This is going to look like shit with the text formatting but I cannot make it any better and there is no way in hell that I have time to manually fix the sentences and paragraph spacing:
http://www.fas.org/sgp/crs/terror/RL33123.pdf
Order Code RL33123
CRS Report for Congress
Received through the CRS Web
Terrorist Capabilities for Cyberattack:
Overview and Policy Issues
Updated January 22, 2007
John Rollins
Specialist in Terrorism and International Crime
Foreign Affairs, Defense, and Trade Division
Clay Wilson
Specialist in Technology and National Security
Foreign Affairs, Defense, and Trade Division
Congressional Research Service · The Library of Congress
Summary
Terrorists’ use of the Internet and other telecommunications devices is growing both in terms of reliance for supporting organizational activities and for gaining expertise to achieve operational goals. Tighter physical and border security may also encourage terrorists and extremists to try to use other types of weapons to attack the United States. Persistent Internet and computer security vulnerabilities, which have been widely publicized, may gradually encourage terrorists to continue to enhance their computer skills, or develop alliances with criminal organizations and consider attempting a cyberattack against the U.S. critical infrastructure.
Cybercrime has increased dramatically in past years, and several recent terrorist events appear to have been funded partially through online credit card fraud. Reports indicate that terrorists and extremists in the Middle East and South Asia may be increasingly collaborating with cybercriminals for the international movement of money, and for the smuggling of arms and illegal drugs. These links with hackers and cybercriminals may be examples of the terrorists’ desire to continue to refine their computer skills, and the relationships forged through collaborative drug trafficking efforts may also provide terrorists with access to highly skilled computer programmers. The July 2005 subway and bus bombings in England also indicate that extremists and their sympathizers may already be embedded in societies with a large information technology workforce.
The United States and international community have taken steps to coordinate laws to prevent cybercrime, but if trends continue computer attacks will become more numerous, faster, and more sophisticated. In addition, a recent report by the Government Accountability Office states that, in the future, U.S. government agencies may not be able to respond effectively to such attacks.
This report examines possible terrorists’ objectives and computer vulnerabilities that might lead to an attempted cyberattack against the critical infrastructure of the U.S. homeland, and also discusses the emerging computer and other technical skills of terrorists and extremists. Policy issues include exploring ways to improve technology for cybersecurity, or whether U.S. counterterrorism efforts should be linked more closely to international efforts to prevent cybercrime.
This report will be updated as events warrant.
Contents
Introduction
Background
    When is Cyberattack Considered Cyberterrorism?
    Objectives for a Cyberattack
    Persistent Computer Security Vulnerabilities
    U.S. Government Cybersecurity Efforts
        Department of Homeland Security (DHS)
        Department of Defense
        FBI
        NSA
        CIA
        Inter-Agency Forums
    Changing Concerns about Cyberattack, 2001-2006
    Inconsistent Reporting of Terrorists’ Cyber Activities
    Technical Skills of Terrorists
    Cyberterrorism Capability of State Sponsors of Terrorism
    Trends in Cyberterrorism and Cybercrime
    The Insider Threat
    Links Between Terrorism and Cybercrime
    International Efforts to Prevent Cybercrime
Analysis and Policy Issues
Related Legislation
Introduction
Often it is very difficult to determine if a cyber attack or intrusion is the work of a terrorist organization with the objective of doing harm, or a cyber criminal who wishes to steal information for purposes of monetary gain. Just as terrorists and violent extremists often rely on exploiting vulnerabilities of targets seen as soft and easy to access to support possible future cyber attacks, cyber criminals exploit these same vulnerabilities to gain access to information that may lead to monetary gain. Implementation of a stronger policy for domestic physical security has reduced the risk to some targets that may have previously been vulnerable to physical attacks. Also, it is suggested by numerous experts that terrorists may be enhancing their computer skills or forming alliances with cybercriminals that possess a high level of telecommunications expertise. In addition, continuing publicity about Internet computer security vulnerabilities may encourage terrorists’ interest in attempting a possible computer network attack, or cyberattack, against U.S. critical infrastructure.
