Outflanking the cyber terrorist threat

While cyber terrorism may not be an immediate threat, it would be foolish not to recognize that the United States is facing a “thinking enemy” who will adapt to attack our critical infrastructures and vulnerabilities, says Ruth David, former director for science and technology at the CIA.

David is now president and CEO of Analytic Services Inc., an independent, not-for-profit, public service research institution in Arlington, Va. She and Bill Crowell, CEO of Santa Clara, Calif.-based security firm Cylink Corp. and a former deputy director of the super-secret National Security Agency, each participated in rare interviews with Computerworld’s Dan Verton. They discussed the threats posed by cyber terrorist attacks and the steps that the public and private sectors should take to thwart them.

There’s been speculation, even before Sept. 11, about the U.S.’s vulnerability to an “electronic Pearl Harbor” or cyber terrorist attack. How has this changed since Sept. 11, and how vulnerable are the various economic sectors to cyber terrorist attacks?

David: While it is true that major terrorist attacks to date have targeted human lives, I would not blindly extrapolate that behavior into the future. After all, on Sept. 10, we would not have expected a hijacker to turn a commercial airplane full of passengers into a guided missile, and even on Sept. 12, we did not envision exploding shoes as a threat to aviation.

In the aftermath of the 9/11 attacks, those adversaries almost certainly observed the immediate effect of service interruptions as well as the prolonged economic impact of infrastructure disruptions. While the weapon used was explosive rather than cyber, it doesn’t take much imagination to see that similar effects could be achieved through cyber terrorism.

Crowell: Clearly, the vulnerabilities of the nation to cyberattack are growing. Critical national functions like banking, financial services, health, water and communications are increasingly dependent on highly automated systems that connect the many nodes of their operations.

These changes in the degree to which business and the government are dependent on public networks have been occurring for about a decade. The disturbing thing is that all of the trends are in the wrong direction. Business is moving more and more critical functions to networks. The speed and complexity of the deployments make it difficult for them to employ good defenses rapidly. Diversity is decreasing as we migrate more to common operating systems and common network systems.

To what extent is the war on terrorism, particularly the battle for improved homeland security, a technology problem? What roles do you see the government, corporate America and the IT vendor/developer community playing?

David: Technology is only one component. Without supporting policy, effective processes and well-trained people, technologies solve nothing. Deployment of facial recognition technologies at border entry points will not ensure apprehension of terrorists.

Corporate America will play an increasingly important role in developing security technologies to protect nongovernmental personnel and property that may be targeted by terrorists attacking what we are as a nation rather than what we do as a government.

Crowell: The battle for improved homeland security involves both technology and processes. Technology can be used to make the processes more efficient, predictable and effective.

The Transportation Security Agency, [Federal Aviation Administration] and Department of Transportation are all looking for ways to improve [airport security]. However, I am particularly concerned that many of the critical processes are now using technologies that are more vulnerable, not less. An example is the use of wireless LANs for the tracking of baggage. Without proper encryption and authentication, the baggage handling system will not prevent either insider or outside attack.

Some have said that the government’s push to create a separate and secure intranet (GovNet) for sensitive government operations and possibly e-commerce is tantamount to throwing in the towel on Internet security. Are there viable alternatives to disconnecting from the Internet?

David: To the extent that terrorists attack symbols of America, seek to shake the confidence of the public in our government’s ability to protect [citizens], and/or seek to inflict economic damage, GovNet solves nothing, since many valuable cybertargets would be left undefended. In fact, a separate network might actually impede the homeland security mission since it could further isolate government from industry and the American public at a time when communication and collaboration are desperately needed.

In particular, I believe the absence of a coherent governmentwide security policy has significantly limited our ability to protect sensitive government operations.

Crowell: I think that the GovNet initiative has been misrepresented in the press. Perhaps this is because the government did not carefully lay out the principles in the beginning of the discussion. [The government has] advocated that the core mission systems be on separate private networks that are highly protected from denial-of-service attacks and from hacking and cyberattacks.

The Internet would be used for e-government to enjoy the enormous reach it provides to the public. These are not new concepts. In banking and financial services, these policies have long been the basis for their risk management practices.

Howard Schmidt, the deputy chairman of the President’s Critical Infrastructure Protection Board, said recently that the next national plan for protecting the country’s critical systems and networks will be written with the help of the private sector. What do you think the immediate priorities and focus should be for such a public/private plan?

David: If I were to offer a top priority, it would be to establish trust between government and industry and among the key industry sectors. This means first and foremost to create a safe environment for the sharing and analysis of information regarding cyberattacks and discovered vulnerabilities.

My next priority would be to bolster our intrusion-detection capabilities. I worry less about the overt attacks that disrupt service than the subtle attacks designed to steal or corrupt data, attacks that may go undetected until disaster occurs.

Crowell: I think that there are two elements that should be part of the plan. The first is that the government should be a leader in network security and move quickly to employ the best practices for both GovNet and e-government. The second is that the [Securities and Exchange Commission] should establish the same risk disclosure rules for network security that it used to focus attention on Y2K and on disaster recovery.

Without such a mechanism, there is a strong likelihood that the vulnerabilities and risks in network-based business won’t get the attention that [they need] until there is a disastrous event. I think that the disaster recovery systems of the financial businesses in the World Trade Center saved many of them from total collapse.

Terrorism 101 With Eric Shaw

Eric Shaw, a former CIA profiler and clinical psychologist who now consults for Stroz & Associates LLC, a cybersecurity firm in New York, takes Computerworld’s Dan Verton inside the minds of terrorists.

There’s been a lot of speculation, even before Sept. 11, about the nation’s vulnerability to an “electronic Pearl Harbor,” or cyberterrorist attacks. But there has been little evidence that terrorists value cyberattacks. What has changed since Sept. 11?

Shaw: There’s still little evidence that traditional terrorist groups place a high priority on cyberattacks vs. using information technology for communication, command and control, and propaganda. Guns, bombs and vehicles [such as] trucks, planes and boats for delivery appear to be quite adequate for their needs, as the Sept. 11 attacks showed.

I am worried that a new operational standard has been set up for imitation. I think we are going to see more attacks on relatively unprotected civilian sites and on individuals. The same trend may occur in this country as terrorists turn away from heavily fortified government facilities to less protected corporate sites.

Are there any exceptions to the lack of terrorist interest in cyberattacks?

Shaw: Yes. First, there are several types of nontraditional, politically motivated groups that cannot at present be considered terrorists that have utilized low-level cyberassaults, especially denial-of-service attacks. These groups often are referred to as members of antiglobalization, hacker, anarchist and other coalitions, often associated with our political left. They have actively organized and recruited individuals and groups for cyberattacks against their identified adversaries.

Second, I am concerned about online or face-to-face recruitment of disgruntled IT specialists. For example, there were rumors earlier this year that an al-Qaeda affiliate had placed moles into Microsoft who had introduced Trojans into Windows XP. Though denied by the company, think of the potential impact.

The IT field is one of the most international and ethnically diverse in this country, and its members … may represent a very attractive recruitment pool for terrorist organizations.