Cyber-terrorism from fiction to reality

While preparing my two lectures for the Advanced NATO seminar that took place in Kiev, Ukraine, last week (sep 26 to 29, 2010) and had as topic "Cyber-Terrorism Prevention & Counteraction" - I had the occasion to go again through many books, reports and related documents on Cyber-Terrorism. Below are some key elements of the phenomenon, as a short introduction to this topic.

What strikes the reader the most while going through all these documents is the multitude of definitions that one can find for cyber-terrorism across authors, states and even among different security agencies in the same state.

In the same time, examples of actual cyber-terrorist activities are few and this comes not from the lack of such criminal events but from the difficulty of harmonizing the definitions. If we adopt a too narrow definition it will exclude many of the large scale cyber-attacks. Instead, a too broad definition would include in the category of cyber-terrorism too many of the actual cyber-crimes.

What are the key elements of cyber-terrorism?

• a cyber-attack or series of cyber-attacks destined to disrupt or otherwise cripple the functioning of computer systems and computer networks
• the computer systems or networks should, in theory, be part of the critical infrastructure - with direct impact on real life and/or economy 
• disruption or crippling of such systems and services should have direct or possible visible results or to create an important danger to life and/or economy
• there must be a political motivation behind such attacks - in the name of a political ideology or in furtherance of a political agenda with the intention to create panic, public danger, or to intimidate

Because no computer system is 100% secure and the vast majority of computers, including those controlling critical infrastructure are somehow connected to a network or even directly to Internet, there is, in theory, potential for such attacks.

In the same time, the computers that are not connected with the outside world, can be infected through other means - for instance an infected USB memory stick.

The large majority of the writings on the topic conclude showing that critical IT infrastructure - like computers coordinating flights on airports, systems controlling the production and distribution of energy, or computers controlling critical industrial processes - is never too well protected and proactive efforts should be taken to ensure security and safe operations of such systems.

On the other hand, there are many critiques on internet forums that this literature exaggerates on purpose this kind of dangers with the intent to draw funds for defense and computer security industry. Such opinions also underline the possibility that such possible threats are on purpose exaggerated by media in search of sensational news.

Even if this would be true - important cyber-attacks are taking place daily and most of the time it is very difficult to prove the political motivation behind them so that they would be categorized as cyber-terrorism. In any case, only at the end of an investigation - one could tell what was the motivation and if an attack was part of a political agenda (or not).

When discussing favoring aspects of cyber-attacks, aside from the almost every-day discovery of new computer systems vulnerabilities - one other aspect that puts a system or a network at risk is almost always present: the human factor.

Be it insufficient computer usage training or systems weakly configured, be it lack of adequate computer usage policies in organizations - we almost always find in grave cases some employee who, from lack of knowledge or from other reason, has neglected to take the necessary precautions and endangered the critical IT infrastructure putting it at risk.

More over, unlike not so many years ago - a characteristic of the today's cyber-crime modus operandi is the level of development and sophistication of the software tools used and the automation of the cyber-attacks and infection and controlling of the victim computer systems. 

Botnet networks - armies of civilian and institutional computers connected to Internet and infected with viruses that take commands and can be programmed to simultaneously attack from various places in the world a critical service or system connected to the Internet - have a proven disruptive capability.

To make this a cyber-terrorist activity we only need a political motivation. And such scenarios are easy to accomplish if we take into consideration the fact that such botnets are for hire and could be easily rented and used by a terrorist organization.

The most often example of possible cyber-terrorist attack we can find, in which botnets appear to be used si the attacks on Estonia in 2007. There are also other examples pointing out for instance the large scale impact - but most of the examples lack in showing beyond any doubt the political motivation aspect.

From theory to reality and practice

Research from computer security and antivirus companies in the last weeks have added a new aspect to all these digital doomsday's scenarios: the Stuxnet virus.

Much has been written on the topic of Stuxnet and much will be written from now on - because this virus has some interesting characteristics that bring some of the scenarios from imagination to reality. These aspects refer to the capacity of attacking and sabotaging critical IT infrastructure which, if malfunctioning, can cause visible results and even explosions of industrial facilities.

• this virus infects computers through USB memory sticks - no Internet connection needed
• it updates itself on the network using peer-to-peer technology
• it shows different behavior depending on the type of computer it has infected - if it's not an industrial digital control system (SCADA) it only does multiplication activity for spreading infection
• it detects if the computer it has infected is an industrial control computer and looks for connections to digital control devices for industrial processes
• it reprograms these devices and monitors their activity
• it hides the infection and reprogramming of the device from the operator who will never detect the change in the device's programming until, maybe, too late
• the  virus has been discovered in June 2010 - after it has already infected computers in various countries and continents
• it exploits 4 previously unknown vulnerabilities of the Windows operating system
• it is digitally signed with security certificates from two major manufacturers of computer spare-parts - the digital signature of the software is one of the methods widely used by antivirus software to identify legitimate software and it allowed the virus to pass undetected this security check

Various authors have long been imagined lots of scenarios in which critical IT infrastructure is attacked in various ways - Stuxnet is the first real life proof that such attacks are possible.

I will not get here into details about all the suppositions that have been made about this virus and its potential targets. I, however find it interesting that there has been found a way of reaching such critical computer systems and networks and reprogram them.

Even if this virus which has been deemed to be "the first real cyber-weapon" has not caused an explosion somewhere yet - we now have a precedent and an object of study and other potentially dangerous cyber-weapons can be built upon the research done on this one.

Prevention, Justice, Cooperation

Taking into account the essence of the cyber-terrorist phenomenon - which is that of cyber-attacks - discussions on this topic inevitably end in discussing combating cybercrime, prevention and security measures.

In my private practice I have met lots of computer users saying that viruses are inevitable, and the effort to keep your systems clean is too big, and that it's best to do your job than always taking care of our digital security in the way we operate IT.

Such individuals also argument that one single computer user protecting himself, has little or no impact on the global cyber-dangers phenomenon. Even so, having a security-aware behavior in IT operations, having a minimum set of security rules at home or at work when using computers and internet - must be part of the minimal education at all levels, starting from schools. In the same time it is necessary to implement computer usage policies in organizations and companies at all levels.

At legal level, there are also realities that favor computer crime: starting with the fact that cyber-crime is international in nature and there are different definitions of computer crimes from state to state making the task of prosecuting such crimes harder and ending with lack of harmonizing all the corresponding secondary laws like extradition procedures, for instance in some states. It is a huge and complex mechanism which requires lots of political will and many legal writings - and which at this time benefits cyber-criminals.

Even if we all wish that digital doomsday's scenarios remain simple scenarios, life offers us examples from time to time that such scenarios are in fact possible and come to life. Evolution is a trial-and-error process and lots of learning from such mistakes. Especially when we talk about computer security, most of the time security measures are challenged again and again until they fall. 

Unlike in firefighting where you are able to choose fire resistant materials for a certain amount of time or until a certain temperature is reached - in computer security there is no way of telling how long a new security measure will hold. 

It is desirable that mistakes are kept to a minimum, but for this, maybe we should not ignore warnings and stay alert.

More on the Stuxnet virus:

• Symantec - Stuxnet Introduces the First Known Rootkit for Industrial Control Systems
• Langner - Stuxnet is a directed attack -- 'hack of the century'
• TechNewsWorld - Stuxnet: Dissecting the Worm
• PCWorld -  Was Stuxnet Built to Attack Iran's Nuclear Program?
• CNet News -  Stuxnet could hijack power plants, refineries