Science and Technology to Counter Terrorism: Proceedings of an Indo-U.S. Workshop

5 Cyberterrorism and Security Measures

S.E. Goodman

It would be more productive to expand our scope from “cyber terrorism,” a term lacking a widely accepted definition, to consider the following two pertinent questions:

1. What would terrorists want to do in cyberspace?
2. How do we try to deal with such activities?

To address these key questions, we first need to define our basic “who” and “what” we are discussing: Who are “terrorists”? What is “cyberspace”?

Terrorists are people, acting alone or as members of substate organizations (possibly with the support of a national government), who are deliberately trying to inflict mass casualties or cause other forms of costly consternation against civilian populations. At a minimum, these acts are intended to frighten these populations and to attract national or international attention.

Cyberspace is the set of all computer-communications networks. It is a major technology-enabled medium providing means of passage, the locus of objects of value, and parts of the control and management systems for critical processes and infrastructures.

The Internet is the largest single component of cyberspace, with a presence in more than 200 countries and approximately 1 billion users. For the most part, the Internet is built upon national and international telecommunications infrastructures, including the landlines of most public phone systems, and wireless and satellite communications. Beyond the Internet, these telecommunications infrastructures are more generally highly dependent on computing technology. Thus, by our definition, they are part of cyberspace.

Other critical infrastructures in the United States, and increasingly elsewhere in the world, depend on computer-communications systems for direct control and other functions. These include major forms of transportation, banking and finance, energy distribution, emergency preparedness and response, and public health.
Digital control and supervisory control and data acquisition systems (DC/SCADA) are computer-communications networks that are used by many infrastructures and industries to manage sensitive processes and physical functions. DC/SCADA systems now more commonly use the Internet to transmit data and control instructions rather than the dedicated networks that had been used before. These should be of particular concern with respect to terrorism.

Very few of the “cyber” parts of these infrastructures were designed or implemented with security as much of a consideration, if it was considered at all. Most are riddled with vulnerabilities, which are defined as weaknesses that can be exploited through either hostile attack or accident. Many of these systems were designed to provide cheap and extensive network access. Unfortunately, this greatly increases the ability of malicious people to find and exploit vulnerabilities.

What do we know or anticipate that terrorists want to do in cyberspace? I believe the answers to this question fall into three categories:

1. to support their activities and infrastructure, but not directly through an attack;
2. to explicitly attack parts of the cyber infrastructure;
3. to use cyberspace as a means of attacking other targets.

It is certain that terrorists and their supporters have been engaging in extensive activities under category 1, and that they will continue to do so.[22] This would cover communications, including encrypted communications with each other; recruiting and “advertising” (for example, via Web sites); and financial transactions such as money transfers and laundering. They are also likely to be scouring cyberspace for information on potential targets and on weapons of mass destruction.
Examples of attacks under category 2 might include massive distributed denial of service (DDOS) attacks to bring down parts of a national or international information infrastructure for the purpose of humiliating governments or other parties (for example, high-profile or symbolic multinationals and religious organizations), and precision strikes against the communications of selected targets during intense crisis periods. Note that cyberspace can be attacked physically–by cutting communications lines or blowing up switches or computers with critical databases–as well as cybernetically.

Possible attacks under category 3 would include compromising transportation or other supervisory control systems to cause disasters resulting in extensive consternation and costing many lives (for example, air traffic control, routing shipping containers, and process control for toxic chemical production). Cyber attacks might also be launched in conjunction with more traditional forms of terrorist attacks in order to severely exacerbate the consequences. For example, interference with the communications of emergency responders might occur during a biological attack.

There have been several malicious attacks, accidents, and experiments via the use of red teams or simulations that convince many people that very serious attacks under categories 2 and 3 are possible. These include both “broadcast” attacks like those now commonly associated with viruses, and more precise, focused, sustained, and sinister attacks. We have yet to see the latter in a truly devastating form.

[22] Weimann, Gabriel. 2006. Terror on the Internet. United States Institute of Peace Press, Washington, D.C.
It seems likely that there may be efforts by terrorists, and others who serve them, to conduct probes or experiments along lines that might lead to attacks under categories 2 and 3. As far as we can tell, terrorists have not been responsible for any of the major attacks or accidents that have occurred in recent years under categories 2 or 3. So much has been written about such possibilities–and they have had some prominence in the media–that it is inconceivable that terrorists are not aware of them. So far, for reasons we can only speculate about, they do not seem to have chosen to pursue these possibilities with vigor and effect, or perhaps they have tried and failed.

DEALING WITH CYBER-TERRORISTS

It would seem prudent to expect that such attacks will be launched sooner or later. Therefore we should ask ourselves the following: How do we try to deal with terrorists in cyberspace? We start to answer this question by distinguishing between two forms of defense: passive and active defense.[23]

Passive defense is essentially target hardening. It largely consists of the use of various technologies and products (for example, firewalls, cryptography, intrusion detection) and procedures (for example, those governing outside dial-in or reconstitution and recovery) to protect the information technology (IT) assets owned or operated by an individual or organization. Some forms of passive defense may be dynamic, such as stopping an attack in progress, but by definition, passive defense does not impose serious risk or penalty on the attacker.

Active defense by definition imposes serious risk or penalty on the attacker. Risk or penalty may include identification and exposure, investigation and prosecution, or preemptive or counter attacks. With only passive measures, the attackers are free to continue the assault until they either succeed or get frustrated and look elsewhere. Given the vulnerabilities of most cybersystems, the low cost of most attacks, and the ability of attackers to strike from positions of physical safety, a skilled and determined attacker may be more likely to succeed than to become frustrated.

Some defensive actions, for example stopping an attack in progress, can be pursued using both passive and active means. Passively, the defender might plug a vulnerability hole in real time. Actively, the defender might try to locate and get back to the source of the attack. For several legal and other reasons, most forms of active defense will necessarily fall to governments.[24] The effective pursuit of active forms of defense, with a high probability of correct identification and few false positives, is very challenging technologically.

[23] Goodman, Seymour E. 2003. “Toward a treaty-based international regime on cyber crime and terrorism.” Cyber Security: Turning National Solutions into International Cooperation. Center for Strategic and International Studies Press, Washington, D.C., pp. 65-78. See: http://csis.org/pubs/2003_cyber.html

[24] Goodman, Seymour E., Stephen J. Lukasik, and David W. Longhurst. 2003. Protecting Critical Infrastructures Against Cyber-Attack. Adelphi Paper 359, International Institute for Strategic Studies, London, U.K. See: http://www3.oup.co.uk/adelph/hdb/Volume_359/Issue_01/
THREE STAGES OF DEFENSE

In discussing more explicit forms of dealing with terrorist activities in cyberspace, it will be useful to consider three stages of defense:

1. Prevention: How can we keep an attack from being launched? How can an attack be made to fail before reaching the target?
2. Incident management, mitigating an attack, damage limitation: An attack has reached the target. How do we prepare for and conduct defense during an attack? How do we defeat the attack without loss? How do we identify and limit damage?
3. Consequence management: What to do after an attack?

For each of these stages, I will illustrate several basic approaches. A much more detailed and comprehensive breakdown is given in Protecting Critical Infrastructures Against Cyber-Attack.[25] That source has a number of extensive tables organized by strategic objective (for example, mitigating cyber attacks). A set of strategic options appears under each strategic objective (for example, system owner terminal defense), and specific tactical objectives are listed under each of these (for example, defend against insiders). Required capabilities for each tactical objective (for example, compartmentalization on a need-to-know basis) and assessments of the locus of primary and secondary roles of responsibility (for example, primary role for owners and operators) follow.

Note that the implied sequential nature of these stages is really an ongoing feedback loop. Attacks and the risk of attacks are a long-term hazard in cyberspace. With each attack, whether successful or thwarted, both the attacker and defender learn lessons that presumably will help make them better at what they do.

Prevention

A basic approach is to design the system to be secure from an attack from the beginning. If this is done properly, attacks may be prevented because they would be perceived to be futile, or if launched, they would cause no damage. A coarse analogy is that people armed only with rifles rarely attack heavy tanks. For the vast majority of IT systems, security was not a major design criterion, if it was considered at all, even with the original Advanced Research Projects Agency Network (ARPANET), which was developed by the U.S. Department of Defense. If security were made a major design criterion for a new system, there is no doubt that it could be made more secure than most of its predecessors. However, there should be no delusion that we know how to design large, complex systems that can be kept and guaranteed safe and secure in today’s world.

Since almost all cybersystems were not originally designed with security in mind, we have an enormous legacy of insecure systems that are used extensively. Improving security for such systems is largely a matter of afterthoughts and patchwork. The problem is compounded by security often being in conflict with design criteria that best promote the primary intents and needs of the organization. Access and throughput are examples of such design criteria. Added security is not just costly; it may also result in reduced efficiency and functionality. Furthermore, so far there does not seem to be much incentive for people to design or redesign systems to be much more secure. There has been much speculation that the design or redesign of systems will occur only in the aftermath of a “digital Pearl Harbor” or in response to the forces of legal liability or insurance necessities and standards.

A postdesign and implementation variant is to try to prevent attacks by finding and fixing vulnerabilities before an attacker can try to exploit them. Red teams, test beds, or simulations may be used to do this. Another approach, at least to the often-serious threat of possible insider attacks, is to more thoroughly screen employees with potentially sensitive access.

Another general way to try to prevent attacks is to take measures to ban them. This is most obviously done through domestic laws that define such attacks as criminal acts. Given the transnational characteristics of many networks, there would also have to be precise, internationally recognized norms and technical standards. The basic precept is that most people are law abiding and will not engage in criminal acts that are explicitly forbidden, and which carry a heavy penalty. Given the many technical and evidentiary problems of identifying cybercriminals and prosecuting them, nobody has any delusion that such laws would end criminal or terrorist activities in cyberspace. Nonetheless, they might reduce the enormous amount of malicious “noise” in cyberspace, and this would help make it easier to more readily identify more serious activities. They would also provide a necessary basis for encouraging people to report malicious cyberactivities, and for international cooperation in dealing with several kinds of problems.

Deterrence has made a name for itself in other contexts, most notably in strategies for avoiding nuclear exchanges during the cold war. We can conceive of analogies in cyberspace. These would consist of declaratory policies that would be backed up with technical capabilities that provide a high probability of detection, identification, and retaliation or other forms of risk. Deterrence is an implicit or explicit form of intimidation. We must presume that the party who practices deterrence is prepared to respond and is capable of acting effectively in response to a triggering event.

Various forms of preemption or interception may also be possible in this domain. Preemption is usually thought of as a counter-strike against an adversary who is about to attack. Interception is stopping an attack that has been launched from reaching the target. Both may be viewed as forms of prevention that are intensely urgent. Preemptive strikes or interceptions may be either cyber or physical. In cyberspace, the detection of intent and planning or of an early warning of an attack is especially intelligence intensive.[26] Those who poke around cyberspace looking for intelligence and indicators may run into all sorts of jurisdictional, privacy, and other legal constraints and problems. There is no effective cyber-equivalent of detecting the initial heat and light given off by a missile being launched.

Of the three main stages of defense, prevention has more active forms than the other two. The need to identify attackers or potential attackers, and to convince them that there is a high probability that they will be punished, is explicit or implicit in each of our discussions of prevention. Most forms of active defense will have to be conducted by governments. Intergovernmental cooperation will likely be an impetus for the further development of active defense strategies in areas such as the exchange of intelligence. In many cases, private entities engaging in active defense run the risk of being identified and mistaken for criminals.

From a risk perspective, individual terrorists and terrorist organizations (even those supported by nation-states) are different from nation-states. Plausible denial is not important. Terrorists and terrorist organizations have few assets and no sovereign territory to protect from physical or other forms of counterattack or embargo. As a result, they are not sensitive to most of the possible consequences from nation-states that identification might entail. Terrorists who are prepared to perish during a spectacular attack may be less sensitive to preventative measures such as deterrence than criminals, industrial spies, hate mongers, or agents of nation-states who engage in other forms of cyberconflict. On the other hand, given the possibilities of catastrophic terrorism, it is particularly important for the defense to try to prevent attacks and identify and apprehend or otherwise punish potential attackers.

[25] Lukasik, et al.

[26] In the United States, many of these activities are undertaken by the National Infrastructure Protection Center.

Incident Management, Mitigating an Attack, Damage Limitation

The first order of business in this stage of defense is to provide indications and warnings that an attack is taking place. This is easier to do at this stage than it was in the prevention stage. Nevertheless, it is difficult, and intrusion detection has become a particularly active area in research and development. Not surprisingly, detection and notification are more difficult and prone to false positives during the early stages of an attack, before significant damage has been done.

To prevent penetration of the system at risk from the outside, we try to erect barriers and otherwise harden it. Both cyber and physical approaches are necessary. Passwords are the oldest, and still most widely used, cybertechnique. More recent and somewhat widely used techniques are firewalls and proxy servers. Like all forms of cyberdefense, these can be defeated, although it is possible to make them real barriers against many attempted attacks. Physical protection needs to consider several forms of penetration or attempts to isolate the system. These include attacks on electronics using electromagnetic pulses, and attempts to cut cable endings. A wide variety of forms of physical protection are possible, ranging from fences to biometrics.

If the system is penetrated from the outside, a next line of defense is internal compartmentalization and containment. In this instance, the goals are to limit penetration and damage, protect surviving assets, and protect and gather information to help with recovery and response after the attack. Approaches include creating internal physical barriers and cyberbarriers through compartmentalization and need-to-know access controls, intrusion tolerance schemes, setting up decoys, maintaining protected redundancies, and hiding assets. All have both static (pre-positioned and unchanging during the attack) and dynamic variants.

Another approach is automatic or partial shutdown and reallocation. A system that senses it is under attack would start erecting internal barriers that would not be tolerable during normal operations, in an attempt to isolate those parts of the system that had been compromised. It would also involve load-shedding strategies to reallocate surviving capabilities to the most important functions required by the organization. All of this amounts to various forms of real-time reassignment and reconfiguration under rapid degradation.

Particular attention needs to be given to preserving and collecting information during an attack. This is done largely through audit and backup. Most defenders will need to find the most recent “clean” (pre-attack) state to facilitate effective recovery and resumption of operations. This is done most easily if the attack has a clear and precise starting time and backups are made regularly, or if the organization maintains a redundant “shadow” system. More insidious attacks that build up slowly and surreptitiously present a much more difficult problem in identifying a state where the information is uncorrupted and the system is free from inserted malicious code. It is also important to have strong audit functions to identify after the fact when an attack started and to collect information that might assist in the identification and apprehension of the attacker and help the organization better defend itself against similar attacks in the future.

Organizations should establish security policies and plans for defending against attacks. Comprehensive planning should cover a spectrum of possible attacks that pose particular risk to the organization. They should include assessments both of requirements for essential functions and of particular needs in all of the defense categories discussed previously. Special attention should be given to preventing and dealing with insider attacks. Staff should know who to call for help.
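As an added illustration (not from the chapter) of the automatic partial-shutdown and load-shedding approach described above: the script below, using constructed node and function data for a hypothetical utility operator, fences off compromised nodes and then rations the surviving capacity to functions in priority order, shedding any function that cannot receive its minimum.

```python
"""Degradation-triggered reconfiguration: isolate compromised nodes, then
shed load so the surviving capacity goes to the most important functions.
Added example with constructed data; not code from the original chapter."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    name: str
    priority: int   # 1 = most important
    minimum: int    # capacity units below which the function is useless
    full: int       # capacity units for normal operation


# Constructed cluster: node -> capacity units it contributes (150 in total).
NODES = {"app-1": 40, "app-2": 40, "app-3": 40, "db-1": 30}

# Constructed business functions; full demands sum to exactly 150 units.
FUNCTIONS = [
    Function("grid-control", priority=1, minimum=30, full=50),
    Function("outage-dispatch", priority=2, minimum=20, full=40),
    Function("customer-billing", priority=3, minimum=15, full=30),
    Function("public-website", priority=4, minimum=10, full=30),
]


def isolate(nodes, compromised):
    """Internal barrier: drop compromised nodes from the pool and return the
    surviving pool plus its total capacity. Nothing is wiped; the nodes are
    only fenced off so they remain available as evidence."""
    surviving = {n: c for n, c in nodes.items() if n not in compromised}
    return surviving, sum(surviving.values())


def shed_load(functions, capacity):
    """Two-pass allocation. Pass 1 gives each function its minimum in
    priority order; a function that cannot get its minimum is shed entirely
    rather than starved. Pass 2 tops up the survivors toward full capacity,
    again by priority. Returns (allocation, shed)."""
    by_priority = sorted(functions, key=lambda f: f.priority)
    allocation, shed, remaining = {}, [], capacity
    for f in by_priority:
        if f.minimum <= remaining:
            allocation[f.name] = f.minimum
            remaining -= f.minimum
        else:
            shed.append(f.name)
    for f in by_priority:
        if f.name in allocation:
            top_up = min(f.full - f.minimum, remaining)
            allocation[f.name] += top_up
            remaining -= top_up
    return allocation, shed


def reconfigure(nodes, functions, compromised):
    """Full degradation response: isolate, then shed load on what survives."""
    surviving, capacity = isolate(nodes, compromised)
    allocation, shed = shed_load(functions, capacity)
    return {"nodes": surviving, "capacity": capacity,
            "allocation": allocation, "shed": shed}


if __name__ == "__main__":
    # Normal operation: all 150 units available, every function at full.
    print(reconfigure(NODES, FUNCTIONS, compromised=set()))
    # Two app nodes isolated: 70 units left, lowest priority function shed.
    print(reconfigure(NODES, FUNCTIONS, compromised={"app-1", "app-2"}))
```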
It might be a good idea to test the plan through the use of exercises. However, most organizations avoid live “fire drills” because they can be expensive, disruptive, and risky in their own right. Many information systems are delicate and their owners are afraid something will go wrong, resulting in the self-inflicted equivalent of a serious attack.

Generally, we do not know how to design provably secure large, real-world systems. That goal may prove illusory, even from a theoretical standpoint. The various defensive approaches briefly described here are fairly general and should be pursued to protect both new and existing systems. None of them should be considered sufficient in and of itself. Taken together they form a multifaceted defense approach.

Increasing the security for DC/SCADA systems poses particularly difficult problems. These systems are often small and self-contained, and have constrained power needs (including backup). Security may not readily fit with the space, real-time, or power requirements. Security measures could also reduce performance or be problematic in the synchronization of other more extensive processes. Additionally, most of these systems are in the private or mixed sectors (for example, airports). Their owners and operators may not have sufficient resources to secure them more effectively. From the standpoint of counter terrorism, we would imagine that attacking physical targets via control and management systems would result in the kind of mass casualties, damage, fear, and loss of confidence that terrorists favor. Many of these systems are vulnerable to tampering with control signals, especially by insiders. These category 3 uses of cyberspace by terrorists should be of particularly great concern.

Most of the activity at this defensive stage is passive and might be described as “terminal defense,” because it is in the hands of the owners and operators of parts of cyberspace who are mostly in the private sector. Serious questions remain as to who is responsible for defending the common areas in cyberspace, and how it would be done.

Consequence Management

There are two primary substages in this stage of defense: recovery and response. Recovery is largely about reconstituting IT assets so that the organization can operate as close to normal as possible as soon as possible. It is a passive form of defense. Response is concerned with identifying and punishing the culprits and learning lessons to enable the organization to better defend itself in the future. It is thus a more active form of defense.

A sample of the tasks that would fall under recovery might include:

- the removal or shutdown of hostile or defective entities;
- a damage assessment survey of what is broken or altered, and what is not;
- an automated or semiautomated process for assessing and quickly and effectively rationing and reallocating what is left;
- prioritization of functions to be reconstituted;
- restoration to pre-accident or pre-attack status without destroying evidence.

Carefully conceived and executed attacks can make recovery more difficult. For example, attacks that corrupt data or insert malicious code can be executed covertly over long periods of time and masked so that it will be difficult to know where to go for an unpolluted backup. Such corruption can take place over an extended time, simultaneously with the addition of many legitimate transactions that the owner does not want to lose during recovery. To date, most organizations that have suffered short-term attacks seem to have been able to recover fairly quickly and effectively, or at least they are not talking about their failures in this regard.

Tasks that would fall under response include:

- getting the right culprit: strong forms of accurate trace-back and forensic tools, perhaps some kind of “fingerprinting”;
- measured retaliation: legal principles of in-kind and proportionate retaliation;
- asymmetries: what to do about attackers with few IT assets or vulnerabilities?
- escalation: rating the damage to decide if we want to send a very strong message.

As was noted under the discussion of prevention, some of the singular features of high-impact terrorists make revenge more difficult, although it is probably more pressing than it is for ordinary cybercriminals, industrial spies, or agents of foreign governments. Terrorists are likely to be particularly dangerous people who intend to keep attacking. Presumably by this stage we know that we have been severely attacked by terrorists.

A brief assessment of our overall capabilities to deal with terrorists using cyberspace would conclude that for most potential targets, we are technologically and procedurally weak in every aspect of the three stages of cyber defense against skilled, patient, and determined attackers who are not likely to be easily deterred.
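An added illustration, not from the chapter, of the recovery task of restoring to pre-attack status without destroying evidence, and of the difficulty of finding an unpolluted backup after slow, covert corruption. With constructed backups, constructed audit lines and an assumed off-system reference of code-file hashes, the script picks the newest backup before the audit-derived attack start when that start is trustworthy, and otherwise walks backwards through the backups verifying their code files against the reference; later, tainted backups are retained as evidence in either case.

```python
"""Locating the last clean (pre-attack) state for recovery.
Added example with constructed backups and audit lines; not code from the
original chapter. The "reference" manifest is an assumed, off-system record
of deployed code-file hashes taken at deployment time."""
import hashlib
from datetime import datetime


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed code files as deployed, and the reference hashes kept off-system.
CODE_FILES = {"app/auth.py": b"def login(): ...\n",
              "app/ctl.py": b"def set_valve(v): ...\n"}
REFERENCE = {path: sha256(body) for path, body in CODE_FILES.items()}

# Constructed variant in which a line was covertly appended to a code file.
TAMPERED = dict(CODE_FILES, **{"app/ctl.py": b"def set_valve(v): ...\n# injected\n"})


def make_backup(taken, code_files, data_files):
    """A backup is a timestamp plus a manifest of path -> sha256."""
    files = {**code_files, **data_files}
    return {"taken": datetime.fromisoformat(taken),
            "manifest": {path: sha256(body) for path, body in files.items()}}


# Constructed nightly backups; the data file legitimately grows every night,
# while the code was tampered with sometime before the third backup.
BACKUPS = [
    make_backup("2003-11-10T02:00:00", CODE_FILES, {"db/readings.csv": b"r1\n"}),
    make_backup("2003-11-11T02:00:00", CODE_FILES, {"db/readings.csv": b"r1\nr2\n"}),
    make_backup("2003-11-12T02:00:00", TAMPERED, {"db/readings.csv": b"r1\nr2\nr3\n"}),
    make_backup("2003-11-13T02:00:00", TAMPERED, {"db/readings.csv": b"r1\nr2\nr3\nr4\n"}),
]

# Constructed audit lines: "<iso time> <severity> <message>".
AUDIT = [
    "2003-11-11T09:12:00 INFO operator jsmith login ok",
    "2003-11-11T23:41:05 ALERT file app/ctl.py modified outside change window",
    "2003-11-12T00:03:10 ALERT unexpected outbound connection from control host",
]


def attack_start(audit_lines):
    """Earliest ALERT timestamp, or None if the audit trail shows nothing."""
    times = [datetime.fromisoformat(line.split(" ", 1)[0])
             for line in audit_lines if line.split(" ")[1] == "ALERT"]
    return min(times) if times else None


def code_matches(backup, reference):
    """True if every referenced code file in the backup has the expected hash."""
    return all(backup["manifest"].get(p) == h for p, h in reference.items())


def latest_before(backups, start):
    """Easy case: the attack has a precise start time, so take the newest
    backup made strictly before it."""
    earlier = [b for b in backups if b["taken"] < start]
    return max(earlier, key=lambda b: b["taken"]) if earlier else None


def latest_verified(backups, reference):
    """Insidious case: no trustworthy start time. Walk backwards and accept the
    newest backup whose code files all match the off-system reference. Data
    files change legitimately every night, so they cannot be judged this way;
    the check only establishes that no code was altered."""
    for b in sorted(backups, key=lambda b: b["taken"], reverse=True):
        if code_matches(b, reference):
            return b
    return None


def choose_restore_point(backups, audit_lines, reference):
    """Prefer the audit-derived start time, but distrust it if the backup it
    selects still fails verification (the attack began before it was noticed).
    Returns the chosen backup's timestamp; no backup is ever discarded."""
    start = attack_start(audit_lines)
    chosen = latest_before(backups, start) if start else None
    if chosen is None or not code_matches(chosen, reference):
        chosen = latest_verified(backups, reference)
    return chosen["taken"].isoformat() if chosen else None


if __name__ == "__main__":
    print("attack start:", attack_start(AUDIT))
    print("restore from:", choose_restore_point(BACKUPS, AUDIT, REFERENCE))
```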
OCR for page 43
Science and Technology to Counter Terrorism: Proceedings of an Indo-U.S. Workshop Although there has been, and continues to be, much discussion of what needs to be done about research and development and funding, so far there has been a lack of significant advances or the extensive application of security technology that is already available.27 Vulnerabilities are found almost every time serious attackers or red teams look for them. Systems are so complex that fixing some vulnerabilities just forces attackers to find others (or the fix may even create new vulnerabilities). The number of successful attacks, many of which go unperceived by their victims, continues to grow at least as fast as cyberspace itself. In 2003, the number of broadcast attacks by worms, viruses, and spam was record setting. Even old technology such as passwords and firewalls are not used as extensively and effectively as possible, and are often compromised. All of this occurs in spite of a heightened awareness of security problems and needs. Part of the problem is a combination of massive connectivity, with emphasis on widespread access, and a huge number of owners, operators, and users of cyberspace with greatly varying needs, motives, and resources. The domain of actors is much larger and more diversified than is the case with more traditional security issues. Security is reasonably effective in only a few areas. These include cryptology and software for dealing with worms, viruses, and distributed denial of service attacks similar to those we have already encountered. One area of concern that extends broadly across all of the stages of defense is the problem of insiders–people who have authorized access with the potential for abuse that can cause great harm. Insiders still probably account for a majority of successful penetrations for criminal purposes. 
The problem is complicated by changes in organizational relations and technical architectures that make “inside” and “outside” more difficult to even define. The possibility that a terrorist or a terrorist sympathizer might gain employment that would enable him or her to conduct a devastating attack or to provide critical information or access to others cannot be discounted or ignored. The two most general ways of dealing with infiltration are through deep pre-employment investigations, something that most non-government entities are neither capable of doing nor permitted to do in many countries, and through stronger forms of containment and compartmentalization of access within an organization.

Is cyberspace more secure today than 6 or 10 years ago? We do not even know how to provide a definitive answer. Most of us think the answer is no. For example, we believe that the growth of the Internet in the number and variety of connected new software and people, and the additional vulnerabilities this brings, is most likely outstripping the additional security being instituted by organizations and individuals.

Several countries have given visible attention to national plans or strategies to secure cyberspace.28 The U.S. National Strategy to Secure Cyberspace is largely voluntary and suggestive. To date it does not seem to have resulted in dramatic improvements either within the U.S. government or in the mostly privately owned and operated national information infrastructure. If an effective Indian national cyberprotection strategy exists, I am not aware of it. Perhaps the development of a draft of such a strategy could be undertaken as a valuable joint project. The effort might also shed light on some possibilities for improving the U.S. national strategy.

The three technological areas that I believe need the most immediate attention to deal with potential high-impact terrorism are:

1. technology for effectively gathering, evaluating, and acting on intelligence;
2. more secure DC/SCADA systems for managing critical physical and telecommunications infrastructures;
3. upgrading the capabilities and security of the information technologies for emergency responders.

Those who pursue counterterrorism measures must bear in mind that terrorists can easily hide within the societies they intend to harm, avoiding exposure until they actually carry out an attack. This is true in both physical space and cyberspace.

27 Computer Research Associates. November 16-19, 2003. Four Grand Challenges in Trustworthy Computing. Washington, D.C. See: http://www.cra.org/Activities/grand.challenges/security/; Defense Advanced Research Projects Agency. 2003. Advanced Technology Office, Program Overview: Information Assurance. Briefing for the National Security Telecommunications Advisory Committee, December 16, 2003. Several Defense Advanced Research Projects Agency offices have extensive research and development agendas related to cybersecurity. See: http://www.darpa.mil/ato/programs.htm and http://www.ncs.gov/NSTAC/nstac.htm; Institute for Information Infrastructure Protection. 2003. Cyber Security Research and Development Agenda. Hanover, NH. See: http://www.thei3p.org/documents/2003_Cyber_Security_RD_Agenda.pdf; Lukasik, et al., cited above; National Research Council. 2002. High Impact Terrorism, Proceedings of a Russian-American Workshop. Washington, D.C. See: http://www.nap.edu/books/0309082706/html/; National Research Council. 2002. Making the Nation Safer: The Role of Science and Technology in Countering Terrorism. National Academy Press, Washington, D.C. See: http://www.nap.edu/html/stct/; President’s National Security Telecommunications Advisory Committee (NSTAC), the White House Office of Science and Technology Policy (OSTP), and the Georgia Tech Information Security Center (GTISC). May 13-14, 2003. Research and Development Exchange Proceedings: Research and Development Issues to Ensure Trustworthiness in Telecommunications and Information Systems that Directly or Indirectly Impact National Security and Emergency Preparedness. Georgia Institute of Technology, Atlanta, GA. See: http://www.ncs.gov/nstac/r&d2003theme.html
Consequently, counterterrorism in both physical space and cyberspace is necessarily intelligence intensive. Terrorists and fellow travelers engaging in activities in category 1–which includes many who are not explicitly interested in pursuing what might be called cyberterrorism under categories 2 and 3–are exposing themselves in a cyberspace shared and accessed by defenders. Counterterrorism must learn to take advantage of this exposure, and to do so without overly compromising the civil liberties or rights (for example, privacy) of everyone who is not a terrorist. Perhaps the efforts that have received the most visibility in this regard are those that have been directed against terrorist financing.

Initiatives under the first recommendation, such as the use of data-mining approaches or seeking to develop technologies to facilitate accurate trace-back and identification, have run into technical, policy, and legal problems. The recently shut down Total Information Awareness (TIA – later renamed Terrorist Information Awareness29) project under the U.S. Defense Advanced Research Projects Agency (DARPA) is perhaps the most notable case in point. Technically, it is very difficult to trawl through the vast expanses of cyberspace to obtain actionable intelligence without a huge number of false positives, and without the risk of compromising the civil rights of law-abiding citizens.

28 Lukasik, et al., and The White House. February 2003. The National Strategy to Secure Cyberspace. See: http://www.whitehouse.gov/pcipb/.

29 This program was first established by the Department of Defense in February 2003 to research technologies that would aid in the tracking of personal information such as credit card information. In September 2003 the program was terminated.

The pursuit of the first recommendation is also plagued with problems of jurisdiction that are greatly compounded by the easy transnational access provided by many components of cyberspace, most notably the Internet. What may be perceived as serious in one country whose cyberinfrastructure may be used as part of a terrorist action may not even make the legal radar screen of others that are part of an attack that crosses multiple sovereign physical jurisdictions. Most countries have given little or no thought to explicitly making serious crimes of the activities described under categories 1, 2, and 3. Seeking widely adopted national laws criminalizing activities under at least categories 2 and 3 is an important objective. Having such laws on the books may also legitimize the subject of serious cyberattacks in ways that help achieve progress under the second and third recommendations as well. In addition, enforcement and prosecution of these laws are also critical elements of cybersecurity. One possible Indo-U.S. project might be to look into the status of such laws in both countries, and to propose either new laws or explicit improvements to existing law. Such an effort would require substantial interdisciplinary participation.

All of cyberspace comes to the ground somewhere. Although not necessarily impossible, identifying and tracing a terrorist to a physical location is not easy. The effort is fraught with technical and jurisdictional problems. Nonetheless, cases of high-impact terrorism may be so singular that the effort needs to be made.

The owners and operators of DC/SCADA systems are a small, but very important, subset of users of cyberspace in our context.
Under the second recommendation, potential vulnerabilities in this area are of especially great concern and must be given priority by those national governments that are in positions to do so. This would include providing various forms of assistance and technology to the private owners and operators of digital control and management systems. Particular attention should be given to transportation systems because for decades they have been highly favored by terrorists both as targets and as the means of delivering an attack.

Emergency response is plagued by severe fragmentation of communications between multiple players at both national and local levels. Among other problems, this makes for information and command-and-control problems during intense high-impact crises when the resources of many jurisdictions need to be brought to bear effectively and on very short notice. There are also problems with building, maintaining, and effectively using databases with critical information. For example, information on biological or chemical substances in a database for emergency first responders might quickly and effectively be brought to bear at the locus of a catastrophic attack. From a technological standpoint, regarding the third recommendation, it is not difficult to upgrade the capabilities and security of the information technologies for emergency responders in the United States and elsewhere. The primary retardants to making progress are political and financial.

Cyberspace is plagued by a great deal of conflict and by other problems that are beyond the scope of this paper. It is probably the fastest growing domain for a wide assortment of malicious activities and crimes, including nuisance hacking, Web site vandalism, fraud and other financial crimes, and the use of the Internet to lure children to
meetings that result in their assault, kidnapping, or murder. There are many other hostile, natural, and accidental cyberhazards. For example, spam and pornography plague tens of millions of users on a continuous basis, and computer accidents have turned off the lights in large geographic regions.

As with other domains, terrorism is one very serious but relatively low probability threat on a spectrum of other hazards. From a cost and societal perspective, particular attention might be given to defenses against cyberterrorism that can also contribute to defense against other cyberhazards, and vice versa. This view has been voiced about other risk domains, such as defending against bioterrorism and improving public health capabilities more generally to deal with natural and accidental epidemics. All three of the recommendations mentioned in this paper should help to address these wider needs.