
Introduction

Literary Review

There seem to be conflicting opinions as to how well governments (in this case the U.S.) are addressing the possible threat of cyber-terrorism. Dr. Abraham Wagner, while explaining the intricacies of the inter-agency concern and awareness of the US security establishment, concludes that the preparedness and ability to respond to such threats is very little, very late; in some cases US policy can only be described as silly.[1] Joshua Green, while cynical of the actual abilities of cyber-terrorists, purports that the US government is well prepared, quoting Michael Cheek, who said the government is miles ahead of the private sector when it comes to cyber security. Yet Wagner disagrees on this statement as well, explaining that the private and commercial sectors will be the most prepared and the government will be increasingly dependent on them for technology and services.[2]

Terror VS Crime: Defining Terrorism


[1] Wagner 154
[2] Wagner 151

Before we can begin to discuss the inherent difference between cyber-terror and cyber crime we must first lay out the definition of terrorism as it will be applied from here on. Dr. Abraham Wagner defines cyber-terror as the premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by sub-national groups of clandestine agents.[3] While this definition is specific to cyber-terrorism, it could be assumed (based on Wagner's reference to David Rapoport, which does not specifically refer to the use of violence against civilians) that his operational definition for terrorism does not make two very basic distinctions: the use of violence, and the target being a civilian population. A clearer definition defines terrorism as the deliberate use (or intended use) of violence against a civilian target for attaining political objectives.[4] The main problem today in the international community is the lack of a uniform definition and understanding of this very distinction in definition and policy. This prevents uniform and effective anti- and counter-terrorism measures on an international scale. Using the latter as the operational definition, we can lay the foundation for determining whether acts are terrorism or crime. Cyber-terrorism on different levels involves cyber-space or technological advancements to plan, organize and possibly even carry out an attack. The questions raised are: if technology (internet, networks, etc.) is used to aid terrorists in an attack and not to carry out the attack in and of itself, is that cyber-terror? How do we categorize a clear criminal act (hacking into a bank account and stealing funds which are then transferred to a terrorist cell's account) that supports a terrorist attack or organization? In what type of scenarios would this medium of technology be able to directly inflict violence on a civilian population? At this point it is imperative to get technical with the details of the cyber threat.

Direct VS Indirect Use

It is almost impossible for a terrorist to use the Internet to directly kill someone. A terrorist cannot (or at least never has)[5] make a home computer explode and kill a civilian who is at home checking their email, from a remote location. As opposed to a direct weapon being used against civilians, it is a medium or a tool used to perpetrate attacks. Having said this, if the intent of a particular act using cyberspace or related technology is to result in violence against civilians, then this would be considered a direct act of cyber-terrorism. For example, if an Al-Qaida operative were able to hack into the Pentagon, retrieve missile codes and then use them to dispatch missiles to a population center, this would be considered a direct act of cyber-terrorism. A simpler example would be if a terrorist hacked into the computerized system of a railroad station's control center and caused two trains to collide. Further illustrating the difference between cyber crime and cyber terrorism is an event that occurred this past January. A 14-year-old boy adapted a television remote control unit to take control of the switching systems on the public trams in the city of Lodz, Poland, causing four derailments and injuring several passengers.[6] While this attack was successful, it is not considered terrorism because he was not trying to validate or draw attention to a political agenda. If, however, the reason for this attack had been to protest Poland's domestic or foreign policy, then this would follow the aforementioned explanation of a direct act of cyber-terror.

More common than direct use of cyber-terror is the use of technology by terror organizations and operatives to get information for an attack, communicate, train, sabotage government or civilian technology, and even fund their activities. Unlike the above direct use of technology to carry out attacks (i.e. using the technology as a weapon itself), indirect cyber-terrorism does not in its immediate use inflict violence on civilians, although it is a tool used to carry out such attacks or lead up to them, or simply to wreak havoc on a government or civilian infrastructure. A communicative example would be if a terrorist used the draft function of a web-based email service (such as Gmail) while another operative signs on to this same account, reads the draft and deletes it, removing any way to trace the communication. In this example the information transferred could be to activate a sleeper cell or to communicate with operatives, giving vital information or the go-ahead to carry out an attack, but it did not kill anyone in its primary purpose. A different example would be a computer network attack (CNA), or cyberattack. This disrupts the integrity or authenticity of data, usually through malicious code that alters the program logic that controls data, leading to errors in output (for more detail, see Appendices A, B, and C). Once infected with malicious code, a computer can be remotely controlled by a hacker who may, via the Internet, send commands to spy on the contents of that computer or attack and disrupt other computers. A CNA can be used to get necessary information for an attack as well as to cause confusion as cover for an attack. The last example of indirect use of cyber technology for terrorist purposes is the raising or attaining of funds (illegally and legally).

[3] Wagner 135
[4] Ganor____
[5] Green 2?
[6] http://www.darkreading.com/document.asp?doc_id=142996 accessed on 02/12/08
Al Qaeda, for example, has used internet websites to collect funds through its various charity networks.[7] This has become part of the solid and self-supporting infrastructure that has allowed this terrorist organization its longevity and operational capabilities. Whether funds are attained legally or illegally, the end result of what those funds helped actualize is what should be looked at in both cases. Indirect cyber-terrorism often borders on or intertwines with cyber crime. This distinction is important because although an act may benefit a terrorist or an organization (operationally or financially), it in itself does not constitute violence against civilians at that very stage, or could be perfectly legal. Direct cyber-terrorism, while more difficult, is becoming more and more of a threat as technology encompasses more of government security networks as well as public civilian technology (public transport, etc.). While it is important to understand the distinction between both types of cyber-terror, they must both be seen as interrelated and important to the terrorist infrastructure, and therefore policy should address both as well as their overlap.

[7] Abuza 3

Specific Types of Cyber Attacks

The following sections describe the types of attacks that are actively being performed on the Internet.

DDoS (Distributed Denial of Service): Denial of a particular service will come in one of two forms: complete consumption of a resource such as bandwidth, memory, CPU, file handles, or any other finite asset; or exploiting a weakness in the service to stop it functioning or to cause the service to crash.

Password Attack - An attacker (through the use of a program or application) simulates the requests of a typical user, attempting to gain valid credentials from an authentication system by large numbers of repeated authentication attempts using different passwords.

Man in the Middle - A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised.

Privilege Escalation - The act of exploiting a bug in an application to gain access to resources which normally would have been protected from an application or user. Example: a Microsoft Windows service is usually configured to run under the Local System user account. A vulnerability such as a buffer overflow may be used to execute arbitrary code with privilege elevated to Local System.

Phishing Attack (Social Engineering) - To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems (US-CERT). Phishing attacks use email or malicious web sites to solicit personal, often financial, information from users.

Industry Standards / Best Practices

Industry best practices are practices that have been determined from outside of the organization as helpful approaches for large numbers of organizations within that industry. These best practices may be reported in written sources based on investigative reporting, or based on agreements or conventions of trade or professional groups. For example, articles or books may be written about a practice that one company does that has improved its performance. This is a very common occurrence in the literature.
The following sections summarize technologies and procedures that contribute to a good overall security posture. It is suggested to implement these techniques and technologies in multiple overlapping layers in order to provide the appropriate level of security required by the organization.

Intrusion Prevention (IPS) and Detection (IDS)

IDS is a subset of IPS - you have to detect something before you can block it. IPS recognizes unique characteristics of attack traffic and blocks it. Its strength over firewalls is that IPS can recognize the "content" of network traffic at a high enough rate to block malicious connections and allow legitimate traffic to get through. IDS monitors network traffic looking for tell-tale signs of attacks. IDS is an essential tool in identifying systems that have been compromised and in understanding how attacks worked, so the weakness can be eliminated.

Discovery and Mitigation

Discovery tools analyze network traffic to find evidence of new devices and vulnerable or infected software (including worms and viruses) that appear inside your perimeter. Mitigation attempts to remove the threats.

Firewalls and Anti-Malware Gateways

Firewalls are the first line of defense; they block undesirable attempted connections from the outside world to an organization's private network. Traditional firewalls do not look inside the packets but rely on information in the packet headers: ports, source and destination addresses, and protocol state. Next-generation firewalls combine traditional firewall functionality with intrusion prevention systems and anti-malware (viruses, worms, spyware, etc.).

DDoS (Distributed Denial of Service) Defense Tools

An epidemic of extortion is sweeping through web-based businesses. "Pay us or we'll take your site down," say the thieves, and they can make their threats real. DDoS defense tools help organizations and Internet Service Providers defend against outages caused by DDoS attacks.

Host Intrusion Prevention System

If an attack gets through the network defenses, the last line of defense is at the PC or server being targeted by the attack. Host intrusion prevention tools identify and prevent malicious behavior at the operating system level. They have been effective in blocking zero-day attacks in some cases. Host-based intrusion prevention is increasingly becoming part of endpoint security platforms that include firewalls and anti-malware capabilities.

Network Access Control

Host-based Network Access Control capability has also been integrated with personal firewalls, anti-malware agents and other host-based software. Host-based NAC verifies configurations and patches. Personal computers that do not meet the enterprise standards are denied access until their configurations have been corrected. In this way, these important new tools protect users on an enterprise network from becoming infected by unprotected computers that are connected to the same network.
Vulnerability Management and Penetration Testing

Vulnerability management tools scan for vulnerabilities and monitor the organization's progress in eliminating the vulnerabilities that are found. The reports from these systems - especially graphical comparisons of progress for different divisions - often create strong top-management support for improving security.

File Encryption

Credit card information and other valuable private data would be a lot safer if it were encrypted. With encryption in place, attackers who gain access through vulnerabilities would not be able to read or (mis)use the private information. File encryption protects important information from the prying eyes of hackers and co-workers. More effective technologies provide for key escrow or key recovery if a user loses the key or the key's pass phrase.

Secure Communication

These products (e.g. SSH, SFTP, SSL, WPA, etc.), which ensure that information is not read or corrupted during transmission, range from protection against casual browsing to near military-grade cryptography. Virtual private networks save communication cost by enabling users to access their corporate networks through low-cost Internet connections, and they encrypt the data when it travels over the network. VPNs should be used in conjunction with policy enforcement technology to ensure the endpoints are secure.

Strong Authentication

Strong authentication verifies a user's identity without transmitting passwords over the network. This tool solves the security issues associated with password-only systems: phishing, social engineering, shoulder surfing, network sniffing and password cracking.

Security Information and Event Management (SIEM)

These solutions bring together data from IDS, firewalls, vulnerability management, server logs and other sources to give an enterprise an overall picture of the security of the organization. They can be especially effective in verifying a system's vulnerability to a particular attack before raising an alarm.

Forensics Tools

Some attackers get through, and when they do enterprises need to find out what they accessed, what they damaged, and how they got in. Finding those answers is very challenging, but it is a task made easier through the use of forensics tools that intelligently and rapidly study the disk images and other evidence available after an attack.

Log Management

Log monitoring is generally the only way to know when problems have actually happened on your systems, but it is time-consuming and boring, so most organizations do a very poor job at it. Log management (LM) systems aggregate, analyze and archive all the log data to provide an audit trail of system and user activity, and to alert administrators to unusual and suspicious activity. Log management is becoming a standard capability of SIEM systems.
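As an added example (not part of the original paper), the following Python script shows what the log-management alerting described above looks like in practice for the password attack defined earlier: it parses constructed sshd-style authentication log lines, counts failed logins per source address in a sliding time window, raises an alert when the count crosses a threshold, and escalates if a successful login follows the burst. The log format, the 5-failures-in-60-seconds threshold and the addresses are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system). The format
# imitates a common syslog-style sshd authentication message; the timestamps,
# addresses and user names are assumed for this example.
SAMPLE_LOG = """\
2008-02-12T09:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2008-02-12T09:00:03 sshd[2101]: Failed password for root from 203.0.113.7 port 50123 ssh2
2008-02-12T09:00:04 sshd[2101]: Failed password for root from 203.0.113.7 port 50124 ssh2
2008-02-12T09:00:06 sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
2008-02-12T09:00:08 sshd[2101]: Failed password for root from 203.0.113.7 port 50126 ssh2
2008-02-12T09:00:09 sshd[2101]: Accepted password for root from 203.0.113.7 port 50127 ssh2
2008-02-12T09:00:15 sshd[2102]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2008-02-12T09:05:30 sshd[2103]: Failed password for alice from 198.51.100.20 port 40002 ssh2
2008-02-12T09:11:00 sshd[2104]: Accepted password for alice from 198.51.100.20 port 40003 ssh2
"""

# One pattern for both outcomes; "invalid user" is optional so unknown
# account names are captured the same way as existing ones.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each matching line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_password_attacks(log_text, threshold=5, window=timedelta(seconds=60)):
    """
    Return a list of alerts. A source IP is flagged once it produces at least
    `threshold` failed logins inside a sliding `window`. A later success from a
    flagged source becomes a separate, higher-severity alert, because a guessed
    password is the outcome an administrator most needs to see.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)        # ip -> account names tried from that ip
    flagged = set()
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            users[ip].add(user)
            # Expire failures older than the window before counting.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(q), sorted(users[ip])))
        elif ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_attacks(SAMPLE_LOG):
        print(alert)
```

The two slow failures from 198.51.100.20 five minutes apart never cross the threshold, so a legitimate user mistyping a password produces no alert; only the rapid burst from 203.0.113.7 does.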

Psychology of Cyber-Terror

The effectiveness of terrorism as a modus operandi depends on the utilization of fear[8] on behalf of the public to cause mass hysteria and even pressure their elected government. If this is the case in a suicide bomb attack in a mall, how then does this same objective transfer to cyber space? To begin with, the lack of direct cyber attacks makes the fear of the unknown even more dramatic. When people are left to exaggerate and create futuristic scenarios about the possibilities of cyber-attacks, it can be even worse than if they had a tangible example to be afraid of. In such cases terrorism uses the victim's own imagination against him.[9] Rapid technological advancements create more mediums for the terrorists to work in, while the increased dependency of citizens and infrastructure on daily uses of the internet logically creates more uncertainty on behalf of the citizens. Fear of cyber-crime, and the hype it receives, is immediately transferred to fear of cyber-terror: if my identity can be forged or my credit card details stolen online, then they can just as easily physically harm me through this medium and technology. This type of logic shows the transfer of a rational fear (online scandals or hacks) to an irrational fear. A major aspect of terrorism's hysteria is the concept of irrational fear.[10] The fear of being killed in a bomb attack on a main thoroughfare is not rational. A rational fear would be that of sudden death in a car accident, since this is statistically more common (especially in Israel). In this case the fear of cyber-terror is even more irrational than that of traditional terrorism because of its low probability and limited actual danger. In the most traumatic example, nuclear weapons, the fear of a cyber-terrorist hacking into a government system to fire these is more science fiction than probable fact. In this case nuclear weapons are air gapped, meaning they are not physically connected to the internet and are therefore inaccessible to outside hackers.[11] The battle over the emotions of the public continues to be the struggle in effective counter-terrorism strategy.

Policy Suggestions

The biggest advantage of terrorists and their organizations when opposing governments is the ability to move around the static legislation in place. Especially in the realm of technology, which is constantly changing, it is perfect ground for them to take advantage of this ineptitude. The ideal course of action would include layered safeguards and an active body that is in charge both of the continual preparation of the civilian population and of informing policymakers and government officials of the changing threat.

The principle of Defense in Depth teaches us not to put all our eggs in one basket, and that no single defense strategy will protect our assets fully. Defense in Depth takes the approach of applying defensive countermeasures in multiple layers, one atop the other, in an attempt to improve the resiliency and overall strength of your security posture. Because the threats we confront come in many forms and from various sources, it is important that, should a particular security safety net fail, there is another layer of protection. The vital importance of these additional layers becomes apparent when newly discovered viruses or vulnerabilities are exploited. They serve not only to keep the asset safe but, in many instances, act as a buffer, slowing down the threat or attacker until a resolution can be found or initiated and the damage from the attack can be cleaned up. Another important point to remember is that we must learn from our mistakes and, as part of our Defense in Depth strategy, make adjustments to our defenses to ensure that the vulnerabilities that were exploited are fixed and that safety measures are put in place to keep the incident from happening again in the future. Security starts with knowledge. Perhaps the weakest link in our security defenses is ourselves, the human factor. Whether it is our lack of technical knowledge or our ignorance of the unknown, we are the single biggest vulnerability. We compromise our security measures by doing things like picking simple passwords or downloading potentially unsafe files; we give away important clues and information that make us easy targets for viruses, hackers, and malicious perpetrators.

[8] The word terror comes from the Latin terrere, meaning to frighten or to scare (Weimann 33).
[9] Ganor in Green (37)
[10] Ganor ___ ppt
[11] In addition, the CIA and FBI classified computer systems are air gapped as well (Green).

The Congressional Committee on Cyber-Terrorism
Appointed on this the 22nd day of December 2007.
Presenting to: The legislative board for the Dept of Homeland Security

Objective: To outline a preliminary policy guideline to address both the immediate and long-range threat of cyber-terrorism. We the committee see the government as responsible for spearheading the defense of civilians but also for being an active partner with them to fight this and other terrorist threats. We have identified two areas that need to be addressed in order to address the threat of cyber-terror, either perceived or actual: the Civilian Realm and the Government Realm. Based on the submitted research we the committee have identified the following as the most pertinent threats in the realm of cyber and technology:
- In light of the current use in this regard we suggest the following measures to be legislated:

Government:
- Not incite fear by over-exaggerating the threat (other political goals?)
- Proactively bolstering unity and community, and dissecting the terrorists' ploy into a logical tactic that can be dealt with.
- Dealing directly with all terrorism.
- A non-static council to deal with new technology, with the cyber-threat or cyber-terror unit within it.
- Stop comments from officials like: "If an attack comes today with information warfare... it would be much, much worse than Pearl Harbor." (Richard Clarke, Bush-appointed head of cyber-security in the White House after September 11.)
- Educate lawmakers so they don't have irrational fear.
- Keep the press in check and part of the process as much as possible. Example headline: "Cyber-attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as a Tool of Bloodshed, Experts say." (Washington Post, cited in Green.)

In addition we deem it necessary for the government body outlined above to bolster the internal defense mechanisms of the public by carrying out the following preliminary actions:
- Courses
- Media control
- Psych control

Citizens:
- Educate themselves about cyber threats
- Understand the tactics of terrorists to break down their psychological advantage
- Act rationally

Finally, state use of force is subject to international norms and conventions that may be invoked or at least consulted; terrorists do not abide by international laws or norms and, to maximize the psychological effect of an attack, their activities have a deliberately unpredictable quality.[12]

[12] Cronin 33

Bibliography

Abuza, Zachary. Funding Terrorism in Southeast Asia: The Financial Network of Al Qaeda and Jemaah Islamiya. Contemporary Southeast Asia. Vol. 25, 2003. http://www.questia.com/googleScholar.qst;jsessionid=HyvDD5WhTD9Xsp6yGPVJ0hJZYryn8XQppFGnGqY9H25Nx7yvLCQf!687718197?docId=5002554167

Addicott, Jeffrey. Chapter 8: Cyberterrorism. Terrorism Law: Materials, Cases and Comments. Tucson, AZ: Lawyers & Judges Publishing Company, Inc, 2007. Pages 275-297.

Denning, Dorothy. Cyber-warriors: Activists and Terrorists Turn to Cyberspace. Harvard International Review. Vol. XXIII, No. 2. Summer 2001.

Green, Joshua. The Myth of Cyber Terrorism. The Washington Monthly. Nov, 2002. http://www.washingtonmonthly.com/features/2001/0211.green.html

Wagner, Abraham R. Cyber-Terrorism: Evolution and Trends. Post Modern Terrorism: Trends, Scenarios, and Future Threats. (Ed: Boaz Ganor). The International Policy Institute for Counter-Terrorism, 2005.

Weimann, Gabriel. Terror on the Internet: The New Arena, the New Challenges. Washington, DC: US Institute of Peace Press, 2006.

Wilson, Tim. Teenage Hacker Takes Over Polish Tram System. Darkreading: Risky Business. January 11, 2008. http://www.darkreading.com/document.asp?doc_id=142996
