In my last column, we looked at cybercrime and how its dynamics are subtly different from real-world crime. In this episode we're going to tackle a much tricker topic - namely cyberterror. Of all the cyber-badness that's out there, cyberterror is the most puzzling: if it's so gosh-darned lethal a threat, why haven't we seen any of it, yet?
This series of columns is based on a set of talks I gave as the keynote for IDC's CEMA Security Roadshow in 2008, with additional material and commentary. As always, I welcome constructive feedback at [email protected].
It's impossible to have worked in the information security arena in the last decade without running across someone who was encouraging you to be afraid of cyberterrorists. This, in spite of the fact that there hasn't - yet - been anything worthy of being considered "terror." Is cyberterror just a myth that's being trumpeted in order to generate cash-flow for security consultants, or is the threat real? As Dogbert used to say "that's not an 'or' question!" - perhaps the fear of cyberterror is a cash cow and there's a real danger.
"Terrorism" is typically defined as "the attempt to change a target's political process through fear and intimidation." It differs from crime because it's ideological and the terrorist's agenda is furthered by publicity. A cybercriminal does not want CNN to cover "the threat of bank scams" whereas the modern terrorist fails if they don't get media coverage. Other than fear, another agenda of the terrorist is to separate the people from their government, by demonstrating that the government can't keep up its side of the social contract. Since a government (in theory) is to protect its people, the terrorist's victory is all but assured when it can drive a wedge between the government and the governed. That's how the media serves to amplify the effect of a terrorist's strike - every time some talking head asks, "how could the government screw up so badly..?" the terrorists win a little bit.
So, you'd think cyberterror would be a splendid weapon: it's a venue that's utterly ripe with government screw-ups waiting to happen. Instead of death and destruction, so far we've been treated to "cyberterror" attacks that hardly qualify as more than "cyberannoyance." In 2001, when I researched the topic for my book on homeland security, the most significant cyberterror event I could find was one government agency that had been flooded with millions of Emails - not even bush league terror; closer to comedy. Today, we have the example of the cyberterror attacks against Estonian government sites. Initially, it was reported as if it was likely to be sponsored by the Russian government, but later it turned out to be a single disgruntled hacker. DDOS attacks such as the Estonian attacks are within the reach of most mid-level or advanced hackers. So, why isn't it happening more? Simply put: it's not particularly scary. And, in fact, once it happens a few dozen times it'll no longer be newsworthy. Remember: terrorists feed media attention, which means that they need to be scarier than Britney Spears' latest personal crisis and more damaging than the stunts on "Jackass."
The Cyberterror Paradox
Here's the odd thing about cyberterror: whenever a bunch of my friends and I get together at a conference, and pass the bottle while conjuring up cyberterror scenarios - we manage to scare the bejeezus out of ourselves. I find it hard to imagine that I'm more evil(tm) than all the terrorists in the world, but if a couple of half-sloshed computer programmers can plot a roadmap to ruin for a superpower, surely Bin Laden's buddies can, too. So what's going on?
One possibility is that terrorists are really nowhere near as sophisticated as the media (and the government) make them seem. Of course, when I consider how computer-security literate and sophisticated the media/government are, the fact that Al Quaeda owns laptops probably elevates them to the status of "power user terrorists." Never mind that they haven't figured out the most rudimentary kinds of encryption or communications security. Simply: these are not the kind of guys I'd vote as "most likely to hack into and destroy something important." Terrorists, to me, seem disappointingly unimaginative - they come up with a trick and then use it over and over until it's played out. Fortunately for us, that plays well with the security establishment's horrible tendency to try to protect against the last attack. It's as if the good guys and the bad guys have synchronized their decision/response(OODA)loops. The real fireworks happen when one side or the other shows a bit of innovation.
In the past I've been very critical - even to the point of outright scoffing - of the concept of cyberterror. But I have to admit that the potential is real. In the last few years I've learned things about SCADA networks that I wish I could forget. Yes, there is very real potential for horrific attacks and damage. Is there some twisted hacker out there, right this moment, about to sign up and change the face of 21st century terrorism? Perhaps all that's been sparing us, so far, is that most IT-savvy young men do not have the requisite feelings of disenfranchised hatred. Have we been saved by stock options?
