Background and Introduction
WHAT IS TERRORISM?
Terrorism is usually defined in terms of non-state-sponsored attacks on civilians, perpetrated with the intent of spreading fear and intimidation. Terrorism can occur on many different scales and can cause a wide range of impacts. For many Americans, the events of September 11, 2001, changed dramatically their perceptions of what terrorism could entail. In the space of a few hours, thousands of American lives were lost, and property damage in the tens of billions of dollars occurred—an obviously high-impact event. However, as illustrated by the subsequent anthrax attacks, widespread disruption of key societal functions, loss of public confidence in the ability of governmental institutions to keep society safe, widespread loss of peace of mind, and/or pervasive injury to a society’s way of life also count as manifestations of “high impact.” It is on such high-impact, catastrophic dimensions of terrorism that the Committee on the Role of Information Technology in Responding to Terrorism decided to concentrate in order to keep the analytical focus of this report manageable.
The committee does not mean to suggest that only events of the magnitude of those on September 11 are worth considering. But the committee is primarily addressing events that would result in long-lasting and/or major financial or life-safety impacts and that would generally require a coordinated response among multiple agencies, or are in many other respects very complicated to manage. Damaging and destructive though individual attacks are, the digital equivalent of a single car bomb with
conventional explosives (e.g., a single hacker breaking into a nominally unsecured system that does not tunnel into other critical systems) is not the primary focus of this report.
In the context considered here, the adversary must be conceptualized as a very patient, smart, and disciplined opponent with many resources (money, personnel, time) at its disposal. Thus, in an information technology context, the “lone hacker” threat—often described in terms of maladjusted teenage males with too much time on their hands—is not the appropriate model. Protection against “ankle biters” and “script kiddies” who have the technical skills and understanding as well as the time needed to discover and exploit vulnerabilities is of course worth some effort, but it is important as well to consider seriously the larger threat that potentially more destructive adversaries pose.
THE ROLE OF INFORMATION TECHNOLOGY IN NATIONAL LIFE AND IN COUNTERTERRORISM
Information technology (IT) is essential to virtually all of the nation’s critical infrastructures, which makes any of them vulnerable to a terrorist attack on the computer or telecommunications networks of those infrastructures. IT plays a critical role in managing and operating nuclear-power plants, dams, the electric-power grid, the air-traffic-control system, and financial institutions. Large and small companies rely on computers to manage payroll, track inventory and sales, and perform research and development. Every stage in the distribution of food and energy from producer to retail consumer relies on computers and networks. A more recent trend is the embedding of computing capability in all kinds of devices and environments, as well as the networking of embedded systems into larger systems.1 And, most obviously, IT is the technological underpinning of the nation’s communications systems, from the local loop of “plain old telephone service” to the high-speed backbone connections that support data traffic. These realities make the computer and communications systems of the nation a critical infrastructure in and of themselves, as well as major components of other kinds of critical infrastructure, such as energy or transportation systems.
In addition, while IT per se refers to computing and communications technologies, the hardware and software (i.e., the technological artifacts
of computers, routers, operating systems, browsers, fiber-optic lines, and so on) are part of a larger construct that involves people and organizations. The display on a computer system presents information for a person who has his or her own psychological and emotional attributes and who is usually part of an organization with its own culture and standard operating procedures. Thus, to understand how IT might fail or how the use of IT might not achieve the objectives desired, it is always necessary to consider the larger entity in which the IT is embedded.
IT also has a major role in the prevention, detection, and mitigation of terrorist attacks.2 This report focuses on two critical applications. First, emergency response involves the agencies, often state and local, that are called upon to respond to terrorist incidents—firefighters, police, ambulance, and other emergency health care workers, and so on. These agencies are critically reliant on information technology to communicate, to coordinate, and to share information in a prompt, reliable, and intelligible fashion. Second, information awareness involves promoting a broad knowledge of critical information in the intelligence community to identify important patterns of behavior. Advances in information fusion, which is the aggregation of data from multiple sources for the purpose of discovering some insight, may be able to uncover terrorists or their plans in time to prevent attacks. In addition to prevention and detection, IT may also help rapidly and accurately identify the nature of an attack and aid in responding to it more effectively.
1.3 THE INFORMATION TECHNOLOGY INFRASTRUCTURE AND ASSOCIATED RISKS
The IT infrastructure can be conceptualized as having four major elements: the Internet, the conventional telecommunications infrastructure, embedded/real-time computing (e.g., avionics systems for aircraft control, supervisory control and data acquisition [SCADA] systems con
trolling electrical energy distribution), and dedicated computing devices (e.g., desktop computers).
Each of these elements plays a different role in national life, and each has different specific vulnerabilities. Nevertheless, the ways in which IT can be damaged fall into three categories.3 A system or network can become:
Unavailable. That is, using the system or network at all becomes very difficult or impossible. The e-mail does not go through, or the computer simply freezes, or response time becomes intolerably long.
Corrupted. That is, the system or network continues to operate, but under some circumstances of operation, it does not provide accurate results or information when one would normally expect. Alteration of data, for example, could have this effect.
Compromised. That is, someone with bad intentions gains access to some or all of the capabilities of the system or network or the information available through it. The threat is that such a person could use privileged information or system control to further his or her malign purposes.
These types of damage are not independent—for example, an attacker could compromise a system in order to render it unavailable.
Different attackers might have different intentions with respect to IT. In some cases, an element of the IT infrastructure itself might be a target to be destroyed (e.g., the means for people to communicate or to engage in financial transactions). Alternatively, the target of the terrorist might be another kind of critical infrastructure (e.g., the electric-power grid), and the terrorist could either launch or exacerbate the attack by exploiting the IT infrastructure, or use it to interfere with attempts to achieve a timely and effective response.
In short, IT is both a target and a weapon that can be deployed against other targets. Counterterrorist activities thus seek to reduce the likelihood that IT functionality will be diminished as a result of an attack or as a result of the damage that might come from the use of IT as a weapon against valued targets.
A terrorist attack that involves the IT infrastructure can operate in one of several modes. First, an attack can come in “through the wires” as a hostile program (e.g., a virus or a Trojan horse program) or as a denial-
of-service attack.4 Second, some IT element may be physically destroyed (e.g., a critical data center or communications link blown up) or compromised (e.g., IT hardware surreptitiously modified in the distribution chain). Third, a trusted insider may be compromised (such a person, for instance, may provide passwords that permit outsiders to gain entry);5 such insiders may also be conduits for hostile software or hardware modifications. All of these modes are possible and, because of the highly public and accessible nature of our IT infrastructure and of our society in general, it is impossible to fully secure this infrastructure against them. Nor are they mutually exclusive, and in practice they can be combined to produce even more destructive effects.