Saturday, October 20, 2012

Assessing the Threat of Cyber Terrorism

A while back, the notorious terrorist organization Al Qaeda called for an “electronic jihad” against the United States. This video is almost unheard of in the European Union outside of the UK, but it seems to have caused quite some fear in the United States. The worries range from a general low-key anxiety to full-out fear that the end of civilization is close. So, what’s the true threat of “Cyber Terrorism”?

This is a requested post. If you want me to rant about a topic of your choice, let me know. Chances are I might actually do it.

Overview

The mentioned video compares computer network flaws with the flaws in aviation security before the 9/11 attack. This quote is repeated in reports about the threat, and evokes fears of collapsing skyscrapers and thousands of deaths.

The news reports are lurid as usual. Viewers are meant to be shocked so they stick to the news and keep watching. Exaggeration is normal. Most viewers will know this, but few will know how much of this is exaggerated.

Computers and networks permeate our lives. We use them daily, but few of us know enough about them to really assess the threats. And with uncertainty comes fear, adding to the fear already evoked in the news.

To reduce this uncertainty, I will first go into possible scenarios on what electronic attacks can really do. After that, I will look at the few large-scale cyber attacks that happened so far, and what they managed to achieve.

Definition

When in unknown or uncertain territory, the first thing to do to get your bearings is to actually figure out what you’re talking about. Politt (1997) of the FBI Laboratory proposes the following definition for cyber terrorism:

Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents.

This allows us to rule out a lot of incidents. Most computer crime causes monetary damage, but actual violence is rare. The next section will look at what kinds of possible scenarios we are looking at.

Technical Background

While computers are metaphorically everywhere, reality is still not run on them. We have smart phones, tablets and Google’s Project Glass, but we can still go down the street without any computer interaction at all. This makes cyber threats possible, but inherently limited in their effects on our daily life. Violence in particular is very difficult to achieve via computerized and networked means.

The following subsections will take a look at the technical background of the different possible attacks.

Quick Note On Website Defacement

Before going into threats, I’d like to make a note about a type of attack that often gets a lot of publicity, but is mostly irrelevant. That would be the so-called website defacement.

This refers to a situation where an attacker intrudes into a system and replaces the public website of a company or group with something else. Usually, this involves mocking the group itself.

Such attacks are mostly irrelevant. If you are not talking about a company that offers web services, the servers running the web page usually are not even near the computer systems that run the factory or handle internal documents. An infiltration of web servers is rarely a major security breach. For example, if the website of the FBI is defaced, that’s embarrassing, but it doesn’t at all mean that the attackers got access to any kind of internal information.

This kind of attack is quite common in conflicts because of its propaganda effect, and also a preferred topic in the media as it affects systems we can see, but as far as threats go, it’s on the level of graffiti on the facade of an office building.

Denial of Service

A Denial of Service (DoS) is the most common type of attack in cyber crime, and usually the easiest to achieve for an attacker.

The idea is to prevent a given service provider from doing its job by overloading the service. The bluntest type of attack here is simply flooding the service (or just the connection they have with the internet) with so many requests that they can’t service them all anymore. Legitimate requests will suffer from this as well. When multiple computers all over the world, for example in a botnet, do this, it’s called a Distributed Denial of Service (DDoS).

This kind of attack has no direct effect on our lives, but the secondary effects due to services breaking down might affect us.

Most very important systems are not directly connected to the internet, so the effect of these kinds of attacks is rather limited. We will later see in the example of Estonia that such attacks can cause some infrastructure breakdowns when executed well. But as we will also see, those breakdowns are of limited duration and effect.

In and by themselves, these kinds of attacks are likely to cause financial damage and annoyance, but no life-threatening situations.
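As an added illustration of the distinction drawn above (not code from the original post), the following script replays a few constructed access-log lines through a one-second window counter: a single heavy source stands out as a plain DoS and can be dropped by a per-source limit, while a distributed flood stays under that limit on every source and is only recognizable from the aggregate load. The capacity and per-source thresholds, the log format and all addresses are assumptions made for the example.

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed log lines: '<epoch_second> <source_ip> <path>'."""
    lines = []
    for t in range(10):                     # 5 legitimate clients, 1 req/s each
        for i in range(5):
            lines.append(f"{t} 10.0.0.{i + 1} /index")
    for t in range(3, 6):                   # one host flooding at 200 req/s (DoS)
        lines.extend([f"{t} 198.51.100.7 /index"] * 200)
    for t in range(6, 10):                  # 50 bots at 4 req/s each (DDoS)
        for b in range(50):
            lines.extend([f"{t} 203.0.113.{b + 1} /index"] * 4)
    return lines


def analyze(lines, capacity=100, per_source_limit=20):
    """Per second: is the service overloaded, and can a few sources explain it?"""
    windows = defaultdict(Counter)
    for line in lines:
        ts, src, _path = line.split()
        windows[int(ts)][src] += 1
    verdicts = {}
    for ts in sorted(windows):
        total = sum(windows[ts].values())
        heavy = {s for s, n in windows[ts].items() if n > per_source_limit}
        if total <= capacity:
            kind = "normal"
        elif heavy:
            kind = "dos"    # overload attributable to a handful of sources
        else:
            kind = "ddos"   # overload, yet no single source breaks the limit
        verdicts[ts] = (kind, total, heavy)
    return verdicts


def mitigate(lines, verdicts):
    """Requests kept per second: drop heavy sources in DoS windows; in DDoS
    windows fall back to sources already seen during normal traffic."""
    windows = defaultdict(list)
    for line in lines:
        ts, src, _path = line.split()
        windows[int(ts)].append(src)
    baseline = {s for ts, (k, _, _) in verdicts.items() if k == "normal"
                for s in windows[ts]}
    kept = {}
    for ts, (kind, _total, heavy) in verdicts.items():
        if kind == "dos":
            srcs = [s for s in windows[ts] if s not in heavy]
        elif kind == "ddos":
            srcs = [s for s in windows[ts] if s in baseline]
        else:
            srcs = windows[ts]
        kept[ts] = len(srcs)
    return kept


if __name__ == "__main__":
    sample = build_sample()
    for ts, (kind, total, heavy) in analyze(sample).items():
        print(ts, kind, total, sorted(heavy))
    print(mitigate(sample, analyze(sample)))
```

The fallback in the DDoS branch is deliberately crude: it shows why blocking individual attackers works for the one-host case and why the distributed case needs a different, aggregate-level response.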

Information Theft

Another possible attack is not to use computers to do something bad directly, but to use them to gain information which in turn can be used to cause problems.

One of the biggest examples of information theft is Wikileaks, a platform where secret military and governmental documents are leaked to the public. The effects of this platform have been primarily embarrassment, not harm.

Ironically enough, though, the best way to access such top secret information is not via viruses and cyber warfare. It is via what is called social engineering, that is, finding someone who is quite willing to pass on information. That’s how Wikileaks got most of their major releases.

Hijacking Industrial Control Systems

Industrial Control Systems (ICS) are the computerized systems that control industrial processes in factories and other facilities. They allow computerized interference with procedures in factories, and thus direct access to cause damage.

These are prime targets for attacks, but they are very difficult to hit.

Many such systems are not full-fledged computers, but very specific hardware with limitations, which means it’s difficult to write a general-purpose worm that hits many different systems. Specific targets are possible, though.

Also, most of these systems are not directly connected to the internet, which means a worm will need to insert itself indirectly, for example by infecting a USB stick and then infecting a system the USB stick is inserted into. But that in turn means it needs to be fully programmed in advance and cannot receive commands during execution anymore.

None of this is an impossible barrier. We will see later with Stuxnet that such attacks have happened. But they are extremely rare and difficult to pull off.

The problem here is that in the past, most industrial control systems were simply not connected to networks at all and used proprietary protocols. This provided very strong security. With more and more systems moving towards TCP/IP and remote access, this level of security is slowly eroding. As Byres and Hoffman (2004) point out, though, “with proper planning, however, the risks can be mitigated.”

The scariest example of computerized remote access to hardware I have seen so far was a vulnerability in a specific type of pacemaker. It turned out that the normal remote control application to reprogram and maintain the pacemaker could be used to make this pacemaker release a deadly 830 V charge. By anyone. From 15 m (15 feet) away. Talk about scary!

But while this is scary, what’s the terrorist application? A terrorist could use this to kill someone, but they’d need to first find someone with this kind of pacemaker. Even going into a place with lots of people, they’d need to get within 15 meters of someone. And then they killed one person. While terrible, a bomb explosion would be more effective. Nothing at all like the scary cyber terrorist using fiber optics from a cave in Afghanistan to kill with impunity in New York.

Politt (1997) notes that other rather scary attack scenarios have been proposed. In one, the attacker is assumed to take over process control of a cereal factory and increase the iron additive to the cereal. “Boxed cereal then sickens and kills a nation of children.” He goes on to note, though, that “this may be possible, but the likelihood of success is minimal.” Process control systems are built with safety checks precisely because mechanical and software failure can and do happen regularly. Remotely controlled problems of this kind are just another possible source of malfunctions—and “[i]t should also be noted that mechanical failures are much more common and catastrophic in nature and affect.“

Real Incidents of Cyber Terrorism

The last section was a theoretical overview of what damage cyber terrorism could cause. This section now will look at real incidents of cyber terrorism and their effects.

There have been surprisingly few. While there is a constant stream of attacks, malware and cyber crime on the internet, targeted attacks for the purpose of terrorism are very rare.

As late as 2005, Kim and Hyun note that “[a]n actual cyberterror attack has not occurred yet by this time. In spite of the frightful scenes of terrorism that have occurred in the last few years, it appears that none of them classified into cyberterrorism causing loss of life or serious social and economic damage.” So, while they had many possible scenarios, none of them had materialized.

They go on to say that “[h]owever, we could all agree that there have been many instances of attacks on several infrastructures through network(sic!) that have gave(sic!) rise to social and economic suffering and one successful cyberterror attack can cause critical destruction.” This sounds bad, but in the whole paper, they have not cited a single concrete scenario for this. We are simply assumed to agree. (“We could all agree” should be in the Empty Phrases Handbook for Scientific Papers.)

Since 2005, though, a few attacks have happened that fall under a broader definition of cyber terror.

E-Jihad

One incident of large public recognition was a group of supposed Jihadists releasing a small tool to coordinate the take-down of “infidel” websites. While popular media attributed this with no hesitation to Al Qaeda, using statements such as “Al Qaeda cyber-jihad to begin Nov. 11”, the security world didn’t have much more than a tired raising of an eyebrow for those attempts.

The infamous E-Jihad was based on a terribly-written, low-quality program mostly used by young activists with very little actual effect. Well, outside of media coverage.

“First Known Terror Cyber Attack”

In its coverage of cyber terrorism and the Al Qaeda video, ABCnews mentions a supposed “first known terror cyber attack.” From the report:

The first known terror cyber attack, it says, was an email spamming attack in 2010 that, while relatively primitive, managed to infect the emails of thousands of U.S. and international corporations.

This quote does not make sense as is. Talking about “infecting e-mails” does not make a whole lot of sense. E-mails do not get infected, computers do.

E-mail as a transport and distribution path for malware is extremely common. If you have an e-mail address, chances are you have received malware through it at least once. It is a good way to distribute malware, as many users will fall for simple ruses. But what does it mean if “a corporation’s e-mail is infected”? That depends a whole lot on the corporation.

I wasn’t able to find a reference to the incident they’re talking about. Regardless of the possible financial effect here, it should be clear that violence was not involved. Calling this “cyber terrorism” is a stretch of the term. E-mail malware causing financial damage is a daily event. Annoying and costly, but not particularly scary.

Citing this as an example for cyber terrorism in such a report only reinforces that they have no example of actual cases of cyber terrorism. This is scare tactics more than anything: You first establish “cyber terror” related to the 9/11 attacks, and then bring up something much less problematic as an example on how this is happening right now! Good journalism is something else.

Especially as they could have cited real attacks.

Estonia

In 2007, Estonia was the victim of a large-scale targeted cyber attack. The government had decided to move a memorial to a less prominent position. As this memorial was commemorating the liberation of the country from the Nazis by Russia, this caused heavy rioting among the Russian-speaking population, but also the mentioned cyber attack.

This is the closest to a nation-wide attack in cyber warfare that we have seen so far. The effects of this should be instructive to analyze possible threats of such incidents.

Estonia was a prime target for such an attack. Its government had put a lot of effort into utilizing the power of the internet for most operations. Electric power grids, banking services including 97 percent of bank transactions, and even the water services of the capital Tallinn were all connected to the internet and served as possible targets for the attackers. (Herzog 2011) Also, Estonia had a very small network infrastructure, making it very vulnerable to flood-based Denial of Service attacks.

The effects were numerous and drastic. Credit card and automatic teller machine transactions were not occurring for several days, while the government’s communication was severely restricted so that an effective response was difficult. (Herzog 2011) After a few days, though, Estonia was able to block most of the attackers and continue to function normally. And … that’s it. The largest attack on a single country to date, a country which was severely vulnerable to such an attack, had no direct casualties, and even though it occurred at the same time as major real-life riots, civilization or law and order did not break down.

To make a point that this is not harmless, Herzog (2011) notes that it could “have been significantly more devastating. In future assaults, hackers may target state’s traffic lights, water supply, power grids, air traffic controls, or even its military weapon systems.” But it didn’t happen, and there is no scenario on how this could have happened. Or what the effects would have been if those infrastructure elements had been targeted.

Additionally, the same kind of attack would be difficult to replicate on countries larger than Estonia. The US, for example, is much more diverse and has a much larger network infrastructure. And of course, the incident in Estonia caused specialists all over the world to look at the problems, and other countries’ infrastructure is not remotely as vulnerable anymore as Estonia’s was.

Stuxnet

Stuxnet was the first major malware that specifically targeted industrial control systems. The designated targets of the worm most likely were specific nuclear enrichment facilities in Iran. The full effects of the worm are not known. Siemens reports that their customers suffered no damage from the worm, but apparently the enrichment facilities in Iran were affected and had to be shut down temporarily.

The Stuxnet worm has been a very hot topic in computer security. The technical finesse was extreme, and the execution excellent. It infiltrated systems slowly, and transferred even within companies from internet-connected computers to the control systems via data storage devices like USB sticks. It then was able to infect the industrial control systems and influence them.

Such an elaborate setup is difficult to implement. So difficult, actually, that malware specialist Kaspersky notes that “[w]e believe this type of attack could only be conducted with nation-state support and backing.”

The nation-states involved in the development of Stuxnet, incidentally, seem to have been the United States and Israel.

Summary

The large-scale attack on Estonia and the very targeted attack by the Stuxnet worm serve to frame the possible future of cyber warfare and cyber terrorism. Both were shocking in their unprecedented scale and execution, but neither caused violence or death. Nonetheless, they gave us something to think about—and thinking about this is what the security community is doing. Defenses are being worked on.

As far as cyber terrorism goes, we have some severe fears on what could happen, but we have nothing concrete. There are no real incidents so far. And outside of the Al Qaeda video, the signs that we are now entering a time of cyber terrorism are small. In May 2012, Dorothy E. Denning wrote an analysis of the current threat of cyber terrorism:

When Stuxnet came along, at least one jihadist took notice. A posting to the popular al-Shamukh jihadist forum in late 2010 called for attacks against SCADA systems, claiming they could be used to cause a massive explosion in a power plant, even a nuclear one, among other things. However, while giving a broad overview of SCADA systems and pointing to Stuxnet, the Australian sewage overflows, and other incidents affecting critical infrastructures, the posting offered no details for executing such attacks. Further, the premier jihadist English-language publication, Inspire, which has published nine issues as of May 2012, has focused exclusively on physical acts of violence. Readers can learn how to “make a bomb in the kitchen of your mom,” but not how to conduct even rudimentary cyber-attacks.

Although jihadist websites and forums have offered tutorials and tools for rudimentary hacking, I have not seen jihadist materials for specifically attacking an ICS or any information suggesting that jihadists have access to a lab with ICS equipment and software, or that they have even attempted cyber-attacks against an ICS. The existence of Stuxnet, recognition of the potential damage that cyber-weapons such as Stuxnet could cause, and the availability of exploit tools against ICSs may bring us a bit closer to a cyber-terrorist incident than we were before Stuxnet, but the threat does not seem imminent.

Even though 9/11 was terrible, the attack itself had little lasting effect. The main way in which it changed our way of life was how it was used to instill fear and to infringe our freedoms in the name of the war on terror. The take-over of three planes and the collapse of the two towers did not cause an internal instability in the country, and outside of massive grief, the direct effects on the US and the rest of the world were over a few months after the attack.

Compared to the deaths and grief caused by the attack on the World Trade Center, cyber terrorism is quite tame. It can cause financial damage, it might even cause some deaths, but all in all, the effects are limited to the electronic world. Our daily lives will go on. And indeed, Lewis (2002) notes that “[t]errorists or foreign militaries may well launch cyber attacks, but they are likely to be disappointed in the effect. Nations are more robust than the early analysts of cyber-terrorism and cyber-warfare give them credit for, and cyber attacks are less damaging than physical attacks.”

The word “terrorism” comes from the root of “terror,” “fear.” The strongest weapon of terrorism is the fear it can induce in the population. Usually, this refers to the fear of unseen combatants bringing violence where we don’t expect it. But as a sadly recurring theme, the word “terrorism” is abused way too much to strike fear into people where none is necessary.

Computer security is an extremely important topic. I wouldn’t be working where I am right now if it weren’t. And we need to deal with these threats. But we also need to be realistic about what it can and cannot do.

Bibliography