled by, or that targets computers. Some argue there
is no agreed-upon definition for “cybercrime” because “cyberspace” is just a new
specific instrument used to help commit crimes that are not new at all. Cybercrime
can involve theft of intellectual property, a violation of patent, trade secret, or
copyright laws. However, cybercrime also includes attacks against computers to
deliberately disrupt processing, or may include espionage to make unauthorized
copies of classified data. If a terrorist group were to launch a cyberattack to cause
harm, such an act also fits within the definition of a cybercrime. The primary
difference between a cyberattack to commit a crime or to commit terror is found in
the intent of the attacker, and it is possible for actions under both labels to overlap.

Cyberterrorism can be defined in different ways viz. it can be politically motivated


hacking operations intended to cause grave harm such as loss of life or severe
economic damage OR
It can be unlawful attacks and threats of attack against computers, networks, and
the information stored therein when done to intimidate or coerce a government or
its people in furtherance of political or social objectives OR
6 CYBER TERRORISM

It can be a physical attack that destroys computerized nodes for critical


infrastructures, such as the Internet, telecommunications, or the electric power grid,
without ever touching a keyboard.
Thus, it is possible that if a computer facility were deliberately attacked for political
purposes, all three methods described above (physical attack, EA, and cyberattack)
might contribute to, or be labeled as “cyberterrorism.”

Some experts believe that there has yet been no evidence of a true cyber terrorist
attack, as defined above. Despite the horrific acts of terrorism that have occurred
over the last couple of decades, it appears that none of them fits the prevailing
definition of a politically motivated computer intrusion causing loss of life or serious
economic damage.

Computers have become an enabling tool, another type of weaponry if you will, for
what we might call information warfare or cyber crime. Regardless of our working
definition—cyber terrorism or cyber crime—the potential for creating economic
damage is great.

The U.S. military is supported partly by civilian high technology services and
products, most often in the form of communications systems and computer
software. In future conflicts that involve cyberwarfare between nations, the
distinction between U.S. military and civilian targets may be blurred and civilian
computer systems may increasingly be seen as viable targets vulnerable to attack by
adversaries.

Computer networking technology has also blurred the boundaries between


cyberwarfare, cybercrime, and cyberterrorism. Officials in government and industry
now say that cybercrime and cyberattack services available for hire from criminal
organizations are a growing threat to national security as well as to the U.S.
economy.

New and sophisticated cybercrime tools could operate to allow a nation state or
terrorist group to remain unidentified while they direct cyberattacks through the
Internet. Many experts point out that past incidents of conventional terrorism have
already been linked with cybercrime, and that computer vulnerabilities may make
government and civilian critical infrastructure systems seem attractive as targets for
cyberattack.

Some experts argue that the government of Estonia may have already experienced
this type of cyberattack directed against their systems and websites in April, 2007.

This report explores the possible connections between cybercriminals and


7 CYBER TERRORISM

terrorist groups that want to damage the U.S. economy or national security
interests. The report also examines the effects of a coordinated cyberattack against
the U.S. critical infrastructure, including use of cybercrime tools that could possibly
take advantage of openly-publicized cyber vulnerabilities. Trends in cybercrime are
described, showing how malicious Internet websites, and other cybercrimes such as
identity theft are linked to conventional terrorist activity.
8 CYBER TERRORISM

BACKGROUND

The terrorist groups are using computers and the Internet to further goals associated
with spreading terrorism. This can be seen in the way that extremists are creating and
using numerous Internet websites for recruitment and fund raising activities, and for
Jihad training purposes. Several criminals who have recently been convicted of
cybercrimes used their technical skills to acquire stolen credit card information in order
to finance other conventional terrorist activities. It is possible that as criminals and
terrorist groups explore more ways to work together, a new type of threat may emerge
where extremists gain access to the powerful network tools now used by cybercriminals
to steal personal information, or to disrupt computer systems that support services
through the Internet.

There are several effective methods for disrupting computer systems. Cyberattack or
computer network attack (CNA), is the one which uses malicious computer code to
disrupt computer processing, or steal data. Three different methods of doing so are
given below:

• Conventional kinetic weapons can be directed against computer equipment, a


computer facility, or transmission lines to create a physical attack that disrupts
the reliability of equipment.

• The power of electromagnetic energy, most commonly in the form of an


electromagnetic pulse (EMP), can be used to create an electronic attack (EA)
directed against computer equipment or data transmissions. By overheating
circuitry or jamming communications, EA disrupts the reliability of equipment
and the integrity of data.

• Malicious code can be used to create a cyberattack, or computer network attack


(CNA), directed against computer processing code, instruction logic, or data. The
code can generate a stream of malicious network packets that can disrupt data
or logic through exploiting a vulnerability in computer software, or a weakness in
the computer security practices of an organization. This type of cyberattack can
disrupt the reliability of equipment, the integrity of data, and the confidentiality
of communications.
9 CYBER TERRORISM

TOOLS USED FOR CYBERCRIME


• Botnets

Botnets are becoming a major tool for cybercrime, partly because they can be
designed to very effectively disrupt targeted computer systems in different ways,
and because a malicious user, without possessing strong technical skills, can
initiate these disruptive effects in cyberspace by simply renting botnet services
from a cybercriminal. Botnets, or “Bot Networks,” are made up of vast numbers
of ompromised computers that have been infected with malicious code, and can
be remotely-controlled through commands sent via the Internet. Hundreds or
thousands of these infected computers can operate in concert to disrupt or block
Internet traffic for targeted victims, harvest information, or to distribute spam,
viruses, or other malicious code. Botnets have been described as the “Swiss
Army knives of the underground economy” because they are so versatile.

Botnet code was originally distributed as infected email attachments, but as


users have grown more cautious, cybercriminals have turned to other methods.
When users click to view a spam message, botnet code can be secretly installed
on the users’ PC. A website may be unknowingly infected with malicious code in
the form of an ordinary-looking advertisement banner, or may include a link to
an infected website. Clicking on any of these may install botnet code. Or, botnet
code can be silently uploaded, even if the user takes no action while viewing the
website, merely through some un-patched vulnerability that may exist in the
browser. Firewalls and antivirus software do not necessarily inspect all data that
is downloaded through browsers. Some bot software can even disable antivirus
security before infecting the PC. Once a PC has been infected, the malicious
software establishes a secret communications link to a remote “botmaster” in
preparation to receive new commands to attack a specific target. Meanwhile,
the malicious code may also automatically probe the infected PC for personal
data, or may log keystrokes, and transmit the information to the botmaster.

The Shadowserver Foundation is an organization that monitors the number of


command and control servers on the Internet, which indicates the number of bot
through May 2007, approximately 1,400 command and control servers were
found to be active on the Internet. The number of individual infected drones that
are controlled by these 1,400 servers reportedly grew from half a million to more
than 3 million from March to May 2007. Symantec, another security
organization, reported that it detected 6 million bot-infected computers in the
second half of 2006.
Some botnet owners reportedly rent their huge networks for US$200 to $300 an
hour, and botnets are becoming the weapon of choice for fraud and extortion.
Newer methods are evolving for distributing “bot” software that may make it
even more difficult in the future for law enforcement to identify and locate the
10 CYBER TERRORISM

originating “botmaster.” Some studies show that authors of software for botnets
are increasingly using modern, open-source techniques for software
development, including the collaboration of multiple authors for the initial
design, new releases to fix bugs in the malicious code, and development of
software modules that make portions of the code reusable for newer versions of
malicious software designed for different purposes. This increase in
collaboration among hackers mirrors the professional code development
techniques now used to create commercial software products, and is expected
to make future botnets even more robust and reliable. This, in turn, is expected
to help increase the demand for malware services in future years.

Traditionally, botnets organize themselves in an hierarchical manner, with a


central command and control location (sometimes dynamic) for the botmaster.
This central command location is useful to security professionals because it
offers a possible central point of failure for the botnet. However, in the near
future, security experts believe that attackers may use new botnet architectures
that are more sophisticated, and more difficult to detect and trace. One class of
botnet architecture that is beginning to emerge uses peer-to-peer protocol22,
which, because of its decentralized control design, is expected to be more
resistant to strategies for countering its disruptive effects. For example, some
experts reportedly argue that a well-designed peer-to-peer botnet may be nearly
impossible to shut down as a whole because it may provide anonymity to the
controller, who can appear as just another node in the bot network.
11 CYBER TERRORISM

OTHER CYBERCRIME METHODS

Cybercrime is usually conducted through a connection to the Internet, but can


also involve unauthorized removal of data on small, portable flash drive storage
devices. Cybercrime, usually in the form of network hacking, has involved
persons with strong technical skills, often motivated by the desire to gain
popularity among their technology peers. However, the growing trend is now to
profit from these network cyberattacks by targeting specific systems, often
through collaboration among criminals and technical experts. The motives that
drive these cybercriminal groups now may differ from those of their paying
customers, who may possess little or no technical skills.

