In a recent posting in Newsday, a reference that may have passed unnoticed was made to an incident occurring in the small Baltic nation of Estonia, once under the control of the Soviet Union. For three weeks this past April, the Russians engineered a massive cyber-attack on Estonia’s computer systems and web sites in retaliation for the removal of a World War II-era Soviet war memorial from downtown Tallinn, Estonia’s capital. Russia’s massive state-controlled telecommunications companies paralyzed Estonian web sites by sending more than 5,000 bogus requests for information a second. It was cyber-warfare in the form of computer sabotage, and it shook the NATO alliance of which Estonia is now a member.

According to the Newsday report:

‘This isn’t just a tempest in a European teapot. The United States is just as vulnerable to such (cyber) attacks, and it’s woefully unprepared for them. The Department of Homeland Security has a slot for a “cyber-security czar,” but the post has yet to be filled. And there is no staff to monitor the security of the nation’s key systems and put in place defenses against cyber-attacks as devastating as the ones that crippled Estonia for three weeks.’ [1]

While it is questionable whether al Qaeda could muster such cyber-power, it is a fair guess that other enemies of the U.S. could. Consider this scenario:

It’s 4 a.m. on a sweltering summer night. Across much of the US, power plants are working overtime to generate enough electricity for the millions of air conditioners that are keeping the heat at bay. Rotating blackouts are the order of the day.

In another part of the country, six small groups of men and women gather. Traveling in rented vans to pre-arranged destinations just outside one of hundreds of electrical substations, and positioning themselves upwind from key high-voltage transmission lines, the groups unload their equipment. Those outside the substations assemble simple mortars from materials that they recently purchased from a hardware store, while those near the transmission lines use helium to inflate weather balloons with long silvery tails.

At a given time, the homemade mortars are fired, sending showers of aluminum chaff over the substations. The balloons are then released and their aluminum tails float aimlessly into the transmission lines. These activities are carried out in the South, the Southwest and along the Eastern Seaboard, and they are timed to take place simultaneously. The centralized national power grid, already under immense strain, suffers a massive short-circuit and a cascading power failure across the US. Traffic lights shut down. Water and sewage systems are disabled. Communications systems break down. The financial system and the national economy come to a screeching halt. [2]

Such is the vulnerability of our economic, technological and electronic systems to terrorist attack. Complex as modern societies are, they can be brought down in a heartbeat at virtually no cost and with almost complete anonymity by dedicated terrorists seeking to exploit our society’s growing complexity. An electromagnetic pulse (EMP) attack, for example, set off by a high altitude nuclear weapon (and possibly fired from submarines beneath the oceans that surround us) could shut down America’s economic, technological and electronic infrastructure as quickly as a well-placed cyber-attack. [3]

In his presentation to the Senate’s Judiciary Subcommittee on Terrorism, Technology and Homeland Security, Dan Verton, author of Black Ice: The Invisible Threat of Cyber-Terrorism (2003) explained the nature of the threat facing America and the world in the area of cyber-security. He explained:

“Before any meaningful discussion can be conducted on the nation’s vulnerability to cyber-terrorism, it is important to understand that there is no longer any separation between the physical, real world and the cyber-world. Computers and computer networks control real things in the “real” world, and many of those “things” are critical infrastructures such as electricity, drinking water and real-time financial transactions that have implications for both public safety and the national economy.” [4]

Verton noted that in his research he found evidence of unprotected wireless networks in use in hospitals; in airline baggage checking systems at some of the largest U.S. air carriers; in railroad track heating switches; in uranium mining operations; in water and waste water treatment facilities; and in security cameras, oil wells and water flood operations. He added that even the nation’s critical industrial infrastructures (especially the electrical grid) are vulnerable to computer attack, as power companies (due in part to de-regulation and for profitability purposes) have transferred control of their electrical generation and distribution equipment from private, internal networks to national SCADA (Supervisory Control and Data Acquisition) systems that can now be accessed through the Internet. These SCADA systems manage the flow of electricity and natural gas and control numerous industrial systems and facilities. A terrorist’s ability to control, disrupt, or alter the command and monitoring functions performed by these mammoth computer systems could threaten regional and possibly national security. Verton argues that America’s energy sector would be the first domino to fall in a strategic cyber-terrorist attack against the United States.

Unknowingly, some utilities have made hacking into their SCADA systems relatively easy by continuing to use factory-set passwords that can be found in standard documentation available on the Internet. In some cases, power companies lack basic equipment that would even alert them to such hacking attempts. [5] Verton was especially concerned about this since his research revealed that Bin Laden’s goal is to bring these SCADA systems down. He noted that in January 2002, U.S. forces in Kabul discovered a computer in an al Qaeda office that contained models of a dam made with structural architecture and engineering software. The software would have enabled al Qaeda to study the best way to attack the dam and simulate its catastrophic failure. Other data seizures suggested that al Qaeda is studying these centralized SCADA systems for producing cascading failures across America possibly in conjunction with the next major attack.

