Cyberterror Not Yet a Credible Threat, Says Policy Thinktank
Trailrunner7 writes "A new report by a Washington policy think tank dismisses out of hand the idea that terrorist groups are currently launching cyber attacks and says that the recent attacks against US and South Korean networks were not damaging enough to be considered serious incidents. The report, written by James Lewis of the Center for Strategic and International Studies, looks at cyberwar through the prism of the Korean attacks, and calls the idea that terrorists have attack capabilities and just aren't using them 'nonsensical.' 'A very rough estimate would say that there is a lag of three and eight years between the capabilities developed by advanced intelligence agencies and the capabilities available for purchase or rental in the cybercrime black market. The evidence for this is partial and anecdotal, but the trend has been consistent for more than two decades,' Lewis writes."
It seems to me that even if this report was accurate, we shouldn't be resting on our laurels until the threats become credible and too late to stop.
It's clear the best way to stop and prevent terrorism is at the point of planning or in the initial stages, not when they have assembled and planted the bomb. Cyberterrorism should be no different.
We wouldn't want the smoking gun to be a complete breach and shutdown of our networks, would we? I favor a more proactive and preemptive approach. Attack them now before they can attack us. The best defense is a good offense.
Hy-Brasil is not sinking...nope, not happening. No need to panic, we are NOT sinking...
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
Beer/Vodka is always helpful.
Well I think this whole "cyberterror" idea is pretty funny. I even remember that back in 2000 in school we had to write about some article where they described "cyber attacks from China government". Has anyone actually proven that China as a government is doing those? It still seems like a myth. Considering world is filled with script kiddies, and China+India together have half of the population on Earth, it's not surprising that many percentage of them could be from there.
Another thing is that it's quite hard to launch such a catastrophic, large-scale attack against the internet. Yeah, you can cause some minor annoyance or accidentally route traffic elsewhere like what happened with YouTube for ~30 mins a few years ago, but those are quickly fixed when upstream ISPs responsible notice.
Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com (if you even could hack it - I bet there have been many that have tried)? It just doesn't sum up.
I am not worried about some scary foreign governments.
I am worried by something I really suffer from -- a permanent attack going on 24 hours a day, 7 days a week, 365 days in a normal year, 366 in a leap year, indistinguishable in nature from this "cyber-terror" scare talk, except it is real and harmful.
For no other recourse, I participate in a complex voluntary international network, and employ significant resources internally to mitigate this cyber attack. And all I can do is keep some part of it away, barely. Sometimes I suffer from the complexities of this very same mitigation system, when my services are denied by mistake.
And the governments, who btw also suffer from it, just keep tolerating it.
What I am talking about is called spam, and with the government of the largest spamming country being a bit more pro-active, it would decrease significantly. But the government does nothing, spending money on bullshit, instead of focusing on real problems.
My guess is, solving real problems is hard, and because of that less money is left for graft, so the interest of the politicians in solving them is significantly lower.
Sure, I agree that we might not see cyberterror attacks for years yet. Does that mean we should turn a blind eye to our infrastructure and ignore the issue of proper security?
A lot of it depends on what's being attacked, and how.
A concerted effort to blow up / corrupt / poison the DNS root servers? Could be considered as something to worry about. A DDoS against any IP belonging to $targetNation, or even just all major banks belonging to $targetNation? Probably not as much (mostly due to the sheer size of the target, the bandwidth soaking that doing so would require, etc).
Quo usque tandem abutere, Nimbus, patientia nostra?
A guy I work with likes to point out that we always protect against the last terrorist attack, not the next one. You have listed a bunch of things which probably won't work and are not a concern. We should try to think about the things which are outside our idea of the scope of terrorist operations. Prior to 911 we didn't consider suicide hijackings to be a threat.
http://michaelsmith.id.au
But if we consider that usually terrorism tries to get some point across (with inhuman ways) and get people to hear them, causing disturbance for the Internet would be quite stupid, as it's actually the first worldwide medium to get your word across without government control like with radio and tv. Terrorism doesn't do terror just for the fun of it, but there's always some reasoning behind it - sometimes rational, sometimes more irrational. However script kiddies do it just for the fun of it, to gain that small time period of fame for randomly hacking something.
To me, all that fearmongering of "terrorists" (that don't exist) is creating terror itself. So all the censorship and surveillance on the net would be the actual "cyberterror". If there were a point in adding "cyber-" in front of everything. It's just plain terrorizing the people. For the usual reasons: To gain control over them.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
"What are you going to on the internet,"
The classic examples are hacking in to the computers that control the power grid(s) and causing a widespread blackout, taking down the air traffic control system, opening flood gates on a dam, or causing a widespread phone/cell phone outage. It's open to debate how feasible these are but they are certainly plausible and the systems involved may all interact with the Internet now in one form or another.
