How worried should we be about the likelihood of cyber-terrorist attacks launched through the Internet?
According to last month's Sophos 'Security Threat Report', concern is increasing that computer applications running critical national infrastructures are vulnerable to malevolent hacks. Such hacks could in theory switch control of power and gas supplies, say, to the keyboards of hostile entities, enabling them to wreak damage and disruption. Similar threats face crucial financial computer platforms that underpin national economies, and even emergency services communication channels.
The 'Security Threat Report' suggests that governments and political activists alike now see the Internet as an extension of conventional homeland battlegrounds; and the combatants are far removed from the 'hacktivists'. The question for those mandating defensive strategies is this: how do cyber-terrorism threats vary from those already posed by cyber-crime?
Few security pundits doubt that such groups have - or can easily get - access to the core skills required to hack; but what would the desired outcomes likely be? Society is still not taking sufficient account of the possibility of radically-motivated cyber-attacks, says Roger Thompson, vice president of web threat research at security software firm AVG.
'I don't think there is anywhere near enough discussion of cyber-espionage, say,' explains Thompson. 'These subjects have been overshadowed by coverage of conventional cyber-crime.'
At the extreme end, cyber-terrorism attacks would be aimed at damage or disruption to critical national infrastructure, such as power grids, water and sewage systems, traffic and transport controls, and communications networks. Some concern stems from the perception that some such infrastructures were built out years before the notion of online threats was ever dreamt of, so are inherently insecure; at the same time there is also a perception that the ever-increasing complexity of new IT-driven control systems is a vulnerability in itself.
Fact hacked from fiction
Movies have long been savvy to the dramatic potential of malicious interference with computer-based control systems. The most recent 'Die Hard' flick sees hero John McClane (Bruce Willis) thwart a gang of super-hackers led by a geek-gone-bad seeking revenge after being fired for trying to raise the alarm over the US's vulnerability to cyber-warfare. The first phase of their plan disables Washington's traffic lights, and the US stock market. Later they succeed in obtaining the access codes needed to bring down part of the East Coast power grid.
The film provoked speculation as to the real-world safeguards in place to prevent an actual attack, and how the populace would react were it known that a utility outage was confirmed as being the result of a cyber-terrorist act. Sophos senior technology consultant Graham Cluley suspects that it would, if nothing else, bring cyber-terrorism more squarely into public consciousness.
'It all rather depends on the nature of the attack, and on how people were affected,' Cluley says; media reaction might prove to be an influential factor in conditioning public opinion: '[It depends on] whether the media manages to rouse the rabble into outrage about the incident, forcing the government to be seen to be taking serious action. If many people were inconvenienced, or put at risk, then questions would be asked as to whether appropriate security measures were in place'.
AVG's Roger Thompson agrees: 'If there was a cyber-attack on core physical services, expect the politicians to demand retaliation against the perceived enemy.' As for public reaction, 'The public wouldn't really care,' Thompson feels, 'unless it was physically inconvenienced for a long time'.
Senior research consultant at the Information Security Forum (ISF) Adrian Davis, meanwhile, remains sceptical about the likelihood of down-the-line terror. Although he acknowledges that critical infrastructure may well be at risk, he feels that hack-based attacks would 'not provide the enduring impact that cyber-terrorists may want to achieve'. More important than totally secure and inviolate systems, he suggests, is governments' ability to recover from attacks.
The US Securities and Exchange Commission investigated speedily and thoroughly following last May's so-called 'Flash Crash' stock market dip caused by glitches between high-frequency trading computer systems (see E&T issue 13, p50). The Congressional hearing into that incident looked at a range of possible causes, some hard to divine given the leading-edge nature of the technology involved. Would it be possible for a terrorist hack on these systems to introduce aberrations made to look like autonomous computer 'behaviours', and thus go undetected?
AVG's Roger Thompson thinks that it could - 'But that'd be a hard way [of causing a 'wobble']. What is more likely is some criminal bank trying to find a way to 'game' the stock market system for their profit, and I expect that is an ongoing activity. These guys, however, do not want to cut down the apple tree, they just want to shake it and pick up whatever falls off,' he says.
Many tiny hacks
'If I was trying to destabilise western civilisation, I don't think I'd try and hack-down the New York Stock Exchange,' agrees Adrian Davis of the ISF. He thinks cyber-terrorists would more likely use their hacking skills to illicitly skim off tiny amounts of money to fund activities, rather than bring the system to a halt. However, Davis warns, the potential cyber-terrorism threat should never be downgraded: 'The Internet itself is now part of our critical infrastructure. It is responsible for supporting millions of jobs; so it is important that governments and other responsible organisations have to do everything they can to protect it.'
For information-risk professionals and corporate-risk experts who have to deal with these issues, Davis reminds, 'the threat is very much on their radar'. Cyber-terrorism and cyber-warfare are different propositions, but they have some commonalities. The 'Security Threat Report' suggests that public opinion may be starting to expect that governments be more proactive in using technology as an offensive weapon against potentially hostile states. Some 23 per cent of those polled said that they believe it is acceptable for their governments to 'spy' on other countries via hacking and/or targeted malware, while 40 per cent qualified their approval by stating that it is acceptable where a state of war exists between countries.
For Sophos's Graham Cluley, the first step toward better understanding this reaction is to clearly identify the nature of the enemy. 'There's much discussion about [the likelihood of] cyber-terrorism, but unfortunately a lot of it seems to be hyped to describe 'super-viruses', or teams of cyber-hackers that could be run by enemy nations. State-sponsored cyber-crime should not be any harder to protect against than traditional cyber-crime.' Cluley adds: 'The question is more one of ethics and the lack of agreements about what is - and isn't - acceptable when warfare [turns] to the Internet, rather than the traditional battlefield.'
Around 54 per cent of the 'Security Threat Report' respondents indicated that they did not believe that their government was doing enough to protect its country from Internet-borne attacks by hostile nations, although as the ISF's Adrian Davis points out, evidence of actual attacks of this kind is almost impossible to determine: 'If you are engaged in countering frontline cyber-terrorism, would you want to speak about it in public? I don't think so. It's a case of: walk softly, but carry a big stick.'