Types of Threats Associated with Information Technology Infrastructure
Most of the nation’s civil communications and data network infrastructure is not hardened against attack, but this infrastructure tends to be localized either in geography or in mode of communication. Thus, if no physical damage is done to them, the computing and communications capabilities disrupted in an attack are likely to be recoverable in a relatively short time. Although their scope or scale is limited, they are nonetheless potentially attractive targets for what might be called “incremental” terrorism. That is, terrorists could use IT as the weapon in a series of relatively local attacks that are repeated against different targets—such as banks, hospitals, or local government services—so often that public confidence is shaken and significant economic disruption results.
However, this report focuses primarily on catastrophic terrorism, and the committee’s analysis is aimed at identifying threats of that magnitude in particular and at proposing science and technology (S&T) strategies for combating them. Of course, serious efforts are needed to develop and deploy security technologies to harden all elements of the IT infrastructure to reduce the potential for damage from repeated attacks.
ATTACK ON IT AS AN AMPLIFIER OF A PHYSICAL ATTACK
Given IT’s critical role in many other elements of the national infrastructure and in responding to crises, the committee believes that the targeting of IT as part of a multipronged attack scenario could have the most catastrophic consequences. Compromised IT can have several disastrous effects: expansion of terrorists’ opportunities to widen the damage
of a physical attack (e.g., by providing false information that drives people toward, rather than away from, the point of attack); diminution of timely responses to an attack (e.g., by interfering with communications systems of first responders); and heightened terror in the population through misinformation (e.g., by providing false information about the nature of a threat). The techniques to compromise key IT systems—for example, launching distributed denial-of-service (DDOS) attacks against Web sites and servers of key government agencies at the federal, state, and local levels; using DDOS attacks to disrupt agencies’ telephone services and the emergency-response 911 system; or sending e-mails containing false information with forged return addresses so that they appear to be from trusted sources—are fairly straightforward and widely known.
2.2 OTHER POSSIBILITIES FOR ATTACK INVOLVING IT
When an element of the IT infrastructure is directly targeted, the goal is to destroy a sufficient amount of IT-based capability to have a significant impact, and the longer that impact persists, the more successful it is from the terrorist’s point of view. For example, one might imagine attacks on the computers and data storage devices associated with important facilities. Irrecoverable loss of critical operating data and essential records on a large scale would likely result in catastrophic and irreversible damage to the U.S. economy. However, most major businesses already have disaster-recovery plans in place that include the backup of their data in a variety of distributed and well-protected locations (and in many cases, they augment backups of data with backup computing and communications facilities).1 While no law of physics prevents the simultaneous destruction of all data backups and backup facilities in all locations, such an attack would be highly complex and difficult to execute and is thus highly unlikely.
Attacks on the Internet
The infrastructure of the Internet is another possible terrorist target, and given the Internet’s public prominence, it may appeal to terrorists as an attractive target. The Internet could be seriously degraded for a relatively short period of time by a denial-of-service attack,2 but such impact
is unlikely to be long lasting. The Internet itself is a densely connected network of networks that automatically routes around links that become unavailable,3 which means that a large number of important nodes would have to be destroyed simultaneously to bring it down for an extended period of time. Destruction of some key Internet nodes could result in reduced network capacity and slow traffic across the Internet, but the ease with which Internet communications can be rerouted would minimize the long-term damage.4 (In this regard, the fact that substantial data-networking services survived the September 11 disaster despite the destruction of large amounts of equipment—concentrated in the World Trade Center complex—reflected redundancies in the infrastructure and a measure of good fortune as well.)
The terrorist might obtain higher leverage with a “through-the-wires” attack that would require the physical replacement of components in Internet relay points on a large scale,5 though such attacks would be much harder to plan and execute. Another attack that would provide higher leverage is on the Internet’s Domain Name System (DNS), which translates domain names (e.g., example.com) to specific Internet Protocol (IP) addresses (e.g., 18.104.22.168) denoting specific Internet nodes. A relatively small number of “root name servers” underpins the DNS. Although the DNS is designed to provide redundancy in case of accidental failure, it has some vulnerability to an intentional physical attack that might target all name servers simultaneously. Although Internet operations would not halt instantly, an increasing number of sites would, over a period of time measured in hours to days, become inaccessible without root name servers to provide authoritative translation information. However, recovery from such an attack would be unlikely to take more than several days—damaged servers can be replaced, since they are generalpurpose computers that are in common use.
