- 7 pages
- For Official Use Only
- April 10, 2008
• Thus far, there have been no known successful cyber attacks conducted by al Qaeda sympathizers or affiliates against US national infrastructure.
• The federal government has placed increased emphasis on the cyber threat, citing it in the Annual Threat Assessment of the Director of National Intelligence, released in February 2008, and hosting the nation’s largest cyber security exercise, Cyber Storm II, in March 2008.
• Cyber attacks in New Jersey have been carried out by local animal rights extremists employing low-level techniques targeting Internet sites and e-mail systems of companies and businesses associated with animal research programs.
• Cyberterrorism is an attractive option for foreign-born and domestic terrorists who value its anonymity, potential to inflict massive damage, psychological impact and media appeal. As a new, more computer-savvy generation of terrorists comes of age, the threat of cyber-terror attack is likely to increase.
Cybercrime: Criminal activities that specifically target a computer or network for damage or infiltration, or that use computer(s) as a tool to conduct criminal activity.
Terrorism: To coerce a government or its people in furtherance of political or social objectives through the use of violence.
Cyberterrorism: The convergence of cyberspace and terrorism in the effort to conduct a premeditated, politically motivated use of computers as weapons or as targets, by sub-national groups or clandestine agents intent on violence, to influence an audience or cause a government to change its policies.
Cyberterrorism can be understood as any action that falls within the guidelines set forth in Terrorist Capabilities for Cyberattack: Overview and Policy, produced by the Congressional Research Service. According to that publication, cyberterrorism has occurred when an action’s effects or intent produce results greater than those of general crime, regardless of what kind of actor initiated the sequence.
• Effects-based: Cyberterrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals.
• Intent-based: Cyberterrorism exists when unlawful or politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage.
The Cyber Attack Continuum
While to the best of our knowledge terrorist groups have not yet employed cyber tools as a weapon against U.S. critical infrastructure on a large scale, their acquisition of computer expertise and reliance on information technology to formulate plans, raise funds, spread propaganda, and engage in secure communications represent clear warning signs. The cyber or digital world is not only a vast resource used and targeted by terrorists, but also criminal gangs, foreign intelligence services, and hackers – individuals whose mission is to break into private, public, or classified network systems. These groups may share some of the same objectives, regardless of their primary motivation. They may seek to acquire sensitive, proprietary or classified information, personal identity information, financial resources, property, and other materials of intrinsic value. Cyber-terrorists have the additional goal of destruction and disruption to critical information infrastructure.
Cyber attacks can be divided into three categories, which help quantify the different skills and resources required to carry out such an attack:
• Simple-Unstructured: Simple-Unstructured attacks are the most common. These are amateurish attacks with relatively minimal consequences.
• Advanced-Structured: Advanced-Structured attacks are more sophisticated and thus more consequential; greater emphasis is placed on targeting and focus prior to the attack, the result being a more debilitating attack.
• Complex-Coordinated: Complex-Coordinated attacks are the most advanced and most troublesome type of attack where success could mean a network shutdown.
Attacks on computers can come in many forms, but the most likely methods can include any number of the following: 1) disrupting equipment and hardware reliability, 2) changing processing logic, or 3) stealing or corrupting existing data or information. Any category or method can involve:
• Directing conventional kinetic weapons against computer equipment, a computer facility, or transmission lines to create a physical attack that disrupts the reliability of equipment.
• The power of electromagnetic energy, most commonly in the form of an electromagnetic pulse (EMP), can be used to create an electronic attack (EA) directed against computer equipment or data transmissions. By overheating circuitry or jamming communications, EA disrupts the reliability of equipment and the integrity of data.
• Malicious code can be used to create a cyber attack, or computer network attack (CNA), directed against computer processing code, instruction logic, or data. The code can generate a stream of malicious network packets that can disrupt data or logic through exploiting a vulnerability in computer software, or a weakness in the computer security practices of an organization. This type of cyber attack can disrupt the reliability of equipment, the integrity of data, and the confidentiality of communications.
The following are three recent cyber-terror events – one plot and two actual attacks – that illustrate the scope of the threat:
• On 16 January 2008, a Central Intelligence Agency (CIA) cybersecurity analyst made a statement at a security conference attended by international government officials, engineers, and security managers from North American energy companies and utilities. He discussed attempted cyber intrusions into utilities outside the US, which were followed by extortion demands and in one instance resulted in a power outage affecting multiple cities.
• In April and May 2007, pro-Russian hackers launched numerous attacks on servers throughout Estonia in response to the removal of Soviet era statues in the capital of Estonia, Tallinn. Experts stated that they had never before seen cyber attacks of such sophistication, coordination, and scale. This method of attack is commonly known as a denial-of-service (DoS) attack: it targets central servers, flooding them with false requests until the capacity of the processor is overloaded and all services go down. Targets included various hosting services, government websites and a large part of the commercial sector. Estonia, ranked as one of the highest users of Internet technology worldwide, is largely dependent on data networks. These attacks crippled vital daily functions.
• In early 2007, Scotland Yard uncovered an al Qaeda plot to infiltrate and destroy a high-security Internet hub in the United Kingdom. The Internet facility was undoubtedly an attractive target because it contains numerous servers vital to UK Internet operations and is a clearinghouse for the majority of Internet activity in and out of Britain. In addition, it appears that the terrorists were planning to steal sensitive information located on the servers and then launch a cyber attack designed to undermine the UK’s economic and business sectors.
Cyberterrorism in New Jersey
Historically, cyberterrorism in New Jersey has been used by animal rights extremists who have employed low-level techniques including worms, viruses and denial-of-service attacks to target the websites and e-mail systems of companies and businesses associated with animal research programs. In most cases, this form of cyber disruption involves the sending of thousands of emails en masse to corporate email addresses. These attacks typically target a single business, and do not constitute a threat to the safe operation of the Internet as a whole.
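Both the denial-of-service flooding described in the Estonia incident above and the mass e-mail flooding just described show up on the receiving side as an abnormal event rate, either from one source or in aggregate. The following is an added example written for this page, not code from the bulletin or any agency: in Python, it parses constructed web-server access log lines (the addresses, timestamps and limits are invented for illustration) and flags any source whose request count inside a sliding window exceeds a per-source limit, plus the aggregate case where no single address is loud but the total rate is, which is what a distributed flood looks like. The same windowed-count approach applies to mail-server logs, with sender or connecting host in place of the client IP.

```python
"""Windowed request-rate detector for flood-style denial-of-service traffic.

Added example for this page. All log lines, IP addresses and thresholds
below are constructed for illustration and describe no real incident.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log prefix: client IP, ident, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client_ip, request) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("ip"), m.group("req")


def detect_floods(lines, window_seconds=10, per_source_limit=20, total_limit=100):
    """Flag sources, and the server as a whole, whose request count inside any
    sliding window of window_seconds exceeds the given limits.

    Lines are assumed to be in chronological order, as a live log is.
    Returns {"sources": set of offending IPs, "aggregate": bool}. The per-source
    limit catches a single noisy client; the aggregate limit catches a
    distributed flood in which no single address is individually loud.
    """
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(deque)   # ip -> timestamps still inside the window
    overall = deque()                 # all timestamps still inside the window
    offenders = set()
    aggregate_hit = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip malformed lines rather than abort
        ts, ip, _ = parsed
        q = per_source[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > per_source_limit:
            offenders.add(ip)
        overall.append(ts)
        while overall and ts - overall[0] > window:
            overall.popleft()
        if len(overall) > total_limit:
            aggregate_hit = True
    return {"sources": offenders, "aggregate": aggregate_hit}


def make_line(ip, ts, path="/index.html"):
    """Build one constructed access-log line in combined format."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


BASE = datetime(2008, 4, 10, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def sample_single_source_flood():
    """Three ordinary clients, then one client sending 50 requests in 5 seconds."""
    lines = [make_line(ip, BASE + timedelta(seconds=i))
             for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"])]
    lines += [make_line("203.0.113.99", BASE + timedelta(seconds=3 + i // 10))
              for i in range(50)]
    lines.append("garbage line that does not parse")
    return lines


def sample_distributed_flood():
    """Thirty distinct sources, one request each per second for five seconds."""
    return [make_line(f"198.51.100.{n + 1}", BASE + timedelta(seconds=sec))
            for sec in range(5) for n in range(30)]


if __name__ == "__main__":
    print(detect_floods(sample_single_source_flood()))   # one offender, aggregate False
    print(detect_floods(sample_distributed_flood()))     # no offender, aggregate True
```

The thresholds are deliberately parameters: a realistic deployment tunes them to the server's normal traffic, and the aggregate check is the one that matters for the Estonia-style case, where blocking individual addresses would never catch up with the number of sources.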
New Jersey remains a valuable target as it possesses a wealth of critical information infrastructure, much of which is inherently interdependent. New Jersey is strategically located along a heavy transit corridor for people and goods, and is a major node along the fiber path from the Northeast to Philadelphia and Washington, DC. Furthermore, New Jersey is one of the wealthiest states in the country and is home to many Fortune 500 companies. Any disruption to the State’s economy could have a drastic impact on the national economy and thus the nation’s economic stability.
Worst Case Scenario
A “worst case” cyber attack scenario would involve either a massive cyber attack or both a physical attack and a cyber attack carried out simultaneously. The federal government has conducted several tests and exercises designed to measure the viability and impact of such an attack:
• In July 2002, the US Naval War College developed a scenario entitled “Digital Pearl Harbor” to examine the effects of a coordinated cyberterrorism event. In this event, computer security experts attacked critical infrastructure systems simulating state-sponsored cyberwarfare. This test showed that the most vulnerable of systems included the Internet itself as well as the computer systems that are part of the financial infrastructure. This test also showed that the US telecommunications infrastructure would be able to withstand such an attack due to the built-in system security redundancy that would prevent widespread damage. It also noted that such an attack on the US “was only a slight possibility.”
• In February 2006, the Department of Homeland Security (DHS) held Cyber Storm, the first national cyber exercise. The most important finding from this exercise was the need for better interagency communication during such attacks. Other key findings included the need for a formal contingency plan of response, better correlation of multiple incident reports between the public and private sectors, public messaging to minimize damage through individual protective responses, and the overall need for better training, tools, and response processes.
• In March 2007, researchers at Idaho National Laboratories (INL) conducted an experiment labeled “Aurora Generator Test.” This test was designed to show the effects of a cyber attack on a power network by targeting a power generator. The generator was forced to shut down after receiving malicious commands from an outside source. This test demonstrated that in the event that enough generators were targeted simultaneously, a system failure is possible.
• In early March 2008, DHS conducted Cyber Storm II, the nation’s largest cyber security exercise. Mandated by Congress, the exercise was designed to simulate a coordinated cyber attack on information technology, communications, chemical, and transportation systems and assets. Participants were from federal, state and local governments, the private sector, and the international community. The exercise and the participants: 1) Examined organizations’ capability to prepare for, protect from, and respond to the potential effects of cyber attacks; 2) Exercised strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures; 3) Validated information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information; and 4) Examined means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.