I find this statement amusing to no end:
"A very rough estimate would say that there is a lag of three and eight years between the capabilities developed by advanced intelligence agencies and the capabilities available for purchase or rental in the cybercrime black market."
It basically implies that advanced intelligence agencies are years ahead in developing the tools for Cyberterrorism. If that were actually true, which I doubt, then why wouldn't you still be "afraid" some advanced intelligence agency will launch a cyber terror attack, or is this submission implying that just because a nation state does it, it's not terrorism?
@de_machina
"Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com (if you even could hack it - I bet there have been many that have tried)? It just doesn't sum up."
A list of possible targets:
banking transactions being disrupted tends to terrorize people with money
taking down the power grid can be scary
disrupting mass transit can be scary
actually causing crashes of mass transit would be outright terroristic
publishing false news stories ranks somewhere between scary and terroristic
disrupting news services is at least mildly scary
disrupting or taking over Department of Defense networks can contribute to terror
actually STEALING Department of Defense secrets is REALLY scary
disrupting critical health care services - hospitals primarily, ambulances secondarily
disrupting police communications
While there aren't many ways to actually kill people with the intartubez, the potential for terror does exist. I've probably not exhausted all the means to spread confusion and/or terror - but those should be enough to cause concern.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Having worked for three letter agencies, let me say that yes, China is engaged in this activity. Certainly the Russians, French, US, British, and any other country with a foreign intelligence service. In China's case, it's very hard to officially link it to the government because the PLA owns so many companies in the country they can have one of those entities engage in the action with plausible deniability.
As far as it not being a "real" threat, I'd ask the Estonians what they think about that....
Maybe you should just try switching to GMail. They seem to have completely beaten spam, at least I sure never get any since I switched.
@de_machina
The classic examples are hacking in to the computers that control the power grid(s) and causing a widespread blackout, taking down the air traffic control system, opening flood gates on a dam, or causing a widespread phone/cell phone outage.
Except the last one, I don't think those systems should be running on the internet anyway. Even if some terrorist group isn't going to hit them, some script kiddie will.
Once you start down that route then your hypothetical ideas go three places: people who do not care, government investigative agencies, and actual terrorist groups.
The people who don't really care are probably the people with which you discuss these things.
The government investigative agencies, depending upon the quality of your hypothetical ideas, may begin to monitor or make inquiries about you. Many people are not comfortable with vague gray fuzzy inquiries from vague gray fuzzy characters. Look for the conditions in your workplace and the public places which you frequent to become more and more odd, discomforting, or passively hostile. Additionally, once investigative agencies begin to take notice of you because of your hypothetical musings you may find that the number of speeding tickets you receive goes up, or applications/resumes for employment are ignored or denied with vague and meaningless responses, or applications for apartment or condo rentals are similarly ignored or denied with vague and meaningless responses. Consider that paranoia does not begin with full light of black helicopters and an entourage of marked police cars. It begins with vague fuzzy gray inquiries made to your HR department, your bank manager, your insurance company, the local police department, your ISP's cybercrime response department, etc. Those things add up to create a negative stress in your life.
If actual terrorist groups take notice of your musings then they might adapt your ideas and act on them. If you have been covertly monitored, as above, you may become the object of deeper and harsher scrutiny.
Unless you are deliberately and specifically sanctioned by the government and on someone's official payroll then being brilliant, creative, and novel is not welcome in today's society of thought police and preemptive military invasion. Iraq had some things that US leaders were uncomfortable with, therefore they deserve to be invaded. A particular citizen has ideas or musings which the local chamber of commerce members are uncomfortable with, therefore they deserve to lose their job, their home, and be forced to leave town.
It all follows along perfectly from having a big brother government with unlimited financial resource and unchecked under-the-table influence.
the NPG electrode was replaced with carbon blac
We should try to think about the things which are outside our idea of the scope of terrorist operations. Prior to 911 we didn't consider suicide hijackings to be a threat.
I disagree. While it may be entertaining to worry about new and innovative ways to cause mass hysteria and panic, we should only give minor attention to potential attacks because, frankly, the field is so wide open that we could spend all our money and not protect us from 1% of it.
For example, even if we had taken suicide hijackers seriously before 911, what would we have done about it? Even after 911 99% of the effort is a total waste - the only useful measures taken have been reinforcing the cockpit doors, everything else has been a huge waste of money. Would we have been smart enough to do the cockpit doors before 911? Maybe, or maybe we would have spent the money somewhere else in that 99% of useless crap.
I think that attention and money should be spent primarily on making society robust, so that for any kind of failure, we can recover from it fairly quickly. Making sure first responders are well trained and well equipped with good communications ability is probably the best place to spend money because it covers almost all bases. Considering that acts of nature/god are orders of magnitude more frequent than acts of terrorism we get the added bonus of having our money spent on resources that make a difference in both the rare and the common case.