Verton stated that al Qaeda is using the Internet to collect information on potential targets in the U.S., especially critical economic nodes. Modern software, he noted, enables them to study structural weaknesses in facilities and to predict the cascading failure effect of attacking these various systems. The purpose is to cripple the U.S. economy, forcing the withdrawal of U.S. military personnel from Saudi Arabia and the entire Middle East and isolating Israel economically and militarily. Targeting corporate America is the vehicle to accomplish this.

Nor is space exempt from cyber-attack. According to French counter-terrorism judge Jean-Louis Bruguière:

‘Some of these groups have the capacity for hijacking satellites. Capturing signals beamed from space, terrorists could devastate the communications industry, shut down power grids, and paralyze the ability of developed countries to defend themselves.’ [6]

The fear of crippling the U.S. economy through acts of terrorism became a front-and-center issue on August 1, 2004, when Pakistani authorities revealed that the interrogation of a captured al Qaeda operative had yielded information that al Qaeda planned to use car bombs or other modes of attack against prominent financial institutions, including the New York Stock Exchange and the Citigroup buildings in Manhattan; Prudential Financial in Newark; and the International Monetary Fund and World Bank in Washington. The operatives were found with blueprints of the Prudential Financial site. [7] Eight weeks before, on May 27, the SITE Institute had drawn attention to this possibility by distributing a translation of the 7th issue of Al-Battar, al Qaeda’s bimonthly Internet training manual. The translation made plain the terrorist group’s desire to hit financial targets as a means of disrupting economic progress in America.

Truth be told, nowhere is the line more difficult to draw than in the sphere of cyber-security. That is because the goal of an act of terror is not military victory but to damage the morale of the people. If local and federal leaders were to respond ineffectively to a biological attack or an electrical blackout caused by sabotage, they could lose the confidence of the people. Repeated attacks might even lead to chaos. Worse, a sophisticated terrorist group could attack a power grid and because of the interdependence of these multiple systems, cause a blackout as a prelude to an even bolder and deadlier attack akin to the hijacking of passenger-laden jetliners on September 11, 2001. A U.S. government advisory panel has concluded that a foreign intelligence service or a well-supported terrorist group “could conduct a structured attack on the national electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation,” according to a report issued by the GAO (Government Accountability Office), the investigative arm of Congress. The technologies that direct transportation, water supplies, energy and emergency systems – including police, fire and rescue teams – are vulnerable to a combination of a traditional terrorist assault and a cyber-attack that would amplify catastrophic results, experts and federal officials testified.

Recognizing this, on September 18, 2002, the President’s Critical Infrastructure Protection Board (which recognized the vulnerability of our national Information Technology systems) released its draft National Strategy to Secure Cyberspace, a 65-page report with some 24 strategic goals and 80 recommendations. [8] The text described how the country’s manufacturing, utilities, financial, and communications sectors have become increasingly dependent on Information Technology (IT) for their most essential operations. The Report not only identified the threats to national security but went further to identify the specific vulnerabilities. It noted that a common defense in cyberspace required a response by both the public and private sectors, and recognized that everyone had to act to secure “their portion of real estate in cyberspace.”

The problem is that while the Report correctly noted that some 85% of the nation’s critical infrastructure was owned by the private sector, the Board’s idea of partnership seemed to rely almost entirely on the “private sector” to organize, fund, and carry out the steps needed to protect its IT resources. How realistic this is remains a matter of some conjecture. The August 14, 2003 power blackout throughout the Northeastern and Midwestern United States and Canada (the largest blackout in North America’s history, which interrupted electrical power to millions of people) was caused by the failure of a “node,” or connecting point, in an electrical service grid. It should have been a wake-up call as well. Though not the result of a terrorist attack, it highlighted the importance that should be given to the Report’s recommendations, especially those concerning the country’s electrical infrastructure, because it made clear to potential terrorists where the systems’ weaknesses lie. With an estimated cost of between $50B and $100B, the government must review its priorities with a view to closing a potentially disastrous gap in our national security.

The Report suggested that states should consider a Cyber Corps scholarship program; a Cyberspace Academy linking IT security and forensics programs; and a recognized certification program in cyber-security. It said that the law enforcement and national security communities should (not must) develop a system to detect a national cyber attack and plan for a response. But these recommendations were expressed in voluntary terms only, with even a proposal for a Cyberspace Network Operations Center (managed by the private sector) couched as an idea for private companies to consider, with federal agencies merely encouraged to explore ways of cooperating with it.

