Cyberterror Not Yet a Credible Threat, Says Policy Thinktank

Trailrunner7 writes "A new report by a Washington policy think tank dismisses out of hand the idea that terrorist groups are currently launching cyber attacks and says that the recent attacks against US and South Korean networks were not damaging enough to be considered serious incidents. The report, written by James Lewis of the Center for Strategic and International Studies, looks at cyberwar through the prism of the Korean attacks, and calls the idea that terrorists have attack capabilities and just aren't using them 'nonsensical.' 'A very rough estimate would say that there is a lag of three and eight years between the capabilities developed by advanced intelligence agencies and the capabilities available for purchase or rental in the cybercrime black market. The evidence for this is partial and anecdotal, but the trend has been consistent for more two decades,' Lewis writes."

bring back the pr0n!

[thhamm]

cyberterror? someone posted something about 'What If They Turned Off the Internet?'. now that's a threat!
let me share somethin' special with you, which i call perry's perspective..

Re:bring back the pr0n!

[sopssa]

Well I think this whole "cyberterror" idea is pretty funny. I even remember that back in 2000 in school we had to write about some article where they described "cyber attacks from China goverment". Has anyone actually proven that China as a goverment is doing those? It still seems like a myth. Considering world is filled with script kiddies, and China+India together have half of the population on Earth, it's not surprising that many percentage of them could be from there.

Another thing is that it's quite hard to launch such a catastrophic, large-scale attack against the internet. Yeah, you can cause some minor annoyance or accidentally route traffic elsewhere like what happened with YouTube for ~30 mins a few years ago, but those are quickly fixed when upstream ISP's responsible notice.

Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com (if you even could hack it - I bet there have been many that have tried)? It just doesn't sum up.

Re:bring back the pr0n!

actually fear is easily caused online. you could do something virtual like download the entire customer database of some bank and put it up as a file on main page of google.com, you've just scared shitless the entire bank's customer base. or you could do something physical like hack google's data center, override all the security there, disable the cooling for servers, turn up all the processors to 100%, and watch as the entire server room exploded. or you could overload a nuclear power plant or something, the specifics dont really matter.
the point is that actions online are the same as actions in real life, except theres an extra layer of technology between you and the target.
terrorism has really redefined warfare in the sense that there's no more concrete enemy. therefore conventional tactics don't work against terrorists. you can't, for instance, go to some country and kill people and expect that to stop terrorism. there's really no simple solution, but what you have to do to combat terrorism is to figure out why the terrorism is happening, and try to fix that. every action has a stimulus, and if you dug deep enough, you could figure out what the initial stimulus for the terrorist was.

Re:bring back the pr0n!

[Penguinisto]

A lot of it depends on what's being attacked, and how.

A concerted effort to blow up / corrupt / poison the DNS root servers? Could be considered as something to worry about. A DDoS against any IP belonging to $targetNation, or even just all major banks belonging to $targetNation? Probably not as much (mostly due to the sheer size of the target, the bandwidth soaking that doing so would require, etc).

Re:bring back the pr0n!

[MichaelSmith]

A guy I work with likes to point out that we always protect against the last terrorist attack, not the next one. You have listed a bunch of things which probably won't work and are not a concern. We should try to think about the things which we are outside our idea of the scope of terrorist operations. Prior to 911 we didn't consider suicide hijackings to be a threat.

Re:bring back the pr0n!

[sopssa]

But if we consider that usually terrorism tries to get some point across (with inhuman ways) and get people to hear them, causing disturbance for the Internet would be quite stupid, as it's actually the first worldwide medium to get your word across without goverment control like with radio and tv. Terrorism doesn't do terror just for the fun of it, but there's always some reasoning behind it - sometimes rational, sometimes more irrational. However script kiddies do it just for the fun of it, to gain that small time period of fame for randomly hacking something.

Re:bring back the pr0n!

[demachina]

"What are you going to on the internet,"

The classic examples are hacking in to the computers that control the power grid(s) and causing a widespread blackout, taking down the air traffic control system, opening flood gates on a dam, or causing a wide spread phone/cell phone outage. Its open to debate how feasible these are but they are certainly plausible and the systems involved may all interact with the Internet now in one form or another.

I find this statement amusing to no end:

"A very rough estimate would say that there is a lag of three and eight years between the capabilities developed by advanced intelligence agencies and the capabilities available for purchase or rental in the cybercrime black market."

It basically implies that advanced intelligence agencies are years ahead in developing the tools for Cyberterrorism. If that were actually true, which I doubt, then why wouldn't you still be "afraid" some advanced intelligence agency will launch a cyber terror attack, or is this submission implying that just because a nation state does it, its not terrorism?

Re:bring back the pr0n!

[Runaway1956]

"Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com (if you even could hack it - I bet there have been many that have tried)? It just doesn't sum up."

A list of possible targets:
banking transactions being disrupted tends to terrorize people with money
taking down the power grid can be scary
disrupting mass transit can be scary
actually causing crashes of mass transit would be outright terroristic
publishing false news stories ranks somewhere between scary and terroristic
disrupting news services is at least mildly scary
disrupting or taking over Department of Defense networks can contribute to terror
actually STEALING Department of Defense secrets is REALLY scary
disrupting critical health care services - hospitals primarily, ambulances secondarily
disrupting police communications

While there aren't many ways to actually kill people with the intartubez, the potential for terror does exist. I've probably not exhausted all the means to spread confusion and/or terror - but those should be enough to cause concern.

Re:bring back the pr0n!

Having worked for three letter agencies, let me say that yes, China is engaged in this activity. Certainly the Russians, French, US, British, and any other country with a foreign intelligence service. In China's case, it's very hard to officially link it to the government because the PLA owns so many companies in the country they can have one of those entities engage in the action with plausible deniability.

As far as it not being a "real" threat, I'd ask the Estonians what they think about that....

Re:bring back the pr0n!

[sopssa]

The classic examples are hacking in to the computers that control the power grid(s) and causing a widespread blackout, taking down the air traffic control system, opening flood gates on a dam, or causing a wide spread phone/cell phone outage.

Except the last one, I dont think those systems should be running on the internet anyway. Even if some terrorist group isn't going to hit them, some script kiddie will.

Re:bring back the pr0n!

Wow, I'm kind of amazed at people being so casual given the history of individual hackers doing damage back in the days before security got semi tight. Exploits are found everyday. Cyber terrorism would be fairly cheap so the thought that no governments are pursuing it including ours is pretty naive. How expensive would it to be to outfit a hundred college students with computers and internet connections just to see what is possible? The CIA spends more than that on coffee. The terrorist have been using web sites already for years to get information out. Can they launch a major attack? Probably not but the Chinese likely can and there have been suspect events. Assuming the terrorist are ignoring the internet is bizarre. Our best defense has been how few actual terrorists there are and that they aren't exactly rocket scientists. Will they one day have the capability? I'd say it's a 100% like them eventually getting a nuclear weapon. We've got to stop attacking countries because of "possible" terrorist ties but we can't ignore likely scenarios simply because they haven't happened yet. Just one talented hacker siding with the terrorists could do a lot of damage. Is it possible to take the whole web itself down? I've heard both sides and I'm not convinced by either so I assume it's probably possible with enough preparation and resources. The simplest attack is just overloading the web. Can't be done? Nothing is infinite.

Re:bring back the pr0n!

[Jah-Wren+Ryel]

We should try to think about the things which we are outside our idea of the scope of terrorist operations. Prior to 911 we didn't consider suicide hijackings to be a threat.

I disagree. While it may be entertaining to worry about new and innovative ways to cause mass hysteria and panic, we should only give minor attention to potential attacks because, frankly, the field is so wide open that we could spend all our money and not protect us from 1% of it.

For example, even if we had taken suicide hijackers seriously before 911, what would we have done about it? Even after 911 99% of the effort is a total waste - the only useful measures taken have been reinforcing the cockpit doors, everything else has been a huge waste of money. Would we have been smart enough to do the cockpit doors before 911? Maybe, or maybe we would have spent the money somewhere else in that 99% of useless crap.

I think that attention and money should be spent primarily on making society robust, so that for any kind of failure, we can recover from it fairly quickly. Making sure first responders are well trained and well equipped with good communications ability is probably the best place to spend money because it covers almost all bases. Considering that acts of nature/god are orders of magnitude more frequent than acts of terrorism we get the added bonus of having our money spent on resources that make a difference in the both rare and the common case.

After first responders I think the best place to spend money is in the design phases of public systems, a stronger emphasis on fault tolerance and flexibility - in other words, simply good engineering. Sure, part of that design work should include considering concerted attacks, but we should assume that eventually an attack will succeed and then the question becomes "what are we going to do about it?" Some remote attack that causes a nuke power plant to shut down, or a generator to burn itself out is going to have the same consequences as any other reason for those events to occur for like an earthquake or even operator error. So the bulk of the engineering needs to go into efficiently recovering from those kinds of events regardless of cause - better failsafes and more redundancy for example.

Re:bring back the pr0n!