In addition, most companies today do not rely on the Internet to carry out their core business functions. Even if a long-term disruption to the Internet were a major disruption to an e-commerce company such as Amazon.com or Dell, most other companies could resort to using phones
and faxes again to replace the Internet for many important functions. (For example, the Department of the Interior has been largely off the Internet since December 5, 2001,6 but it has continued to operate more or less as usual.)
Because the Internet is not yet central to most of American society, the impact of even severe damage to the Internet is less than what might be possible through other modes of terrorist attack. However, current trends suggest that the reliance on the Internet for key functions is likely to grow in the future, despite the existence of real security threats, and so this assessment about lower levels of impact from attacks on the Internet may become less valid in the future.
Box 2.1 provides some historical examples of attacks on the Internet.
Attacks on the Public Switched Network
The telecommunications infrastructure of the public switched network is likely to be less robust than the Internet. Although the long-haul telecommunications infrastructure is capable of dealing with single-point failures (and perhaps even double-point failures) in major switching centers, the physical redundancy in that infrastructure is finite, and damaging a relatively small number of major switching centers for long-distance telecommunications could result in a fracturing of the United States into disconnected regions.7 Particular localities may be disrupted for a considerable length of time—in the aftermath of the September 11 attacks in New York City, telephone service in the downtown area took months to restore fully. Note also that many supposedly independent circuits are trenched together in the physical trenches along certain highway and rail rights-of-way, and thus these conduits constitute not just “choke points” but rather “choke routes” that are hundreds of miles long and that could be attacked anywhere.
An additional vulnerability in the telecommunications infrastructure is the local loop connecting central switching offices to end users; full recovery from the destruction of a central office entails the tedious rewiring of tens or hundreds of thousands of individual connections. Destruction of central offices on a large scale is difficult, simply because even an individual city has many of them, but destruction of a few central offices
For additional information, see <http://www.computerworld.com/storyba/0,4125,NAV47_STO66665,00.html>.
An exacerbating factor is that many organizations rely on leased lines to provide high(er)-assurance connectivity. However, these lines are typically leased from providers of telecommunications infrastructure and hence suffer from many of the same kinds of vulnerabilities as those that affect ordinary lines.
BOX 2.1 Historical Examples of Attacks on the Internet
associated with key facilities or agencies (e.g., those of emergency-response agencies or of the financial district) would certainly have a significant immediate though localized impact. However, the widespread availability of cellular communications, and mobile base-stations deployable in emergency conditions, may mitigate the effect of central office losses.
2.2.3 The Financial System
The IT systems and networks supporting the nation’s financial system are undeniably critical. The financial system is based on the Federal Reserve banking system, a system for handling large-value financial transactions (including Fedwire operated by the Federal Reserve, CHIPS, and SWIFT), and a second system for handling small-value retail transactions (including the Automated Clearing House, the credit-card system, and paper checks).8 By its nature, the system for retail transactions is highly decentralized, while the system for large-value transactions is more centralized. Both the Federal Reserve system and the system for large-value transactions operate on networks that are logically distinct from the public telecommunications system or the Internet, and successful information attacks on these systems likely necessitate significant insider access.9
Embedded/real-time computing in specific systems could be attacked. For example, many embedded computing systems could be corrupted over time.10 Of particular concern could be avionics in airplanes,
collision-avoidance systems in automobiles, and other transportation systems. Such attacks would require a significant insider presence in technically responsible positions in key sectors of the economy over long periods of time. Another example is that sensors, which can be important elements of counterterrorism precautions, could be the target of an attack or, more likely, precursor targets of a terrorist attack.
Control Systems in the National Critical Infrastructure
Another possible attack on embedded/real-time computing would be an attack on the systems controlling elements of the nation’s critical infrastructure, for example, the electric-power grid, the air-traffic-control system, the financial network, and water purification and delivery. An attack on these systems could trigger an event, and conceivably stimulate an inappropriate response that would drive large parts of the the overall system into a catastrophic state. Still another possibility is the compromise or destruction of systems and networks that control and manage elements of the nation’s transportation infrastructure; such an attack could introduce chaos and disruption on a large scale that could drastically reduce the capability of transporting people and/or freight (including food and fuel).