After first responders I think the best place to spend money is in the design phases of public systems, a stronger emphasis on fault tolerance and flexibility - in other words, simply good engineering. Sure, part of that design work should include considering concerted attacks, but we should assume that eventually an attack will succeed and then the question becomes "what are we going to do about it?" Some remote attack that causes a nuke power plant to shut down, or a generator to burn itself out is going to have the same consequences as any other reason for those events to occur, like an earthquake or even operator error. So the bulk of the engineering needs to go into efficiently recovering from those kinds of events regardless of cause - better failsafes and more redundancy for example.
When information is power, privacy is freedom.
And your post gets today's award for being a truffle amongst the shit that makes up slashdot.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Terrorism is meant to cause terror while performing everyday activities or a general sense of fear and paranoia in the general population. General public != internet-using public, and I find it hard to believe that any type of act committed in cyberspace would cause such feelings in any average internet-using person. Until cyber-activity gets to a point where such activity causes personal harm, whether psychologically or physically, I would say the term cyber-terrorism has no relevancy to the general public.
Here I am, here I remain.
Anyone who thinks "cyberterror" is not a credible threat is naive, or completely clueless. Yes, terrorists use the Internet, and know how to get around being traced.
Everything that you described in your post is criminal action, not terrorist action.
Moved to http://soylentnews.org/. You are invited to join us too!
"Terrorism" requires terror, not inconvenience or annoyance.
A few years back, we had an accidental shutdown of the power supply of most of the eastern North America. It was very inconvenient, and it cost a huge amount of money, and it even resulted in the loss of some lives. But it wasn't terrifying. It was just annoying.
It's not about the amount of damage, it's about the effect. A cyberterror event like a power or communications failure could result in hundreds of deaths, but there's nothing to focus on. A car exploding next to a bistro may only kill two or three people, but it is far more effective terrorism.
For terrorism to be effective, it has to produce terror. That's an emotional reaction, not an intellectual one. And to get that emotional reaction, there has to be real tangible threats, like flames, blood and gore, falling rocks, etc.
I hate it when I make a joke and I get modded "+5 insightful". Mod the stupid comments "funny", not "insightful", pleas
A list of possible targets:
Get real...
banking transactions being disrupted tends to terrorize people with money
Terrorizing bankers? That's likely to win them a medal from everyone else...
disrupting mass transit can be scary
Except the safety-critical parts of mass transit systems are designed to fail safe. Disrupt them and all you get is a bunch of cross people on a stopped train; hardly terror.
actually causing crashes of mass transit would be outright terroristic
And also highly unlikely.
publishing false news stories ranks somewhere between scary and terroristic
Quick everyone! We've got to arrest the "journalists" at Fox News as terrorists!
disrupting news services is at least mildly scary
But disrupting all news sources is really difficult because they are a diverse bunch.
disrupting or taking over Department of Defense networks can contribute to terror
Are we talking about delaying the email of low-level folks (a way to boost productivity) or impacting a secure network? The DOD doesn't mix the internet with the properly secured stuff.
actually STEALING Department of Defense secrets is REALLY scary
And they take measures to try to prevent that, yes? That's why they have real counter-intelligence people.
disrupting critical health care services - hospitals primarily, ambulances secondarily
disrupting police communications
But emergency response doesn't go over the internet. There's just too many ways it can go wrong when it matters, even without malicious "hacker terrorists" in the mix. Non-emergency communications can usually wait, or switch to other channels (e.g., sending invoices by post).
Mostly disrupting the net means that people communicate more slowly (often not a disaster) or stops them goofing off on youtube at work; a lack of such things doesn't contribute to terror, but rather to boredom and irritation.
"How goes the great cyberterror attack?"
"Excellent! We've raised their productivity by 15% and encouraged a renaissance in the writing of letters!"
"Any actual terror?"
"Well... no. But we've made a vast number of middle managers put down their blackberries in frustration. That's got to count for something, yes?"
To be fair, you do have at least one reasonable point in your list (which I've broken out of your original order):
taking down the power grid can be scary
And apparently some power suppliers and grid operators are very exposed this way; this is Bad and needs to be fixed. (There's also what happens if a Smart Grid is implemented with lots of people being small providers of power at some times of the way through, say, solar or wind power. That's where things become a headache, because it will be really hard to make that many people properly secure their systems...)
"Little does he know, but there is no 'I' in 'Idiot'!"
I disagree. None of those situations you describe are terrifying. They are annoying. Disrupting the banking system means people don't get access to their assets for days or even weeks until it's straightened out. But it is eventually straightened out, and rational people know that. They also know that losing their money is not the same as literally losing an arm and a leg (as happens when you stand too close to an exploding bomb).
