Replies

The Clouds of Digital War Will the Next Terrorist Attack Be Delivered Via Cyberspace?

By Paul Eng ABCNEWS.com

July 8 — Many security experts fear that the next big terrorist strike against the United States might be on — and through — the Internet and other vital interconnected computer networks.

And the suspected attacks won't just deny Net surfers access to their favorite Web site or increase the risk of damaging computer viruses through e-mail. Rather, experts say the next cyber attack could actually lead to physical damage to real-world targets.

For example, terrorists might decide to take out the nation's telecommunication networks by modifying the software of computers that control the switching network. Or, they might work their way into the digital software systems that help air traffic controllers guide the thousands of planes that fly over U.S. cities.

"It was unthinkable almost a year ago in the general public mind that a common airplane would be used in attacks against buildings," says Simon Perry, vice president of security for Computer Associates in Islandia, N.Y. "It's the same here. IT [information technology] will be used to attack the physical world."

Evidence of Possible Training

Sound farfetched? Perhaps. But evidence is mounting that such cyber warfare may be on the minds of al Qaeda terrorists.

As first reported in The Washington Post and confirmed by ABCNEWS, U.S. investigators have discovered there have been numerous anonymous probes over the Internet for information regarding the nation's emergency phone system, water-distribution networks, and power grid — all critical parts of the U.S. infrastructure. Perhaps more disturbingly, officials also confirmed to ABCNEWS that some of these "probes" were focused on "digital switches" — devices designed to allow authorized personnel to monitor and control various aspects of a complex network of machines.

Vulnerable Switches?

Perry says these control systems used to be "esoteric systems" — ones that used proprietary interfaces and computer languages — and were accessible only to those who were trained in their specific designs.

But many such control systems are now based on the same UNIX software and communication protocols used by computers that are widely connected to the Internet. And while most control systems aren't connected directly to the Internet or accessible through a simple Web page, they are connected to other computer systems that typically are available online.

And there have been cases where others — typically disgruntled former employees or other malicious insiders — have used such hidden, but still-vulnerable systems for their own exploits.

Peggy Weigle, chief executive officer of software security firm Sanctum in Santa Clara, Calif., notes that just such an incident occurred a few years ago in Australia.

In that case, a former employee of a water-treatment plant had managed to gain control of the digital switches and secretly reversed the flow of fresh and sewer water. (The employee had hoped that the company would hire him back in order to solve the problem.)

While such incidents have been few and isolated, some security experts worry that it won't remain so for long.

A Mix of Old and Digital

"We've been talking about this kind of [threats] for months," says Weigle. "Just by looking at the organizations we've been involved with — financial institutions, water-treatment plants, power plants — they are all vulnerable to attack."

And Weigle believes that the power of such terrorist attacks could be devastating — especially when coupled with an attack using conventional means.

"Let's say they launch an attack on a power station," says Weigle. "Someone's going to call into the 911 emergency system. A lot of these [phone] systems are based [on computer protocols]. Can they be hacked? I think so. How long would it take people to figure out the right information on what was going on and what was wrong?"

But some say that such wide-ranging network attacks — while possible — are extremely difficult to pull off.

"It would still be fairly difficult [to] break in and jump through different switches," says William Tang, chief executive officer of Digital Security Consulting, an Arcadia, Calif., company that advises the electric power-generation industry. "There are some process controls, if you decide to throw all 500 switches that control the power in Southern California, it could alert a human before it does that."

Other experts note that companies and public institutions aren't exactly unaware or insensitive to the threats of Internet security.

George Hellyer, a director at security consulting firm JANUS Associates in Stamford, Conn., says that the years of attacks by hackers with viruses — and the recent unconventional attacks by terrorists — have stirred some movement by the public and private sectors.

When it comes to addressing network security issues, "we've seen changes over the last several years," says Hellyer. "They're thinking outside of the box and addressing what we thought was unthinkable is now possible."

Keys to Survival

However, Hellyer and others note that awareness is just the beginning and that both the government and the corporate world still have a lot of work to do when it comes to preparing for and preventing a cyber attack using the nation's information and support infrastructure.

