infrastructures and industries to manage sensitive processes and physical functions. DC/SCADA systems now more commonly use the Internet to transmit data and control instructions rather than the dedicated networks that had been used before. These should be of particular concern with respect to terrorism.
Very few of the “cyber” parts of these infrastructures were designed or implemented with security as much of a consideration, if it was considered at all. Most are riddled with vulnerabilities, which are defined as weaknesses that can be exploited through either hostile attack or accident. Many of these systems were designed to provide cheap and extensive network access. Unfortunately, this greatly increases the ability of malicious people to find and exploit vulnerabilities.
What do we know or anticipate that terrorists want to do in cyberspace? I believe the answers to this question fall into three categories:
1. to support their activities and infrastructure, but not directly through an attack
2. to explicitly attack parts of the cyber infrastructure
3. to use cyberspace as a means of attacking other targets
It is certain that terrorists and their supporters have been engaging in extensive activities under category 1, and that they will continue to do so.[22] This would cover communications, including encrypted communications with each other; recruiting and “advertising” (for example, via Web sites); and financial transactions such as money transfers and laundering. They are also likely to be scouring cyberspace for information on potential targets and on weapons of mass destruction.
Examples of attacks under category 2 might include massive distributed denial of service (DDOS) attacks to bring down parts of a national or international information infrastructure for the purpose of humiliating governments or other parties (for example, high-profile or symbolic multinationals and religious organizations), and precision strikes against the communications of selected targets during intense crisis periods. Note that cyberspace can be attacked physically–by cutting communications lines or blowing up switches or computers with critical databases–as well as cybernetically.
Possible attacks under category 3 would include compromising transportation or other supervisory control systems to cause disasters resulting in extensive consternation and costing many lives (for example, air traffic control, routing shipping containers, and process control for toxic chemical production). Cyber attacks might also be launched in conjunction with more traditional forms of terrorist attacks in order to severely exacerbate the consequences. For example, interference with the communications of emergency responders might occur during a biological attack.
There have been several malicious attacks, accidents, and experiments via the use of red teams or simulations that convince many people that very serious attacks under categories 2 and 3 are possible. These include both “broadcast” attacks like those now commonly associated with viruses, and more precise, focused, sustained, and sinister attacks. We have yet to see the latter in a truly devastating form.