Even things like shutting down power or communications can cause deaths, but they are secondary deaths (e.g. people freeze to death because of no power, or preventable deaths happen because first responders didn't get there in time), and that just doesn't have the same emotional impact.
Causing crashes of mass transit is the only situation you described which I think qualifies as terrorism, since it involves blood, gore, flames and people who are obviously and undeniably dead because of this action.
The thing we forget is that terrorism is NOT about killing the maximum number of people. It is about terrifying people so much that they lose all hope and stop wanting to fight back. Annoying people (even if it does cause some deaths) makes people want to fight more, and thus goes against the purpose.
I hate it when I make a joke and I get modded "+5 insightful". Mod the stupid comments "funny", not "insightful", pleas
And even on ordinary DSL modems and routers
What exactly are you proposing "government" do about it? Even if the U.S. "government" did something about it that leaves about a hundred other countries where it can originate. It's kind of sad when people want the nanny state to solve all their problems for them. Like I said Google solved the problem so there is no reason any other big email service can't, and if you are an admin running your own email server and you can't solve it then that is probably the most compelling argument I've heard for moving your email to the cloud.
@de_machina
This three to eight year lag in the spread of cyberweapons is supposed to reassure us? :-( What other weapons have three to eight year lags in being available to everyone?
We need to move beyond war, in part because it is too terrible to contemplate at this point:
http://educationanddemocracy.org/FSCfiles/C_CC2a_TripleRevolution.htm
We need to transition to "intrinsically secure" infrastructure:
http://en.wikipedia.org/wiki/Brittle_Power
that we protect by means of "mutual security":
http://www.beyondintractability.org/audio/morton_deutsch/?nid=2430
We need to move beyond current defense ideology in the USA based on competitive profit-maximizing centralized brittle infrastructure that we try to defend by unilateral dominance (at a cost of about a trillion dollars a year in the USA).
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
Air traffic control and power grids are inherently networked operations. You need to transfer planes from one control center to another, and to report loads or faults on the grid to various control centers, or turn generators on and off to balance load across wide areas. Only way you wouldn't have these functions on the Internet is if you go back to using phones to call people which is brutally inefficient and error prone. One hopes these networks are very secure VPNs but who knows.
Not sure if big dams have their flood gates under computer control but I know for a fact some smaller ones have some gates under computer control, especially ones with irrigation canals hooked to them.
@de_machina
Not to belabor the point, as he is already rather overexposed, but Bruce Schneier repeatedly makes the point that funding good investigative police work is also an effective measure (because it is often the case that the bad guys are making mistakes, regardless of the particular vector they have chosen to focus on).
Nerd rage is the funniest rage.
'only' is a pretty strong word in that particular statement. For instance, imagine if someone ran a network very similar to the internet, except for all of the pesky public access.
Nerd rage is the funniest rage.
The main stream news STILL does not want to admit that cyber 'terror' (like the attacks on twitter, facebook and in S. Korea) were conducted via WINDOWS zombie computers, as part of a segment of the greater BOTNET.
There is only ONE reason why they may not want to admit Microsoft Windows allows BOTNETS and that is MONEY.
If the mainstream media were to announce that all of Microsoft Windows computers have a major security flaw that can only be fixed properly by rewriting the Kernel and File system permission design, it would potentially seriously hurt the Economy. Think about all the people that would stop shopping Online... it is actually better 'economically' to just let cyber criminals phish away and get all our credit card numbers and steal some poor souls identity, than to cause mass hysteria.
Let's identify the real culprit. COMPUTERS! There is ONE... No TWO REASONS we have BOTNETS. COMPUTERS! and HIGHSPEED INTERNET! Clearly these two threats need to be removed and we will be safe from BOTNETS. Also ELECTRICITY! We should stop producing ELECTRICITY because it facilitates BOTNETS.
If the mainstream media were to reveal that COMPUTERS and ELECTRICITY were behind BOTNETS we would realize the only way to stop the BOTNETS was to redesign all the USERS to not be SUSCEPTIBLE to PERSUASION and SOCIAL ENGINEERING. But then we would have an apocalypse on our HANDS. And then if we told them that their FAMILY MEMBERS were the most likely PEOPLE to STEAL THEIR IDENTITIES families would fall APART under paranoia and suspicion. Think of all the PEOPLE who would stop leaving their HOMES because they were too AFRAID that their AUNT would steal their IDENTITY.
Another thing is that it's quite hard to launch such a catastrophic, large-scale attack against the internet.
That's not the attack of interest.
Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com (if you even could hack it - I bet there have been many that have tried)? It just doesn't sum up.
