Cyber Attack Possible During Time of Terror

Sept. 23, 2003 — Evildoers commandeer thousands of home computers, creating a virtual army that knocks down chunks of the Internet. Computer infections hit a nuclear plant, crash a 911 system, snarl train service and shut down ATMs. A neighborhood glitch compromises air traffic control computers.

It's all happened before, security experts say.

Luckily for America, it hasn't happened all at once — yet.

There is skepticism, but some fear it could. The recent accidental power outage, which hit tens of millions of electricity consumers, also spurred concerns.

"The Northeast power blackout … could happen as a result of a terrorist attack using cyber [methods]," said Richard Clarke, America's former cybersecurity czar, now an ABCNEWS consultant.

"[There are] a lot of people in the Department of Homeland Security that believe the only terrorist events worth worrying about are the ones with explosions and bodybags, and that's a very 20th-century way of looking at the problem," Clarke added. "In the 21st century, cyberspace is what controls the country."

Many key targets may be accessible online, said Alan Paller, director of research for the SANS Institute, which trains computer security experts.

"Because of the need for remote management, a very large percentage of the systems that run the critical infrastructure are connected to the Internet, in spite of claims to the contrary by officers of those companies; they just don't know," Paller said.

The federal government is concerned — spending just under $5 billion per year to protect its cyber networks from teenage hackers, identity thieves, foreign enemies and terrorists alike, Clarke said. Private industry also is spending huge sums to defend against attacks that could conceivably cripple the stock market, air travel or power plants.

Online Rogues

Terrorist groups have never launched a documented cyberattack against American interests, but al Qaeda appears to have done online reconnaissance in search of U.S. vulnerabilities, Clarke said. In addition, hacking tools have been found on seized al Qaeda computers, and the terror group is said to use the Internet as a communications tool.

But some computer security professionals note the lack of prior al Qaeda cyber attacks, and have a hard time imagining terrorists using cyber methods for a 9/11-style attack.

"If their goal was to disrupt things, there are easier, cheaper ways … that don't leave footprints all over the Internet" to tip off authorities, said Jeff Moss, organizer of the annual Def Con computer hacker's convention, and owner of Black Hat, a computer security company.

On the other hand, it may not take al Qaeda to terrorize.

"The effects of a software programming error, the effects of somebody making a mistake or the effects of someone attacking, they're all the same," said Winn Schwartau, author of Information Warfare: Chaos on the Electronic Superhighway, and numerous other books on the subject.

"If, for example, somebody modifies a whole lot of records at a hospital … and suddenly a lot of prescriptions and information about the patients are changed, and they start dying off, do you call that terror?" Schwartau asked. "If you tamper with a nuclear reactor, is that terror?"

Foreign governments also may be a concern. Chinese officials have said they consider cyber attacks to be a potential war weapon, and they could be a part of the U.S. arsenal as well, Clarke suggested.

‘Perfect Storm’ Too Complicated?

But while enemy governments may pose a threat, skeptics suspect massive online attacks might not be attractive to terrorists who'd more easily use a bomb.

For one thing, the amount of work that might be needed for a "perfect storm of cyberattacks" is hard to fathom, said Moss, the hacker convention organizer.

"You can pick any one isolated thing and figure out how to defeat it, but to spread that all across the nation at once … that would be like trying to solve 300 problems," Moss said. "Everything is so fantastically complex these days. Just finding somebody who's an expert in cell phones is difficult because there's [perhaps] 15 different standards."

And, he added, once the problems are solved, "Why spend all your time coming up with the most secretive, zero-day, computerized exploit, when one guy with a hacksaw in a manhole could probably cause just as many problems?"

Some believe an effective, pinpoint attack on infrastructure — either by computer or hacksaw — would require enormous technical knowledge about plants' mechanical functions and how to exploit them.

"You're not going to give an Afghani Taliban guy a computer in the hills of Afghanistan and take down the Internet," Schwartau said. "I care about the guy who used to be in a cave in Afghanistan … who studies engineering at Columbia University and gets a job at a power plant."

But some might say planting industrial moles is not beyond al Qaeda, which had operatives train as pilots capable of flying jetliners into targets as preparation for 9/11.

"If you look at who is in al Qaeda … many of them had advanced training in computer science," Clarke said. "The notion that these people are a bunch of primitives sitting around in caves reading the Koran, who know nothing about technology, is just cultural bias."

Documented Cases

Though there is no documented cyber attack by a terrorist group, at least one prior infrastructure cyber attack was intentional.

In March and April 2000, an engineer and scorned job applicant apparently remotely seized the controls of a pumping station in Australia and released raw sewage into waterways, possibly in an effort to get a job cleaning up the mess, according to Australian news reports. He was sentenced to two years in prison.

Far more often, many point out, frightening glitches have been blamed on out-of-control viruses or worms that did not intend to target infrastructure.

Such was the case in January, when the Slammer computer worm, which targets Microsoft software, crippled two computer systems for monitoring pressure and temperature during accidents at FirstEnergy Nuclear's Davis-Besse nuclear power plant in Ohio.

"It was definitely not targeted; it was just the Slammer worm having collateral damage," Paller said. "What this proves is the system being connected to the Internet."

The Nuclear Regulatory Commission concluded there was no public safety risk from the crippled systems — not formally considered safety systems — and noted NRC rules require actual safety-related computer systems to be isolated and inaccessible. Still, citing the incident, the NRC in recent weeks notified nuclear plant operators of "a potential vulnerability of their computer network server to infection" from computer worms.

The Northeast blackout may have started with a physical failure, rather than a computer attack, but some see potential cyber peril in the apparent snowballing of a local transmission-line problem into a power outage for 50 million people. Perhaps knowledge of such a cascading domino effect, combined with cases of computer worm hits on infrastructure, could show tech-savvy malefactors just how vulnerable America's infrastructure might be to a well-placed shove.

"If they can't do it after the lesson that we just showed them, they've got to be blithering idiots," Schwartau said of the blackout. "It was a blueprint on how to attack us."

He also pointed to air traffic control as a sector open to potential problems, citing a phone line outage in 1991 that led to the partial collapse of the air traffic control systems for New York-area airports.

Other real-life examples were the collapse of a West Coast bank ATM system in January, an attack which hit some Washington state 911 emergency systems and the closing of Maryland's Motor Vehicle Administration for two days after a computer worm hit this year.

A similar fate hit the CSX rail freight network in August — causing widespread shutdowns and delays on rail lines. The Sobig.F computer worm was blamed.