[Infowarrior] - The new breed of cyber-terrorist

Richard Forno rforno at infowarrior.org
Thu Jun 1 23:11:00 EDT 2006


(First I've heard of the CCU.......rf)

The new breed of cyber-terrorist
Could a ruthless new breed of cyber-terrorist cause meltdown at the click of
a mouse? Jimmy Lee Shreeve reports
Published: 31 May 2006
http://news.independent.co.uk/world/science_technology/article622421.ece

According to cyber-security experts, the terror attacks of 11 September and
7 July could be seen as mere staging posts compared to the havoc and
devastation that might be unleashed if terrorists turn their focus from the
physical to the digital world.

Scott Borg, the director and chief economist of the US Cyber Consequences
Unit (CCU), a Department of Homeland Security advisory group, believes that
attacks on computer networks are poised to escalate to full-scale disasters
that could bring down companies and kill people. He warns that intelligence
"chatter" increasingly points to possible criminal or terrorist plans to
destroy physical infrastructure, such as power grids. Al-Qa'ida, he
stresses, is becoming capable of carrying out such attacks.

Most companies and organisations seem oblivious to the threat. Usually, they
worry about e-mail viruses and low-grade hacker attacks. But Borg sees these
as the least of their worries. "Up to now, executives and network
professionals have worried about what adolescents and petty criminals have
been doing," he says. "In most cases, these kinds of cyber attacks aren't
very destructive. The reason is that businesses generally have enough
inventory and extra capacity to make up for any short-term interruptions."

What companies and organisations should worry about, Borg insists, is "what
grown-ups could do" - terrorists or hardcore criminals. One key target would
probably be the vital Supervisory Control and Data Acquisition (Scada)
systems in power plants and similar industries. "Chatter on Scada attacks is
increasing," says Borg, referring to patterns of behaviour that suggest that
criminal gangs and militant groups are now fully capable of unleashing such
attacks.

"Control systems are a particular worry, because these are the computer
systems that manage physical processes. They open and shut the valves,
adjust the temperatures, throw the switches, regulate the pressures," he
says. "Think of the control systems for chemical plants, railway lines, or
manufacturing facilities. Shutting these systems down is a nuisance. Causing
them to do the wrong thing at the wrong time is much worse."

Until now, hackers have usually targeted credit cards or personal
information on the web. More sophisticated hackers, however, are beginning
to focus on databases. The type of data most likely to be hit, Borg says,
might include a pharmaceutical company's drug development databases, or
programs that manipulate data, such as formulas for generating financial
statements.

"Many attacks of this kind would have two components. One would alter the
process control system to produce a defective product. The other would alter
the quality control system so that the defect wouldn't easily be detected,"
Borg says. "Imagine, say, a life-saving drug being produced and distributed
with the wrong level of active ingredients. This could gradually result in
large numbers of deaths or disabilities. Yet it might take months before
someone figured out what was going on." The result, he says, would be panic,
people afraid to visit hospitals and health services facing huge lawsuits.

Deadly scenarios could occur in industry, too. Online outlaws might change
key specifications at a car factory, Borg says, causing a car to "burst into
flames after it had been driven for a certain number of weeks". Apart from
people being injured or killed, the car maker would collapse. "People would
stop buying cars." A few such attacks, run simultaneously, would send
economies crashing. Populations would be in turmoil. At the click of a
mouse, the terrorists would have won.

Is Borg justified in his fears? All this sounds like a plot from a thriller;
it's hard to take it seriously. But intelligence reports in the last year or
so make for worrying reading. An assessment by the British security service
MI5 stated that "Britain is four meals away from anarchy". And officials
admit their greatest fears about electronic attacks focus on the more
exposed networks that make up the "critical national infrastructure" - the
systems Borg is concerned about.

US agencies are concerned that terrorists could combine electronic and
physical attacks to devastating effect, such as disrupting emergency
services at the same time as mounting a bomb attack.

Risk management analysts, equally edgy, are focusing on the financial impact
on businesses and economies. They believe that an online attack would
undermine public confidence in vital industries, especially utilities. Nick
Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the
power industry would cause communications operations to close down for a
period of time, expose customers to loss of service, increase liability
exposure and ultimately damage reputation for service delivery."