New technologies continue to outpace policy for law enforcement. Problems of


coordination among agencies of different countries, along with conflicting
national policies about crime in cyberspace, work to the advantage of
cybercriminals who can choose to operate from geographic locations where
penalties for some forms of cybercrime may not yet exist. Sophisticated tools for
cyberattack can now be found for sale or for rent on the Internet, where highly-
organized underground cybercrime businesses host websites that advertise a
variety of disruptive software products and malicious technical services. High-
end cybercrime groups use standard software business development techniques
to keep their products updated with the latest antisecurity features, and seek to
recruit new and talented software engineering students into their organizations.

Where illicit profits are potentially very large, some high-end criminal groups
have reportedly adopted standard IT business practices to systematically
develop more efficient and effective computer code for cybercrime. Studies also
show that organized crime groups now actively recruit college engineering
graduates and technical expert members of computer societies, and sponsor
them to attend more information technology (IT) courses to further their
technical expertise. However, in some cases, targeted students may not realize
that a criminal organization is behind the recruitment offer.
Cyberattacks are increasingly designed to silently steal information without
leaving behind any damage that would be noticed by a user. These types of
attacks attempt to escape detection in order to remain on host systems for
longer periods of time. It is also expected that as mobile communication devices
are incorporated more into everyday life, they will be increasingly targeted in the
future for attack by cybercriminals.

Malicious code, such as viruses or Trojan Horses, are used to infect a computer
to make it available for takeover and remote control. Malicious code can infect a
computer if the user opens an email attachment, or clicks an innocent-looking
12 CYBER TERRORISM

link on a website. For example, users who visited the popular MySpace and
YouTube websites in 2005, and who lacked important software security patches,
reportedly may have had their PCs infected if they clicked on a banner
advertisement which silently installed malicious code on their computers to log
keystrokes or capture sensitive data. During the first half of 2006, the Microsoft
Security Team reported that it had removed 10 million pieces of malicious
software from nearly 4 million computers and web servers. Recently, analysts at
Google tested several million web pages for the presence of malicious software,
and determined that 4.5 million of the web pages examined were suspicious in
nature. After further testing of the 4.5 million web pages, over 1 million were
found to launch downloads of malicious software, and more than two thirds of
those programs were “bot” software that, among other things, collected data on
banking transactions and then emailed the information to a temporary email
account.
Researchers at the San Jose, Calif.-based security firm, Finjan Inc., after
reviewing security data from the first quarter of 2007, found that more malware
is hosted on servers in countries such as the U.S. and U.K., than in other
countries with less developed e-crime law enforcement policies. Findings from
the Finjan 2007 Web Security Trends Report are based on an analysis of more
than 10 million unique websites from Internet traffic recorded in the UK, and
include the following:
1. Attacks that involve the use of code obfuscation through diverse
randomization techniques are growing more numerous and complex,
making them virtually invisible to pattern-matching/signature-based
methods in use by traditional antivirus products.

2. Criminals are displaying an increasing level of sophistication when


embedding malicious code within legitimate content with less
dependence on outlaw servers in unregulated countries.

Finjan found that 90% of the websites examined containing malware resided on
servers located in the U.S. or U.K. “The results of this study shatter the myth that
malicious code is primarily being hosted in countries where e-crime laws are less
developed,” Finjan CTO Yuval Ben-Itzhak reportedly stated.

Identity Theft- Botnets and other examples of malicious code can operate to
assist cybercriminals with identity theft. Current FBI estimates are that identity
theft costs American businesses and consumers $50 billion a year. Individual
users are often lured into clicking on tempting links that are found in email or
when visiting websites. Clicking on titles such as “Buy Rolex watches cheap,” or
“Check out my new Photos,” can take advantage of web browser vulnerabilities
to place malicious software onto a users system which allows a cybercriminal to
gather personal information from the user’s computer.
13 CYBER TERRORISM

Malicious code can scan a victim’s computer for sensitive information, such as
name, address, place and date of birth, social security number, mother’s maiden
name, and telephone number. Full identities obtained this way are bought and
sold in online markets. False identity documents can then be created from this
information using home equipment such as a digital camera, color printer, and
laminating device, to make official-looking driver’s licences, birth certificates,
reference letters, and bank statements.

Identity theft involving thousands of victims is also enabled by inadequate


computer security practices within organizations. MasterCard International
reported that in 2005 more than 40 million credit card numbers belonging to
U.S. consumers were accessed by computer hackers. Some of these account
numbers were reportedly being sold on a Russian website, and some consumers
have reported fraudulent charges on their statements. Officials at the UFJ bank
in Japan reportedly stated that some of that bank’s customers may also have
become victims of fraud related to theft of the MasterCard information. In June
2006, officials from the U.S. Department of Energy acknowledged that names
and personal information belonging to more than 1,500 employees of the
National Nuclear Security Administration (NNSA) had been stolen in a network
intrusion that apparently took place starting in 2004. The NNSA did not discover
the security breach until one year after it had occurred.

Some sources report that stolen credit card numbers and bank account
information are traded online in a highly structured arrangement, involving
buyers, sellers, intermediaries, and service industries. Services include offering to
conveniently change the billing address of a theft victim, through manipulation
of stolen PINs or passwords. Observers estimated that in 2005 such services for
each stolen MasterCard number cost between $42 and $72. Other news articles
report that, in 2007, a stolen credit card number sells online for only $1, and a
complete identity, including a U.S. bank account number, credit-card number,
date of birth, and a government-issued ID number now sells for just $14 to $18.
As of January 2007, 35 states have enacted data security laws requiring
businesses that have experienced an intrusion involving possible identity theft to
notify persons affected, and to improve security for protection of restricted data.
However, existing federal and state laws that impose obligations on information
owners, may require harmonization to provide protections that are more
uniform.

Cyber Espionage- Cyber espionage involves the unauthorized probing to test


a target computer’s configuration or evaluate its system defenses, or the
unauthorized viewing and copying of data files. However, should a terrorist
14 CYBER TERRORISM

group, nation, or other organization use computer hacking techniques for


political or economic motives, their deliberate intrusions may also qualify them,
additionally, as cybercriminals. If there is disagreement about this, it is likely
because technology has outpaced policy for labeling actions in cyberspace. In
fact, industrial cyber espionage may now be considered a necessary part of
global economic competition, and secretly monitoring the computerized
functions and capabilities of potential adversary countries may also be
considered essential for national defense.
U.S. co unterintelligence officials reportedly have stated that about 140 different
foreign intelligence organizations regularly attempt to hack into the computer
systems of U.S. government agencies and U.S. companies. Cyber espionage,
which enables the exfiltration of massive amounts of information electronically,
has now transformed the nature of counterintelligence, by enabling a reduced
reliance on conventional spying operations. The Internet, including satellite links
and wireless local networks, now offers new, low cost and low risk opportunities
for espionage.

In 2001, a Special Committee of Inquiry established by the European parliament


accused the United States of using its Echelon electronic spy network to engage
in industrial espionage against European businesses. Echelon was reportedly set
up in 1971 as an electronic monitoring system during the Cold War. European-
Union member Britain helps operate the system, which includes listening posts
in Canada, Australia, and New Zealand. Echelon is described as a global spy
system reportedly capable of intercepting wireless phone calls, e-mail, and fax
messages made from almost any location around the world.

The European parliament Special Committee reported that information gathered


on Echelon may have helped the United States beat the European Airbus
Consortium in selling aircraft to Saudi Arabia in 1994. In 1995, France expelled
five American diplomats and other officials, reportedly including the Paris station
chief for the CIA, because of suspected industrial espionage activities linked to
Echelon.

The State Department denied that the U.S. government was engaged in
industrial espionage. However, former director of the U.S. Central Intelligence
Agency, James Woolsey, has reportedly justified the possibility of industrial
espionage by the United States on the basis of the use of bribery by European
companies. Officials of the European parliament reportedly expressed outrage
about the justification, while not denying that bribery is sometimes used to
make sales.
Some government officials warn that criminals now sell or rent malicious code
tools for cyber espionage, and the risk for damage to U.S. national security due
to cyber espionage conducted by other countries is great. One industry official,
15 CYBER TERRORISM

arguing for stronger government agency computer security practices, stated


that, “If gangs of foreigners broke into the State or Commerce Departments and
carried off dozens of file cabinets, there would be a crisis. When the same thing
happens in cyberspace, we shrug it off as another of those annoying computer
glitches we must live with.”

