Thursday, May 18, 2006
According to a recent article, intelligence "chatter" indicates that criminals, terrorists or both (they can work together) may be contemplating cyberattacks that would, for example, target physical infrastructure capabilities such as power grids or institutions such as hospitals.
I've been interested in cyberterrorism for years. A friend and I published an article on it (In Defense of Cyberterrorism), in which we analyzed some of the scenarios that appear in the article I noted above, along with others. So I thought this would be a good time to opine about cyberterrorism -- Brenner on cyberterrorism, as it were.
There are two diametrically opposed schools of thought among computer security professionals, law enforcement officers, lawyers and others who think about cyberterrorism.
One is the FUD (fear, uncertainty and doubt) school: Those who take this view believe cyberterrorism is a myth. They argue that our computer systems are robust enough to resist any attempt to compromise them from the outside (more on this in a minute). Some claim that computer security firms hype the notion of cyberterrorism in order to frighten businesses and other entities into buying their services, services the companies say are essential to preserve computer systems from online analogues of the 9/11 attacks on the World Trade Center. Others who take this view suggest that government agencies do something similar, i.e., exaggerate the threat of cyberterrorism to maximize their funding.
The other school of thought is the Digital Pearl Harbor school: Those who take this view believe cyberterrorism represents a threat that is not merely analogous to the attacks on the World Trade Center, but that may pose a threat comparable to the Japanese attacks on Pearl Harbor. They contend that outside attackers could shut down power grids, disrupt communications and/or other essential services, cripple our economy and wreak various other kinds of havoc.
Before I proceed with Brenner-on-cyberterrorism, I want to note a caveat: Both schools tend to focus on "outside" threats, i.e., on terrorists who, working alone or in association with hired hackers, mount an external assault on domestic computer systems in an effort to shut them down, corrupt their operations or otherwise interfere with their proper functioning. This is the "purest," most obvious cyberterrorism scenario; it tracks much of what we have seen with cybercrime (hacking, cracking, viruses, etc. -- all external attacks). Since this is the primary focus of these two competing schools of thought, I am going to limit my comments to this scenario.
Before I proceed to those comments, however, I want to point out that there is another, actually more frightening cyberterrorism scenario: the "inside" threat. In this version, the terrorists plant someone inside a domestic operation -- a power company, a hospital, a financial institution, whatever seems a likely target. The "mole" may be in place for some time; there may, in fact, be multiple "moles," each located in a strategic position. These "moles" are in a position to have legitimate access to the computer systems which will be used in the attack. They are a virtual Fifth Column, seemingly trusted insiders who are actually rogue operatives. I fear that focusing too much on the external threat will lead us to underestimate the potential harms that can result from this inside threat.
But I digress. Time for Brenner-on-cyberterrorism.
I agree and disagree with both schools. I think the Digital Pearl Harbor conceptualization of cyberterrorism is simplistic and misses the point: I believe computer technology can be used effectively by terrorists, but not to achieve the same effects they accomplish with bombs and hijacked airplanes. I do not believe any cyberterrorist attack could ever have the visceral, awful impact of seeing those planes fly into the World Trade Center. That was a classic, perhaps the classic terrorist attack, because it not only produced the demoralizing effects associated with realizing that we can be physically attacked, it also showed how implements and incidents of everyday life can be turned against us. The mundane became awful -- we identified with the people in the WTC and with the people in the airplanes. And, unlike terrorist attacks in which we view the carnage after it has been inflicted, we were able to monitor the infliction of much of the carnage as it happened . . . which exacerbated our helplessness and horror.
I think cyberterrorism can have a similar impact insofar, and only insofar, as it disrupts the ordinary. I doubt, seriously, whether cyberterrorism could ever produce (forgive me) the body count associated with the WTC or the Bali attacks, but I do not think that is the point of cyberterrorism. I think cyberterrorism is more about mind games than it is about carnage.
I think cyberterrorism could be used very effectively to undermine our sense of security, physical and/or financial. Take a simple example: Assume that ATM machines began to malfunction . . . first in Chicago, then in Seattle, then in Miami, then in Atlanta, then in Oklahoma City, then in Portland, then . . . . and on and on and on. The malfunctioning occurs in each city sequentially; perhaps it lasts basically the same period of time in each city . . . all of which makes it very clear that this is no accident. It seems to me that would be a dreadfully marvelous cyberterrorist mind game: We would not know if we could trust ATMs and, perhaps, the financial institutions that provide them.
Cyberterrorism to me is undermining our sense of security . . . undermining our trust in the things we take for granted. It could take more dramatic forms, such as shutting down power to the northeast states in January; that might, as I have been told, well result in many deaths. That would certainly be demoralizing. But a focused attack like that, and like the WTC, actually, I think, restricts the demoralizing effects of the attack. I can feel sorry for the people in the NE states, and I can fear that something similar might happen to me, but the harm, the carnage, is limited in scope.
If cyberterrorists were to mount something like my hypothetical ATM attacks, then follow that or combine that with other, similar attacks, it would have a very interesting effect, I think, on all of us. We would not confront carnage; we would confront the reality that our world was out of control.