As with serious, high-end, cybercrime I think we've been spared the worst scenarios because of set-up time required for deeply destructive attacks. Most of the time, when I read the scenarios offered by cyberterror pundits, they're assuming a cyber- component combined with a physical attack, either as an enabler or an amplifier. I think that what has saved us, there, is that terrorists have not demonstrated any penchant for long-term deep-cover operations. I shouldn't play armchair psychologist, but deep-cover operations don't seem to fit with a mindset that is hate-filled and action-oriented. Terrorists don't seem to be strong on long-term strategy other than survival. I don't think that terror has had its Napoleon Bonaparte, yet, and we should all be thankful for it. Do you think that energy companies, chemical companies, amtrak, trucking companies, and shipping companies do deep background checks on their employees? What about on the companies that provide basic services such as security, janitorial, and telephone to critical infrastructure? If you think about it for a bit, and imagine that you were able to plot on a 5-year timescale instead of 6 months, you ought to be able to really scare yourself. Is it simply a focus on short-term damage and rewards, or are they stupid and utterly clueless about tradecraft?
Ease of Abuse
I think the most likely reason terrorists have ignored cyberspace is because the skills necessary to launch real-world attacks are lower and willing soldiers are easier to recruit. Until such time as there is a massively successful (i.e.: horribly destructive) cyberterror event, terrorists will likely want to stick with the tactics to which they have already acculturated the media. Once again, it's easier for CNN to understand a suicide bomber - for now - than a mysterious refinery explosion that may have been caused by computers. The tipping point, unfortunately, would happen once the media started to conclude that anything that went wrong was likely to have been caused by cyberterrorists. If that were to happen, we could expect the United States to head-butt itself into insensibility with an overreaction such as we saw post-9/11. You can easily imagine a deliberate strategy of getting one's opponent to waste money through overreaction. Look at how much the United States has spent on the Transportation Security Administration, throwing away liquids and gels, and removing our shoes. Here's where the terrorist can always win: the worst part of asymmetric warfare is that the expense is asymmetric, too.
If the target does not respond to an attack, they are vulnerable to more of the same. If they do respond, the attacker can simply focus someplace else and repeat the process all over again. It's because of this dynamic that I've changed my views about cyberterror: it seems like a great way for an attacker to get the United States to spend ridiculous amounts of money. The more we spend to protect our physical systems, the more attractive a target we make our virtual systems. And vice-versa. The worst part about the mere threat of cyberterror is that it can drive costs up for higher-tech nations, at nearly no cost to lower-tech nations or independent actors.
Necessary For The Future
All of this brings me to the future. It's fairly safe to predict that sooner or later, there will be a significant cyberterror event. Before that happens, the United States needs to clearly establish a public doctrine regarding how we will respond to such events. This is especially important if you consider the question of whether the event is state-sponsored or the perpetrators are being sheltered by a state. Lately there has been a great deal of rumbling - rumbling I consider irresponsible, since evidence has not been presented - about alleged Chinese-sponsored cyber-espionage against United States and European powers. We need to encourage the international community to start thinking about this topic: at what point is a cyber-(whatever) attack an act of war, or a serious provocation? What kind of proofs and evidence are adequate to link a state sponsor to an event?
I know that these questions seem a bit over-the-top, but I'd hate to see wars and killing as a result of poorly-thought-out reactions to someone's exploiting a misconfigured firewall! It's a plausible scenario, unfortunately, and it's made more plausible by security practitioners' horrible tendency to worry inordinately about problems that take us by surprise. At this point, our computing infrastructure may be so poorly secured that it's not cost-effective for us to try to lock it down. We're going into a future for which we are clearly unprepared.
Next, let's look at espionage. If you think cyberterror is a depressing problem, just wait!
See you soon,