In 2003, a series of cyberattacks designed to copy sensitive data files was


launched against DOD systems, and the computers belonging to DOD
contractors. The cyber espionage attack apparently went undetected for many
months. This series of cyberattacks was labeled “Titan Rain,” and was suspected
by DOD investigators to have originated in China. The attacks were directed
against the U.S. Defense Information Systems Agency (DISA), the U.S. Redstone
Arsenal, the Army Space and Strategic Defense Installation, and several
computer systems critical to military logistics. Although no classified systems
reportedly were breached, many files were copied containing information that is
sensitive and subject to U.S. export-control laws.

In 2006, an extended cyberattack against the U.S. Naval War College in Newport,
Rhode Island, prompted officials to disconnect the entire campus from the
Internet. A similar attack against the Pentagon in 2007 led officials to temporarily
disconnect part of the unclassified network from the Internet. DOD officials
acknowledge that the Global Information Grid, which is the main network for the
U.S. military, experiences more than three million daily scans by unknown
potential intruders.
Accurate attribution is important when considering whether to retaliate using
military force or police action. Some DOD officials have indicated that the
majority of cyber attacks against DOD and U.S. civilian agency systems are
suspected to originate in China, and these attacks are consistently more
numerous and sophisticated than cyberattacks from other malicious actors. The
motives appear to be primarily cyber espionage against civilian agencies, DOD
contractors, and DOD systems. The espionage involves unauthorized access to
files containing sensitive industrial technology, and unauthorized research into
DOD operations. Some attacks included attempts to implant malicious code into
computer systems for future use by intruders.
Security experts warn that all U.S. federal agencies should now be aware that
in cyberspace some malicious actors consider that no boundaries exist between
military and civilian targets. According to an August 2005 computer security
report by IBM, more than 237 million overall security attacks were reported
globally during the first half of that year.54 Government agencies were targeted
the most, reporting more than 54 million attacks, while manufacturing ranked
second with 36 million attacks, financial services ranked third with approximately
34 million, and healthcare received more than 17 million attacks. The most
frequent targets for these attacks, all occurring in the first half of 2005, were
16 CYBER TERRORISM

government agencies and industries in the United States (12 million), followed
by New Zealand (1.2 million), and China (1million). These figures likely represent
an underestimation, given that most security analysts agree that the number of
incidents reported are only a small fraction of the total number of attacks that
actually occur.
17 CYBER TERRORISM

CONNECTION BETWEEN TERRORISM AND


CYBERCRIME

The proportion of cybercrime that can be directly or indirectly attributed to terrorists is


difficult to determine. However, linkages do exist between terrorist groups and
criminals that allow terror networks to expand internationally through leveraging the
computer resources, money laundering activities, or transit routes operated by
criminals. For example, the 2005 U.K. subway and bus bombings, and the attempted car
bombings in 2007, also in the U.K., provide evidence that groups of terrorists are already
secretly active within countries with large communication networks and computerized
infrastructures, plus a large, highly skilled IT workforce. London police officials
reportedly believe that terrorists obtained high-quality explosives used for the 2005 U.K.
bombings through criminal groups based in Eastern Europe.
A recent trial in the U.K. revealed a significant link between Islamic terrorist groups and
cybercrime. In June 2007, three British residents, Tariq al-Daour, Waseem Mughal, and
Younes Tsouli, pled guilty, and were sentenced for using the Internet to incite murder.
The men had used stolen credit card information at online web stores to purchase items
to assist fellow jihadists in the field — items such as night vision goggles, tents, global
positioning satellite devices, and hundreds of prepaid cell phones, and more than 250
airline tickets, through using 110 different stolen credit cards. Another 72 stolen credit
cards were used to register over 180 Internet web domains at 95 different web hosting
companies. The group also laundered money charged to more than 130 stolen credit
cards through online gambling websites. In all, the trio made fraudulent charges totaling
more than $3.5 million from a database containing 37,000 stolen credit card numbers,
including account holders’ names and addresses, dates of birth, credit balances, and
credit
limits.

Cybercriminals have made alliances with drug traffickers in Afghanistan, the Middle
East, and elsewhere where illegal drug funds or other profitable activities such as credit
card theft, are used to support terrorist groups. Drug traffickers are reportedly among
the most widespread users of encryption for Internet messaging, and are able to hire
high-level computer specialists to help evade law enforcement, coordinate shipments of
drugs, and launder money. Regions with major narcotics markets, such as Western
Europe and North America, also possess optimal technology infrastructure and open
commercial nodes that increasingly serve the transnational trafficking needs of both
criminal and terrorist groups. Officials of the U.S. Drug Enforcement Agency (DEA),
reported in 2003 that 14 of the 36 groups found on the U.S. State Department’s list of
foreign terrorist organizations were also involved in drug trafficking. A 2002 report by
the Federal Research Division at the Library of Congress, revealed a “growing
involvement of Islamic terrorist and extremists groups in drug trafficking”, and limited
evidence of cooperation between different terrorist groups involving both drug
18 CYBER TERRORISM

trafficking and trafficking in arms. Consequently, DEA officials reportedly argued that the
war on drugs and the war against terrorism are and should be linked.

State Department officials, at a Senate hearing in March 2002, also indicated that some
terrorist groups may be using drug trafficking as a way to gain financing while
simultaneously weakening their enemies in the West through exploiting their desire for
addictive drugs. The poppy crop in Afghanistan reportedly supplies resin to produce over
90 percent of the world’s heroin, supporting a drug trade estimated at $3.1 billion.
Reports indicate that money from drug trafficking in Afghanistan is used to help fund
terrorist and insurgent groups that operate in that country. Subsequently, U.S.
intelligence reports in 2007 have stated that “al Qaeda in Afghanistan” has been
revitalized and restored to its pre-September 11, 2001 operation levels, and may now
be in a better position to strike Western countries.
Drug traffickers have the financial clout to hire computer specialists with skills for using
technologies which make Internet messages hard or impossible to decipher, and which
allow terrorist organizations to transcend borders and operate internationally with less
chance of detection. Many highly trained technical specialists that make themselves
available for hire originally come from the countries of the former Soviet Union and the
Indian subcontinent. Some of these technical specialists reportedly will not work for
criminal or terrorist organizations willingly, but may be misled or unaware of their
employers’ political objectives. Still, others will agree to provide assistance because
other well-paid legitimate employment is scarce in their region.

Links between computer hackers and terrorists, or terrorist-sponsoring nations may be


difficult to confirm. Membership in the most highly-skilled computer hacker groups is
sometimes very exclusive and limited to individuals who develop, demonstrate, and
share only with each other, their most closely-guarded set of sophisticated hacker tools.
These
exclusive hacker groups do not seek attention because maintaining secrecy allows them
to operate more effectively. Some hacker groups may also have political interests that
are supra-national, or based on religion, or other socio-political ideologies, while other
hacker groups may be motivated by profit, or linked to organized crime, and may be
willing to sell their computer services, regardless of the political interests involved.
Information about computer vulnerabilities is now for sale online in a hackers’ “black
market”. For example, a list of 5,000 addresses of computers that have already been
infected with spyware and which are waiting to be remotely controlled as part of an
automated “bot network” reportedly can be obtained for about $150 to $500. Prices for
information about computer vulnerabilities for which no software patch yet exists
reportedly range from $1,000 to $5,000. Purchasers of this information are often
organized crime groups, various foreign governments, and companies that deal in
spam.64
19 CYBER TERRORISM

Terrorist Capabilities for Cyberattack - Some experts estimate that advanced or


structured cyberattacks against multiple systems and networks, including target
surveillance and testing of sophisticated new hacker tools, might require from two to
four years of preparation, while a complex coordinated cyberattack, causing mass
disruption against integrated, heterogeneous systems may require 6 to 10 years of
preparation. This characteristic, where hackers devote much time to detailed and
extensive planning before launching a cyberattack, has also been described as a
“hallmark” of previous physical terrorist attacks and bombings launched by Al Qaeda.

It is difficult to determine the level of interest, or the capabilities of international


terrorist groups to launch an effective cyberattack. A 1999 report by The Center for the
Study of Terrorism and Irregular Warfare at the Naval Postgraduate School concluded
that it is likely that any severe cyberattacks experienced in the near future by
industrialized nations will be used by terrorist groups simply to supplement the more
traditional physical terrorist attacks.