To illustrate, consider the electric-power grid, which is one of the few, if not the only, truly national infrastructures in which it is theoretically possible that a failure in a region could cascade to catastrophic proportions before it could be dealt with. The electric-power grid is controlled by a variety of IT-based SCADA systems. (Box 2.2 describes some of the security issues associated with these systems.) Attacks on SCADA systems could obviously result in disruption of the network (“soft” damage), but because SCADA is used to control physical elements, such attacks could also result in irreversible physical damage. In cases in which backups for damaged components were not readily available (and might have to be remanufactured from scratch), such damage could have long-lasting impact. (Similar considerations apply to other parts of the nation’s infrastructure.)
An electronic attack on a portion of the electric-power grid could result in significant damage, easily comparable to that associated with a local blackout. However, if terrorists took advantage of the chaos caused by a local blackout, they could likely inflict greater physical damage than would be possible in the absence of a blackout.
Another plausible disaster scenario that could rise to the level of catastrophic damage would be an attack on a local or regional power system that cascaded to shut down electrical power over a much wider area and possibly caused physical damage that could take weeks to repair.
BOX 2.2 Security Vulnerabilities and Problems of SCADA Systems
Today’s supervisory control and data acquisition (SCADA) systems have been designed with little or no attention to security. For example, data in SCADA systems are often sent “in the clear.” Protocols for accepting commands are open, with no authentication required. Control channels are often wireless or leased lines that pass through commercial telecommunications facilities. Unencrypted radio-frequency command pathways to SCADA systems are common and, for economic reasons, the Internet itself is increasingly used as a primary command pathway. In general, there is minimal protection against the forgery of control messages or of data and status messages. Such control paths present obvious vulnerabilities.
In addition, today’s SCADA systems are built from commercial off-the-shelf components and are based on operating systems that are known to be insecure. Deregulation has meant placing a premium on the efficient use of existing capacity, and hence interconnections to shift supply from one location to another have increased. Problems of such distributed real-time dynamic control, in combination with the complex, highly interactive nature of the system being controlled, have become major issues in operating the power grid reliably.
A final problem arises because of the real-time nature of SCADA systems, in which timing may be critical to performance and optimal efficiency (timing is important because interrupts and other operations can demand millisecond accuracy): security add-ons in such an environment can complicate timing estimates and cause severe degradation to SCADA performance.
Compounding the difficulty of securing SCADA systems is the fact that information about their vulnerability is so readily available. Such information was first brought into general view in 1998-1999, when numerous details on potential Y2K problems were put up on the World Wide Web. Additional information of greater detail—dealing with potential attacks that were directly or indirectly connected to the President’s Commission on Critical Infrastructure Protection—was subsequently posted on Web pages as well. Product data and educational videotapes from engineering associations can be used to familiarize potential attackers with the basics of the grid and with specific elements. Information obtained through semiautomated reconnaissance to probe and scan the networks of a variety of power suppliers could provide terrorists with detailed information about the internal workings of the SCADA network, down to the level of specific makes and models of equipment used and version releases of corresponding software. And more inside information could be obtained from sympathetic engineers and operators.
By comparison with the possibility of an attack on only a portion of the power grid, the actual feasibility of an attack that would result in a cascading failure with a high degree of confidence is not clear; a detailed study both of SCADA systems and the electric-power system would probably be required in order to assess this possibility. However, because of the inordinate complexity of the nation’s electric-power grid, it would be difficult for either grid operators or terrorists to predict with any confi
dence the effects on the overall grid from a major disruptive event in one part of the system. Thus, any nonlocalized impact on the power grid would be as much a matter of chance as a foreseeable consequence.