While stealing, destroying, or maliciously altering important data -- financial or medical records, for example, or military technology -- are interesting attacks, most of the interesting cyberterrorism scenarios involve disabling or damaging non-Internet infrastructure, such as power generation.
Building an isolated network covering the entire nation is very expensive. Just about all network activity is running over the same backbone. I think by saying virtual private network I was saying what you are saying. But, when you have hundreds of thousands of computers on a private network it's exceptionally easy for someone to hang one of them on their LAN too and open the whole thing up to the Internet. If completely private networks were so easy I don't think you would read so many stories of defense contractors and the military getting hacked and losing huge quantities of sensitive, though not highly classified, weapons design information.
@de_machina
Once the terrorists have taken down all their pr0n sites, we'll probably get red alert.
There are two rules for success:
1. Never tell everything you know.
No, I was merely sniping at your overly categorical statement. It may well be that the internet is far more economic than the alternatives, but it certainly doesn't preclude them.
(The problem with using intrusions as an argument about the problems of running a private network is that the companies in question don't seem to face any consequences for the intrusions, so they have little or no incentive to actually work to prevent them...)
Nerd rage is the funniest rage.
Google (or anybody) hasn't solved any spam problem, they keep doing what I do - spend money/resources to filter it on the server side. Everyone else who is running an email server does the same. The effort and resources are still wasted, whether the clueless lusers see it or not.
The "government" (especially that of the US, which is still the top spammer, accounting for more spam than the next 9 in the top list) can do many things -- like hitting the spammers and their customers hard, and press other governments to do the same. They do it very well for a lot of things (including "intellectual property" rights) already.
Instead, we see large budgets spent on "cyber terror", tons of spam, and people with their heads up in the cloud, or darker places.
Is this the Same Think tank that George Bush used when he announced that Iran had discontinued its Nuclear enrichment program in 2003?
I mean even if this is a head-fake, it's a pretty dumb one.
Sig Battery depleted. Reverting to safe mode.
Also isn't terror's one meaning to cause, well, terror? What are you going to on the internet, put a scary picture on google.com
You have gravely underestimated the power of goatse.
The Gospel according to lolcat
Cyberterror could do some nasty things, such as stealing financial information; but as far as disrupting vital systems, we're pretty safe... because computers and software are so damn unreliable that nobody EXPECTS them to work all the time. Every business and organization should KNOW, from experience, that their computer system could go belly up at any time, and have backup methods and redundancies ready to go.
I'd wager that lots of cyber-terrorist attacks would just seem like a normal Monday. If a computer glitch could kill a million people... well, that's probably going to happen terrorist or not.
PLO, IRA and ETA ?
You post assumptions you pulled out of your ass, but that doesn't mean real world works the way you think it does.
Here is a post to get you started, from the horse's mouth. This is for their "enterprise" filtering system, there are links for the gmail one as well. Notice how "total volume of spam" they get keeps increasing, just like everyone else's.
Your perspective is the luser perspective, you're content with a problem as long as you don't see it.
I think you're hitting the nail on the head with your post. Bothering Google, or various other sites, even if it's for a day or two, would likely cause nothing more than a lot of annoyed muttering and sighs. However, there are still some things to consider.
As you say, the main goal of terror groups will be to intimidate and cause widespread panic and lasting fear. Now, how that's done depends largely on the environment. If we're talking domestically, e.g. in the US, and I'm going to assume we are, the greatest threats online IMHO are things like identity theft, financial fraud (they're always looking to fund their activities), target profiling, and causing temporary disruptions of service (power, emergency services, telecom, transportation, etc) just before an attack. Those are all places where vulnerabilities are definitely present, and where we could and should definitely make changes for the better. Such a glib assessment that there is no threat smacks of the same arrogance/ignorance that led a certain ship to be called "unsinkable."
Odi profanum vulgus et arceo
I am not worried about some scary foreign governments.
I am worried by something I really suffer from -- a permanent attack going on 24 hours a day, 7 days a week, 365 days in a normal year, 366 in a leap year, indistinguishable in nature from this "cyber-terror" scare talk, except it is real and harmful
I actually thought you were going to say "the erosion of our civil liberties in the name of fighting terrorism".
Do what thou wilt shall be the whole of the Law
What I am talking about is called spam, and with the government of the largest spamming country being a bit more pro-active, it would decrease significantly. But the government does nothing, spending money on bullshit, instead of focusing on real problems.
Dude, we are in the middle of 2 wars, facing nuclear threats from Iran and North Korea, in a deep recession, facing constant terrorist threats, and facing the eventual collapse of Social Security and Medicare threatening everyone's retirement future. I suspect this is a much bigger problem than messages in your inbox saying "EnL@Rge y0r P3n1$".
The Gospel according to lolcat
Terrorizing bankers? That's likely to win them a medal from everyone else...