Some observers have stated that Al Qaeda does not see cyberattack as important for
achieving its goals, preferring attacks which inflict human casualties. Other observers
believe that the groups most likely to consider and employ cyberattack and
cyberterrorism are the terrorist groups operating in post-industrial societies (such as
Europe and the United States), rather than international terrorist groups that operate in
developing regions where there is limited access to high technology.

However, other sources report that Al Qaeda has taken steps to improve organizational
secrecy through more active and sophisticated use of technology, and evidence suggests
that Al Qaeda terrorists used the Internet extensively to plan their operations for
September 11, 2001. In past years, Al Qaeda groups reportedly used new Internet-based
telephone services to communicate with other terrorist cells overseas. Khalid Shaikh
Mohammed, one of the masterminds of the attack against the World Trade Center,
reportedly used special Internet chat software to communicate with at least two airline
hijackers. Ramzi Yousef, who was sentenced to life imprisonment for the previous
bombing of the World Trade Center, had trained as an electrical engineer, and had
planned to use sophisticated electronics to detonate bombs on 12 U.S. airliners
departing from Asia for the United States. He also used sophisticated encryption to
protect his data and to prevent law enforcement from reading his plans should he be
captured.

Tighter physical security measures now widely in place throughout the United States
may encourage terrorist groups in the future to explore cyberattack as way to lower the
risk of detection for their operations. However, other security observers believe that
terrorist organizations might be reluctant to launch a cyberattack because it would
result in less immediate drama and have a lower psychological impact than a more
conventional bombing attack. These observers believe that unless a cyberattack can be
20 CYBER TERRORISM

made to result in actual physical damage or bloodshed, it will never be considered as


serious as a nuclear, biological, or chemical terrorist attack.

Possible Effects of a Coordinated Cyberattack – In March 2007, researchers at


Idaho National Laboratories (INL) conducted an experiment labeled the “Aurora
Generator Test” to demonstrate the results of a simulated cyberattack on a power
network. In a video released by the Department of Homeland Security, a power
generator turbine, similar to many now in use throughout the United States, is forced to
overheat and shut down dramatically, after receiving malicious commands from a
hacker. The researchers at INL were investigating results of a possible cyberattack
directed against a vulnerability that, reportedly, has since been fixed. The video,
however, implied that other multiple power generators sharing similar cyber
vulnerabilities could potentially be disabled the same way.

In July 2002, the U.S. Naval War College hosted a war game called “Digital Pearl Harbor”
to develop a scenario for a coordinated cyberterrorism event, where mock attacks by
computer security experts against critical infrastructure systems simulated state-
sponsored cyberwarfare. The simulated cyberattacks determined that the most
vulnerable infrastructure computer systems were the Internet itself, and the computer
systems that are part of the financial infrastructure. It was also determined that
attempts to cripple the U.S. telecommunications infrastructure would be unsuccessful
because built-in system redundancy would prevent damage from becoming too
widespread. The conclusion of the exercise was that a “Digital Pearl Harbor” in the
United States was only a slight possibility.

However, in 2002, a major vulnerability was discovered in switching equipment


software that threatened the infrastructure for major portions of the Internet. A flaw in
the Simple Network Management Protocol (SNMP) would have enabled attackers to
take over Internet routers and cripple network telecommunications equipment globally.
Network and equipment vendors worldwide raced quickly to fix their products before
the problem could be exploited by hackers, with possible worldwide consequences. U.S.
government officials also reportedly made efforts to keep information about this major
vulnerability quiet until after the needed repairs were implemented on vulnerable
Internet systems. According to an assessment reportedly written by the FBI, the security
flaw could have been exploited to cause many serious problems, such as bringing down
widespread telephone networks and also halting control information exchanged
between ground and aircraft flight control systems.
Security experts agree that a coordinated cyberattack could be used to amplify the
effects of a conventional terrorist attack, including a nuclear, biological, or chemical
(NBC) attack. However, many of these same experts disagree about the damaging
effects that might result from an attack directed against control computers that operate
the U.S. critical infrastructure. Some observers have stated that because of U.S.
dependency on computer technology, such attacks may have the potential to create
21 CYBER TERRORISM

economic damage on a large scale, while other observers have stated that U.S.
infrastructure systems are resilient and would possibly recover easily, thus avoiding any
severe or catastrophic effects.

While describing possible offensive tactics for military cyber operations, DOD officials
reportedly stated that the U.S. could confuse enemies by using cyberattack to open
floodgates, control traffic lights, or scramble the banking systems in other countries.
Likewise, some of China’s military journals speculate that cyberattacks could disable
American financial markets. China, however, is almost as dependent on these U.S.
markets as the United States, and might possibly suffer even more from such a
disruption to finances. As to using cyberattack against other U.S. critical infrastructures,
the amount of potential damage that could be inflicted might be relatively trivial
compared to the costs of discovery, if engaged in by a nation state. However, this
constraint does not apply to non-state actors like Al Qaeda, thus making cyberattack a
potentially useful tool for those groups who reject the global market economy.

Organized Cybercrime - Some large cybercriminal groups are transnational, with names
like Shadowcrew, Carderplanet, and Darkprofits. Individuals in these groups reportedly
operate from locations all over the world, working together to hack into systems, steal
credit card information and sell identities, in a very highly structured, organized
network. Organized crime is also recruiting teenagers who indicate they feel safer doing
illegal activity online than in the street. A recent report from the McAfee security
organization, titled the “Virtual Criminology Report”, draws on input from Europe’s
leading high-tech crime units and the FBI, and suggests that criminal outfits are
targeting top students from leading academic institutions and helping them acquire
more of the skills needed to commit high-tech crime on a massive scale.
In the future, we may see new and different modes of criminal organization evolve in
cyberspace. Cyberspace frees individuals from many of the constraints that apply to
activities in the physical world, and current forms of criminal organization may not
transition well to online crime. Cybercrime requires less personal contact, less need for
formal organization, and no need for control over a geographical territory. Therefore,
some researchers argue that the classical hierarchical structures of organized crime
groups may be unsuitable for organized crime on the Internet. Consequently, online
criminal activity may emphasize lateral relationships and networks instead of
hierarchies.

Instead of assuming stable personnel configurations that can persist for years, online
criminal organization may incorporate the “swarming” model, in which individuals
coalesce for a limited period of time in order to conduct a specific task, or set of tasks,
and afterwards go their separate ways. The task of law enforcement could therefore
become much more difficult. If cybercriminals evolve into the “Mafia of the moment” or
the “cartel of the day,” police will lose the advantage of identifying a permanent group
22 CYBER TERRORISM

of participants who engage in a set of routine illicit activities, and this will only
contribute to the future success of organized cybercrime.

Why do they use cyber attacks?

Cyber terrorist prefer using the cyber attack methods because of many advantages for
it:

• It is Cheaper than traditional methods.


• The action is very difficult to be tracked.
• They can hide their personalities and location.
• There are no physical barriers or check points to cross.
• They can do it remotely from anywhere in the world.
• They can use this method to attack a big number of targets.
• They can affect a large number of people.
23 CYBER TERRORISM

SCADA Vulnerabilities
Vulnerabilities
Supervisory Control And Data Acquisition (SCADA) systems are the computers that
monitor and regulate the operations of most critical infrastructure industries (such as
the companies that manage the power grid). These SCADA computers automatically
monitor and adjust switching, manufacturing, and other process control activities, based
on digitized feedback data gathered by sensors. These control systems are often placed
in remote locations, are frequently unmanned, and are accessed only periodically by
engineers or technical staff via telecommunications links. However, for more efficiency,
these communication links are increasingly connected to corporate administrative local
area networks, or directly to the Internet.