Dedicated Computing Facilities
In many of the same ways that embedded computing could be attacked, dedicated computers such as desktop computers could also be corrupted in ways that are hard to detect. One possible channel comes from the extensive use of untrustworthy IT talent among software vendors.11 Once working on the inside, perhaps after a period of years in which they act to gain responsibility and trust, it could happen that these individuals would be able to introduce additional but unauthorized functionality into systems that are widely used. Under such circumstances, the target might not be the general-purpose computer used in the majority of offices around the country, but rather the installation of hidden rogue code in particular sensitive offices. Another possible channel for attacking dedicated computing facilities results from the connection of computers through the Internet; such connections provide a potential route through which terrorists might attack computer systems that do provide important functionality for many sectors of the economy. Examples of widely used Internet-based vectors that, if compromised would have a large-scale effect in a short time, include the operating systems upgrades and certain shareware programs, such as those for sharing music files. (It is likely that Internet-connected computer systems that provide critical functionality to companies and organizations are better protected through firewalls and other security measures than is the average system on the Internet, but as press reports in recent years make clear, such measures do not guarantee that outsiders cannot penetrate them.)
2.3 DISPROPORTIONATE IMPACTS
Some disaster scenarios could result in significant loss or damage that is out of proportion to the actual functionality or capability destroyed. In
particular, localized damage that resulted in a massive loss of confidence in some critical part of the infrastructure could have such a disproportionate impact. For example, if terrorists were able to make a credible claim that the control software of a popular “fly-by-wire” airliner was corrupted and could be induced to cause crashes on demand, perhaps demonstrating it once, public confidence in the airline industry might well be undermined. A more extreme scenario might be that the airlines themselves would ground airplanes until they could be inspected and the software validated.
To the extent that critical industries or sectors rely upon any element of the IT infrastructure, such disproportionate-impact disaster scenarios are a possibility. For this reason, certain types of attack that do not cause extensive actual damage must be considered to have some catastrophic potential. Accordingly, response plans must take into account how to communicate with the public for purposes of reassurance. (This point is beyond the scope of this report but is addressed in Making the Nation Safer.12)
THREATS IN PERSPECTIVE: POSSIBILITY, LIKELIHOOD, AND IMPACT
While the scenarios described above are necessarily speculative, it is possible to make some judgments that relate to their likelihood:
For a variety of reasons, state support of terrorism poses threats of a different and higher order of magnitude than does cybercrime or terrorism without state sponsorship. These reasons include access to large amounts of financial backing and the ability to maintain an actively adversarial stance at a high level for extended periods of time. For example, terrorists with the support of a state might be able to use the state’s intelligence services to gain access to bribable or politically sympathetic individuals in key decision-making places or to systematically corrupt production or distribution of hardware or software.
The most plausible threats are simple attacks launched against complex targets. The successful execution of complex attacks requires that many things go right, so simplicity in attack planning is an important consideration. Complex rather than simple targets are desirable because of the likelihood that the failure modes of a complex target are usually not
well understood by its designers, and thus there are many more ways in which failure can occur in such systems.
Attacks that require insider access are more difficult to carry out and thus less likely to occur than attacks that do not. Insiders must be placed or recruited and are not necessarily entirely trustworthy even from the standpoint of the attacker. Individuals with specialized expertise chosen to be placed as infiltrators may not survive the screening process, and because there is a limited number of such individuals, it can be difficult to insert an infiltrator into a target organization. In addition, compared to approaches not relying on insiders, insiders may leave behind more tracks that can call attention to their activities. This judgment depends, of course, on the presumed diligence of employers in ensuring that their key personnel are trustworthy, and it is worth remembering that the most devastating espionage episodes in recent U.S. history have involved insiders (i.e., Aldrich Ames and Robert Hanssen).
Attacks that require execution over long periods of time are harder and thus less likely to mount than attacks that do not. Planning often takes place over a long period of time, but the actual execution of a plan can be long as well as short. When a plan requires extended activity that, if detected, would be regarded as abnormal, it is more likely to be discovered and/or thwarted.
Terrorist attacks can be sustained over time as well as occurring in individual instances. If the effects of an attack sustained over time (perhaps over months or years) are cumulative, and if the attack goes undetected, the cumulative effects could reach very dangerous proportions. Because such an attack proceeds a little bit at a time, the resources needed to carry it out may well be less than those needed in more concentrated attacks, thus making it more feasible.
