By Jimmy Lee Shreeve
31 May 2006
According to cyber-security experts, the terror attacks of 11
September and 7 July could be seen as mere staging posts compared to
the havoc and devastation that might be unleashed if terrorists turn
their focus from the physical to the digital world.
Scott Borg, the director and chief economist of the US Cyber
Consequences Unit (CCU), a Department of Homeland Security advisory
group, believes that attacks on computer networks are poised to
escalate to full-scale disasters that could bring down companies and
kill people. He warns that intelligence "chatter" increasingly points
to possible criminal or terrorist plans to destroy physical
infrastructure, such as power grids. Al-Qa'ida, he stresses, is
becoming capable of carrying out such attacks.
Most companies and organisations seem oblivious to the threat.
Usually, they worry about e-mail viruses and low-grade hacker attacks.
But Borg sees these as the least of their worries. "Up to now,
executives and network professionals have worried about what
adolescents and petty criminals have been doing," he says. "In most
cases, these kinds of cyber attacks aren't very destructive. The
reason is that businesses generally have enough inventory and extra
capacity to make up for any short-term interruptions."
What companies and organisations should worry about, Borg insists, is
"what grown-ups could do" - terrorists or hardcore criminals. One key
target would probably be the vital Supervisory Control and Data
Acquisition (Scada) systems in power plants and similar industries.
"Chatter on Scada attacks is increasing," says Borg, referring to
patterns of behaviour that suggest that criminal gangs and militant
groups are now fully capable of unleashing such attacks.
"Control systems are a particular worry, because these are the
computer systems that manage physical processes. They open and shut
the valves, adjust the temperatures, throw the switches, regulate the
pressures," he says. "Think of the control systems for chemical
plants, railway lines, or manufacturing facilities. Shutting these
systems down is a nuisance. Causing them to do the wrong thing at the
wrong time is much worse."
Until now, hackers have usually targeted credit cards or personal
information on the web. More sophisticated hackers, however, are
beginning to focus on databases. The type of data most likely to be
hit, Borg says, might include a pharmaceutical company's drug
development databases, or programs that manipulate data, such as
formulas for generating financial statements.
"Many attacks of this kind would have two components. One would alter
the process control system to produce a defective product. The other
would alter the quality control system so that the defect wouldn't
easily be detected," Borg says. "Imagine, say, a life-saving drug
being produced and distributed with the wrong level of active
ingredients. This could gradually result in large numbers of deaths or
disabilities. Yet it might take months before someone figured out what
was going on." The result, he says, would be panic, people afraid to
visit hospitals and health services facing huge lawsuits.
Deadly scenarios could occur in industry, too. Online outlaws might
change key specifications at a car factory, Borg says, causing a car
to "burst into flames after it had been driven for a certain number of
weeks". Apart from people being injured or killed, the car maker would
collapse. "People would stop buying cars." A few such attacks, run
simultaneously, would send economies crashing. Populations would be in
turmoil. At the click of a mouse, the terrorists would have won.
Is Borg justified in his fears? All this sounds like a plot from a
thriller; it's hard to take it seriously. But intelligence reports in
the last year or so make for worrying reading. An assessment by the
British security service MI5 stated that "Britain is four meals away
from anarchy". And officials admit their greatest fears about
electronic attacks focus on the more exposed networks that make up the
"critical national infrastructure" - the systems Borg is concerned
US agencies are concerned that terrorists could combine electronic and
physical attacks to devastating effect, such as disrupting emergency
services at the same time as mounting a bomb attack.
Risk management analysts, equally edgy, are focusing on the financial
impact on businesses and economies. They believe that an online attack
would undermine public confidence in vital industries, especially
utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A
cyber attack on, say, the power industry would cause communications
operations to close down for a period of time, expose customers to
loss of service, increase liability exposure and ultimately damage
reputation for service delivery."
It isn't just Western nations that fear a digital meltdown. This
month, the Malaysian government announced plans to establish a centre
to fight cyber-terrorism, which will provide an emergency response to
hi-tech attacks around the globe. Prime Minister Abdullah Ahmad Badawi
said the facility - to be located at the technology hub of Cyberjaya
outside Kuala Lumpur - would be called the International Multilateral
Partnership against Cyber-Terrorism, or Impact, and would be funded by
a combination of government revenue and the private sector.
Badawi said the threat of cyber-terrorism was too serious for
governments to ignore. "The potential to wreak havoc and cause
disruption to people, governments and global systems has increased as
the world becomes more globalised," he said. "The economic loss caused
by a cyber attack can be truly severe; for example, a nationwide
blackout, collapse of trading systems or the crippling of a central
bank's cheque clearing system."
While the case for cyber attack appears persuasive, some believe that
much of it is hype. "It's difficult to avoid comparisons with the
Millennium bug and the predictions of widespread computer chaos
arising from the change of date to the year 2000," says Tom Standage,
technology editor at The Economist magazine. "Then, as now, the alarm
was sounded by technology vendors and consultants, who stood to gain
Almost £400m was spent by the Government alone on preparations for the
Millennium bug. Computer consultants issued dire warnings of the
danger of an information technology breakdown that could paralyse
nations on New Year's Day 2000. When the clock struck midnight,
however, few problems were reported. There is scepticism that the bug
was ever a threat. As far as Standage is concerned, those in the
cyber-security industry - be they vendors boosting sales, academics
chasing grants or politicians looking for bigger budgets - always have
a "built-in incentive to overstate the risks".
But what of the Scada systems; surely they are highly vulnerable? "It
is true that utility companies and other operators of critical
infrastructure are increasingly connected to the internet," Standage
concedes. "But just because customers pay their bills online, it
doesn't follow that critical control systems are vulnerable to attack.
Control systems are usually kept entirely separate from other systems,
for good reason. They tend to be obscure, old-fashioned systems that
are incompatible with internet technology anyhow. Even authorised
users require specialist knowledge."
A simulation in 2002 by the US Naval War College concluded that an
"electronic Pearl Harbor" attack on America's infrastructure would
certainly cause serious disruption. But to pull it off would require
five years of preparation and a $200m budget. As US computer security
guru Bruce Schneier says: "If they want to attack, they will do it
with bombs like they always have."
But Richard Clarke, a former cyber-security expert in the Bush
administration, says this is complacent. "People claim no one will
ever die in a cyber-attack, but they're wrong. This is a serious
Clarke says that each time the US government has tested the security
of the electric power industry, he and his colleagues have been able
to hack their way in, "sometimes through an obscure route like the
billing system". He reveals that computer security officers at a
number of chemical plants have told him privately that they are very
concerned about the openness of their networks.
Scott Borg of the Cyber Consequences Unit goes along with this. He
believes the $93m budget for 2007 allocated to the Department of
Homeland Security to defend against cyber attack is justified. "Even
systems isolated from the internet are often accessible to thousands
of employees. How secure can any system be if thousands of people and
thousands of data ports can provide inside access to that system?"
The threat from software
IT security consulting firm Cyber Defense Agency (CDA) has warned the
US military, government and "critical infrastructure agencies" against
using outsourced commercial software which could be tampered with by
terrorists. CDA said that gas, electricity, telecommunications,
banking and water companies are among the services that could fall
foul of cyber terrorists exploiting "life-cycle" weaknesses buried
deep in the software code. Life-cycle attacks occur when one line of
code is programmed to open vulnerabilities within the software,
exposing the software and the company to external threats. "Outsourced
commercial software poses a silent but significant security risk to
the defence and welfare of the US," says Sami Saydjari, president of
CDA. "The chances of strategic damage from a cyber-terrorist attack on
the US increases the longer it takes to remedy the risks posed by