Some experts believe that the importance of SCADA systems for controlling the
critical infrastructure may make them an attractive target for terrorists. Many SCADA
systems also now operate using Commercial-Off-The-Shelf (COTS) software, which some
observers believe are inadequately protected against a cyberattack. These SCADA
systems are thought to remain persistently vulnerable to cyberattack because many
organizations that operate them have not paid proper attention to these systems’
unique computer security needs.
The following example may serve to illustrate the possible vulnerability of control
systems and highlight cybersecurity issues that could arise for infrastructure computers
when SCADA controls are interconnected with office networks. In August 2003, the
“Slammer”Internet computer worm was able to corrupt for five hours the computer
control systems at the Davis-Besse nuclear power plant located in Ohio (fortunately, the
power plant was closed and off-line when the cyberattack occurred). The computer
worm was able to successfully penetrate systems in the Davis-Besse power plant control
room largely because the business network for its corporate offices was found to have
multiple connections to the Internet that bypassed the control room firewall.
Other observers, however, suggest that SCADA systems and the critical infrastructure
are more robust and resilient than early theorists of cyberterror have stated, and that
the infrastructure would likely recover rapidly from a cyberterrorism attack. They cite,
for example, that water system failures, power outages, air traffic disruptions, and other
scenarios resembling possible cyberterrorism often occur as routine events, and rarely
affect national security, even marginally. System failures due to storms routinely occur
at the regional level, where service may often be denied to customers for hours or days.
Technical experts who understand the systems would work to restore functions as
quickly as possible. Cyberterrorists would need to attack multiple targets simultaneously
for long periods of time to gradually create terror, achieve strategic goals, or to have
any noticeable effects on national security.
An important area that is not fully understood concerns the unpredictable interactions
between computer systems that operate the different U.S. infrastructures. The concern
24 CYBER TERRORISM

is that numerous interdependencies (where downstream systems may rely on receiving


good
data through stable links with upstream computers) could possibly build to a cascade of
effects that are unpredictable in how they might affect national security. For example,
while the “Blaster” worm was disrupting Internet computers over several days in August
2003, some security experts suggest that slowness of communication links, caused by
Blaster worm network congestion, may have contributed to the Eastern United States
power blackout that occurred simultaneously on August 14. The computer worm could
have degraded the performance of several communications links between data centers
normally used to send warnings to other utility managers downstream on the power
grid.

DOD uses Commercial-Off-The-Shelf (COTS) hardware and software products in core


information technology administrative functions, and also in the combat systems of all
services, as for example, in the integrated warfare systems for nuclear aircraft carriers.
DOD favors the use of COTS products in order to take advantage of technological
innovation, product flexibility and standardization, and resulting contract cost-
effectiveness. Nevertheless, DOD officials and others have stated that COTS products
are lacking in security, and that strengthening the security of those products to meet
military Requirements may be too difficult and costly for most COTS vendors. To
improve security, DOD Information Assurance practices require deploying several layers
of additional protective measures around COTS military systems to make them more
difficult for enemy cyberattackers to penetrate.
However, on two separate occasions in 2004, viruses reportedly infiltrated two top-
secret computer systems at the Army Space and Missile Defense Command. It is not
clear how the viruses penetrated the military systems, or what the effects were. Also,
contrary to security policy requirements, the compromised computers reportedly lacked
basic anti virus software protection. Security experts have noted that no matter how
much protection is given to computers, hackers are always creating new ways to defeat
those protective measures.
25 CYBER TERRORISM

SUCCESS OF CYBER ATTACKS

Networked computers with exposed vulnerabilities may be disrupted or taken over by a


hacker, or by automated malicious code. Botnets opportunistically scan the Internet to
find and infect computer systems that are poorly configured, or lack current software
security patches. Compromised computers are taken over to become slaves in a
“botnet”, which can include thousands of compromised computers that are remotely
controlled to collect sensitive information from each victim’s PC, or to collectively attack
as a swarm against other targeted computers.

Even computers that have updated software and the newest security patches may still
be vulnerable to a type of cyberattack known as a “Zero-Day exploit.” This may occur if a
computer hacker discovers a new software vulnerability and launches a malicious attack
to infect computers before a security patch can be created by the software vendor and
distributed to protect users. Zero-day vulnerabilities in increasingly complex software
are regularly discovered by computer hackers. Recent news articles report that zero-day
vulnerabilities are now available at online auctions, where buyers and sellers negotiate
with timed bidding periods and minimum starting prices. This allows newly-discovered
computer security vulnerabilities to be sold quickly to the highest bidder. Computer
security expert Terri Forslof, of Tipping Point, has reportedly said that such practices will
“...increase the perceived value of vulnerabilities, and the good guys already have
trouble competing with the money you can get on the black market.”

The Insider Threat - A major threat for organizations is the ease with which data can
now be copied and carried outside using a variety of portable storage devices, such as
small flash drives. Newer high-density memory stick technology reportedly allows
installed computer applications to be run entirely from the flash drive. This means that
the entire contents of a PC could possibly be copied to and stored on a small, easily
portable, and easily concealed media device.
Employees with access to sensitive information systems can initiate threats in the form
of malicious code inserted into software that is being developed either locally, or under
offshore contracting arrangements. For example, in January 2003, 20 employees of
subcontractors working in the United States at the Sikorsky Aircraft Corporation were
arrested for possession of false identification used to obtain security access to facilities
containing restricted and sensitive military technology. All of the defendants pleaded
guilty and have been sentenced, except for one individual who was convicted at trial on
April 19, 2004.
Persistence of Computer System Vulnerabilities - Vulnerabilities in software and
computer system configurations provide entry points for a cyberattack. Vulnerabilities
persist largely as a result of poor security practices and procedures, inadequate training
in computer security, or technical errors in software products. Inadequate resources
devoted to staffing the security function may also contribute to poor security practices.
26 CYBER TERRORISM

Home PC users often have little or no training in best practices for effectively securing
home networks and equipment.

Errors in New Software Products - Vendors for Commercial-Off-The- Shelf software


(COTS) are often criticized for releasing new products with errors that create the
computer system vulnerabilities. Richard Clarke, former White House cyberspace
advisor until 2003, has reportedly said that many commercial software products have
poorly written, or poorly configured security features. In response to such criticism, the
software industry reportedly has made new efforts to design products with
architectures that are more secure. For example, Microsoft has created a special
Security Response Center and now works with DOD and with industry and government
leaders to improve security features in its new products. However, many software
industry representatives reportedly agree that no matter what investment is made to
improve software security, there will continue to be vulnerabilities in future software
because products are becoming increasingly more complex.
Inadequate Resources - Although software vendors periodically release fixes or
upgrades to solve newly discovered security problems, an important software security
patch might not get scheduled for installation on an organization’s computers until
several weeks or months after the patch is available. The job may be too time-
consuming, too complex, or too low a priority for the system administration staff. With
increased software complexity comes the introduction of more vulnerabilities, so
system maintenance is never-ending. Sometimes the security patch itself may disrupt
the computer when installed, forcing the system administrator to take additional time
to adjust the computer to accept the new patch. To avoid such disruption, a security
patch may first require testing on a separate isolated network before it is distributed for
installation on all other regular networked computers.

Because of such delays, the computer security patches installed in many organizations
may lag considerably behind the current cyberthreat situation. Whenever delays are
allowed to persist in private organizations, in government agencies, or among PC users
at home, computer vulnerabilities that are widely reported may remain unprotected,
leaving networks open to possible attack for long periods of time.

Estonia, 2007

In the Spring of 2007, government computer systems in Estonia experienced a sustained


cyberattack that has been labeled by various observers as cyberwarfare, or cyberterror,
or cybercrime. On April 27, officials in Estonia moved a Soviet-era war memorial
commemorating an unknown Russian who died fighting the Nazis. The move stirred
emotions, and led to rioting by ethnic Russians, and the blockading of the Estonian
Embassy in Moscow. The event also marked the beginning of a series of large and
sustained Distributed Denial-Of-Service (DDOS) attacks launched against several
27 CYBER TERRORISM

Estonian national websites, including government ministries and the prime minister’s
Reform Party.
In the early days of the cyberattack, government websites that normally receive around
1,000 visits a day reportedly were receiving 2,000 visits every second. This caused the
repeated shut down of some websites for several hours at a time or longer, according to
Estonian officials. The attacks, which flooded computers and servers and blocked
legitimate users, were described as crippling, owing to Estonia’s high dependence on
information technology, but limited resources for managing their infrastructure.
Security experts say that the cyberattacks against Estonia were unusual because the
rate of the packet attack was very high, and the series of attacks lasted weeks, rather
than hour or days, which is more commonly seen for a denial of service attack.
Eventually, NATO and the United States sent computer security experts to Estonia to
help recover from the attacks, and to analyze the methods used and attempt to
determine the source of the attacks.

This event can serve to illustrate how computer network technology has blurred the
boundaries between crime, warfare, and terrorism. A persistent problem during and
after any cyberattack is accurate identification of the attacker, by finding out whether it
was sponsored by a nation, or was the independent work of a few unconnected
individuals, or was initiated by a group to instill frustration and fear by damaging the
computerized infrastructure and economy. The uncertainty of not knowing the initiator
also affects the decision about whom should ultimately become a target for retaliation,
and whether the response should come from law enforcement or the military.