Yes, I would sure love the person who stole my 401K.
publishing false news stories ranks somewhere between scary and terroristic
Gasp you're right. In that case all bloggers should be shot. Markos Moulitsas should be shot twice, or at the very least made into even more of a laughing stock than he already is. All readers of blogs are guilty of aiding the enemy and should be punished by being forced to move out of their parent's basement.
actually STEALING Department of Defense secrets is REALLY scary
That's more cyber-spying than cyber-terror. That being said the NSA and CIA spend millions here.
The Gospel according to lolcat
Did said think tank read this?
http://www.foreignaffairs.com/articles/65499/wesley-k-clark-and-peter-l-levin/securing-the-information-highway
This little tidbit is available in the full version of the article text:
In 1982, a three-kiloton explosion tore apart a natural gas pipeline in Siberia; the detonation was so large it was visible from outer space. Two decades later, the New York Times columnist William Safire reported that the blast was caused by a cyber-operation planned and executed by the CIA. Safire's insider sources claimed that the United States carefully placed faulty chips and tainted software into the Soviet supply chain, causing the chips to fail in the field. More recently, unconfirmed reports in IEEE Spectrum, a mainstream technical magazine, attributed the success of Israel's September 2007 bombing raid on a suspected Syrian nuclear facility to a carefully planted "kill switch" that remotely turned off Syrian surveillance radar.
Yup. No Cyberterrorism to see here. Riiiight.
this sig was brought to you by the letter
Terrorising banks: Sure, no biggie -- right up until it happens for the eleventy-seventh time this year at YOUR bank, and you can't use your ATM/debit card/credit card...
Disrupting transit: Similar to above, but add in the perceived risk of actual physical harm.
Deliberately wrecking transit: "Highly unlikely"... like, say, crunching an airplane into a building on purpose?
Publishing false stories: Good thing bogus stories don't get spread by word of mouth as rumors...
Disrupting news sources: Unless, of course, one (or more) of them happens to be one you've come to use.
Penetrating Govt systems: Maybe not DoD, but how about something less "critical", like all the HEW records going into the bitbucket? Or hurricane predictions at the start of the season?
Actually GETTING secret govt data: Trusting soul, aren't you? What if Tim McVeigh and buddies had known where to steal some radioactive trash to add to their ANFO bomb?
Health services, et al: a hospital in England had to shut down for a while just from getting the Conficker worm; how much worse if somebody started screwing with meds? On a wide-spread basis? Or even just Operating Room scheduling, or billing? Hell, just patient admissions records?
Power grid: Hell with taking it down -- how about just borking it with unscheduled rolling brownouts, overvoltages, intermittently tripping random control relays, and so forth? Or just pushing supplies to borderline with a DDoS against the CoOps and the like?
Telecom systems: How happy would YOU be with a phone system that intermittently connected you to someone OTHER than the person you called? Or cell towers that randomly went out of service for varying periods of time? And if neither the phone company NOR the government or law enforcement could do anything about it?
TFA said that cyberterrorism isn't a credible threat yet -- which implies that it IS some threat, now. Me, I'm hoping they're not just whistling in the dark...
--- Asking inconvenient questions for over 30 years...
This is digg, not slashdot. Facts are not welcome here. Yes, I work for another such agency. Yup, we've even seen hostile code in silicon. The Chinese are a real threat.
Yeah, well what if they take away all your internet games, that would be something to be scared about.
"Not yet?" Maybe "not ever." Cyber-sabotage? Sure. But people are pretty jaded about computers. Windows still has huge marketshare. Bring all of society crashing down and I'm still not sure it'll be "terror." People will be pissed, but will they feel the safe has become unsafe? Either they already think that, or they never will.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Sure they did consider suicide hijackings to be a threat. This was not new at all. They simply underestimated the willingness to pull it off or that it would have such an impact. Even the 911 terrorists themselves, I'm certain, were sure the towers would not fall as they did.
I consider cyberterrorism less of a threat to my health than drunk drivers are. Anyone who thinks otherwise, to me, is simply for self-interest purposes. It would simply feed the well known conspiracy theory that malware detection/removal companies are those who actually create so said malware.
Views expressed do not necessarily reflect those of the author.
Ok, it's an acronym, possibly not a real word. But SCADA (jfgi) is the most likely target we need to defend against in any cyberattack. SCADA systems measure voltages, control levels and flip switches on industrial and civil infrastructure systems such as those controlling water and sewerage systems, and running petrochemical plants.
Most of the truly scary scenarios are being looked at by security experts now (disclosure: the company I work for is involved in this sort of work) and a lot of SCADA systems have enjoyed for years the security of simply not being on the net, or are now the subject of isolation efforts as people realise the potential for malice. However, there are a number of SCADA networks that are connected to the Internet, for reasons of cost and convenience.
