[ISN] The phantom cyber-threat

From: InfoSec News (isn@C4I.ORG)
Date: Wed Apr 04 2001 - 19:52:00 CDT


http://salon.com/tech/feature/2001/04/04/cyberterrorism/index.html

By Caroline Benner
April 4, 2001

Are you under 30? If so, jokes former National Security Advisor
Anthony Lake in his book "Six Nightmares," chances are you have enough
technical know-how to be a cyber-threat. And if you don't, says Lake,
you can find everything you need, including cyber-attack tools and
their instruction manuals, on the Internet. Armed with these tools,
"millions of computer-savvy individuals could wreak havoc against the
United States."

Lake isn't the only policy wonk warning us of our own vulnerability.
On March 22, National Security Advisor Condoleezza Rice and Richard
Clarke, who heads U.S. counter-terrorism efforts, issued a warning
against computer attacks that could disrupt vital services in the
United States. "It is a paradox of our times," said Rice, "that the
very technology that makes our economy so dynamic and our military
forces so dominating also makes us more vulnerable."

But vulnerable to what? If the alarmists are right, we have some
terrifying scenarios ahead of us: large-scale attacks on critical
infrastructure such as the food supply, emergency services, government
agencies, power grids, communication systems, air traffic control and
financial systems. Lake, whose chapter "e-Terror, e-Crime" is a
veritable case study in cyber-attack alarmism, worries that
cyber-attackers could crash planes; tamper with food or medicines to
poison populations; or disrupt the economy by shutting down electrical
and communication systems. "The genie is well outside the bottle," he
claims, now that attackers have jammed 911 lines in Miami, overwhelmed
the e-mail system at an Air Force base and infiltrated an unclassified
Pentagon computer.

To an extent, their fears are legitimate. In the last 20 years, the
number of people with computer skills has grown dramatically; there
are thousands of computer viruses and hundreds of millions of
potential targets. An Associated Press story on Rice's announcement
cited $400 million in financial losses due to computer attacks over
the last year. But just because there are plenty of cyber-savvy
individuals out there doesn't mean that the attacks we're likely to
face are going to be as damaging as Lake and others fear. And no one
among them is offering a careful analysis of what the threat may be
and where it will come from.

Part of the problem is that Lake and other alarmists don't distinguish
between the resources it takes to cause an expensive nuisance -- like
last year's denial-of-service attacks on Yahoo and eBay -- and the
skills, time and access one needs to create a devastating attack, like
crashing an airplane. In "Six Nightmares," Lake doesn't consider the
checks that protect infrastructure from such threats. He also fails to
ask an obvious question: If there are so many malicious hackers at
work (19 million, by Lake's count), why have their attacks been, by
and large, fairly innocuous?

"Certainly the large majority of attacks demonstrate no more than
script-kiddie skill level," says Tim Shimeall, a senior member of the
technical staff with the CERT Analysis Center, a center for Internet
security at Carnegie Mellon University.

Script kiddies, or unskilled criminal programmers, perform simple
exploits against underprotected systems using software tools and
instructions created by skilled programmers. They take a tool and run
it against multiple targets, hoping to hit one of them. These tools
can crack passwords, steal files, install malicious software in a
target or cause a denial-of-service attack, but are unlikely to cause
large-scale damage. "Script kiddies are getting their clickers on more
sophisticated tools, but they have little ability to do more than
launch them," says John Arquilla, associate professor of information
technology at the Naval Postgraduate School in Monterey, Calif.

Tools like these don't automate large-scale attacks on critical
infrastructure as much as reproduce attacks that more proficient
troublemakers have carried out in the past. And so what expert
cyber-terrorists don't do routinely -- widespread attacks on the
electrical grid, for instance -- just isn't an option for the vast
majority of maliciously minded delinquents.

Major acts of cyber-terrorism are considerably more difficult than
Lake and other alarmists suggest. Many tools -- which are usually
designed to attack popular operating systems and common network
protocols -- don't work against some critical infrastructures which
run on proprietary operating systems and protocols. Moreover, a new
attack tool can lose potency within weeks as patches for the newfound
vulnerability are created and applied by alert system administrators.
Challenges like these are enough to knock most script kiddies out of
the running. Large-scale destruction requires the ability to create or
modify tools, or to know how to use combinations of tools. The vast
majority of script kiddies just don't have those skills.