Initially, the Russian government was blamed by Estonian officials for the cyberattacks,
and there were charges of cyberwarfare. Other observers argued that the cyberattack
involved collusion between the Russian government and transnational cybercriminals
who made their large botnets available for short-term rent, either to individuals or to
larger groups. They argue that as the rented time expired, the intensity of the persistent
cyberattacks against Estonia also began to fall off. However, not all security experts
agree, and it remains unclear at this time whether the cyberattacks were sanctioned or
initiated by the Russian government, or if a criminal botnet was actually involved.

After some investigation, network analysts later concluded that the cyberattacks
targeting Estonia were not a concerted attack, but instead were the product of
spontaneous anger from a loose federation of separate attackers. Technical data
showed that sources of the attack were worldwide rather than concentrated in a few
locations. The computer code that caused the DDOS attack was posted and shared in
many Russian language chat rooms, where the moving of the war memorial was a very
emotional topic for discussion. These analysts state that although access to various
Estonian government agencies was blocked by the malicious code, there was no
apparent attempt to target national critical infrastructure other than internet resources,
and no extortion demands were made. Their analysis thus far concluded that there was
28 CYBER TERRORISM

no Russian government connection to the attacks against Estonia. However,


investigation into the incident continues, and officials from the United States view some
aspects of the event as a possible model for future cyberwarfare or cyberterrorism
directed against a nation state.

In January 2008, a court in Estonia convicted and fined a local man for bringing down a
government website, as part of the extended cyberattack in 2007. The 20- year-old, who
is apparently an ethnic Russian Estonian, used his home PC to carry out the attack. The
investigation continues, and so far, he is the only person convicted for participating in
the cyberattack against Estonia.
29 CYBER TERRORISM

SOME OTHER EXAMPLES

• Jeanson Ancheta, a 21-year-old hacker and member of a group called the


“Botmaster Underground”, reportedly made more than $100,000 from different
Internet Advertising companies who paid him to download specially-designed
malicious adware code onto more than 400,000 vulnerable PCs he had secretly
infected and taken over. He also made tens of thousands more dollars renting
his 400,000-unit “botnet herd” to other companies that used them to send out
spam, viruses, and other malicious code on the Internet. In 2006, Ancheta was
sentenced to five years in prison.
• When crackers in Romania illegally gained access to the computers controlling
the life support systems at an Antarctica research station, endangering the 58
scientists involved. However, the culprits were stopped before damage actually
occurred. Mostly non-political acts of sabotage have caused financial and other
damage, as in a case where a disgruntled employee caused the release of
untreated sewage into water in Maroochy Shire, Australia. Computer viruses
have degraded or shut down some non-essential systems in nuclear power
plants, but this is not believed to have been a deliberate attack. (Note: it is also
argued that this is actually not a case of cyberterrorism, but rather a case of
cybercrime, as cyberterrorism requires a political motive and not a primary focus
on monetary gain)
• In October 2007, the website of Ukrainian president Viktor Yushchenko was
attacked by hackers. A radical Russian nationalist youth group, the Eurasian
Youth Movement, claimed responsibility.
• In 1999 hackers attacked NATO computers. The computers flooded them with
email and hit them with a denial of service (DoS). The hackers were protesting
against the NATO bombings in Kosovo. Businesses, public organizations and
academic institutions were bombarded with highly politicized emails containing
viruses from other European countries.
30 CYBER TERRORISM

Measuring Cybercrime

New, automated attack methods have outpaced current methods for tracking the
number and severity of cyberattacks and cybercrime intrusions. For example, according
to a study by the Cooperative Association for Internet Data Analysis (CAIDA), on January
25, 2003, the SQL Slammer worm (also known as “Sapphire”) automatically spread to
infect more than 90% of vulnerable computers worldwide within 10 minutes of its
release on the Internet, making it the fastest-spreading computer worm in history. As
the study reports, the Slammer worm doubled in size every 8.5 seconds and achieved its
full scanning rate (55 million scans per second) after about 3 minutes. It caused
considerable harm through network outages which led to numerous canceled airline
flights and automated teller machine (ATM) failures.

The use of automated tools for cybercrime has had a dramatic affect on the Computer
Emergency Response Team/ Coordinating Center (CERT/CC). In 2004, CERT/CC
announced that it had abandoned its traditional practice of producing an annual report
tracking the number of cyber intrusions recorded for each year. For many years prior to
2004, CERT/CC had maintained a database of statistics about security incidents that
were reported to it anonymously by businesses and individuals worldwide. The reason
given for abandoning its annual tracking report was because the widespread use of new,
automated cyberattack tools had escalated the number of network attacks to such a
high level, that the CERT/CC organization determined that traditional methods for
counting security incidents had become meaningless as a metric for assessing the scope
and effects f attacks against Internet-connected systems. The CERT-CC website currently
states, “Given the widespread use of automated attack tools, attacks against Internet-
connected systems have become so commonplace that counts of the number of
incidents reported provide little information with regard to assessing the scope and
impact of attacks. Therefore, beginning in 2004, we stopped publishing the number of
incidents reported.”
The FBI estimates that all types of computer crime in the U.S. now costs industry about
$400 billion, while officials in the Department of Trade and Industry in Britain say
computer crime has risen by 50 percent from 2005 to 2006. As one example of costs
associated with a recent computer security breach, TJX, the parent company of TJ Maxx,
took a $12 million charge in its fiscal first quarter of 2008 due to the theft of more than
45 million credit and debit card numbers, starting in 2006. The money reportedly went
to investigating and containing the intrusion, improving computer security,
communicating with customers, and other fees. TJX estimates that, adding damages
from future lawsuits, the breach may eventually cost $100 per lost record, or a total of
$4.5 billion.
It is estimated that only five per cent of cybercriminals are ever arrested or convicted
because the anonymity associated with web activity makes them hard to catch, and the
31 CYBER TERRORISM

trail of evidence needed to link them to a cybercrime is hard to unravel. Studies also
show that cybercrime incidents are rarely reported, especially by companies that wish
to avoid negative publicity leading to possible loss of confidence by its customers.
However, law enforcement officials argue that “maintaining a code of silence” won’t
benefit a company in the long-run. Steven Martinez, deputy assistant director for the
FBI’s cyber division, reportedly stated at the 2006 RSI Computer Security Conference
that partnerships between law enforcement, the academic community, and the private
sector are key to understanding and reducing cybercrime.
Each year, the Computer Security Institute (CSI), with help from the FBI, conducts a
survey of thousands of security practitioners from U.S. corporations, government
agencies, financial institutions, and universities. The CSI/FBI Computer Crime and
Security Survey, published annually, is perhaps the most widely-used source of
information about how often computer crime occurs and how expensive these crimes
can be. The 2006 survey indicated that the average financial loss reported due to
security breaches was $167,713, an 18% decrease from the previous year’s average loss
of $203,606.

However, some observers argue that the analyses reported in the CSI/FBI survey may be
questionable, because the survey methodology is not statistically valid. This is because
the survey is limited only to CSI members, which reduces the likelihood that
respondents are a representative sample of all security practitioners, or that their
employers are representative of employers in general. In addition, the 2006 CSI/FBI
survey points out that most companies are continuing to sweep security incidents under
the rug.

With the apparent absence of statistically valid survey results concerning the financial
costs of computer crime, and with an accompanying lack of clear data about the number
and types of computer security incidents reported, it appears that there may be no valid
way to currently understand the real scope and intensity of cybercrime. The growing use
of botnets and sophisticated malicious code also suggests that the percentage of
unreported cybercrime, plus the percentage undetected, may both be going up.

Problems Tracing Cybercrime - The challenge of identifying the source of attacks is


complicated by the unwillingness of commercial enterprises to report attacks, owing to
potential liability concerns. CERT/CC estimates that as much as 80% of all actual
computer security incidents still remain unreported. Law enforcement officials concede
they are making little progress in tracing the profits and finances of cybercriminals.
Online payment services, such as PayPal and E-Gold, enable criminals to launder their
profits and exploit the shortcomings of international law enforcement. Recently,
Intermix Media was fined $7.5 million in penalties for distribution of spyware which
silently captures personal information from user’s PCs. However, some adware and
spyware purveyors reportedly can still make millions of dollars per year in profits. Many
32 CYBER TERRORISM

companies who distribute spyware are difficult to pursue legally because they typically
also offer some legitimate services. In many cases, the finances that back cybercrimes
are so distributed they are hard for law enforcement to figure out.