Don't confuse "Cyberterrorism" with information warfare which is something that is really truly studied and implemented efficiently by the Chinese, Korean, Israeli, Russian militaries, with the US only now catching up. Terrorists blow things up for graphic shock value and because they believe in martyrdom, something computer hackers would (usually) be philosophically opposed to. On the other hand, computer hacking and military tactics go hand in hand: objective, resources, recon, planning, execution, extraction, and so on.

Also, don't confuse large scale attacks against "The Internet" with anything resembling cyberwar, which is something that involves discrete targets, objectives, and so forth. Cyberwar exercises performed by the US just this year showed it was possible to blow up electrical generators remotely via network attack. Imagine this on a large scale and you can easily see the possibility for real human/financial loss due to information-based attacks, especially against the US critical infrastructure which is well known for using lax security measures in its computer networking.

Re:bring back the pr0n!

[gmhowell]

And your post gets today's award for being a truffle amongst the shit that makes up slashdot.

Re:bring back the pr0n!

[iamsolidsnk]

Terrorism is meant to cause terror while performing everyday activities or a general sense of fear and paranoia in the general population. General public != internet-using public, and I find it hard to believe that any type of act committed in cyberspace would cause such feelings in any average internet-using person. Until cyber-activity gets to a point where such activity causes personal harm, whether psychologically or physically, I would say the term cyber-terrorism has no relevancy to the general public.

Re:bring back the pr0n!

[dkf]

A list of possible targets:

Get real...

banking transactions being disrupted tends to terrorize people with money

Terrorizing bankers? That's likely to win them a medal from everyone else...

disrupting mass transit can be scary

Except the safety-critical parts of mass transit systems are designed to fail safe. Disrupt them and all you get is a bunch of cross people on a stopped train; hardly terror.

actually causing crashes of mass transit would be outright terroristic

And also highly unlikely.

publishing false news stories ranks somewhere between scary and terroristic

Quick everyone! We've got to arrest the "journalists" at Fox News as terrorists!

disrupting news services is at least mildly scary

But disrupting all news sources is really difficult because they are a diverse bunch.

disrupting or taking over Department of Defense networks can contribute to terror

Are we talking about delaying the email of low-level folks (a way to boost productivity) or impacting a secure network? The DOD doesn't mix the internet with the properly secured stuff.

actually STEALING Department of Defense secrets is REALLY scary

And they take measures to try to prevent that, yes? That's why they have real counter-intelligence people.

disrupting critical health care services - hospitals primarily, ambulances secondarily
disrupting police communications

But emergency response doesn't go over the internet. There's just too many ways it can go wrong when it matters, even without malicious "hacker terrorists" in the mix. Non-emergency communications can usually wait, or switch to other channels (e.g., sending invoices by post).

Mostly disrupting the net means that people communicate more slowly (often not a disaster) or stops them goofing off on youtube at work; a lack of such things doesn't contribute to terror, but rather to boredom and irritation.

"How goes the great cyberterror attack?"
"Excellent! We've raised their productivity by 15% and encouraged a renaissance in the writing of letters!"
"Any actual terror?"
"Well... no. But we've made a vast number of middle manager put down their blackberries in frustration. That's got to count for something, yes?"

To be fair, you do have at least one reasonable point in your list (which I've broken out of your original order):

taking down the power grid can be scary

And apparently some power suppliers and grid operators are very exposed this way; this is Bad and needs to be fixed. (There's also what happens if a Smart Grid is implemented with lots of people being small providers of power at some times of the way through, say, solar or wind power. That's where things become a headache, because it will be really hard to make that many people properly secure their systems...)

Re:bring back the pr0n!

[darthwader]

I disagree. None of those situations you describe are terrifying. They are annoying. Disrupting the banking system means people don't get access to their assets for days or even weeks until it's straightened out. But it is eventually straightened out, and rational people know that. They also know that losing their money is not the same as literally losing an arm and a leg (as happens when you stand too close to an exploding bomb).

Even things like shutting down power or communications can cause deaths, but they are secondary deaths (e.g. people freeze to death because of no power, or preventable deaths happen because first responders didn't get there in time), and that just doesn't have the same emotional impact.

Causing crashes of mass transit is the only situation you described which I think qualify as terrorism, since it involves blood, gore, flames and people who are obviously and undeniably dead because of this action.

The thing we forget is that terrorism is NOT about killing the maximum number of people. It is about terrifying people so much that they lose all hope and stop wanting to fight back. Annoying people (even if it does cause some deaths) makes people want to fight more, and thus goes against the purpose.

Re:bring back the pr0n!

[demachina]

Air traffic control and power grids are inherently networked operations. You need to transfer planes from one control center to another, and to report loads or faults on the grid to various control centers, or turn generators on and off to balance load across wide areas. Only way you wouldn't have these functions on the Internet is if you go back to using phones to call people which is brutally inefficient and error prone. One hopes these networks are very secure VPN's but who knows.

Not sure if big dams have their flood gates under computer control but I know for a fact some smaller ones have some gates under computer control, especially ones with irrigation canals hooked to them.

Re:bring back the pr0n!

[maxume]

Not to belabor the point, as he is already rather overexposed, but Bruce Schneier repeatedly makes the point that funding good investigative police work is also an effective measure (because it is often the case that the bad guys are making mistakes, regardless of the particular vector they have chosen to focus on).

Re:bring back the pr0n!

[maxume]

'only' is a pretty strong word in that particular statement. For instance, imagine if someone ran a network very similar to the internet, except for all of the pesky public access.

Re:bring back the pr0n!

[blueg3]

Another thing is that it's quite hard to launch such a catastrophic, large-scale attack against the internet.

That's not the attack of interest.

Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com (if you even could hack it - I bet there have been many that have tried)? It just doesn't sum up.

While stealing, destroying, or maliciously altering important data -- financial or medical records, for example, or military technology -- are interesting attacks, most of the interesting cyberterrorism scenarios involve disabling or damaging non-Internet infrastructure, such as power generation.

Re:bring back the pr0n!

[demachina]

Building an isolated network covering the entire nation is very expensive. Just about all network activity is running over the same backbone. I think by saying virtual private network I was saying what you are saying. But, when you have hundreds of thousands of computers on a private network its exceptionally easy for someone to hang one of them on their LAN too and open the whole thing up to the Internet. If completely private networks were so easy I don't think you would read so many stories of defense contractors and the military getting hacked and losing huge quantities of sensitive, though not highly classifed, weapons design information.

Re:bring back the pr0n!

[maxume]

No, I was merely sniping at your overly categorical statement. It may well be that the internet is far more economic than the alternatives, but it certainly doesn't preclude them.

(The problem with using intrusions as an argument about the problems of running a private network is that the companies in question don't seem to face any consequences for the intrusions, so they have little or no incentive to actually work to prevent them...)

Re:bring back the pr0n!

[Monsuco]

Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com

You have gravely underestimated the power of goatse.

Re:bring back the pr0n!

[smoker2]

Having worked for three letter agencies, let me say that yes, China is engaged in this activity

PLO, IRA and ETA ?

Re:bring back the pr0n!

[uuddlrlrab]

I think you're hitting the nail on the head with your post. Bothering Google, or various other sites, even if it's for a day or two, would likely cause nothing more than a lot of annoyed muttering and sighs. However, there are still some things to consider.
As you say, the main goal of terror groups will be to intimidate and cause widespread panic and lasting fear. Now, how that's done depends largely on the environment. If we're talking domestically, e.g. in the US, and I'm going to assume we are, the greatest threats online IMHO are things like identity theft, financial fraud (they're always looking to fund their activities), target profiling, and causing temporary disruptions of service (power, emergency services, telecom, transportation, etc) just before an attack. Those are all places where vulnerabilities are definitely present, and where we could and should definitely make changes for the better. Such a glib assessment that there is no threat smacks of the same arrogance/ignorance that led a certain ship to be called "unsinkable."

Re:bring back the pr0n!

Disrupting the banking system means people don't get access to their assets for days or even weeks until it's straightened out.

So I'll be able to send you invoices for all my missed mortgage, utility and other bills when I can't get to my accounts?

Banks will always have ways to get money moved for their own purposes, but who cares if I miss payments. Just the penalties and hits on my credit score could be devastating if I'm already on the edge.

We're often told to keep a reasonable stash of cash at home in case the banks are unavailable. But even that is useless if the electric pump at the gas station is out and the electric cash registers at the grocery stores don't operate. Even if the cash drawer can be opened (and it likely can so cash can be put in a safe), no store will let their clerks run on paper. First off, without the computer, no one would know what the prices are. And no owner will trust kids to correctly add up a bill and make change.

Re:bring back the pr0n!

[graffitirock]

% echo $targetNation
Nepal

Why, man?

Re:bring back the pr0n!

[Monsuco]

To reply to two people at once

Terrorizing bankers? That's likely to win them a medal from everyone else...

Yes, I would sure love the person who stole my 401K.

publishing false news stories ranks somewhere between scary and terroristic

Gasp your right. In that case all bloggers should be shot. Markos Moulitsas should be shot twice, or at the very least made into even more of a laughing stock then he already is. All readers of blogs are guilty of aiding the enemy and should be punished by being forced to move out of their parent's basement.

actually STEALING Department of Defense secrets is REALLY scary

That's more cyber-spying than cyber-terror. That being said the NSA and CIA spend millions here.