To date, the Federal Bureau of Investigation (FBI) reports that cyberattacks attributed to terrorists have largely been limited to unsophisticated efforts such as email bombing of ideological foes, or defacing of websites. However, it says their increasing technical competency is resulting in an emerging capability for network-based attacks. The FBI has predicted that terrorists will either develop or hire hackers for the purpose of complementing large conventional attacks with cyberattacks.1 Recently, during the Annual Threat Assessment, FBI Director Mueller observed that “terrorists increasingly use the internet to communicate, conduct operational planning, proselytize, recruit, train and to obtain logistical and financial support. That is a growing and increasing concern for us.”2
IBM has reported that, during the first half of 2005, criminal-driven computer security attacks increased by 50 percent, with government agencies and industries in the United States targeted most frequently.3 Cybercrime is now a major criminal activity, and it may become increasingly difficult to separate some forms of cybercrime from suspected terrorist activities. For example, in a recent report from the House Homeland Security Committee, FBI officials indicated that extremists have used identity theft and credit card fraud to support recent terrorist activities by Al Qaeda cells.4 Also, according to press reports Indonesian police officials believe the 2002 terrorist bombings in Bali were partially financed through online credit card fraud.5
This report reviews publications and government reports to explore the following: (1) examples of vulnerabilities that may raise the level of interest that terrorists might have in attempting a coordinated cyberattack; (2) effects of the War on Terror that are driving terrorists to use the Internet more; (3) inconsistent reporting about terrorists’ cyber activities; and (4) ways that terrorists may be improving their cyber skills.
Background
Distinctions between crime, terrorism, and war tend to blur when attempting to describe a computer network attack (CNA) in ways that parallel the physical world. For example, if a nation state were to secretly sponsor non-state actors who initiate a CNA to support terrorist activities or to create economic disruption, the distinction between cybercrime and cyberwar becomes less clear. Because it is difficult to tell from where a cyberattack originates, an attacker may direct suspicion toward an innocent third party. Likewise, the interactions between terrorists and criminals who use computer technology may sometimes blur the distinction between cybercrime and cyberterrorism. It also may be the case that individuals providing computer expertise to a criminal or terrorist may not be aware of the intentions of the individual that requested the support. So far, it remains difficult to determine the sources responsible for most of the annoying, yet increasingly sophisticated attacks that plague the Internet. Given the difficulty in determining the originator of the cyber intrusions or attacks, some argue that unlike responding to traditional criminal acts, the focus should be on the act rather than the perpetrator and the threshold for launching defensive and offensive actions should be lowered.
1 Keith Lourdeau, FBI Deputy Assistant Director, testimony before the U.S. Senate Judiciary Subcommittee on Terrorism, Technology, and Homeland Security, February 24, 2004.
2 Robert Mueller, FBI Director, testimony before the Senate Select Committee on Intelligence, January 11, 2007.
3 IBM Press Release, Government, financial services and manufacturing sectors top targets of security attacks in first half of 2005, August 2, 2005, [http://www.ibm.com/news/ie/en/2005/08/ie_en_news_20050804.html].
4 According to FBI officials, Al Qaeda terrorist cells in Spain used stolen credit card information to make numerous purchases. Also, the FBI has recorded more than 9.3 million Americans as victims of identity theft in a 12-month period; June, 2005. Report by the Democratic Staff of the House Homeland Security Committee, Identity Theft and Terrorism, July 1, 2005, p. 10.
5 Alan Sipress, “An Indonesian’s Prison Memoir Takes Holy War Into Cyberspace,” Washington Post, December 14, 2004, p. A19.
The Internet is now used as a prime recruiting tool for insurgents in Iraq.6 Insurgents have created many Arabic-language websites that are said to contain coded plans for new attacks. Some reportedly give advice on how to build and operate weapons, and how to pass through border checkpoints.7 Other news articles report that a younger generation of terrorists and extremists, such as those behind the July 2005 bombings in London, are learning new technical skills to help them avoid detection by law enforcement computer technology.8
When is Cyberattack Considered Cyberterrorism?
Some observers feel that the term “Cyberterrorism” is inappropriate, because a widespread cyberattack may simply produce annoyances, not terror, as would a bomb, or other chemical, biological, radiological, or nuclear explosive (CBRN) weapon. However, others believe that the effects of a widespread computer network attack would be unpredictable and might cause enough economic disruption, fear, and civilian deaths, to qualify as terrorism. At least two views exist for defining the term Cyberterrorism:
• Effects-based: Cyberterrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals.