Better Measurement of Cybercrime Trends - Experiences at CERT/CC show that


statistical methods for measuring the volume and economic effects of cyberattacks may
be questionable. Without sound statistical methods to accurately report the scope and
effects of cybercrime, government and legal authorities will continue to have unreliable
measures of the effectiveness of their policies and enforcement actions.

Figures from several computer security reports now used for measuring annual financial
losses to U.S. industry due to intrusions and cybercrime are believed by some observers
to be limited in scope or possibly contain statistical bias. Is there a need for a more
statistically reliable analysis of trends in computer security vulnerabilities and types of
cyberattacks to more accurately show the costs and benefits for improving national
cybersecurity? Congress may wish to encourage security experts to find more effective
ways to collect data that will enable accurate analysis of trends for cyberattacks and
cybercrime. Congress may also wish to encourage security researchers to find better
ways to identify the initiators of cyberattacks.
33 CYBER TERRORISM

Federal Efforts to Protect Computers

The federal government has taken steps to improve its own computer security and to
encourage the private sector to also adopt stronger computer security policies and
practices to reduce infrastructure vulnerabilities. In 2002, the Federal Information
Security Management Act (FISMA) was enacted, giving the Office of Management and
Budget (OMB) responsibility for coordinating information security standards and
guidelines developed by federal agencies. In 2003, the National Strategy to Secure
Cyberspace was published by the Administration to encourage the private sector to
improve computer security for the U.S. critical infrastructure through having federal
agencies set an example for best security practices.
The National Cyber Security Division (NCSD), within the National Protection and
Programs Directorate of the Department of Homeland Security (DHS) oversees a Cyber
Security Tracking, Analysis and Response Center (CSTARC), tasked with conducting
analysis of cyberspace threats and vulnerabilities, issuing alerts and warnings for
cyberthreats, improving information sharing, responding to major cybersecurity
incidents, and aiding in national-level recovery efforts. In addition, a new Cyber Warning
and Information Network (CWIN) has begun operation in 50 locations, and serves as an
early warning system for cyberattacks. The CWIN is engineered to be reliable and
survivable, has no dependency on the Internet or the public switched network (PSN),
and reportedly will not be affected if either the Internet or PSN suffer disruptions.

In January 2004, the NCSD also created the National Cyber Alert System (NCAS), a
coordinated national cybersecurity system that distributes information to subscribers to
help identify, analyze, and prioritize emerging vulnerabilities and cyberthreats. NCAS is
managed by the United States Computer Emergency Readiness Team (US-CERT), a
partnership between NCSD and the private sector, and subscribers can sign up to
receive notices from this new service by visiting the US-CERT website.

International Convention on Cybercrime - Cybercrime is also a major international


challenge, even though attitudes about what comprises a criminal act of computer
wrongdoing still vary from country to country. However, the Convention on Cybercrime
was adopted in 2001 by the Council of Europe, a consultative assembly of 43 countries,
based in Strasbourg. The Convention, effective July 2004, is the first and only
international treaty to deal with breaches of law “over the internet or other information
networks.” The Convention requires participating countries to update and harmonize
their criminal laws against hacking, infringements on copyrights, computer facilitated
fraud, child pornography, and other illicit cyber activities.
Although the United States has signed and ratified the Convention, it did not sign a
separate protocol that contained provisions to criminalize xenophobia and racism on
the Internet, which would raise Constitutional issues in the United States. The separate
protocol could be interpreted as requiring nations to imprison anyone guilty of
34 CYBER TERRORISM

“insulting publicly, through a computer system” certain groups of people based on


characteristics such as race or ethnic origin, a requirement that could make it a crime to
e-mail jokes about ethnic groups or question whether the Holocaust occurred. The
Department of Justice has said that it would be unconstitutional for the United States to
sign that additional protocol because of the First Amendment’s guarantee of freedom of
expression. The Electronic Privacy Information Center, in a June 2004 letter to the
Foreign Relations Committee, objected to U.S. ratification of the Convention, because it
would “create invasive investigative techniques while failing to provide meaningful
privacy and civil liberties safeguards.”

On August 3, 2006, the U.S. Senate passed a resolution of ratification for the
Convention. The United States will comply with the Convention based on existing U.S.
federal law; and no new implementing legislation is expected to be required. Legal
analysts say that U.S. negotiators succeeded in scrapping most objectionable provisions,
thereby ensuring that the Convention tracks closely with existing U.S. laws.

DOD and Cyberattack Response - If a terrorist group were to use a cybercrime botnet to
subvert computers in a third party country, such as China, to launch a cyberattack
against the United States, the U.S. response to the cyberattack must be carefully
considered, in order to avoid retaliating against the wrong entity. Would the resulting
effects of cyberweapons used by the United States be difficult to limit or control? Would
a cyberattack response that could be attributed to the United States possibly encourage
other extremists, or rogue nations, to start launching their own cyberattacks against the
United States? Would an attempt by the U.S. to increase surveillance of another entity
via use of cyberespionage computer code be labeled as an unprovoked attack, even if
directed against the computers belonging to a terrorist group? If a terrorist group
should subsequently copy, or reverse-engineer a destructive U.S. military cyberattack
program, could it be used against other countries that are U.S. allies, or even turned
back to attack civilian computer systems in the United States? If the effects become
widespread and severe, could the U.S. use of cyberweapons exceed the customary rules
of military conflict, or violate international laws.
Commercial electronics and communications equipment are now used extensively to
support complex U.S. weapons systems, and are possibly vulnerable to cyberattack. This
situation is known to our potential adversaries. To what degree are military forces and
national security threatened by computer security vulnerabilities that exist in
commercial software systems, and how can the computer industry be encouraged to
create new COTS products that are less vulnerable to cyberattack?
35 CYBER TERRORISM

The Need to Improve Cyber


Cyber-
yber -security

Department of Defense (DOD) officials have stated that, while the threat of cyber attack
is “less likely” to appear than conventional physical attack, it could actually prove more
damaging because it could involve disruptive technology that might generate
unpredictable consequences that give an adversary unexpected advantages. The
Homeland Security Presidential Directive 7 required that the Department of Homeland
Security (DHS) coordinate efforts to protect the cybersecurity for the nation’s critical
infrastructure. This resulted in two reports in 2005, titled “Interim National
Infrastructure Protection Plan,” and “The National Plan for Research and Development
in Support of Critical Infrastructure Protection”, where DHS provided a framework for
identifying and prioritizing, and protecting each infrastructure sector.

However, some observers question why, in light of the many such reports describing an
urgent need to reduce cybersecurity vulnerabilities, there is not an apparent perceived
sense of national urgency to close the gap between cybersecurity and the threat of
cyberattack. For example, despite Federal Information Security Management Act of
2002 (FISMA), some experts argue that security remains a low priority, or is treated
almost as an afterthought at some domestic federal agencies. In 2007, the Government
Accountability Office issued a report, titled “Critical Infrastructure Protection: Multiple
Efforts to Secure Control Systems Are Under Way, but Challenges Remain,” which states
that cybersecurity risks have actually increased for infrastructure control systems
because of the persistence of interconnections with the Internet, and continued open
availability of detailed information on the technology and configuration of the control
systems. The report states that no overall strategy yet exists to coordinate activities to
improve computer security across federal agencies and the private sector, which owns
the critical infrastructure. Some observers argue that, as businesses gradually
strengthen their security policies for headquarters and administrative systems, the
remote systems that control critical infrastructure and manufacturing may soon be seen
as easier targets of opportunity for cybercrime.

Cybercrime is obviously one of the risks of doing business in the age of the internet, but
observers argue that many decision-makers may currently view it as a low-probability
threat. Some researchers suggest that the numerous past reports describing the need to
improve cybersecurity have not been compelling enough to make the case for dramatic
and urgent action by decision-makers. Others suggest that even though relevant
information is available, future possibilities are still discounted, which reduces the
apparent need for present-day action. In addition, the costs of current inaction are not
borne by the current decision-makers. These researchers argue that IT vendors must be
willing to regard security as a product attribute that is coequal with performance and
cost; IT researchers must be willing to value cybersecurity research as much as they
value research for high performance or cost-effective computing; and, finally, IT
purchasers must be willing to incur present-day costs in order to obtain future benefits.
36 CYBER TERRORISM

Growth in Technical Capabilities of Terrorists- Seized computers belonging to Al Qaeda


indicate its members are becoming more familiar with hacker tools and services that are
available over the Internet. Could terrorist groups find it advantageous to hire a
cybercrime botnet tailored to attack specific targets, possibly including the civilian
critical infrastructure of Western nations? Could cybercrime botnets, used strategically,
provide a useful way for extremists to amplify the effects of a conventional terrorist
attack using bombs?