Re:bring back the pr0n!

[Dorsai65]

Terrorising banks: Sure, no biggie -- right up until it happens for the eleventy-seventh time this year at YOUR bank, and you can't use your ATM/debit card/credit card...

Disrupting transit: Similar to above, but add in the perceived risk of actual physical harm.

Deliberately wrecking transit: "Highly unlikely"... like, say, crunching an airplane into a building on purpose?

Publishing false stories: Good thing bogus stories don't get spread by word of mouth as rumors...

Disrupting news sources: Unless, of course, one (or more) of them happens to be one you've come to use.

Penetrating Govt systems: Maybe not DoD, but how about something less "critical", like all the HEW records going into the bitbucket? Or hurricane predictions at the start of the season?

Actually GETTING secret govt data: Trusting soul, aren't you? What if Tim McVeigh and buddies had known where to steal some radioactive trash to add to their ANFO bomb?

Health services, et al: a hospital in England had to shut down for a while just from getting the Conficker worm; how much worse if somebody started screwing with meds? On a wide-spread basis? Or even just Operating Room scheduling, or billing? Hell, just patient admissions records?

Power grid: Hell with taking it down -- how about just borking it with unscheduled rolling brownouts, overvoltages, intermittently tripping random control relays, and so forth? Or just pushing supplies to borderline with a DDoS against the CoOps and the like?

Telecom systems: How happy would YOU be with a phone system that intermittently connected you to someone OTHER than the person you called? Or cell towers that randomly went out of service for varying periods of time? And if neither the phone company NOR the government or law enforcement could do anything about it?

TFA said that cyberterrorism isn't a credible threat yet -- which implies that it IS some threat, now. Me, I'm hoping they're not just whistling in the dark...

Re:bring back the pr0n!

[Herkum01]

Yeah, well what if they take away all your internet games, that would be something to be scared about.

Re:bring back the pr0n!

I find it hard to believe that any type of act committed in cyberspace would cause such feelings in any average internet-using person

This guy, disagrees.

Re:bring back the pr0n!

[dimeglio]

Sure they did consider suicide hijackings to be a threat. This was not new at all. They simply underestimated the willingness to pull it off or that it would have such an impact. Even the 911 terrorists themselves, I'm certain, were sure the towers would not fall as they did.

I consider cyberterrorism less of a threat to my health than drunk drivers are. Anyone who think otherwise, to me, is simply for self-interest purposes. It would simply feed the well known conspiracy theory that malware detection/removal companies are those who actually create so said malware.

Re:bring back the pr0n!

[_Sprocket_]

But if we consider that usually terrorism tries to get some point across (with inhuman ways) and get people to hear them, causing disturbance for the Internet would be quite stupid, as it's actually the first worldwide medium to get your word across without goverment control like with radio and tv.

You're assuming that:

1) Everyone in the world understands what the Internet offers.

2) That those who would target the Internet don't see it as a symbol of Western power / pride.

3) Everyone WANTS people to have access to a worldwide medium that gives them free access to thoughts and ideas not dictated by their regional government / society.

Re:bring back the pr0n!

[_Sprocket_]

Well I think this whole "cyberterror" idea is pretty funny. I even remember that back in 2000 in school we had to write about some article where they described "cyber attacks from China goverment". Has anyone actually proven that China as a goverment is doing those? It still seems like a myth. Considering world is filled with script kiddies, and China+India together have half of the population on Earth, it's not surprising that many percentage of them could be from there.

I view anything with the "Cyber" prefix that intends to be serious as suspect. It works great in science fiction. Most of what exists in the real world with such naming tends to be a lot of noise with little substance - mere marketing. So I have a lot of skepticism towards "cyberterror" at face value.

But I have a hard time being entirely dismissive of the concept. I've been witness to all manner of attacks on Government and defense contractor networks. Most of them have been very much the described script kiddies of various degrees of advancement. But there have also been very rare examples of sophisticated attackers who went after very interesting information. I know what these attackers collected. I know the initial hops that were used as vectors and drop-off points. But I can't say that I know who they were. Others from different sources have assured me that these attackers were funded by the Chinese. And while I could easily agree, I could also make and argument against it. I've seen plenty of bureaucrats read the worse of a situation they don't understand - life imitating War Games (the original - not the forgettable remake).

Ultimately, I find it as a problem of definition. "Terrorism" is a tactic. Of late, we've become much more familiar with the criminal application of this tactic on civilian targets. But we have to remember that terrorism has it's roots in espionage. And in that light, I have to say that information security is very much on the cutting edge of espionage. Extend that - and it could easily be one of the tools in a terrorist's campaign.

That doesn't mean I buy in to the whole "cyberterrorism" hand-wringing that likes to make appearances in various media. But it doesn't mean that the folks who aren't the ones who wave the concept around like a flag aren't busy assessing some real threats.

Re:bring back the pr0n!

Sigh. People are so blind when the truth is painful.

I work in oil and gas as an application developer for a company that shall go unnamed for very obvious reasons.

Because of "deadlines"--we are specifically forbidden to encrypt our application protocols, and logins weren't even over TLS until a year and a half ago. Some time after that I finally had half an hour of spare time to convert the database and login code to keep passwords encrypted. I was reprimanded a week later because a particular secretary with a direct logon to the production system (?!) could no longer LOOK UP USERS PASSWORDS when they forgot them. Of course, it's already routine practice to have ten people sharing one account rather than call IT and ask for a new account.

We perform remote control over the air, unauthenticated over plain old TCP/IP, and even the same text messages you could send on your cellphone. These systems control oil and gas wells, tanks, pipes, pipelines, and do all of the monitoring. In the next two weeks, we will be deploying this crap directly connected to very expensive control systems, including the main control computer of a processing facility itself. Forgive vagaries in the description please.

All this shit--pumped directly through somebody's browser--no VPN or A/V required. By the way--8 character passwords are too complicated--"You need to turn the allowed passwords to four digits". Yes, *I* know how to do two-factor authentication--but that is not an option.

Yeah--it'd take a lot of expert knowledge to cause a problem, or somebody with enough patience to sniff our traffic and reverse it. Or some kid with a trojan on the VP's laptop. I bet details would sell for a few hundred thousand to an interested person, which would be worth the time it'd take to decode it.

But this is the state of the internet in America and the rest of the world. You want to call me negligent? I advised my boss and email them the risks when they have us write this crap. They kept pushing the deadlines and cutting project funds for the past ten years--and I still get paid well. I probably should quit and go to another company--but I like my paycheck--just not their decisions.

From where I sit--it's a real risk, and it's a damned miracle some 14 year old with a port scanner and Brutus hasn't caused a problem yet.

Re:bring back the pr0n!

[Jurily]

So, what's the difference between an attacker looking for fun and an attacker with a political agenda?

Cyberterror is not a credible threat because we're already up to our necks with spammers, script kiddies, whatever. Whether or not they have reasons to do it other than "I want your money", we don't know and we don't care.

Re:bring back the pr0n!

[deodiaus2]

Well, what if the Chinese and Indians decided to jump un and down at the same time. Shit, we should be planning for this too!!

Re:bring back the pr0n!

[Anci3nt+of+Days]

I guess we didn't take Tom Clancy seriously enough.

Re:bring back the pr0n!

[Svartalf]

You hit it on the head of the nail in your last line there- the magic word here is " YET ". The last three ones are deeply troubling if you think about it and the power grid one's much, much more possible than most would think and they're just going to make it more doable with the current Smart Grid stuff they're planning on doing.

Re:bring back the pr0n!

Prior to 911 we didn't consider suicide hijackings to be a threat.

The CIA did. Link

Re:bring back the pr0n!

[Svartalf]

Heh... Rolling brownouts/blackouts over the entire country or a blackout that makes the 2003 East Coast one look like a picnic are very possible and doable right now with the infrastructure the way it is. Do you think that it will be annoying the populace or freaking them out at that point?

Re:bring back the pr0n!

[houghi]

The problem with protecting against the next way of attacking is that the protection is more harmfull then the (possible) attack itself.

Re:bring back the pr0n!

[TheRaven64]

In the Foundation series, the Foundation won a war because they stopped providing helpful but not essential consumer goods to the people attacking them. Eventually, the aggressor's population became so unhappy with their leaders depriving them of shiny toys that they rebelled. Obviously this is fiction, but it made a good point. People are much likely to care about small things that affect them directly than larger things that only affect other people.

Re:bring back the pr0n!

[darthwader]

The word for that is "sacntions", not "terrorism". And I think that, in general, history does not agree with Isaac Asimov. See Cuba for example.

However, you do raise a good point about "things that affect them directly". I think terrorism, to be effective, requires people to think that it could have affected them. So a random car bomb that kills 10 people is terrifying, because people think they could have been one of those people. On the other hand, thousands of people dying each year because they drink and drive is not frightening, because everyone thinks "I don't do that, so I'm safe".

So terrorism is all about large things that affect other people who are just like you, and make you think it could have affected you just as easily.