• Intent-based: Cyberterrorism exists when unlawful or politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage.9
Objectives for a Cyberattack
The Internet, whether accessed by a desktop computer or the many available handheld devices, is the medium through which a cyberattack would be delivered. However, for a targeted attack10 to be successful, the attackers usually require that the network itself remain more or less intact, unless the attackers assess that the perceived gains from shutting down the network would offset the accompanying loss of communication. A targeted cyberattack could be effective if directed against a portion of the U.S. critical infrastructure, and if timed to amplify the effects of a simultaneous conventional physical or chemical, biological, nuclear, or radiological (CBRN) terrorist attack. The objectives of a cyberattack include the following four areas:11
1. Loss of integrity, such that information could be modified improperly;
2. Loss of availability, where mission critical information systems are rendered unavailable to authorized users;
3. Loss of confidentiality, where critical information is disclosed to unauthorized users; and,
4. Physical destruction, where information systems create actual physical harm through commands that cause deliberate malfunctions.
6 Jonathan Curiel, “TERROR.COM: Iraq’s tech-savvy insurgents are finding supporters and luring suicide-bomber recruits over the Internet,” San Francisco Chronicle, July 10, 2005, [http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/07/10/CURIEL.TMP].
7 Jonathan Curiel, “Iraq’s tech-savvy insurgents are finding supporters and luring suicide-bomber recruits over the Internet,” San Francisco Chronicle, July 10, 2005, p. A.01.
8 Michael Evans and Daniel McGrory, “Terrorists Trained in Western Methods Will Leave Few Clues,” London Times, July 12, 2005.
9 For a more in-depth discussion of the definition of cyberterrorism, see CRS Report RL32114, Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, by Clay Wilson.
10 A targeted attack is one where the attacker is intentionally attempting to gain access to or disrupt a specific target. This is in contrast to a random attack where the attacker seeks access to or to disrupt any target that appears vulnerable.
According to Richard Clarke, former Administration Counter Terrorism Advisor and National Security Advisor, if terrorists were to launch a widespread cyberattack against the United States, the economy would be the intended target for disruption, while death and destruction might be considered collateral damage.12 Many security experts also agree that a cyberattack would be most effective if it were used to amplify a conventional bombing or CBRN attack. Such a scenario might include attempting to disrupt 911 call centers simultaneously with the detonation of an explosive device. This type of example is usually contrasted to a widespread, coordinated cyberattack, unaccompanied by a physical attack, that would technically be very difficult to orchestrate and unlikely to be effective in furthering terrorists’ goals.
Because such an attack cannot directly cause death and destruction, this may explain why there is no evidence that terrorist groups have undertaken a significant cyber attack.13 However, other observers say that, because of interdependencies among infrastructure sectors, a large-scale cyberattack that affected one sector could also have disruptive, unpredictable, and perhaps devastating effects on other sectors, and possibly long-lasting effects to the economy. These observers assert Al Qaeda and associated terrorist groups are becoming more technically sophisticated, and years of publicity about computer security weaknesses has made them aware that the U.S. economy could be vulnerable to a coordinated cyberattack.14
11 U.S. Army Training and Doctrine Command, Cyber Operations and Cyber Terrorism, Handbook No. 1.02, August 15, 2005, p. II-1 and II-3.
12 Kevin Rademacher reporting remarks of Richard Clarke at CardTech/SecurTech security conference April 2005, “Clarke: ID Theft Prevention Tied to Anti-terrorism Efforts,” Las Vegas Sun, April 13, 2005, at [http://www.lasvegassun.com/sumbin/stories/text/2005/apr/13/518595803.html].
13 Joris Evers, “Does Cyberterrorism Pose a True Threat?,” PCWorld, March 14, 2003, at [http://www.peworld.com/news/article/0,aid,109819,00.asp]. Joris Evers, reporting remarks by Bruce Schneier at CeBIT technology trade show in March 2003, “Cyberterror Threat Overblown,” Computerworld, March 14, 2003, at [http://www.computeworld,com/printthis/2003/0,4814,79368,00.html]. Gabriel Weimann, Special Report - Cyberterrorism: How Real is the Threat?, United States Institute of Peace, Washington, D.C., May 2004. Dan Ilett reporting remarks of Richard Clarke at the Oxford University Internet Institute in February 2005, Clarke joins latest cyberterror debate, ZDNet UK, February 11, 2005, at [http://www.zdnet.co.uk/print/?TYPE=story&AT=39187582-39020375t-10000025c].