As computer-literate youth increasingly join the ranks of terrorist groups, will


cyberterrorism likely become increasingly more mainstream in the future? Will a
computer-literate leader bring increased awareness of the advantages of an attack on
information systems, or be more receptive to suggestions from other, newer computer-
literate members? Once a new tactic has won widespread media attention, will it likely
motivate other rival terrorist groups to follow along the new pathway?

Incentives for the National Strategy to Secure Cyberspace

Does the National Strategy to Secure Cyberspace present clear incentives for achieving
security objectives? Suggestions to increase incentives may include requiring that all
software procured for federal agencies be certified under the “Common Criteria” testing
program, which is now the requirement for the procurement of military software.
However, industry observers point out that the software certification process is lengthy
and may interfere with innovation and competitiveness in the global software market.
Should the National Strategy to Secure Cyberspace rely on voluntary action on the part
of private firms, home users, universities, and government agencies to keep their
networks secure, or is there a need for possible regulation to ensure best security
practices? Has public response to improve computer security been slow partly because
there are no regulations currently imposed? Would regulation to improve computer
security interfere with innovation and possibly harm U.S. competitiveness in technology
markets? Two of the former cybersecurity advisers to the president have differing
views: Howard Schmidt has stated that market forces, rather than the government,
should determine how product technology should evolve for better cybersecurity;
however, Richard Clarke has stated that the IT industry has done little on its own to
improve security of its own systems and products.
37 CYBER TERRORISM

Future Attractiveness of Critical


Infrastructure Systems

There has yet been no published evidence showing a widespread focus by


cybercriminals on attacking the control systems that operate the U.S. civilian critical
infrastructure. Disabling infrastructure controls for communications, electrical
distribution or other infrastructure systems, is often described as a likely scenario to
amplify the effects of a simultaneous conventional terrorist attack involving explosives.

However, in 2006, at a security discussion in Williamsburg, Virginia, a government


analyst reportedly stated that criminal extortion schemes may have already occurred,
where cyberattackers have exploited control system vulnerabilities for economic gain.
And, in December 2006, malicious software that automatically scans for control system
vulnerabilities reportedly was made available on the Internet for use by cybercriminals.
This scanner software reportedly can enable individuals with little knowledge about
infrastructure control systems to locate a SCADA computer connected to the Internet,
and quickly identify its security vulnerabilities.

The Idaho National Laboratory is tasked to study and report on technology risks
associated with infrastructure control systems. Past studies have shown that many, if
not most, automated control systems are connected to the Internet, or connected to
corporate administrative systems that are connected to the Internet, and are currently
vulnerable to a cyberattack. And, because many of these infrastructure SCADA systems
were not originally designed with security as a priority, in many cases, new security
controls cannot now be easily implemented to reduce the known security
vulnerabilities. Following past trends, where hackers and cybercriminals have taken
advantage of easy vulnerabilities, some analysts now predict that we may gradually see
new instances where cybercriminals exploit vulnerabilities in critical infrastructure
control systems.
38 CYBER TERRORISM

EDUCATION AND AWARENESS

Improving Security of Commercial Software - Some security experts emphasize that if


systems administrators received the necessary training for keeping their computer
configurations secure, then computer security would greatly improve for the U.S. critical
infrastructure. However, should software product vendors be required to create higher
quality software products that are more secure and that need fewer patches? Could
software vendors possibly increase the level of security for their products by rethinking
the design, or by adding more test procedures during product development?

Education and Awareness of Cyberthreats - Ultimately, reducing the threat to national


security from cybercrime depends on a strong commitment by government and the
private sector to follow best management practices that help improve computer
security. Numerous government reports already exist that describe the threat of
cybercrime and make recommendations for management practices to improve
cybersecurity.

A 2004 survey done by the National Cyber Security Alliance and AOL showed that most
home PC users do not have adequate protection against hackers, do not have updated
antivirus software protection, and are confused about the protections they are
supposed to use and how to use them. How can computer security training be made
available to all computer users that will keep them aware of constantly changing
computer security threats, and that will encourage them to follow proper security
procedures?

Coordination Between Private Sector and Government - What can be done to improve
sharing of information between federal government, local governments, and the private
sector to improve computer security? Effective cybersecurity requires sharing of
relevant information about threats, vulnerabilities, and exploits. How can the private
sector obtain information from the government on specific threats which the
government now considers classified, but which may help the private sector protect
against cyberattack? And, how can the government obtain specific information from
private industry about the number of successful computer intrusions, when companies
resist reporting because they want to avoid publicity and guard their trade secrets?
Should cybercrime information voluntarily shared with the federal government about
successful intrusions be shielded from disclosure through Freedom of Information Act
requests?

How can the United States better coordinate security policies and international law to
gain the cooperation of other nations to better protect against a cyberattack? Pursuit of
hackers may involve a trace back through networks requiring the cooperation of many
Internet Service Providers located in several different nations. Pursuit is made
39 CYBER TERRORISM

increasingly complex if one or more of the nations involved has a legal policy or political
ideology that conflicts with that of the United States.
Thirty-eight countries, including the United States, participate in the Council of Europe’s
Convention on Cybercrime, which seeks to combat cybercrime by harmonizing national
laws, improving investigative abilities, and boosting international cooperation. However,
how effective will the Convention without participation of other countries where
cybercriminals now operate freely?
Intents behind Cyber Terrorrism:

• Political protestors may have rented the services of cybercriminals, possibly a


large network of infected PCs, called a “botnet,” to help disrupt the computer
systems of the Estonian government.
• cyberattacks from individuals and countries targeting economic, political, and
military organizations
• Cybercriminals have reportedly made alliances with drug traffickers in
Afghanistan, the Middle East, and elsewhere where profitable illegal activities
are
used to support terrorist groups

• Trends in cybercrime are described, showing how malicious Internet websites,


and other cybercrimes such as identity theft are linked to conventional terrorist
activity.
40 CYBER TERRORISM

Survey results

We created a survey to get an idea about how many people were arare of cyber
terrorism and had significant knowledge about it. We surveyed around 51 people in all
and got the following results for the different questions

1. Are you aware of Cyber Terrorism?

2. If yes, what do you think it is?


41 CYBER TERRORISM

3. If no, do you think something like this exists?

4. Is Cyber Terrorism over hyped?


42 CYBER TERRORISM

5. Are you aware of any cyber attacks that were used by the Terrorists groups?

6. What according to you is the difference between Cyber Terrorism and Cyber Crime?
43 CYBER TERRORISM

7. Are you aware of the cyber attacks on the government computer systems of Estonia?

8. Does Cyber terrorism bother you as a member of the world society?


44 CYBER TERRORISM

9. Have you ever encountered any terrorist activist remarks or forums on the internet?

10. Do you believe there should active education of cyber terrorism in the manner they
have for other cyber crimes to prevent innocent victims from falling for it?
45 CYBER TERRORISM

References

• Larry Greenemeier, “Estonian Attacks Raise Concern Over Cyber ‘Nuclear Winter,’”
Information Week, May 24, 2007, at
[http://www.informationweek.com/news/showArticle.jhtml?articleID=199701774]

• Tim Greene, “Storm Worm Strikes Back at Security Pros,” NetworkWorld.com, October

• 24, 2007, at [http://www.networkworld.com/news/2007/102407-storm-worm-security.


html?nlhtsec=1022securityalert4&&nladname=102507securityal]

• For more on electromagnetic weapons, see CRS Report RL32544, High Altitude
Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat
Assessments, by Clay Wilson

• Carolyn Marsan, “Examining the Reality of Cyberwar in Wake of Estonian Attacks,”


Network World, August 27, 2007, vol. 24, no. 33, p. 24.

• http://www.crime-research.org/articles/Cyber_Terrorism_new_kind_Terrorism/

• http://www.fas.org/sgp/crs/terror/RL32114.pdf

• Fi n jan, Inc . , Web Security Trends Report, Q2 2007,


[http://www.finjan.com/Content.aspx?id=827]

• David Hayes, “A Dollar goes a Long Way in Swiping Private Data,” The Kansas City
Star, March 20, 2007, p. 1

• Chris Marsden, “European Union to Investigate US-Run Satellite Spy Network,” World
Socialist Websi te, July 10, 2000, [http://www.wsws.org/articles/2000/jul2000/eche-
j10.shtml]

You might also like