Re:bring back the pr0n!

Having worked for three letter agencies, let me say that yes, China is engaged in this activity. Certainly the Russians, French, US, British, and any other country with a foreign intelligence service. In China's case, it's very hard to officially link it to the government because the PLA owns so many companies in the country they can have one of those entities engage in the action with plausible deniability.

As far as it not being a "real" threat, I'd ask the Estonians what they think about that....

I was thinking Georgians myself, but since you already made the point....

I'm less worried about the military application of governments, and more worried about the individual or small groups with the means to manipulate high impact systems. The world is built on simple principals that most people operate in a mostly ethical manner for one reason or the other. Similar to network theory, the world is built on simple trusts. When you can't trust anyone else... that's when everything comes to a grinding halt.

I wouldn't say it's paranoid, but there is a definite vulnerability that we have multiple points in history that show how the mighty and unaware can fall...

I'd rather not be caught with my pants down, thank you.

Re:bring back the pr0n!

[lsatenstein]

Re loss of internet. We had a power outage in the ISPs building, where his routers, unknown to him, were not on the ups or generators. Since our telephone system was also voip, we were left only with Cell phone access. We suddenly realized that as a modern service industry business, without the internet, we are as good as dead. Killing the internet would be disasterous situation world wide.

"not yet credible"

You haven't seen the amount of probing foreign governments do to our defense networks. I'm amazed DoD networks function at all. The bulk of the attacks are, of course, script kiddies worldwide. However many national governments are putting very brilliant work into attacking our networks. Right now the focus is on extracting data, but given the compromised silicon I've seen, anything is possible.

anon for a reason.

Re:"not yet credible"

[siddesu]

I am not worried about some scary foreign governments.

I am worried by something I really suffer from -- a permanent attack going on 24 hours a day, 7 days a week, 365 days in a normal year, 366 in a leap year, indistinguishable in nature from this "cyber-terror" scare talk, except it is real and harmful.

For no other recourse, I participate in a complex voluntary international network, and employ significant resources internally to mitigate this cyber attack. And all I can do is keep some part of it away, barely. Sometimes I suffer from the complexities of this very same mitigation system, when my services are denied by mistake.

And the governments, who btw also suffer from it, just keep tolerating it.

What I am talking about is called spam, and with the government of the largest spamming country being a bit more pro-active, it would decrease significantly. But the government does nothing, spending money on bullshit, instead of focusing on real problems.

My guess is, solving real problems is hard, and because of that less money are left for graft, so the interest of the politicians in solving them is significantly lower.

Re:"not yet credible"

[demachina]

Maybe you should just try switching to GMail. They seem to have completely beaten spam, at least I sure never get any since I switched.

Re:"not yet credible"

Maybe they should, maybe they shouldn't. What has that to do with GP's topic of government doing shit to prevent it from happening?

Re:"not yet credible"

[demachina]

What exactly are you proposing "government" do about it. Even if the U.S. "government" did something about it that leaves about a hundred other countries where it can originate. Its kind of sad when people want the nanny state to solve all their problems for them. Like I said Google solved the problem so there is no reason any other big email service can't, and if you are an admin running your own email server and you can't solve it then that is probably the most compelling argument I've heard for moving your email to the cloud.

Re:"not yet credible"

[siddesu]

Google (or anybody) hasn't solved any spam problem, they keep doing what I do - spend money/resources to filter it on the server side. Everyone else who is running an email server does the same. The effort and resources are still wasted, whether the clueless lusers see it or not.

The "government" (especially that of the US, which is still the top spammer, accounting for more spam than the next 9 in the top list) can do many things -- like hitting the spammers and their customers hard, and press other governments to the same. They do it very well for a lot of things (including "intellectual property" rights) already.

Instead, we see large budgets spent on "cyber terror", tons of spam, and people with their heads up in the cloud, or darker places.

Re:"not yet credible"

Rubbish.

Now that it's common knowledge that Google filters spam with a near 100% success rate, how many spammers do you think still waste their time and resources trying to send additional spam that will never get through? It's not exactly rocket science for spammers to filter all the gmail addresses from their list to focus on their remaining genuine addresses.

Result - google has far less spam to bother with compared to other email providers, and their server side money/resources can be reduced accordingly.

Now what happens if everybody gets as good as google? Spam is dead, there would be no economic incentive to carry on producing it.

Re:"not yet credible"

[siddesu]

You post assumptions you pulled out of your ass, but that doesn't mean real world works the way you think it does.

Here is a post to get you started, from the horse's mouth. This is for their "enterprise" filtering system, there are links for the gmail one as well. Notice how "total volume of spam" they get keeps increasing, just like everyone else's.

http://googleenterprise.blogspot.com/2009/07/q2-2009-spam-trends.html

Your perspective is the luser perspective, you're content with a problem as long as you don't see it.

Re:"not yet credible"

[mister_playboy]

I am not worried about some scary foreign governments.

I am worried by something I really suffer from -- a permanent attack going on 24 hours a day, 7 days a week, 365 days in a normal year, 366 in a leap year, indistinguishable in nature from this "cyber-terror" scare talk, except it is real and harmful

I actually thought you were going to say "the erosion of our civil liberties in the name of fighting terrorism".

Re:"not yet credible"

[Monsuco]

What I am talking about is called spam, and with the government of the largest spamming country being a bit more pro-active, it would decrease significantly. But the government does nothing, spending money on bullshit, instead of focusing on real problems.

Dude, we are in the middle of 2 wars, facing nuclear threats from Iran and North Korea, in a deep recession, facing constant terrorist threats, and facing the eventual collapse of Social Security and Medicare threatening everyone's retirement future. I suspect this is a much bigger problem then messages in your inbox saying "EnL@Rge y0r P3n1$".

Re:"not yet credible"

You're facing nuclear threats from Iran and North Korea? You're delusional, my friend, better see a doctor or something.

I shirley hope you can pay for it.

Re:"not yet credible"

[AllynM]

Did said think tank read this?

http://www.foreignaffairs.com/articles/65499/wesley-k-clark-and-peter-l-levin/securing-the-information-highway

This little tidbit is available in the full version of the article text:

In 1982, a three-kiloton explosion tore apart a natural gas pipeline in Siberia; the detonation was so large it was visible from outer space. Two decades later, the New York Times columnist William Safire reported that the blast was caused by a cyber-operation planned and executed by the CIA. Safire's insider sources claimed that the United States carefully placed faulty chips and tainted software into the Soviet supply chain, causing the chips to fail in the field. More recently, unconfirmed reports in IEEE Spectrum, a mainstream technical magazine, attributed the success of Israel's September 2007 bombing raid on a suspected Syrian nuclear facility to a carefully planted "kill switch" that remotely turned off Syrian surveillance radar.

Yup. No Cyberterrorism to see here. Riiiight.

Re:"not yet credible"

the United States carefully placed faulty chips and tainted software into the Soviet supply chain,

Yeah, this is totally the same as hacking yr networks over teh internets.

Re:"not yet credible"

I can pay for it. And don't call me Shirley.

Re:"not yet credible"

Looks like you were being a bit selective - you "forgot" to post the more recent link showing a small decline in spam. Could it be that spammers are getting smarter?

http://googleenterprise.blogspot.com/search/label/spam%20and%20security%20trends

Or do you have an "explanation" for why spammers choose to carry on spamming useless email addresses? Is there a secret conspiracy against google?

I am almost always right about everything, I don't really know why I'm bothering wasting my time replying to you.

Re:"not yet credible"

ps oh yes, and in November 2008 the spam graphs which you hold as conclusive proof peaked at 95, about double what they are for today.

http://googleenterprise.blogspot.com/search/label/Postini

But never mind, you did a great job of proving that spam volumes went up during an arbitrary period - the hugely significant quarter 2 of 2009.

You must have known you were presenting misleading information, why the fuck are you bothering? Tosser.

Re:"not yet credible"

[Svartalf]

Oh, Cyberterrorism is a bit more than what you say- it's just the media hyping up that stuff and I wish they'd quit, but it's not the type of news people want to hear for the real stuff (and it doesn't make ratings...)

Not that you can't get similar results with select SCADA networks and the regular rad hax0ring skillz...they're not at all secure, even after they applied "security" to them... Seriously. If you compromize the right part of the network, you can do the same things we purportedly did to Russia here with the natural gas pipelines. Ditto a similar stunt with the electric power grid. They SAY they've secured things. Perhaps they have in some utilities. They might have secured the SCADA head-end- and then again, they may have leakage from their "standalone" network. It gets found all the time. And we won't get into what might or might not be done to the remote end, which typically has LESS security than the head end might have.

Thank god.

[mirix]

I was having a hard time sleeping, waking up with cold sweats, worried sick.

Looks like i can finally get some rest.

Re:Thank god.

[sopssa]

Beer/Vodka is always helpful.

That's Why We Must Be Proactive now

It seems to me that even if this report was accurate, we shouldn't be resting on our laurels until the threats become credible and too late to stop.

Its clear the best way to stop and prevent terrorism is at the point of planning or in the initial stages, not when the have assembled and planted the bomb. Cyberterrorism should be no different.