It isn't just Western nations that fear a digital meltdown. This month, the
Malaysian government announced plans to establish a centre to fight
cyber-terrorism, which will provide an emergency response to hi-tech attacks
around the globe. Prime Minister Abdullah Ahmad Badawi said the facility -
to be located at the technology hub of Cyberjaya outside Kuala Lumpur -
would be called the International Multilateral Partnership against
Cyber-Terrorism, or Impact, and would be funded by a combination of
government revenue and the private sector.

Badawi said the threat of cyber-terrorism was too serious for governments to
ignore. "The potential to wreak havoc and cause disruption to people,
governments and global systems has increased as the world becomes more
globalised," he said. "The economic loss caused by a cyber attack can be
truly severe; for example, a nationwide blackout, collapse of trading
systems or the crippling of a central bank's cheque clearing system."

While the case for cyber attack appears persuasive, some believe that much
of it is hype. "It's difficult to avoid comparisons with the Millennium bug
and the predictions of widespread computer chaos arising from the change of
date to the year 2000," says Tom Standage, technology editor at The
Economist magazine. "Then, as now, the alarm was sounded by technology
vendors and consultants, who stood to gain from scaremongering."

Almost £400m was spent by the Government alone on preparations for the
Millennium bug. Computer consultants issued dire warnings of the danger of
an information technology breakdown that could paralyse nations on New
Year's Day 2000. When the clock struck midnight, however, few problems were
reported. There is scepticism that the bug was ever a threat. As far as
Standage is concerned, those in the cyber-security industry - be they
vendors boosting sales, academics chasing grants or politicians looking for
bigger budgets - always have a "built-in incentive to overstate the risks".

But what of the Scada systems; surely they are highly vulnerable? "It is
true that utility companies and other operators of critical infrastructure
are increasingly connected to the internet," Standage concedes. "But just
because customers pay their bills online, it doesn't follow that critical
control systems are vulnerable to attack. Control systems are usually kept
entirely separate from other systems, for good reason. They tend to be
obscure, old-fashioned systems that are incompatible with internet
technology anyhow. Even authorised users require specialist knowledge."

A simulation in 2002 by the US Naval War College concluded that an
"electronic Pearl Harbor" attack on America's infrastructure would certainly
cause serious disruption. But to pull it off would require five years of
preparation and a $200m budget. As US computer security guru Bruce Schneier
says: "If they want to attack, they will do it with bombs like they always
have."

But Richard Clarke, a former cyber-security expert in the Bush
administration, says this is complacent. "People claim no one will ever die
in a cyber-attack, but they're wrong. This is a serious threat."

Clarke says that each time the US government has tested the security of the
electric power industry, he and his colleagues have been able to hack their
way in, "sometimes through an obscure route like the billing system". He
reveals that computer security officers at a number of chemical plants have
told him privately that they are very concerned about the openness of their
networks.

Scott Borg of the Cyber Consequences Unit goes along with this. He believes
the $93m budget for 2007 allocated to the Department of Homeland Security to
defend against cyber attack is justified. "Even systems isolated from the
internet are often accessible to thousands of employees. How secure can any
system be if thousands of people and thousands of data ports can provide
inside access to that system?"

The threat from software

IT security consulting firm Cyber Defense Agency (CDA) has warned the US
military, government and "critical infrastructure agencies" against using
outsourced commercial software which could be tampered with by terrorists.
CDA said that gas, electricity, telecommunications, banking and water
companies are among the services that could fall foul of cyber terrorists
exploiting "life-cycle" weaknesses buried deep in the software code.
Life-cycle attacks occur when one line of code is programmed to open
vulnerabilities within the software, exposing the software and the company
to external threats. "Outsourced commercial software poses a silent but
significant security risk to the defence and welfare of the US," says Sami
Saydjari, president of CDA. "The chances of strategic damage from a
cyber-terrorist attack on the US increases the longer it takes to remedy the
risks posed by outsourced software."