For one, many believe that while corporations are paying attention to the threats against their networks, they aren't spending nearly the amount they should be on security solutions.

"When you work out the percentage of corporate budgets spent on IT security, it's less than 1 percent," says Computer Associates' Perry. "Most organizations spend more on coffee that IT security." By Perry's estimation, companies should be spending at least 100 times more on security measures.

And the money that companies do spend on network security shouldn't go to just technology solutions such as firewalls or network intruder detection systems, but toward hiring smarter, security-savvy people who will actually manage the various networks.

Over the last two years, the number of computers added to the Internet has more than doubled from 71 million to more than 146 million, says Alan Paller, director of research at the SANS Institute, a network security information clearinghouse in Bethseda, Md.

"Yet, there has only been about 25,000 people who can even spell 'security' that have been added in those two years," says Paller. "We need to up the security skills of these [network engineers]. And that's not going to happen overnight."

RELATED STORIES

Survey: U.S. Not Ready for Cyber-Attacks
Report: Al Qaeda May Be Planning Web Attacks
Govt. Warns Against Cyber-Terrorism
Silicon Insights: Cyber-Terrorism Protection

US electrical grid 'vulnerable to terrorism'

WASHINGTON - A growing number of security experts in and out of the US government are worried that potentially hostile states and even a rebuilt Al-Qaeda could wreak havoc through simultaneous and coordinated assaults on sensitive points on the electrical grid.

In an extraordinary manuscript translated by the CIA, two young colonels in China's People's Liberation Army wrote in 1999 that the United States had become so powerful militarily that waging conventional war against the superpower would be suicidal.
Prime target -- EPA

Instead, they argued in their book, Unrestricted Warfare, that in the event of war, China should take the battle to the US home front and assault its critical infrastructure and economy.

'If you're charged with imagining that you are in the crosshairs of the United States and your job is to prepare some war plan, the logic these guys came up with is pretty compelling,' said Mr Steven Flynn, a senior fellow on the Council on Foreign Relations who directed its independent task force on homeland security.

'They say, categorically, no way can we marshal resources or technology to conduct conventional warfare. We have to adapt, take it to the enemy, target their critical infrastructure.'

The Pentagon has conducted secret simulations which concluded that foreign powers or technologically sophisticated terrorist organisations could, with a few keystrokes on a computer, shut down the entire electrical grid.

Industry officials said that during the second half of last year, 60 per cent of the country's power and energy companies experienced hacking attacks. None was successful.

The Sept 11, 2001 attacks have also driven the industry to beef up conventional security by hiring more guards, building better fences and installing more sensors.

And during the past several years, cyber security has improved significantly. Passwords at power plants are changed routinely, anti-virus software is often upgraded and firewalls are getting better.

Counter-terrorism experts said the dissipated Al-Qaeda and associated terrorist organisations are unlikely to marshal the time and resources to launch a sophisticated attack on America's infrastructure.

But if allowed to reconstitute, these groups could be a threat, said Mr Flynn and others.

The authorities discovered an Al-Qaeda safe house in Pakistan last year that was devoted to training terrorists for computer hacking and cyber warfare.

The former director of the CIA's counter-terrorism centre, Mr Vincent Cannistraro, said on Saturday that a number of Al-Qaeda terrorists captured in the past two years were 'very advanced...computer specialists'.

The grid has many other vulnerabilities, Mr Flynn said.

If the electrical transformer for the Port of Los Angeles and Long Beach in California were blown up, for instance, it could take months, even under a crash programme, to bring electricity back to the vital port facility, which handles more than 30 per cent of the nation's imports in terms of dollar value.

There are no spare transformers, he said, and it normally takes two years from order to delivery for a new one. Most are built in South Korea.

Similarly, he said, if the turbines in the western provinces of Canada that feed gas through pipelines to numerous electric power plants in the American West were destroyed, several of the plants would shut down.

This would overload the system and result in brownouts, 'for a long, long time as you try to find replacement capacity', Mr Flynn said. -- LAT-WP