Terrorists increasingly use new information technologies in their plans. The threat of cyber terrorism, or the use of network tools to put significant components of national infrastructure out of action, is steadily increasing. At the same time, the concept of “cyber terrorism” is cloaked in myths. What is its concrete definition? As Sarah Gordon (2003, p. 4) notes, cyber terrorism is the convergence of terrorism and cyberspace. Further, to qualify as cyber terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber terrorism, depending on their impact.
The concept of cyber terrorism, having left the pages of science fiction novels, is now widely discussed in the mass media and at government and corporate levels. The threat of cyber attacks is real, and specialists evaluate the associated risks as high. On the other hand, there are many myths and speculations around the notion of cyber terrorism. Inadequate assessment of cyber terrorism risks stems from the fact that an accurate evaluation requires determining both the probability of a successful cyber attack and the extent of the probable harm. The first value can be adequately evaluated only after a comprehensive examination of computer network security, while only the owner or system administrator can estimate the damage from a cyber attack. In addition, since almost all serious cyber attacks involve a “human factor”, using social engineering methods and “insider information”, risk estimation becomes significantly harder.
For example, some specialists may consider that the protection of the external perimeter of the corporate network is brilliantly organized. However, not being experts in cyber attacks, they failed to take into account a small hole in the protection system, which appeared after a new information terminal was installed and linked to the information services provider. This hole is quite enough for a skilled cracker to bypass a multi-component and costly network access control system.
According to the Washington Post, in 1998 a 12-year-old hacker broke into the computer system that controlled the water release of the Theodore Roosevelt Dam in Arizona. The article stated that, had it been opened, the water could have flooded a city with a population of 1 million.
The hacker actually broke into the computers of the water station, but he could never get control of the dams. Experts who investigated the incident concluded that there was no threat to human life or property. This incident, presented by the media in a distorted form, could serve as a metaphor for today’s debates about the vulnerability of the Network.
While in theory there is a possibility of electronic intrusion into critical systems, resulting in damage to elements of the information infrastructure and creating a physical threat, gaining control from the outside is an extremely difficult task that requires highly specialized knowledge and involves overcoming more than just computer security mechanisms.
Practical assessment of cyber terrorism risks was the aim of the studies code-named “Digital Pearl Harbor”, conducted by the Naval College of the United States together with the company Gartner. In these studies, experts playing the role of cyber terrorists simulated a large-scale cyber attack on the national network infrastructure.
The studies concluded that such cyber attacks could indeed put telecommunication systems in densely populated areas out of action, but would not result in death or other catastrophic consequences.
Cyber attacks differ according to their target: attacks on data and attacks on control systems.
Attacks of the first type aim to violate the confidentiality, integrity, or availability of information. The majority of network attacks belong to this category, including theft of credit card numbers, website hacking, and DoS attacks. Attacks on control systems aim to disable or seize control over the operations used to maintain physical infrastructure: control of water resources, electricity, railways, etc. Despite the reality of such attacks, security experts say that, so far, cyber attacks can only lead to the temporary inaccessibility of some critical data, not to loss of life or destruction of physical infrastructure, although indirectly this may be possible.
We must recognize that cyber attacks could have serious consequences, although not ones involving harm to human life and health. Many energy companies and utilities manage and control their resources through Supervisory Control and Data Acquisition (SCADA) systems, which theoretically could be vulnerable.
Experts from Riptech, a well-known information security provider, have concluded, on the basis of their experience examining many large American industrial enterprises, that SCADA systems critical to the U.S. economy are vulnerable.
SCADA-type systems can be attacked by creating excess load, which may lead to failure or incorrect functioning of the system. This, in turn, can lead to failures in other parts of the supervisory control system that belong to the enterprise’s computer network. Thus, in 1996, electricity was cut off along the West Coast of the USA for 9 hours: a tree falling on transmission equipment, in combination with some other factors, led to a cascading shutdown of other elements of the electric grid. In 1990 a similar event occurred with an AT&T switch, the failure of which caused a chain reaction leading to the failure of the telecommunication network throughout the United States. In principle, a similar effect could result from a successful hacker attack.
