conventional explosives (e.g., a single hacker breaking into a nominally unsecured system that does not tunnel into other critical systems) is not the primary focus of this report.
In the context considered here, the adversary must be conceptualized as a very patient, smart, and disciplined opponent with many resources (money, personnel, time) at its disposal. Thus, in an information technology context, the “lone hacker” threat—often described in terms of maladjusted teenage males with too much time on their hands—is not the appropriate model. Protection against “ankle biters” and “script kiddies” who have the technical skills and understanding as well as the time needed to discover and exploit vulnerabilities is of course worth some effort, but it is important as well to consider seriously the larger threat that potentially more destructive adversaries pose.
Information technology (IT) is essential to virtually all of the nation’s critical infrastructures, which makes any of them vulnerable to a terrorist attack on the computer or telecommunications networks of those infrastructures. IT plays a critical role in managing and operating nuclear-power plants, dams, the electric-power grid, the air-traffic-control system, and financial institutions. Large and small companies rely on computers to manage payroll, track inventory and sales, and perform research and development. Every stage in the distribution of food and energy from producer to retail consumer relies on computers and networks. A more recent trend is the embedding of computing capability in all kinds of devices and environments, as well as the networking of embedded systems into larger systems.[1] And, most obviously, IT is the technological underpinning of the nation’s communications systems, from the local loop of “plain old telephone service” to the high-speed backbone connections that support data traffic. These realities make the computer and communications systems of the nation a critical infrastructure in and of themselves, as well as major components of other kinds of critical infrastructure, such as energy or transportation systems.
In addition, while IT per se refers to computing and communications technologies, the hardware and software (i.e., the technological artifacts
[1] Computer Science and Telecommunications Board, National Research Council. 2001. Embedded, Everywhere: A Research Agenda for Networked Systems of Embedded Computers. National Academy Press, Washington, D.C. (Note that most Computer Science and Telecommunications Board reports contain many references to relevant literature and additional citations.)