We wouldn't want the smoking gun to be a complete breach and shutdown of our networks would we. I favor a more proactive and preemptive approach. Attack them now before they can attack us. The best defense is a good offense.

Re:That's Why We Must Be Proactive now

[thhamm]

Its clear the best way to stop and prevent terrorism is at the point of planning or in the initial stages

yes exactly, because changing things so that noone will have to resort to terrorism is just too easy. and expensive. and inconvenient.

Re:That's Why We Must Be Proactive now

well what do they hate about us? it isnt exactly that we have religious freedom to choose any religion we like, it is more that we use that religious freedom to choose any religion including ones that arent islam. it is that they have what we want and we are not necessarily using it to promote islam if we trade with them. the problem is that they dont want you to exist, if you would be willing to die or at least agree with them on everything they would be happy. so feel free to make them happy. the problem with irrational people is they are irrational and often the product of an irrational environment. yeah we would couldve not invaded iraq, supported israel, tortured their terrorists etc but in the end they want you to believe in the one true god and that they are falling short of his will if they dont fight every non believer where ever he may stand to the best of their ability, for how can you love all of man kind like the true god wants if you dont do every thing to save his immortal sole which lasting much longer than any material goods he may have in this life is much more important.

Re:That's Why We Must Be Proactive now

[John+Hasler]

On the contrary. It's too inexpensive and too convenient. Worst of all, it might actually work (though not with politicians in charge).

Re:That's Why We Must Be Proactive now

[sopssa]

It's not only what's happening with Middle-East. For example IRA, which is considered as terrorism group in the UK, "sought to remove Northern Ireland from the United Kingdom and bring about a united Ireland by force of arms and political persuasion.". Not knowing fully whats behind it, but it seems they have a clear purpose that isn't so irrational (and didn't the area used to belong to Ireland people before?). Obviously even you must understand that they're not causing "terror" just for the fun of it, but have some agenda do so (usually so they can get people to hear their agenda, what the goverment doesn't allow)

Re:That's Why We Must Be Proactive now

[bertoelcon]

Obviously even you must understand that they're not causing "terror" just for the fun of it, but have some agenda do so (usually so they can get people to hear their agenda, what the goverment doesn't allow)

But online you get groups or cyber-terrorist script kiddies that do it for the lulz because the repercussions don't really exist.

Re:That's Why We Must Be Proactive now

[Korin43]

But the internet hate machine is limited to harassing kids who like Twilight and making TIME polls say funny things. They're hardly a serious threat to anyone.

Re:That's Why We Must Be Proactive now

yes exactly, because changing things so that noone will have to resort to terrorism is just too easy. and expensive. and inconvenient.

The terrorists' main grievance is that they have not yet killed or converted everyone in the world to their loopy, insane version of Islam. To "change things so that no one will have to resort to terrorism" means to kill or convert everyone who is not a terrorist.

Re:That's Why We Must Be Proactive now

[Sylos]

If I had mod points...I'd mod you up.

Re:That's Why We Must Be Proactive now

[rtb61]

Of course to create the whole threat of 'cyber terror' they always claim, script kiddies taking over digitally controlled infrastructure. You know, take over the power plant and cause a melt down, disable traffic lights or even take control of air traffic control systems. The ultimate defeat of that crazy crap, has always been the same, if it doesn't need to be connected to the internet, then don't connect it to the internet.

Now if it is a system that lives depend on and some greedy idiot connected it to the internet, improperly secured, just to save a few bucks regardless of the risks and consequences, then they are criminally negligent and it is a toss up of who is more guilty of a crime in those circumstances then negligent admin or the script kiddie.

With the low cost of network infrastructure, creating parallel networks is the only sensible choice, internal secure and locked down hardwired and an 'external' network for email and internet access.

Re:That's Why We Must Be Proactive now

The best defense is a good offense.

And we have Iraq as a shining example of how well this approach works.

Re:That's Why We Must Be Proactive now

Sounds like your talking about all religions, if they were happy to let anyone believe a religion other than their own why do they keeping knocking on my door to find out if i have heard the word of jesus/krishna/budda or those crazy mormons.

But seriously, you can't blame religions for everything. The whole israel thing is less religion and more britains fault, after the second world war we felt sorry for the jews and displaced a chunk of the populance in the middle east so we could give the land to the jews, not exactly the brightest idea ever conceived. Terrorism is usually based on someone doing something that one group doesn't like and then refusing to see that they have done something wrong (see the ira and northern ireland). Forget invading iraq, it was done in a stupid way but it needed to be done sooner or later, what we shouldn't have done was prop sadam up for the previous couple of decades, continue to trade with him while he was gassing the kurds and generaly help support dictatorships. Then maybe half the country wouldnt see us as oppresors when we finaly turn up or train the taliban while they were of use to us (fighting the russians in the 80's) then just turning them loose to take over a country and leave them to produce huge amounts of drugs and slaughter anyone they don't like for 20 years until we finaly get round to building a pipeline across the country. A lot of these problems were caused by ignorance ages ago and have been running so long that neither side really knows how to fix it, what won't work is blind hate, oooh your religon is different to mine, you must be evil (im not talking about just muslims here, christians and most other religions can be put in the same category).

Help end religous wars and stop religion now.

Re:That's Why We Must Be Proactive now

In the rare case when a nuclear plant has been subverted via the Internet, the nuclear plant systems were, in fact, not connected to the Internet. However, some of the HR systems were web-enabled. The HR systems establish a connection back to the plant systems (i.e., they were on the same intranet). So, it's not really as simple as declaring that the plant systems be disconnected from the Internet. You also have to ensure that every system that might connect to the plant system is, itself, disconnected from the Internet. In practice, this is not an easy task.

Re:That's Why We Must Be Proactive now

[Proteus+Child]

Until someone decides that they'd be useful deniable assets and cons them into doing something heinous, like a DDoS attack against an insecure SCADA box hanging on the end of a DSL line somewhere.

Re:That's Why We Must Be Proactive now

[Haven'tAClue]

A good friend is a sysop on a local government site. He is bewildered by an entire network sending very small packets to China.com, a communication ISP. The traffic is continuous, is difficult to distinguish, uses port 80 and the packets originate from his 130+ machines which run a variety of OS's; some without much of an OS. When I look at the sophistication of this process, combined with the massive load it places on the receiving server(s), I come up with a government entity with an agenda.

Of course they would say that

[SilverHatHacker]

Hy-Brasil is not sinking...nope, not happening. No need to panic, we are NOT sinking...

Re:Of course they would say that

well the alternative if they are wrong is that all these thoughtfull cyber terrorists are sitting out there with the awesome attacks ready but just not using them. Personally I don't think terrorists are the sort of people that sit around twiddling there fingers when they have a viable means to attack, especially in an area where a viable means of attack is in constant flux.

Re:Of course they would say that

[SilverHatHacker]

Or, in the words of Captain Jack Sparrow, "When you've only got one shot, it's best to wait for the opportune moment." If I were going to take down a government network, I would wait until my country was poised to take advantage of the confusion and disorder (either by military means or otherwise), not just launch it whenever I felt like it.
Keep in mind that terrorist is a buzzword now, and means 'generic enemy' rather than 'psychological warrior'. Just like 'Commie' during the Cold War, or 'Nazi' during WWII.

Re:Of course they would say that

You are dealing with the IT world now, opportunities and vulnerablities are constantly changing, sitting on attack vectors is not like sitting on a nuke waiting for the best opportunity to use it, most vectors have used by dates. Most attack vectors, unless you have found some new and innovative type that no one has considered, could be closed to the attacker at anytime through patches, upgrades or changing tech. while Terrorist is a buzzword now, there are definable real terrorist groups that would love to hurt america as america is responsible for the existence of many of these groups in the first place.

Sticking head in sand 101

This is not a good attitude to take. As any decent sysadmin knows, there is a lot a blackhat who manages to obtain root or Administrator can do to damage a company:

There are the easy things an attacker can do. Trash files, copy off data to sell in the black market or competitors, use the boxes as a grounds for an attack, or for P2P servers for unsavory things.

Then, there are the more subtle things that can be done. Editing of E-mail, impersonation of people's identities in order to screw up sales, or cause lawsuits, even things that can get a company and its officers in deep trouble with the SEC. If a blackhat is good, there wouldn't be any evidence left behind of the intrusion, so people could face prison terms and juries are not going to believe "that email was forged" when it came from the right Exchange server and so on.

A good hacker can cause untold amounts of subtle damage, all it takes is taking time, learning how a target company might function, and what clients. Then, if there is a large bid being taken, perhaps edit the Word document and change the bid to be so low that it realistically cannot be done, or just high enough that the bidder doesn't take it.

Anyone who things "cyberterror" is not a credible threat is naiive, or completely clueless. Yes, terrorists use the Internet, and know how to get around being traced.

Re:Sticking head in sand 101

[Fluffeh]

Anyone who things "cyberterror" is not a credible threat is naiive, or completely clueless. Yes, terrorists use the Internet, and know how to get around being traced.