Publicity would also be one of the primary objectives for a terrorist attack. Extensive coverage has been given to the vulnerability of the U.S. information infrastructure and to the potential harm that could be caused by a cyberattack. This might lead terrorists to feel that even a marginally successful cyberattack directed at the United States may garner considerable publicity.15 Some suggest that were such a cyber attack by a terrorist organization to occur and become known to the general public, regardless of the level of success of the attack, concern by many citizens may lead to widespread withdrawal of funds and selling of equities.
Persistent Computer Security Vulnerabilities
At the July 2005 Black Hat computer security conference (a private sector sponsored annual meeting of organizations focused on cyber-security technology and related issues) in Las Vegas, a security expert demonstrated an exploit of what many consider to be a significant Internet security flaw, by showing how the most commonly used Internet routers, the devices that forward data to a desired destination, could quickly be hacked.16 This router vulnerability could allow an attacker to disrupt selected portions of the Internet, or even target specific groups of banks or power stations.17 Security expert Bruce Schneier, a recent critic of the idea of cyberterrorism, reportedly agreed that the router flaw was a “major” Internet security vulnerability, and could allow criminals to steal identity information, or otherwise attack networks. The router manufacturer released a software patch in April 2005 to fix the problem, but over the following four months had apparently not notified its customers and government agencies, including DHS, about the seriousness of the vulnerability.18
14 Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, McGraw-Hill, 2003, p. 110. Keith Lourdeau, Deputy Assistant Director of the FBI Cyber Division, testimony before the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security, February 24, 2004. Ryan Naraine reporting remarks of Roger Cressey at Infosec World 2005, Cyber-Terrorism Analyst Warns Against Complacency, eWEEK.com, April 4, 2005, at [http://www.eweek.com/article2/0,1759,1782288,00.asp].
15 The Electronic Intrusion Threat to National Security and Emergency Preparedness (NS/EP) Internet Communications, Office of the Manager, National Communications System, December 2000, p. 31, at [http://www.ncs.gov/library/reports/electronic_intrusion_threat2000_final2.pdf].
16 Amy Storer, Update: IPv6 risks may outweigh benefits, SearchSecurity.com, July 29, 2005, at [http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1112459,00.html?track=NL-358&ad=525032USCA].
17 Victor Garza, Security researcher cause furor by releasing flaw in Cisco Systems IOS, SearchSecurity.com, July 28, 2005, at [http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1111389,00.html].
18 Justin Rood, Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw, CQ Homeland Security, August 2, 2005, at [http://homeland.cq.com/hs/display.do?docid=1810432&sourcetype=31&binderName=news-all].
The United States may provide ample economic targets vulnerable to cyberattack, thus tempting terrorist groups to increase their cyber skills.19 A February 2005 report by the President’s Information Technology Committee (PITAC) stated that the information technology infrastructure of the United States, which is vital for communication, commerce, and control of the physical infrastructure, is highly vulnerable to terrorist and criminal attacks. The report also found that the private sector has an important role in protecting national security by deploying sound security products, and by adopting good security practices.20 However, a recent survey of 136,000 PCs used in 251 commercial businesses in North America found that a major security software patch, known as SP2, was installed on only nine percent of the systems, despite the fact that Microsoft advertised the importance of installing the security patch one year ago. The remaining 91 percent of commercial businesses surveyed will continue to be exposed to major security threats until they deploy the software patch throughout their organizations.21 This may bring into question the extent to which the private sector will self-protect without greater incentive.
Several recent studies by global computer security firms found that the highest rates for computer attack activity were directed against critical infrastructures, such as government, financial services, manufacturing, and power. These reports also show that the United States is the most highly targeted nation for computer attacks; during the first half of 2005, United States computer systems were attacked at a rate 10 times higher than the next most highly targeted nation, China (see section titled “Trends in Cybercrime,” below).22 U.S. federal agencies have come under criticism in past years for the effectiveness of their computer security programs.23 Further, a May 2005 report by the Government Accountability Office (GAO) stated that because of the growing sophistication of malicious code on the Internet, the federal government may increasingly be limited in its ability to respond to cyber threats.24
19 Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, McGraw-Hill, 2003, p. 110. (Hereafter cited as Verton, Black Ice.)
