Terrorism: Reducing Vulnerabilities and Improving Responses: U.S.-Russian Workshop Proceedings (2004)

Lewis M. Branscomb

Harvard University

In modern industrial societies, information technology may be exploited by terrorists as either a target or a weapon or both. Information technology (IT) is also essential in arranging defenses against terror attack. This multifaceted character of IT is unique among the technologies of concern to the counterterrorist.

As a target, not only the telecommunications and data network infrastructures might be subject to a cyberattack, but so might all of the other areas of critical infrastructure whose efficient functioning depends on computer controls, data management, and digital communications. Of particular concern are the Systems Control and Data Acquisition (SCADA) systems that are rapidly replacing operating engineers as the control elements in networked industrial applications. The electric power distribution industry is a particularly sensitive but not unique example. SCADA software is built outside the United States; it is difficult to prove that no trapdoors were implemented in the software. Furthermore, while more advanced power companies use encrypted communications through buried optical fiber to communicate among the SCADA computers, in some cases, unprotected Internet communications were still used after September 11, 2001.

As a weapon, IT is very familiar, for hackers have demonstrated how information systems may be used to defeat themselves since the beginning of the Internet. Most familiar are the viruses, worms, and Trojan horses; less familiar but more destructive are the sophisticated attacks that may allow the attacker to gain control of the software system (key-zero state).

A cyberattack on a nation’s communications and data network systems may be very disruptive and exact large penalties in inconvenience and in burdensome economic cost. Disruption, if repeated, of energy, telecoms, or transportation

and finance can exact high economic cost and public distress. There are attacks that could create more serious damage to communications, but they are probably more difficult for terrorists to accomplish. Examples might include

• cumulative delayed action attacks on critical infrastructures (Trojan horses) or backdoor traps in software or hardware, such as were mentioned by Dr. Ignatyev

• attacks that benefit from a corrupted insider, especially one with access to systems management

• attacks on soft but important targets such as the Internet; one example is attacks on root name servers, but since these files are replicated on other name servers, all must be successfully attacked

The National Academies study Making the Nation Safer: The Role of Science and Technology in Countering Terrorism concluded that most communications systems, while vulnerable to attack, are also resilient and can in most cases be brought back into service in a relatively short time.¹ Thus, cyberwarfare is not considered a weapon of mass destruction.

However, cybertechnology is accessible to terrorists; it is ubiquitous in target systems, critical to their proper functioning, and attacks can be deployed covertly from anywhere. Indeed, IT systems are also critical in all phases of counterterrorism:

• intelligence

• detection of imminent attacks

• response and damage mitigation when attack occurs

• forensic analysis and recovery

Thus, a cyberattack may be designed to inhibit all of these defensive functions, increasing the risk of attack and aggravating the consequences by inhibiting response and damage mitigation. In this way, a cyberattack may be used to amplify the effect of a more conventional attack using explosives or chemical, biological, or nuclear weapons.

The most serious threat from a cyberattack may be the use of the cyberattack to amplify a physical attack. A cyberattack may accomplish this in a variety of ways, for example,

• interference with emergency services and command/control communications

• unauthenticated false messages directing inappropriate actions; false information creating confusion and panic

• attacks on local critical infrastructure on which response and recovery depend

In each of these examples, the period of effectiveness of the attack need only be for a short time, perhaps a few hours or less, which may be significantly shorter than the time for recovery of the communications system in question.

There is another weapon that shares this characteristic: the portable device delivering an electromagnetic pulse (EMP) sufficiently strong to damage the operating condition of electronics systems such as computers, digital telephone switches, and the like, but not strong enough to permanently damage the hardware.

It follows that emergency operations centers (EOCs), such as those in all major cities, should be protected against both cyber- and EMP attacks on their information systems. We should be prepared for the likelihood that a well-planned terrorist attack might begin with an attack that removes the EOC from effectiveness for a few hours, during which time a major physical (or biological or chemical) attack occurs.

The National Academies study referenced above provided a variety of recommendations, some of which require changes to communications hardware, intended to reduce the effectiveness of cyberattacks. Among them are the following:

• ensure secure and interconnected communications among first responders and crisis managers

• develop and apply methods for high-reliability authentication of security messages

• develop ways to ensure that critical networks degrade slowly and reversibly when attacked

• devise systems for acquiring a snapshot of system state and preserve the most critical data in critical large systems under attack, to allow them to be recovered in most important respects as quickly as possible

Some longer-range research tasks were to

• develop telecommunications system software so that limited service will continue when in a volume-saturated state

• design self-adaptive networks that reconfigure automatically when attacked

• address the security needs of mobile wireless communications

• create better decision support tools for crisis managers

• address the security flaws in operating systems and network software

Underlying these practical research objectives is the need, at least in the United States, for expanded investments in basic research and advanced research education to address the general lack of strong security in computer operating systems and network software.

The lack of a full effort in computer security research is a consequence of the perception in the commercial world that the research performed in the 1970s and 1980s addressed commercial security concerns to an adequate degree. Consequently, the weak market for very high security resulted in a lack of investment and training in security research and development. Wm. A. Wulf addresses this issue in his paper.