Everything that you described in your post is criminal action, not terrorist action.

Re:Sticking head in sand 101

[Svartalf]

And terrorist action isn't at all criminal?

A terroristic act is a criminal act done with the intent to sow terror amongst the populace. Each of these things could be part of a bigger play- and the company was a hypothetical instead of what might be done, say with the government at large doing the same sorts of things. It could just as easily be done with the SCADA systems like some keep telling people (myself included...). It's not chicken little going the sky is falling. It's not the little boy who cried wolf.

Sure, the media's hyping it up right now. Doesn't make it any less of a troubling concern that we should address instead of sticking our heads in the sand over it. Sure, the media's got it wrong on a lot of things. Doesn't make the real threats any less real- just un-exploited at this time.

Not yet - shouldn't we still care?

[DeadPixels]

Sure, I agree that we might not see cyberterror attacks for years yet. Does that mean we should turn a blind eye to our infrastructure and ignore the issue of proper security?

Re:Not yet - shouldn't we still care?

[phantomfive]

That would go along with the strategy of the US government for the last while now. Ignore the threat of a housing meltdown for nearly a decade until it is too late and nothing can be done about it. Ignore the national deficit and ballooning budget until it is too late and there is nothing we can do about it (actually there is still time on that one, just not much). Ignore the levees until it is too late and an entire city is under water. Ignoring the real problems while instead focusing on things that seem more exciting is a long habit among government elected officials. California is it's own case study of this.

On the other hand, you don't want to go overboard....as Eisenhower said, "We will bankrupt ourselves in the vain search for absolute security." There has to be balance.

Re:Not yet - shouldn't we still care?

[awc]

just use linux, then we'll be good to go.

Re:Not yet - shouldn't we still care?

[Monsuco]

Sure, I agree that we might not see cyberterror attacks for years yet. Does that mean we should turn a blind eye to our infrastructure and ignore the issue of proper security?

No but societies have scarce resources with alternative uses and realizing how big a risk this presents versus how big a risk other potential problems present helps us assign priorities. If you are worried about someone breaking in to your house, priority number one should be to get in the habit of locking your doors when not using them. Looking at things like motion lights are good, but locking doors is the best problem to solve first. It is all about relative risk.

Re:Not yet - shouldn't we still care?

Why is Windows any less secure than any other OS? I'd say that Windows 7 run without access to Administrator, MSE (licensed at no charge), and some basic sanity is just as secure as any other UNIX.

Please cite something showing that Windows is obviously less secure than other operating systems. Windows has ASLR, multiple privilige reduction mechanisms, the ability to separate executable code from non executable data, ACLs, and many other security features.

Windows managed by poor sysadmins can mean compromise, but any OS managed by lousy admins is an easy target for blackhats. This was true when Solaris was the primary Internet based OS in the mid 1990s, and holds true now.

Re:Not yet - shouldn't we still care?

[Svartalf]

I contend that we're not even at the "locking your doors" stage on a good portion of things out there. I don't think they've figured out the "lock" part of the whole equation there in at least a few of the cases.

terror?

[Fuzzums]

my spambox is fullfilled with cyber terror

Depends on the definition.

[Hurricane78]

To me, all that fearmongering of "terrorists" (that don't exist) is creating terror itself. So all the censorship and surveillance on the net would be the actual "cyberterror". If there were a point in adding "cyber-" in front of everything. It's just plain terrorizing the people. For the usual reasons: To gain control over them.

Re:Depends on the definition.

[wizardforce]

Even if these terrorists did exist, it wouldn't be worth throwing our freedoms away to stop them.

Re:Depends on the definition.

Cyberterrorist's are looking for new ways to harm us, and so are we.

Re:Depends on the definition.

all that fearmongering of "terrorists" (that don't exist)

Go tell an Israeli that terrorists don't exist. Or an Iraqi, a New Yorker, a Lebanese or Egyptian Christian, or someone from Beslan or Bali.

Re:Depends on the definition.

[u801e]

The problem is that governments overuse the "terror" adjective. Many of the incidents in question are criminal in nature (e. g., kidnappings in Iraq). The correct term for the subject at hand is "cyber-criminal."

Re:Depends on the definition.

Even if these terrorists did exist, it wouldn't be worth throwing our freedoms away to stop them.

Someone mod this guy up please.

Re:Depends on the definition.

[Svartalf]

Okay...

In what way is putting decent security measures, including intrusion detection, into your SCADA network going to be throwing away your freedoms?

It's not.

Instead of decrying the hype and putting up counter rhetoric, why don't we start asking the troubling questions of people and insisting upon getting better answers that will actually mitigate the problem? Doing the rhetoric is as bad as the hype and will just leave us open for another incident like 9/11.

Creative thinking ahead

[HomelessInLaJolla]

Once you start down that route then your hypothetical ideas go three places: people who do not care, government investigative agencies, and actual terrorist groups.

The people who don't really care are probably the people with which you discuss these things.

The government investigative agencies, depending upon the quality of your hypothetical ideas, may begin to monitor or make inquiries about you. Many people are not comfortable with vague gray fuzzy inquiries from vague gray fuzzy characters. Look for the conditions in your workplace and the public places which you frequent to become more and more odd, discomforting, or passively hostile. Additionally, once investigative agencies begin to take notice of you because of your hypothetical musings you may find that the number of speeding tickets you receive goes up, or applications/resumes for employment are ignored or denied with vague and meaningless responses, or applications for apartment or condo rentals are similarly ignored or denied with vague and meaningless responses. Consider that paranoia does not begin with full light of black helicopters and an entourage or marked police cars. It begins with vague fuzzy gray inquiries made to your HR department, your bank manager, your insurance company, the local police department, your ISPs cybercrime response department, etc. Those things add up to create a negative stress in your life.

If actual terrorist groups take notice of your musings then they might adapt your ideas and act on them. If you have been covertly monitored, as above, you may become the object of deeper and harsher scrutiny.

Unless you are deliberately and specifically sanctioned by the government and on someone's official payroll then being brilliant, creative, and novel is not welcome in today's society of thought police and preemptive military invasion. Iraq had some things that US leaders were uncomfortable with, therefore they deserve to be invaded. A particular citizen has ideas or musings which the local chamber of commerce members are uncomfortable with, therefore they deserve to lose their job, their home, and be forced to leave town.

It all follows along perfectly from having a big brother government with unlimited financial resource and unchecked under-the-table influence.

Re:Creative thinking ahead

[xenn]

Hmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.

Re:Creative thinking ahead

[dbIII]

Iraq had some things that US leaders were uncomfortable with

Yes, things like dragging half of their equivalent of congress out the back and forcing the other half to shoot them. It makes everybody that knows it in anything faintly resembling a Democracy uncomfortable.
But that's not a reason for the invasion, earlier administrations were quite happy to deal with them and some current military allies such as Algeria are far more of a basket case. There were plenty of stupid, petty, greedy or strategic reasons to have a lot of US military sited at the head of the Persian Gulf or have a war timed nicely for an election but Iraq has nothing at all to do with the views you've expressed above.
Data crossmatching combined with the increasing blurring of the line between the public and private sector in areas such as intellegence are a problem, especially due to the lack of accountability, secret blacklists and confidential information or unverified hearsay being shared with potential employers. The future is heading more towards "Brazil" instead of "1984" where the mistakes of the inexperienced, poorly trained or poorly educated could end up putting you on some secret blacklist. Some unaccountable idiot like the one that punished an airline and a planeload of passengers to teach Cat Stevens a lesson for being a Muslim may take a dislike to you and put something nasty on your file. It really is bizzare that a perceived threat to Democracy encouraged a slow shift towards what is really the Stalinism that was written about in 1984.
The good news is that those that were firmly behind that shift to a more authoritarian government and a diminishment of Democracy are in terror of what Obama could do with such power so they are now opposed. This will slow things down and prevent crossmatching of all information on everyone or similar policies.

Re:Creative thinking ahead

[StikyPad]

Sounds like somebody's been watching too many X-Files reruns...

There will be a vague gray fuzzy knock on your door shortly. Do not remove any of the crawlies from under your skin -- there's no time for that now. Pack only what you need, wrap your cash in tinfoil to attenuate the signal from the embedded tracking devices, and just RUN!!! When you arrive at the previously agreed-upon meeting place, then we can use my ultrasonic humidifier to examine you and find out how many organs they've already stolen. Obviously the brain is a leading candidate...

Re:Creative thinking ahead

are you referring to something like 'gang-stalking' or 'workplace mobbing?'

Cyber Terror and BOTnets

[nulled]

The main stream news STILL does not want to admit that cyber 'terror' (like the attacks on twitter, facebook and in S. Korea) were conducted via WINDOWS zombie computers, as part of a segment of the greater BOTNET.

There is only ONE reason why they may not want to admit Microsoft Windows allows BOTNETS and that is MONEY.

If the mainstream media where to announce that all of Microsoft Windows computers have a major security flaw that can only be fix properly by rewritting the Kernel and File system permission design, would potentially seriously hurt the Economy. Think about all the people that would stop shopping Online... it is actually better 'economically' to just let cyber criminals phish away and get all our credit card numbers and steal some poor souls identity, than to cause mass hysteria.