More than 80% of critical network infrastructure is owned by U.S. private companies, which in many cases are not sufficiently competent in matters of information security and which can be influenced through targeted state programs. Information security consultants found that many businesses had Internet connections from SCADA control terminals, which could potentially lead to serious incidents. For example, in November 2001, a certain V. Bowden was sentenced to two years’ imprisonment for using the web, wireless radio and theft to discharge polluted water into a river near the coast of Maruchidora (Queensland, Australia). Previously, Bowden had worked as a consultant on the water project and committed the crime after he was denied full-time work. He tried to gain access to the water purification system 45 times before he managed to flush the polluted water into the river.
Since 11 September 2001, many security concepts have been revised at both the national and corporate level. The security of SCADA systems was proclaimed one of the main aims of the national strategy for securing U.S. cyberspace.
So far, however, even the most serious cyber attacks are far from a mass-destruction scenario in their consequences. The water contamination incident in Queensland, for example, did not endanger human lives and cost about 13 thousand dollars, spent on water purification, which was effectively carried out by staff members.
It is very difficult to attack something if you do not have specific knowledge of the field. Even if a hacker, for example, succeeded in increasing the level of chlorine in the reservoirs at water purification plants, the poisoned water would not get into the water supply system, because it passes five tests. The Environmental Protection Agency requires companies to test for the presence of more than 90 kinds of poisonous substances in water. A simpler and more dangerous attack is the direct physical addition of toxic substances to water reservoirs by a terrorist.
The computer network of the railway industry is one of the largest in the United States and controls 500 railroads, so the federal government has always paid more attention to the protection of information in it. Network attack incidents occur there periodically, but, according to Nancy Wilson, vice-president of the Association of American Railroads, they have never been taken seriously, because companies, as in other sectors, take serious measures to back up data and equipment, which in most cases provide an adequate level of security.
In experts’ opinion, the part most vulnerable to cyber attacks is the infrastructure of the network itself.
Some vulnerabilities can lead to serious consequences even in the absence of cyber attacks. In 1997, an engineer at one of the Internet providers changed two lines of code in the configuration of a router, which led to the shutdown of almost all post in the Global Network for three hours. Nevertheless, despite the seriousness of the accident, this incident cannot be called catastrophic. The total damage was so great because a small amount of damage was caused to a large number of companies simultaneously.
In October 2002 the most unprecedented attack in the history of the Internet against its entire infrastructure took place: thirteen root DNS servers were subjected to a distributed DoS attack. According to Internet Software Consortium chairman Paul Wicks, only four of them managed to withstand it. The high level of redundancy inherent in the structure of the network as a whole made it possible to avoid delays in traffic, despite the failure of two-thirds of the root elements of the infrastructure.
The concept of cyber terrorism is often used for political speculation and to influence public opinion. The real state of things, while not so frightening, gives no cause for optimism either. Cyber attacks could indeed have serious consequences, although not ones involving harm to people’s life and health, massive destruction or other disasters. In the worst scenario, a well-planned massive cyber attack may temporarily put telecommunication systems in densely populated areas out of action.
From the point of view of law enforcement officers, the greatest threat is not the vulnerability of the Network but the global telecommunications it provides to the criminal world, which are extremely difficult to track.
Unfortunately, the rates of cyber crime and cyber terrorism are still rising. During the previous year, companies lost nearly 5 billion dollars because of attacks on intellectual property.
Michael Freeman, Scott Dynes, and Adam Golodner (2005, p. 5) mention that government IT spending is budgeted at $59 billion for 2004, $4.7 billion of which is going to cyber security. Private industry (including those in critical infrastructures) spent approximately $17 billion on cyber security in 2001, and this number is expected to increase to $45 billion by 2006. This amount roughly corresponds to 0.0025% of revenue ($25 for every $1 million), or 0.25% of the average company’s IT budget.
Moreover, this year the global financial crisis is driving an increase in such crimes, because today they are not just an act of protest or vandalism but a way of earning illegal money.