20 The President’s Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, Report to the President, February 2005, p. 25, [http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf].
21 John Foley, “Businesses Slow to Deploy Windows XP SP2,” Information Week, April 26, 2005, p. 26.
22 IBM News, Report Finds Online Attacks Shift Toward Profit, August 2, 2005, at [http://www.ibm.com/news/us/en/2005/08/2005_08_02.html]. Symantec Press Release, Symantec Internet Security Threat Report Highlights Rise In Threats To Confidential Information, March 21, 2005, at [http://www.symantec.com/press/2005/n050321.html].
23 Based on 2002 data submitted by federal agencies to the White House Office of Management and Budget, GAO noted, in testimony before the House Committee on Government Reform (GAO-03-564T, April 8, 2003), that all 24 agencies continue to have “significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse, and disruption.” Christopher Lee, November 20, 2002, Agencies Fail Cyber Test: Report Notes ‘Significant Weaknesses’ in Computer Security, at [http://www.washingtonpost.com/ac2/wp-dyn/A12321-2002Nov19?language=printer.]
U.S. Government Cybersecurity Efforts
Many U.S. federal government departments and agencies have responsibilities and have established programs to address various aspects of cyber-security. Some would argue that this level of federal effort demonstrates that the government recognizes cyber-security as a national priority. Others see the many organizations and programs as unnecessarily duplicative, with the Nation lacking a coherent strategy for understanding the true cyber security threat or the roles and responsibilities of each federal government organization.
Department of Homeland Security (DHS). Some homeland security experts are concerned that the establishment of DHS has delayed federal government cyber security efforts significantly. It is suggested that during a time when the terrorists appear to be growing more reliant on the internet and gaining valuable expertise and experience, DHS, the lead federal agency responsible for cyber-security, has not progressed to meet the challenges that might lie ahead. Others cite the difficulty of ascertaining the intentions, origination, and groups behind cyber-intrusions and attacks as a reason for DHS and the federal government’s lack of progress. In February, 2006, DHS participated in and sponsored exercise Cyber Storm which tested the ability of the U.S. government, international partners, and the private sector to recognize, disrupt, and respond to a large-scale cyber attack. Analysis of the exercise produced eight major findings to better position the United States to “enhance the nation’s cyber preparedness and response capabilities.”25 While many were pleased that DHS conducted this exercise and recognized areas for improvement, other homeland security observers found the findings to be an acknowledgment of the work that has not been accomplished since the establishment of the Department.
Department of Defense. In August 2005, DOD Directive 3020.40, the “Defense Critical Infrastructure Program,” assigned functional responsibility within DOD for coordinating with public and private sector services for protection of defense critical infrastructures from terrorist attacks, including cyberattack.26 DOD also announced the formation of the Joint Functional Component Command for Network Warfare (JFCCNW) which has responsibility for defending all DOD computer systems. The expertise and tools used in this mission are for both offensive and defensive operations.27
24 GAO, Information Security; Emerging Cybersecurity Issues Threaten Federal Information Systems, report 05-231, May 2005.
25 DHS, DHS Releases Cyber Storm Public Exercise Report, September 13, 2006 [http://www.dhs.gov/xnews/releases/pr_1158341221370.shtm]. The eight cyber-security enhancement findings addressed: Interagency Coordination, Contingency Planning, Risk Assessment and Roles and Responsibilities, Correlation of Multiple Incidents between Public and Private Sectors, Exercise Program, Coordination between Entities of Cyber Incidents, Common Framework for Response to Information Access, Strategic Communications and Public Relations, and Improvement of Process, Tools and Technology.
26 The Defense Critical Infrastructure is defined as those DOD and non-DOD networked assets essential to project, support, and sustain military forces and operations worldwide.