Re:Cyber Terror and BOTnets

[im_thatoneguy]

The main stream news STILL does not want to admit that cyber 'terror' (like the attacks on twitter, facebook and in S. Korea) were conducted via WINDOWS zombie computers, as part of a segment of the greater BOTNET.

There is only ONE reason why they may not want to admit Microsoft Windows allows BOTNETS and that is MONEY.

If the mainstream media where to announce that all of Microsoft Windows computers have a major security flaw that can only be fix properly by rewritting the Kernel and File system permission design, would potentially seriously hurt the Economy. Think about all the people that would stop shopping Online... it is actually better 'economically' to just let cyber criminals phish away and get all our credit card numbers and steal some poor souls identity, than to cause mass hysteria.

Let's identify the real culprit. COMPUTERS! There is ONE... No TWO REASONS we have BOTNETS. COMPUTERS! and HIGHSPEED INTERNET! Clearly these two threats need to be removed and we will be safe from BOTNETS. Also ELECTRICITY! We should stop producing ELECTRICITY because it facilitates BOTNETS.

If the mainstream media were to reveal that COMPUTERS and ELECTRICITY were behind BOTNETS we would realize teh only way to stop the BOTNETS was to redesign all the USERS to not be SUSCEPTIBLE to PERSUASION and SOCIAL ENGINEERING. But then we would have an apocalypse on our HANDS. And then if we told them that their FAMILY MEMBERS were the most likely PEOPLE to STEAL THEIR IDENTITIES families would fall APART under paranoia and suspicion. Think of all the PEOPLE who would stop leaving their HOMES because they were too AFRAID that their AUNT would steal their IDENTITY.

Security through obscurity.

Why does it have to be Windows? There is at least one botnet on Macs.

Re:Security through obscurity.

[sopssa]

And even on ordinary DSL modems and routers

Cyberterrorism is a silly concept

[darthwader]

"Terrorism" requires terror, not inconvenience or annoyance.

A few years back, we had an accidental shutdown of the power supply of most of the eastern North America. It was very inconvenient, and it cost a huge amount of money, and it even resulted in the loss of some lives. But it wasn't terrifying. It was just annoying.

It's not about the amount of damage, it's about the effect. A cyberterror event like a power or communications failure could result in hundreds of deaths, but there's nothing to focus on. A car exploding next to a bistro may only kill two or three people, but it is far more effective terrorism.

For terrorism to be effective, it has to produce terror. That's an emotional reaction, not an intellectual one. And to get that emotional reaction, there has to be real tangible threats, like flames, blood and gore, falling rocks, etc.

Re:Cyberterrorism is a silly concept

I'm with ya, pal. I get annoyed when people die too.

Re:Cyberterrorism is a silly concept

[icegreentea]

If New York lost power for more than a week (especially in the middle of winter or summer), there would be real terror. By day four, you'll have fucking retarded amounts of looting. Plus all the deaths from exposure. Maybe the thought of it won't induce terror in us now. But if it did happen, the very idea of shit like that happening in your city would very much induce a terror response. Seriously.

Re:Cyberterrorism is a silly concept

...real tangible threats, like flames, blood and gore, falling rocks...

Dick Cheney with a shotgun.. I kid! I kid! I love Dick...

Re:Cyberterrorism is a silly concept

[turkeydance]

yes....go ahead and cut off my grandchildren's twitter. show that air traffic controllers are really human. and...please make my doctor actually talk face-to-face with my nurse. go ahead. dare ya.

Re:Cyberterrorism is a silly concept

[Zerth]

And that's why I have a generator and half a dead animal in the freezer.

Stupid power company spends more on advertising than they do on maintenance around here, went a week without winter before last and didn't much care for it.

Re:Cyberterrorism is a silly concept

[Monsuco]

If New York lost power for more than a week (especially in the middle of winter or summer), there would be real terror. By day four, you'll have fucking retarded amounts of looting. Plus all the deaths from exposure. Maybe the thought of it won't induce terror in us now. But if it did happen, the very idea of shit like that happening in your city would very much induce a terror response. Seriously.

Loss of power does not in any way mean law enforcement would simply abandon the city. I suspect more property damage would occur in a sports riot than in an overloaded power grid. It would be a problem, but police would still be there, and they have probably trained for such scenarios.

Re:Cyberterrorism is a silly concept

[TubeSteak]

A few years back, we had an accidental shutdown of the power supply of most of the eastern North America. It was very inconvenient, and it cost a huge amount of money, and it even resulted in the loss of some lives. But it wasn't terrifying. It was just annoying.

Now imagine if N. Korea or Iran had caused it.
Would it still be annoying or would it be a tangible threat?

Personally: I'm betting a large portion of the populace would call it an Act of War.

Re:Cyberterrorism is a silly concept

A few years back, we had an accidental shutdown of the power supply of most of the eastern North America. It was very inconvenient, and it cost a huge amount of money, and it even resulted in the loss of some lives. But it wasn't terrifying. It was just annoying.

That's an interesting example you bring up.

It happened due to a design or operational flaw, according to later reports. But what if it had been intentional, cyber-based or just some guy hitting the right switches.

Assuming humpty dumpty got put together again, with no further "incidents", what would have been the difference?

Same effect, different cause.

Well, in one case, we call it terrorism and script the next level of security theater. In the other case, we investigate and shaft the low-level people and put the high-rollers on TV to say "measures have been taken to avoid this in future.".

Re:Cyberterrorism is a silly concept

[a+whoabot]

From New_York_City_blackout_of_1977#Effects:

"Looting and vandalism were widespread, especially in the African American and Puerto Rican communities, hitting 31 neighbourhoods, including every poor neighbourhood in the city."

Re:Cyberterrorism is a silly concept

And to get that emotional reaction, there has to be real tangible threats, like flames, blood and gore, falling rocks, etc.

None of these terrify me more than losing the 'net.

Re:Cyberterrorism is a silly concept

[Jeff+DeMaagd]

Great point. I think electronic infrastructure security should be beefed up, but I doubt it would be done in an intelligent manner.

Re:Cyberterrorism is a silly concept

[jamromhem]

I am going to have to disagree with you completely. A couple years back a government system was compromised. This system contained a large sum of information on military service members. This information included addresses station assignments deployment information birth dates social security numbers. If you think this to be a simple "inconvenience" please post all of your similar information here for us to use as we see fit. Let's break this down a little so you understand why this causes terror. 1. A couple years ago groups were targetting family members of deployed soldiers to cause distraction and harm. A distraught soldier (term to include airmen sailors and marines for sake of not typing all repeatedly throughout this) is not at his peak in combat and is more likely to make "mistakes". 2. Most of the above mentioned information is all that is needed to falsify an identity and present yourself as one of these people Now, I have personally seen the effects of cyber attacks and it terrorizing people. The reaction of many service members durring this time was obviously not "discomfort" or "inconvenience". I would think theass reaction accross the armed forces to resemble a controlled terror. Controlled only through training and discipline.

Re:Cyberterrorism is a silly concept

[Svartalf]

The police would be overwhelmed as there's most definitely a disparity of people to police officers. Training not withstanding, if you're outnumbered 1000:1 (and they would be...) there's a threshold that if the crowd in question goes over, the cops will be injured or killed as the crowd takes them at some point.

You put too much faith in law enforcement. It only works well when the bulk of the populace are law abiding. When the population largely is not law abiding and obviously outnumbers the enforcement for the law- then stronger measures are needed; but don't work much better. Just look at Iraq or Afghanistan.

Re:Cyberterrorism is a silly concept

[apoc.famine]

tangible threats, like flames, blood and gore, falling rocks,

WOW addicts stumbling down streets, moaning incoherently...

Re:Cyberterrorism is a silly concept

NK and Iran are too smart to directly cause an action. I'm sure you won't see an IP log with their TLD.

Instead, what will happen is that they will get a third party proxy to do the dirty work for them, probably out of Afghanistan, Pakistan, or the country being attacked. You will see some revolutionary element tasked or given the resources to do the action, so there will be no provable links to the real puppet master, especially provably enough to retaliate via a military strike.

Re:Cyberterrorism is a silly concept

[sorak]

It may not be "terror", but if they could cripple our economy for a few days, then that would be an effective tool for them. Executives and politicians would not be yelling "run for your lives, our website is down!", but they would be worried, and they would be willing to change the way they did business if it were the only way to prevent this from happening again. In this respect cyberterror could be the most effective means of terror there is, as it would directly hurt the wallets of the people who have the most power in this country.

Re:Cyberterrorism is a silly concept

[StikyPad]

It's not about the effect, it's about the intent. The effect and reaction are up to *us*.

The best cyber security

When a company detects an intrusion, instead of trying to prevent it, divert it ....

Send them to an area full of porn. That will disrupt their concentration and make the careless and easy to detect.

Remember, most of the cyber-terrorist are sexually frustrated people who are technology smart, but not common sense smart.

cyborterror is a hollywood myth

it makes for silly movies, and sillier reality. enough said.