Not all these systems have been secured, and some are still vulnerable. I'd call that a scary scenario. And yes, you can do damage by fiddling with the settings, to the point of damaging water mains or (quite literally) spreading crap over the landscape. So, any security pros out there with a civil infrastructure page in your portfolio, start asking those embarrassing questions. It's important.
Do not mock my vision of impractical footwear
But if we consider that usually terrorism tries to get some point across (with inhuman ways) and get people to hear them, causing disturbance for the Internet would be quite stupid, as it's actually the first worldwide medium to get your word across without government control like with radio and tv.
You're assuming that:
1) Everyone in the world understands what the Internet offers.
2) That those who would target the Internet don't see it as a symbol of Western power / pride.
3) Everyone WANTS people to have access to a worldwide medium that gives them free access to thoughts and ideas not dictated by their regional government / society.
Well I think this whole "cyberterror" idea is pretty funny. I even remember that back in 2000 in school we had to write about some article where they described "cyber attacks from China government". Has anyone actually proven that China as a government is doing those? It still seems like a myth. Considering the world is filled with script kiddies, and China+India together have half of the population on Earth, it's not surprising that many percentage of them could be from there.
I view anything with the "Cyber" prefix that intends to be serious as suspect. It works great in science fiction. Most of what exists in the real world with such naming tends to be a lot of noise with little substance - mere marketing. So I have a lot of skepticism towards "cyberterror" at face value.
But I have a hard time being entirely dismissive of the concept. I've been witness to all manner of attacks on Government and defense contractor networks. Most of them have been very much the described script kiddies of various degrees of advancement. But there have also been very rare examples of sophisticated attackers who went after very interesting information. I know what these attackers collected. I know the initial hops that were used as vectors and drop-off points. But I can't say that I know who they were. Others from different sources have assured me that these attackers were funded by the Chinese. And while I could easily agree, I could also make an argument against it. I've seen plenty of bureaucrats read the worst of a situation they don't understand - life imitating War Games (the original - not the forgettable remake).
Ultimately, I find it as a problem of definition. "Terrorism" is a tactic. Of late, we've become much more familiar with the criminal application of this tactic on civilian targets. But we have to remember that terrorism has its roots in espionage. And in that light, I have to say that information security is very much on the cutting edge of espionage. Extend that - and it could easily be one of the tools in a terrorist's campaign.
That doesn't mean I buy in to the whole "cyberterrorism" hand-wringing that likes to make appearances in various media. But it doesn't mean that the folks who aren't the ones who wave the concept around like a flag aren't busy assessing some real threats.
So, what's the difference between an attacker looking for fun and an attacker with a political agenda?
Cyberterror is not a credible threat because we're already up to our necks with spammers, script kiddies, whatever. Whether or not they have reasons to do it other than "I want your money", we don't know and we don't care.
Well, what if the Chinese and Indians decided to jump up and down at the same time. Shit, we should be planning for this too!!
I guess we didn't take Tom Clancy seriously enough.
Isn't the whole issue here risk management? If a cyber threat exists, what is the response we can/will take?
The ITU took the possibility of cyber-threats seriously enough to form IMPACT - The International Multilateral Partnership Against Cyber-Terrorism.
You hit it on the head of the nail in your last line there- the magic word here is "YET". The last three ones are deeply troubling if you think about it and the power grid one's much, much more possible than most would think and they're just going to make it more doable with the current Smart Grid stuff they're planning on doing.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Heh... Rolling brownouts/blackouts over the entire country or a blackout that makes the 2003 East Coast one look like a picnic are very possible and doable right now with the infrastructure the way it is. Do you think that it will be annoying the populace or freaking them out at that point?
Oh, Cyberterrorism is a bit more than what you say- it's just the media hyping up that stuff and I wish they'd quit, but it's not the type of news people want to hear for the real stuff (and it doesn't make ratings...)
Not that you can't get similar results with select SCADA networks and the regular rad hax0ring skillz...they're not at all secure, even after they applied "security" to them... Seriously. If you compromise the right part of the network, you can do the same things we purportedly did to Russia here with the natural gas pipelines. Ditto a similar stunt with the electric power grid. They SAY they've secured things. Perhaps they have in some utilities. They might have secured the SCADA head-end- and then again, they may have leakage from their "standalone" network. It gets found all the time. And we won't get into what might or might not be done to the remote end, which typically has LESS security than the head end might have.
And terrorist action isn't at all criminal?
A terroristic act is a criminal act done with the intent to sow terror amongst the populace. Each of these things could be part of a bigger play- and the company was a hypothetical instead of what might be done, say with the government at large doing the same sorts of things. It could just as easily be done with the SCADA systems like some keep telling people (myself included...). It's not chicken little going the sky is falling. It's not the little boy who cried wolf.