The problem with the Report is that it set no concrete deadlines for actions to secure agency systems and networks, and what is stated as optional and voluntary should have been defined as mandatory and compulsory. Alan Kotok, a renowned computer security expert, has noted that:

“The Report should set deadlines for companies and agencies to comply with steps to tighten security. Private companies and agencies used this approach for Y2K and had success. Why not do it again?”

And Bruce Schneier of Counterpane Internet Security, an expert in the field, suggests that time is not on our side:

“Computing today is unsafe at any speed, but we can minimize the dangers. We need to realize that there will probably always be the potential that someone could break into any system and there will probably always be people that will push the edge to try to find that hole or gap in viable systems.” [9]

Schneier suggests that we have to minimize those opportunities by being proactive in systems security. He sees “complexity” as the root cause of security vulnerabilities, and systems are becoming more complex each and every day. Hackers understand this better than anyone. They are out there homing in on points of weakness and spending the time necessary to break down the system or the software. He recognizes that testing a company’s security requires expensive and time-consuming manual reviews, and most companies simply don’t have the time or expertise to perform this task. He suggests that software companies segregate functions into “modules” to reduce complexity, thereby creating a more secure product. Better to have a breach in security for one system than a breach that would shut down the entire operating system for the nation. Better to have a module breached than an entire security system compromised.

The concern arises, in part, because of a little-known penetration that occurred during the summer of 2002. At that time, The Washington Post reported that security consultants (in an effort to test military computer security systems) hacked into scores of confidential military and government computers without approval, exposing vulnerabilities that specialists said opened the networks to electronic attacks and spying. [10] Although the consultants were inexperienced, they were able to identify and penetrate unprotected PCs and then roam at will through sensitive files containing military procedures, personnel records and financial data. The penetration allowed them to read about radio encryption techniques, the use of laser targeting systems and other field procedures. Another computer held hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers. A NASA computer containing vendor records, a company bank account and financial routing numbers was also penetrated.

But the greatest fear is that a catastrophic chemical, biological and nuclear attack, combined with a cyber attack crippling emergency support and rescue services could have a devastating impact upon the American psyche. In fact, that was the conclusion drawn from Operation Black Ice – the first major infrastructure interdependency exercise that took place in November 2000 in preparation for the 2002 Winter Olympics in Utah. Sponsored by the U.S. Department of Energy and the Utah Olympic Public Safety Command, the goal was to prepare federal, state, local and private-sector officials for the unexpected consequences of a major terrorist attack or series of attacks throughout the region where athletes and spectators from around the world would be gathering. In the end, Black Ice demonstrated in frightening detail how the effects of a major terrorist attack or a natural disaster could be amplified by a simultaneous cyber-attack against the computers that manage the region’s critical infrastructures.

Based upon the experience of Black Ice and a follow-up exercise code-named Blue Cascades, all sectors demonstrated (according to the Hart-Rudman Task Force on Homeland Security) only a “surface level understanding of interdependencies and little knowledge of the critical aspects of other infrastructures,” particularly during long-term disruptions. Moreover, most companies and government officials did not recognize their own overwhelming dependency on IT-related resources to continue business operations and to execute recovery plans.

According to the findings of a Council on Foreign Relations Report of an Independent Task Force “America Still Unprepared – America Still in Danger”:

“Sixty percent of the Northeast’s refined oil products are piped from refineries in Texas and Louisiana. A coordinated attack on several key pumping stations – most of which are in remote areas, are not staffed, and possess no intrusion detection devices – could cause mass disruption to these flows. Nearly fifty percent of California’s electrical supply comes from natural gas power plants and thirty percent of California’s natural gas comes from Canada. Compression stations to maintain pressure cost up to forty million dollars each and are located every sixty miles on a pipeline. If these compressor stations are targeted, the pipeline would be shut down for an extended period of time. A coordinated attack on a selected set of key points in the electrical power system could result in multi-state blackouts. While power might be restored in parts of the region, within a matter of days or weeks, acute shortages could mandate rolling blackouts for as long as several years. Spare parts for critical components of the power grid are in short supply; in many cases, they must be shipped from overseas sources…” [11]

…all of which leads to another major aspect of the problem.

The Microsoft Dilemma

Computing is essential to industrialized societies. As time passes, all societal functions become more deeply dependent on it – power infrastructure, food distribution, air traffic control, emergency services, banking, telecommunications, and virtually every other large scale endeavor is today coordinated and controlled by networked computers. For a terrorist sleeper cell with knowledge of information technology, the potential to cause great harm and to disrupt the electronic lifeblood of our country represents a clear and present danger.