FBI. The FBI Computer Intrusion program provides administrative and operational support and guidance to field offices investigating computer intrusions. A Special Technologies and Applications program supports FBI counterterrorism computer intrusion investigations, and the FBI Cyber International Investigative program conducts international investigations through coordination with FBI Headquarters Office of International Operations and foreign law enforcement agencies.28
NSA. The National Security Agency (NSA) has created the National Centers of Academic Excellence in Information Assurance Education (CAEIAE) Program, which is intended to reduce vulnerability of national information infrastructure by promoting higher education in information assurance (IA), and by producing more professionals with IA expertise. The NSA and the Department of Homeland Security (DHS) in support of the President’s National Strategy to Secure Cyberspace, established in February 2003, now jointly sponsor the program. Under this program, four-year colleges and graduate-level universities are eligible to apply to be designated as a National Center of Academic Excellence in Information Assurance Education (CAEIAE). Students attending CAEIAE schools are eligible to apply for scholarships and grants through the Department of Defense Information Assurance Scholarship Program and the Federal Cyber Service Scholarship for Service Program (SFS).29
CIA. The CIA Information Operations Center, which evaluates threats to U.S. computer systems from foreign governments, criminal organizations and hackers, conducted a cybersecurity exercise in 2005 called “Silent Horizon” to see how government and industry could react to Internet based attacks. One problem the CIA wanted to examine was who would actually deal with a major cyberwar attack. In theory, the government is in charge, but in practice, the defenses are controlled by a number of civilian telecommunications firms. The simulated cyber attacks were set five years into the future. The stated premise of the exercise was that cyberspace would see the same level of devastation as the 9/11 hijackings.30
An earlier cyberterrorism exercise called “Livewire” concluded there were serious questions over government’s role during a cyberattack depending on who was identified as the culprit: terrorists, a foreign government, or bored teenagers. It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.
27 John Lasker, “U.S. Military’s Elite Hacker Crew,” Wired News, April 18, 2005, [http://www.wired.com/news/print/0,1294,67223,00.html].
28 Keith Lourdeau, testimony before the Senate Judiciary Subcommittee on Terrorism, Technology, and Homeland Security, February 24, 2004, [http://www.fbi.gov/congress/congress04/lourdeau022404.htm].
29 National Security Agency, [http://www.nsa.gov/ia/academia/caeiae.cfm].
30 Ted Bridis, “‘Silent Horizon’ war games wrap up for the CIA,” USA Today, May 26, 2005, [http://www.usatoday.com/tech/news/techpolicy/2005-05-26-cia-wargames_x.htm].
Inter-Agency Forums. To improve cybersecurity for federal agencies and the critical infrastructure, the Office of Management and Budget (OMB) has created a task force to investigate how agencies can better coordinate cybersecurity functions such as training, incident response, disaster recovery, and contingency planning. The U.S. Department of Homeland Security has also created a new National Cyber Security Division that will focus on reducing vulnerabilities in the government’s computing networks, and in the private sector to help protect the critical infrastructure.31
Many security vendors agree that to combat cybercrime more effectively, it must be treated as a global problem. Some of these security vendors have created their own independent advance-warning systems for their customers through linking proprietary security equipment into global networks that share information collected by their distributed customer base. One example is an early-warning cyber-security intrusion program that’s composed of a global network of 19,000 firewall and intrusion-detection devices maintained by thousands of volunteer data partners. This early intrusion system correlates global data to detect the start of a possible swarming Internet attack originating simultaneously in different parts of the world, and notifies administrators to help them defend their systems when targeted.32 A similar public/private partnership security warning program was created through the Cyber Incident Detection Data Analysis Center (CIDDAC).33 In 2005, CIDDAC will install special sensors on the networks of participating partner companies to automatically detect cyberattacks and notify administrators and law enforcement.
Changing Concerns about Cyberattack, 2001-2006
Following the September 11 attacks, public concerns were high about the threat of a possible follow-on cyberattack from terrorist groups.34 Subsequently, there has been disagreement among security experts about (1) whether such an attack could possibly be launched by terrorists against U.S. civilian critical infrastructure, or (2) whether such an attack could seriously disrupt the U.S. economy.35
31 Jason Miller, “New Cybersecurity Team Meets this Week,” Government Computer News, March 21, 2005. Grant Gross, “Homeland Security to Oversee Cybersecurity,” PC World, June 9, 2003, at [http://www.pcworld.com/news/article/0,aid,111066,00.asp].
32 Paul Roberts, “Symantec Offers Early Warning of Net Threats,” PC World, February 12, 2003, at [http://www.pcworld.com/news/article/0,aid,109322,00.asp].
33 CIDDAC is a not-for-profit organization that combines private and government perspectives to facilitate automated real-time sharing of cyberattack data. CIDDAC is specifically designed to protect privacy rights while collecting cyber threat information from sensors attached to corporate computer networks.