Need to move to mutual security model

[Paul+Fernhout]

This three to eight year lag is the spread of cyberweapons is supposed to reassure us? :-( What other weapons have three to eight year lags in being available to everyone?

We need to move beyond war, in part because it is too terrible to contemplate at this point:
http://educationanddemocracy.org/FSCfiles/C_CC2a_TripleRevolution.htm

We need to transition to "intrinsically secure" infrastructure:
  http://en.wikipedia.org/wiki/Brittle_Power
that we protect by means of "mutual security":
    http://www.beyondintractability.org/audio/morton_deutsch/?nid=2430

We need to move beyond current defense ideology in the USA based on competitive profit-maximizing centralized brittle infrastructure that we try to defend by unilateral dominance (at a cost of about a trillion dollars a year in the USA).

Re:

you simply dont understand.

They'll change their mind soon

[bursch-X]

Once the terrorists have taken down all their pr0n sites, we'll probably get red alert.

Re:The net was designed to survive a nuke attack

[icebike]

Is this the Same Think tank that George Bush used when he announced that Iran had discontinued its Nuclear enrichment program in 2003?

I mean eve if this is a head-fake, its a pretty dumb one.

The Saving Grace

[Toonol]

Cyberterror could do some nasty things, such as stealing financial information; but as far as disrupting vital systems, we're pretty safe... because computers and software are so damn unreliable that nobody EXPECTS them to work all the time. Every business and organization should KNOW, from experience, that their computer system could go belly up at any time, and have backup methods and redundancies ready to go.

I'd wager that lots of cyber-terrorist attacks would just seem like a normal Monday. If a computer glitch could kill a million people... well, that's probably going to happy terrorist or not.

Re:The Saving Grace

[Valdrax]

Every business and organization SHOULD know, from experience, that their computer system could go belly up at any time, and have backup methods and redundancies ready to go.

Fixed that for you. Unfortunately, many don't.

This is digg, not slashdot

This is digg, not slashdot. Facts are not welcome here. Yes, I work for another such agency. Yup, we've even seen hostile code in silicon. The chinese are a real threat.

Cyber "terror"?

[Sloppy]

"Not yet?" Maybe "not ever." Cyber-sabotage? Sure. But people are pretty jaded about computers. Windows still has huge marketshare. Bring all of society crashing down and I'm still not sure it'll be "terror." People will be pissed, but will they feel the safe has become unsafe? Either they already think that, or they never will.

Cyberterrorism...

Isn't that what 4chan is for?

Re:Cyberterrorism...

[Svartalf]

And me for want of mod points...

Just let me point out

Okay, granted, I didn't read the article.

But, it seems to me, terrorism in America wasn't really taken seriously until 2 planes flew into the World Trade center. Up, until then, attacks on the Cole, WTC bombing 1, and even the Oklahoma city bombing were pretty much discounted as insignificant and manageable threats.

Now we have overkill/misdirected resources to combat bottled water.

Didn't I read, not too long ago in Slashdot, about some scientisty types that claimed a properly coordinated attack on key infrastructure powergrid systems could darken the west coast?

I'm just sayin', it'd be pretty foolish to discount a cyberattack just because uncle sam sez so.

Re:Just let me point out

[Svartalf]

Just the west coast?

Heh...they understated it, actually. It's a bit worse than you'd think. And it's been that way for, oh, 6 or more years now- and some of them even know that this is the case.

One word - SCADA

[Nefarious+Wheel]

Ok, it's an acronym, possibly not a real word. But SCADA (jfgi) is the most likely target we need to defend against in any cyberattack. SCADA systems measure voltages, control levels and flip switches on industrial and civil infrastructure systems such as those controlling water and sewerage systems, and running petrochemical plants.

Most of the truly scary scenarios are being looked at by security experts now (disclosure: the company I work for is involved in this sort of work) and a lot of SCADA systems have enjoyed for years the security of simply not being on the net, or are now the subject of isolation efforts as people realise the potential for malice. However, there are a number of SCADA networks that are connected to the Internet, for reasons of cost and convenience.

Not all these systems have been secured, and some are still vulnerable. I'd call that a scary scenario. And yes, you can do damage by fiddling with the settings, to the point of damaging water mains or (quite literally) spreading crap over the landscape. So, any security pros out there with a civil infrastructure page in your portfolio, start asking those embarrassing questions. It's important.

Re:One word - SCADA

[Svartalf]

THANK YOU!

And I'd go so far as to say most of them have not been properly secured. Just putting up TLS security to secure the links isn't good enough. Just piling DNP3 authentication or comparable for other SCADA protocols on top of things isn't good enough.

I've been asking the embarrassing questions for a while now. Which reminds me...need to pester the NIST guys again over something... :-D

Not Yet a Credible Threat, So...

[Sam+the+Nemesis]

Let's wait till it becomes one.

</sarcasm>

Comment removed

[account_deleted]

Comment removed based on user account deletion

oversight

[daedlanth]

5 years ago I and some friends of mine were "playing" and we seen the F.B.i.. I'm not trying to be nonsensical but this is LOL in teen-age terms. Really, feds, you NEED juice. daed

Risk Management?

[Anci3nt+of+Days]

Isn't the whole issue here risk management? If a cyber threat exists, what is the response we can/ will take?

The ITU took the possibility of cyber-threats seriously enough to to form IMPACT - The International Multilateral Partnership Against Cyber-Terrorism.

Maybe, maybe not...

[prometx42]

It seems that cybersecurity is only as good as who is administering it. If we take the object lesson of British Hacker Gary McKinnon, who is actually now in the process of being extradited to the U.S. to face prosecution for hacking various Pentagon and other miltary computers, he claims that various "highly sensitive" systems (running Windows operatin systems at the time) where on the network with the then default password "Admin".

In fact Mr. McKinnon doesn't really consider himself to be a very accomplished hacker at all, but that the systems he infiltrated were simply easy to break into. Not only was he able to easily gain access, but while on these networks logged IPs from numerous other individuals from various other countries who were after the same "free candy". Having the capability to be totally secure and doing the proper "housekeeping" necessary to be and remain secure are often two different things.

It seems as though U.S. Cybersecurity may be mistaking the obvious fear of punishment for breaching sensitive systems, for a lack of ingenuity and skill on the part of potential troublemakers on its networks, which is a pretty big mistake. That is how it seems at least

Reframe Question and It's a Little Clearer

[obscuro]

Looking for a cyber-terrorist THREAT is a bit like looking for a needle in a haystack. Looking for VULNERABILITIES to a cyber-terrorist attack is like wading through mud in a swamp. You can't write tomes of complaints about security vulnerabilities in OSes, lame users getting cracked, and slack admin practices and then chimes in about how cyber-terrorism is no big deal?! We're sitting ducks.

THis is why we go to Defcon

[Gyorg_Lavode]

There was actually a really interesting talk at Defcon this year where they characterized how different countries approach cyber warfare or crime.

The speaker spent a good amount of time on China and it's history. What it boiled down to is China's cyberware abilities are kind of like militias. They're different local groups tied tightly to the government and to academia.

In contrast, the US seems to either be research associated with academia or action explicitly part of military groups, (like the cyber command thing). (The speaker indicated this was because the US had such strict laws against accessing other people's computers.) Russia seems to be heavily supported by organized crime and other countries have other motivations.

The point being that you really can't apply the US model to other countries. Thats why it's hard to nail down and say "China is doing evil" or "Russia is doing evil" or "the US is doing evil". Each country is multiple facets and different facets of each country are associated with cyberware.

Re:The net was designed to survive a nuke attack

[LoadWB]

It may have been designed that way, but in practice the bean-counters have said "why are we paying for all this redundancy?!" and we cannot even handle a simple hurricane-caused fiber sever.

I think you've got the order backwards here

[sean.peters]

Iraq had some things that US leaders were uncomfortable with, therefore they deserve to be invaded.

Actually, the decision process went more like this: 1) Iraq deserves to be invaded. 2) How can we justify invading them? 3)I know, let's say they have nukes!

Oh, yeah, and 4) profit (for oil companies).

yes, but

[sean.peters]

Air traffic control and power grids are inherently networked operations.

"Networked" != "accessible via the internet". While it's possible to break into some of these kinds of networks, it generally requires 1) physical access to a terminal (for wired networks) or 2) at least physical proximity to the system (for wireless networks).

I think it's highly, highly unlikely that bad guys in China or Pakistan or whatever are going to be able to break into systems controlling big, dangerous infrastructure like this. Your worst threat (as always) is almost certainly the disgruntled employee or former employee.

But what's the real threat

[sean.peters]

Isn't it true that the main threat from the Chinese, et al, is industrial espionage? I find it very, very difficult to believe that it's even possible to do things like bring down power plants, screw around with dams, etc, over the internet.

Hear, hear

[sean.peters]

A cyberterror event like a power or communications failure could result in hundreds of deaths, but there's nothing to focus on.

What's more, it probably wouldn't even become APPARENT that the event was caused by a "terrorist" until long after the fact. That really limits the utility of this kind of thing from the "terrorist's" standpoint - it's hard to terrorize people when they don't even realize you've done something.