According to the London-based computer security firm mi2g Ltd., malicious software inflicted as much as $107 billion in global economic damage in 2003. It estimates that the “SoBig” worm, which helped make August 2003 the costliest month in terms of economic damage, was responsible for nearly $30 billion in damage alone. The NIMDA and Slammer worms that attacked millions of Windows-based computers were examples of a ‘cascade failure’: they spread from one computer to another at an incredibly high rate of speed. Why? Because these worms did not have to guess much about the target computers, since nearly all computers have the same vulnerabilities… which leads to Microsoft, the computer giant that has honed computer complexity to an art.

Microsoft’s operating systems are notable for their incredible complexity, and complexity is the first enemy of security. According to IDC Research, Microsoft Windows represented 94% of the consumer client software sold in the United States in 2002. A cyber-attack designed for Windows would endanger an overwhelming majority of the population. Online researcher OneStat.com estimates that Microsoft Windows’ market share exceeds 97%. Penetrating such a system would lead to a cyber-catastrophe. If Microsoft had real market competition from another vendor, not all of us would be running the same software.

Many experts in the field are critical of these monopolistic practices in producing increasingly complex software which make the end users of the world computer community almost totally dependent upon a single operating system from a single vendor – in effect, a single operating system that is subject to the same vulnerabilities the world over. Experts feel that this magnifies the security risk and opens the entire global infrastructure to being disrupted by a single blow (the same viruses and worms at the same time) since most of the world’s computers run Microsoft’s operating systems.

The alternative, they argue, is diversification. This fundamental principle assures that, like farmers who grow more than one crop, those of us who depend on computers will not see them all fail simultaneously when the next blight hits. As Daniel Geer pointed out in his controversial 24-page 2003 report titled “Cyberinsecurity: The Cost of Monopoly”:

“In the interests of national security, the government must confront the security effects of a monopoly and acknowledge that competition policy is entangled with security policy from this point forward…Attacking national infrastructures is…done with computers – often hijacked computers. Thus, threats to computing infrastructures explicitly and inherently risk harm to those very societies in proportion to their dependence on them. A prior history of catastrophe is not required to make such a finding. You should not have to wait until people die…” [12]

It should be noted that Geer was the chief technology officer of a technology firm that worked closely with Microsoft Corporation, and was fired subsequent to the publication of his study of the insecurity of Microsoft software.

Survivability is all about preparing for failure so as to survive it. If governments are going to be responsible for the survivability of our technological infrastructures, then whatever governments do will have to take Microsoft’s dominance into consideration. Working on cyber-defenses with the cooperation of private industry must become a top U.S. government priority. America is vulnerable to cyber-attack because it is the most cost-effective way for our enemies to immobilize our complex, interdependent computer-linked social, economic, emergency-response and financial systems, and little is being done to prevent it. Paradoxically, success in the “war on terror” is likely to make terrorists turn increasingly to unconventional weapons such as cyber-terrorism. The more technologically developed we become, the more vulnerable we become to cyber-attacks against our social, economic, industrial and financial infrastructures. And as a new, more computer-savvy generation of terrorists comes of age, this danger will only increase.

Endnotes:

  1. “The future of warfare: U.S. must guard against cyberattacks,” Newsday, June 1, 2007.
  2. Thomas Homer-Dixon, “The Rise of Complex Terrorism,” Foreign Policy, January/February 2002.
  3. Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, Volume 1, Executive Report, 2004; Center for Security Policy, Decision Brief No. 05-D08, February 15, 2005.
  4. U.S. Senate Committee on the Judiciary, “Panel 2 – Virtual Threat, Real Terror: Cyberterrorism in the 21st Century,” Testimony of Dan Verton, February 20, 2004.
  5. Justin Blum, “Hackers Target US Power Grid,” Washington Post, March 11, 2005; Robert Lemos, “SCADA system makers pushed toward security,” SecurityFocus, July 26, 2006.
  6. Lawrence Wright, “The Terror Web,” The New Yorker, August 2, 2004.
  7. Eric Lichtblau, “U.S. Warns of High Risk of Qaeda Attack,” The New York Times, August 2, 2004.
  8. Alan Kotok, “White House cyber-security plan cites big threats, offers little action,” Suite101 (http://www.suite101.com/article.cfm/us_techno_politics/95277).
  9. Bruce Schneier, “Words of Warning from a Cyber-Security Guru,” Business Week, December 29, 1999.
  10. Robert O’Harrow Jr., “Sleuths Invade Military PCs with Ease,” Washington Post, August 16, 2002, p. A01.
  11. Council on Foreign Relations Report of an Independent Task Force, “America Still Unprepared – America Still in Danger,” p. 26.
  12. Daniel Geer, “Cyberinsecurity: The Cost of Monopoly,” Computer & Communications Industry Association, 2003.