Plans that call for repeated attacks are less likely to succeed than those calling for a single attack. For example, it is true that repeated attacks against the Internet could have effects that would defeat efforts to repair or secure it after one initial attack. Such an onslaught would be difficult to sustain, however, because it is highly likely to be detected, and efforts would be made to counter it. Instead, an adversary with the where-withal to conduct such repeated attacks would more likely make the initial strike and then use the recovery period not to stage and launch another strike against the Internet but to attack the physical infrastructure; this strategy could leverage the inoperative Internet to cause additional damage and chaos. (Of course, the fact that physical attacks may be more difficult to conduct must also be taken into account.)
The IT infrastructure (or some element of it) can be a weapon used in an attack on something else as well as being the target of an attack. An attack using the IT infrastructure as a weapon has advantages and disad
vantages from the point of view of a terrorist planner. It can be conducted at a distance in relative physical safety, in a relatively anonymous fashion, and in potentially undetectable ways. However, the impact of such an attack (by assumption, on some other critical national asset) would be indirect, harder to predict, and less certain.
Some of the scenarios described above are potentially relevant to information warfare attacks against the United States—that is, attacks launched or abetted by hostile nation-states and/or directed against U.S. military forces or assets. A hostile nation conducting an information attack on the United States is likely to conceal its identity to minimize the likelihood of retaliation, and thus it may resort to sponsoring terrorists who can attack without leaving clear national signatures.
The committee wishes to underscore a very important point regarding terrorist threats to the IT infrastructure—they are serious enough to warrant considerable national attention, but they are, in the end, only one of a number of ways through which terrorists could act against the United States. Thus, the likelihood of some kind of terrorist attack against or using the IT infrastructure must be understood in the context of a terrorist organization that may have many other types of attack at its disposal, including (possibly) chemical, biological, nuclear, radiological, suicide, and explosive attacks. This point is important because terrorists, like other parties, have limited resources. Thus, they are likely to concentrate their efforts where the impact is largest for the smallest expenditure of resources.
Many factors would play into a terrorist decision to use one kind of attack or another. The particular kinds of expertise and level of resources available, the effect that the terrorists wished to produce, the publicity they wished to gain, the complexity of any attack contemplated, the symbolic value of an attack, the risk of being caught, the likelihood of survival, the defenses that would be faced if a given attack was mounted, and the international reaction to such an attack are all relevant to such a decision. How any given terrorist will weigh such factors cannot be known in advance.
For example, terrorists who want to create immediate public fear and terror are more likely to use a physical attack (perhaps in conjunction with an attack using IT to amplify the resulting damage) than an attack that targets IT exclusively. The reason is that the latter is not likely to be as cinematic as other attacks. What would television broadcast? There would be no dead or injured people, no buildings on fire, no panic in the streets, and no emergency-response crews coming to the rescue. (This is not to say that an attack targeting IT exclusively could not shake public
confidence—but it would not have the same impact as images of death and destruction in the streets.)
Note also that “likelihood” is not a static quantity. While it is true, all else being equal, that it is appropriate to devote resources preferentially to defending against highly likely attacks, the deployment of a defense that addresses the threat of a highly likely Attack A may well lead to a subsequent increase in the likelihood of a previously less likely Attack B. In short, terrorists may not behave in accordance with expectations that are based on static probability distributions. It is therefore very difficult to prioritize a research program for countering terrorism in the same way that one might, for example, prioritize a program for dealing with natural disasters.
How likely are terrorist attacks on the IT infrastructure or attacks using the IT infrastructure compared to terrorist attacks spreading small-pox or smuggling a stolen nuclear weapon into the United States? For obvious reasons, the committee is not in a position to make such judgments. But while the considerations discussed in this section make certain types of attack more or less likely, none of the scenarios described in Section 2.2 can be categorically excluded.
This fact argues in favor of a long-term commitment to a strategic R&D program that will contribute to the overall robustness of the telecommunications and data networks and of the platforms associated with them. Such a program would involve both fundamental research into the scientific underpinnings of information and network security as well as the development of deployable technology that would contribute to information and network security. Ultimately, the strengthening of the nation’s IT infrastructure can improve our ability to prevent, detect, respond to, and recover from terrorist attacks on the nation.13