Sure, the media's hyping it up right now. Doesn't make it any less of a troubling concern that we should address instead of sticking our heads in the sand over it. Sure, the media's got it wrong on a lot of things. Doesn't make the real threats any less real- just un-exploited at this time.
It seems that cybersecurity is only as good as who is administering it. If we take the object lesson of British Hacker Gary McKinnon, who is actually now in the process of being extradited to the U.S. to face prosecution for hacking various Pentagon and other military computers, he claims that various "highly sensitive" systems (running Windows operating systems at the time) were on the network with the then default password "Admin".
In fact Mr. McKinnon doesn't really consider himself to be a very accomplished hacker at all, but that the systems he infiltrated were simply easy to break into. Not only was he able to easily gain access, but while on these networks logged IPs from numerous other individuals from various other countries who were after the same "free candy". Having the capability to be totally secure and doing the proper "housekeeping" necessary to be and remain secure are often two different things.
It seems as though U.S. Cybersecurity may be mistaking the obvious fear of punishment for breaching sensitive systems, for a lack of ingenuity and skill on the part of potential troublemakers on its networks, which is a pretty big mistake. That is how it seems at least.
And me for want of mod points...
Just the west coast?
Heh...they understated it, actually. It's a bit worse than you'd think. And it's been that way for, oh, 6 or more years now- and some of them even know that this is the case.
The problem with protecting against the next way of attacking is that the protection is more harmful than the (possible) attack itself.
Don't fight for your country, if your country does not fight for you.
Looking for a cyber-terrorist THREAT is a bit like looking for a needle in a haystack. Looking for VULNERABILITIES to a cyber-terrorist attack is like wading through mud in a swamp. You can't write tomes of complaints about security vulnerabilities in OSes, lame users getting cracked, and slack admin practices and then chime in about how cyber-terrorism is no big deal?! We're sitting ducks.
Every rule has more than one consequence.
The speaker spent a good amount of time on China and its history. What it boiled down to is China's cyberware abilities are kind of like militias. They're different local groups tied tightly to the government and to academia.
In contrast, the US seems to either be research associated with academia or action explicitly part of military groups, (like the cyber command thing). (The speaker indicated this was because the US had such strict laws against accessing other people's computers.) Russia seems to be heavily supported by organized crime and other countries have other motivations.
The point being that you really can't apply the US model to other countries. That's why it's hard to nail down and say "China is doing evil" or "Russia is doing evil" or "the US is doing evil". Each country is multiple facets and different facets of each country are associated with cyberware.
I do security
It may have been designed that way, but in practice the bean-counters have said "why are we paying for all this redundancy?!" and we cannot even handle a simple hurricane-caused fiber sever.
In the Foundation series, the Foundation won a war because they stopped providing helpful but not essential consumer goods to the people attacking them. Eventually, the aggressor's population became so unhappy with their leaders depriving them of shiny toys that they rebelled. Obviously this is fiction, but it made a good point. People are much more likely to care about small things that affect them directly than larger things that only affect other people.
I am TheRaven on Soylent News
Actually, the decision process went more like this: 1) Iraq deserves to be invaded. 2) How can we justify invading them? 3) I know, let's say they have nukes!
Oh, yeah, and 4) profit (for oil companies).
"Networked" != "accessible via the internet". While it's possible to break into some of these kinds of networks, it generally requires 1) physical access to a terminal (for wired networks) or 2) at least physical proximity to the system (for wireless networks).
I think it's highly, highly unlikely that bad guys in China or Pakistan or whatever are going to be able to break into systems controlling big, dangerous infrastructure like this. Your worst threat (as always) is almost certainly the disgruntled employee or former employee.
Isn't it true that the main threat from the Chinese, et al, is industrial espionage? I find it very, very difficult to believe that it's even possible to do things like bring down power plants, screw around with dams, etc, over the internet.
What's more, it probably wouldn't even become APPARENT that the event was caused by a "terrorist" until long after the fact. That really limits the utility of this kind of thing from the "terrorist's" standpoint - it's hard to terrorize people when they don't even realize you've done something.
The word for that is "sanctions", not "terrorism". And I think that, in general, history does not agree with Isaac Asimov. See Cuba for example.
However, you do raise a good point about "things that affect them directly". I think terrorism, to be effective, requires people to think that it could have affected them. So a random car bomb that kills 10 people is terrifying, because people think they could have been one of those people. On the other hand, thousands of people dying each year because they drink and drive is not frightening, because everyone thinks "I don't do that, so I'm safe".
So terrorism is all about large things that affect other people who are just like you, and make you think it could have affected you just as easily.
I hate it when I make a joke and I get modded "+5 insightful". Mod the stupid comments "funny", not "insightful", pleas