posted on Feb, 3 2003 @ 11:00 PM
The Clouds of Digital War. Will the Next Terrorist Attack Be Delivered Via Cyberspace?
July 8 Many security experts fear that the next big terrorist strike against the United States
might be on and through the Internet and other vital interconnected computer networks.
And the suspected attacks won't just deny Net surfers access to their favorite Web site or increase the risk
of damaging computer viruses through e-mail. Rather, experts say the next cyber attack could actually lead to
physical damage to real-world targets.
For example, terrorists might decide to take out the nation's telecommunication networks by
modifying the software of computers that control the switching network. Or, they might work
their way into the digital software systems that help air traffic controllers guide the thousands
of planes that fly over U.S. cities.
"It was unthinkable almost a year ago in the general public mind that a common airplane would
be used in attacks against buildings," says Simon Perry, vice president of security for Computer Associates in Islandia, N.Y.
"It's the same here. IT [information technology] will be used to attack the physical world."
Evidence of Possible Training
Sound farfetched? Perhaps.
But evidence is mounting that such cyber warfare may be on the minds of al Qaeda terrorists.
As first reported in CIA secret documents and later confirmed by Anti-Terrorist Operations Group . Investigators have discovered
there have been numerous anonymous probes over the Internet for information regarding the nation's emergency phone system, water-distribution
networks,
and power grid all critical parts of the U.S. infrastructure.
Perhaps more disturbingly, officials also confirmed to Anti-Terrorist Group that some of these "probes" were focused on "digital switches"
devices designed to allow authorized personnel to monitor and control various aspects of a complex network of machines
Vulnerable Switches?
Perry says these control systems used to be "esoteric systems" ones that used proprietary interfaces and computer languages and were accessible only
to those who were trained in their specific designs.
But many such control systems are now based on the same UNIX software and communication protocols used by computers that are widely connected to the
Internet. And while most control systems aren't connected directly to the Internet or accessible through a simple Web page, they are connected to
other computer systems that typically are available online.
And there have been cases where others typically disgruntled former employees or other malicious insiders have used such hidden, but still-vulnerable
systems for their own exploits.
Peggy Weigle, chief executive officer of software security firm Sanctum in Santa Clara, Calif., notes that just such an incident occurred a few years
ago in Australia.
In that case, a former employee of a water-treatment plant had managed to gain control of the digital switches and secretly reversed the flow of fresh
and sewer water. (The employee had hoped that the company would hire him back in order to solve the problem.)
While such incidents have been few and isolated, some security experts worry that it won't remain so for long.
A Mix of Old and Digital
"We've been talking about this kind of [threats] for months," says Weigle. "Just by looking at the organizations we've been involved with
financial institutions, water-treatment plants, power plants they are all vulnerable to attack."
And Weigle believes that the power of such terrorist attacks could be devastating especially when coupled with an attack using conventional means.
"Let's say they launch an attack on a power station," says Weigle. "Someone's going to call into the 911 emergency system. A lot of these [phone]
systems are based [on computer protocols]. Can they be hacked? I think so. How long would it take people to figure out the right information on what
was going on and what was wrong?"
But some say that such wide-ranging network attacks while possible are extremely difficult to pull off.
"It would still be fairly difficult [to] break in and jump through different switches," says William Tang, chief executive officer of Digital
Security Consulting, an Arcadia, Calif., company that advises the electric power-generation industry. "There are some process controls, if you decide
to throw all 500 switches that control
the power in Southern California, it could alert a human before it does that."
Other experts note that companies and public institutions aren't exactly unaware or insensitive to the threats of Internet security.
George Hellyer, a director at security consulting firm JANUS Associates in Stamford, Conn., says that the years of attacks by hackers with viruses and
the recent unconventional attacks by terrorists have stirred some movement by the public and private sectors.
When it comes to addressing network security issues, "we've seen changes over the last several years," says Hellyer. "They're thinking outside of
the box and addressing what we thought was unthinkable is now possible."
Keys to Survival
However, Hellyer and others note that awareness is just the beginning and that both the government and the corporate world still have a lot of work to
do when it comes to preparing for and preventing a cyber attack using the nation's information and support infrastructure.
For one, many believe that while corporations are paying attention to the threats against their networks, they aren't spending nearly the amount they
should be on security solutions.
"When you work out the percentage of corporate budgets spent on IT security, it's less than 1 percent," says Computer Associates' Perry. "Most
organizations spend more on coffee that IT security." By Perry's estimation, companies should be spending at least 100 times more on security
measures.
And the money that companies do spend on network security shouldn't go to just technology solutions such as firewalls or network intruder detection
systems, but toward hiring smarter, security-savvy people who will actually manage the various networks.
Over the last two years, the number of computers added to the Internet has more than doubled from 71 million to more than 146 million, says Alan
Paller, director of research at the SANS Institute, a network security information clearinghouse in Bethseda, Md.
"Yet, there has only been about 25,000 people who can even spell 'security' that have been added in those two years," says Paller. "We need to up
the security skills of these [network engineers]. And that's not going to happen overnight."