"To carry out a large-scale attack against critical infrastructure
requires significant expertise," says Edward Felten, director of the
Secure Internet Programming Lab at Princeton University. A December
1999 study from the Naval Postgraduate School, "Cyberterror: Prospects
and Implications," elaborates on the sort of expertise that might be
necessary to execute attacks such as a "sustained total interruption
of some component of the national critical infrastructure across a
substantial customer base." Attackers would likely need sophisticated
programming skills as well as mastery of operating systems, network
and computer architectures, and security measures. They would need
time to fully analyze a target system, which may require insider
knowledge. They may also need organizational skills to employ multiple
simultaneous attacks from different locations.

A major cyber-attack takes skill and motive and so far, says Frank
Cilluffo, an editor of "Cybercrime, Cyberterrorism, Cyberwarfare," "we
haven't yet seen the marriage of the intent with the capability."

Lake believes that malicious hackers, or "crackers," could wreak havoc
against the United States just for the challenge of it, or to gain
prestige among their peers. But is this sufficient motivation
(especially given the criminal penalties) for real destruction?
Arquilla confirms that there have been instances when crackers were in
a position to do enormous damage and chose not to. He notes that most
hackers are looking for an intellectual challenge and their interests
are served better by a healthy information infrastructure than a
broken one.

Terrorists -- those with ample political motivation to carry out such
an attack -- are hindered by a lack of skills. According to the Naval
Postgraduate School study, large-scale acts by foreign terrorist
groups are likely a thing of the future since it takes a while to
develop the skill set necessary for such attacks. Purchasing outside
expertise is a possibility, but doing so introduces security risks for
the terrorist group.

When and if they do strike, cyber-attackers will find many of their
targets well guarded. Critical infrastructure systems are not sitting
ducks, waiting to be taken out by a skilled and motivated attacker.
Most systems have elaborate security measures in place, which may not
be foolproof, but do provide a measure of security. For starters,
critical infrastructure systems often have limited connections to
external networks, making them less susceptible to attack than more
open systems. Humans are also monitoring systems more closely than
they used to, which means that strange behavior is more likely to be
noticed quickly. Non-human checks tend to be effective too: Banks back
up their transactions daily and store the information offline.

Lake and other alarmists consistently ignore these and other
countermeasures against cyber-terrorism and overestimate the
likelihood of large-scale cyber-attacks. Take, for example, one of
Lake's nightmare scenarios, borrowed from James Adams' book "The Next
World War":

"A cyber-terrorist will remotely access the processing control systems
of a cereal manufacturer, change the levels of iron supplement, and
sicken and kill the children of a nation enjoying their food."

According to a standard medical text, a lethal dose of iron for a
child is between five and 10 grams. However, given that cereal
generally has less than one-half milligram of iron per serving, one
serving of cereal would need to contain 10,000 to 20,000 times the
normal amount of iron to kill the child eating it, an amount that
would render the cereal inedible. But it's hard to imagine the cereal
would ever even reach the breakfast table: Manufacturers routinely
test their products before shipping them to stores and, even prior to
that, would notice an increase in iron consumption.

While Lake and other alarmists fret over highly unlikely scenarios
such as that, they gloss over far more feasible and more likely
attacks.

We've seen the damage that ILOVEYOU-type viruses can do; they're
difficult to guard against and can have a significant economic impact.
But those viruses could be manipulated into far more damaging strains.
Information theft -- from credit card information to government
secrets -- continues to be a real threat. Small-scale attacks on
critical infrastructure, say, temporarily overwhelming a 911 system,
could be especially dangerous when combined with a physical strike,
like a subway bombing. Lake lumps threats like these in with major
attacks on infrastructure, making little distinction between likely,
smaller-scale threats and full-scale cyber-attacks.

Lake, Rice and Clarke have good reason to warn us of the danger of
cyber-attacks: There are people with the skills to cause real problems
and we don't have the experience to know how likely some of the
devastating attacks might be. But before our current spate of
minor-grade cyber-attacks graduates into serious threats, we should be
more realistic about what the damage is likely to be and from where we
can expect it to come. As Cilluffo points out, we have a window of
time to prepare for the threat. Let's at least understand the threat,
before it's too late.