34 In July 2002, Gartner Research and the U.S. Naval War College hosted a three-day, seminar-style war game called “Digital Pearl Harbor” (DPH), with the result that 79% of the gamers said that a strategic cyberattack against the United States was likely within the next two years. Gartner Research, ‘Digital Pearl Harbor’: Defending Your Critical Infrastructure, October 4, 2002, at [http://www.gartner.com/pages/story.php.id.2727.s.8.jsp].
Simulated cyberattacks, conducted by the U.S. Naval War College in 2002, indicated that attempts to cripple the U.S. telecommunications infrastructure would be unsuccessful because system redundancy would prevent damage from becoming too widespread. Many observers suggest that evidence from natural disasters shows that many of the critical infrastructure systems, including banking, power, water, and air traffic control, would likely recover rapidly from a possible cyberattack.36
To date, there has been no published report of a coordinated cyberattack launched against the critical infrastructure by a terrorist or terrorist group. Dennis McGrath of the Institute of Security Technology Studies at Dartmouth College reportedly observed that, “We hear less and less about a digital Pearl Harbor. Cyberterrorism is not at the top of the list of discussions.”37
In May 2005, the CIA reportedly conducted a classified war game, dubbed “Silent Horizon,” to practice defending against a simulated widespread cyberattack directed against the United States. The national security simulation was considered significant because many U.S. counterterrorism experts feel that far-reaching effects from a cyberattack are highly unlikely.38 However, other observers believe that tests of countermeasures, even for unlikely events, may sometimes be prudent.
Many cyber security observers are concerned that U.S. government efforts to date have not effectively prepared the nation for a catastrophic cyberattack. A Business Roundtable report issued in June 2006 found three “cyber-gaps” that are keeping the United States from being prepared to recognize and respond to a cyberattack: (1) the lack of established indicators that would indicate an attack is underway; (2) a failure to identify who is responsible for restoring affected infrastructure; and (3) a lack of dedicated resources to assist in returning cyber operations to a pre-attack condition.39 Due to increased security measures applied to physical facilities and U.S. government efforts to track and engage groups in their home countries, many believe the internet will increasingly play a bigger role in terrorist support and operational efforts. Many observers that monitor the Internet suggest that due to the effects of intensified counterterrorism efforts worldwide, Islamic extremists are gravitating toward the Internet, and are succeeding in organizing online where they have been failing in the physical world. Terrorist groups increasingly use online services for covert messaging, through steganography, anonymous e-mail accounts, and encryption.40
35 Robert Gates, former CIA director, warned that the threat of cyberterrorism should be taken particularly seriously. Keith Lourdeu, deputy assistant director of the FBI Cyber Division, stated that “our networked systems make inviting targets for terrorists due to the potential for large-scale impact on the nation.” Douglas Schweitzer, “Be Prepared for Cyberterrorism,” Computerworld, April 6, 2005. However, others believe that infrastructure systems are robust and could recover quickly. Richard Forno, “Shredding the Paper Tiger of Cyberterrorism,” Security Focus, September 25, 2002, at [http://www.securityfocus.com/printable/columnists/111]. See also, CRS Report RL32114, Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, by Clay Wilson.
36 Scott Nance, “Debunking Fears: Exercise Finds ‘Digital Pearl Harbour’ Risk Small,” Defense Week, April 7, 2003, at [http://www.kingpublishing.com/publications/dw/]. William Jackson, “War College Calls Digital Pearl Harbor Doable,” Government Computer News, August 23, 2002, at [http://www.gcn.com/vol1_no1/daily-updates/19792-1.html].
37 “CIA Overseeing 3-Day Wargame on Internet,” Associated Press, May 25, 2005.
38 Ted Bridis, “‘Silent Horizon’ War Games Wrap up for the CIA,” USA Today, May 26, 2005, at [http://www.usatoday.com/tech/news/techpolicy/2005-05-26-cia-wargames_x.htm].
Inconsistent Reporting of Terrorists’ Cyber Activities
Some security observers argue that a lack of consistent reporting on the true nature of the cyber-security threat is a direct by-product of the federal government’s lack of strategy and inability to clarify assignments for the numerous departments and agencies that have some responsibility for the issue. Others note that the numerous recent governmental organizations are the reason for the delay in progress, and also predict that as DHS and the Office of the Director of National Intelligence mature, the issue of cyber-security assessments and reporting may receive a higher priority.