By Chris Cox
This article defines cyberterrorism and explores the use of cyber capabilities to achieve traditional terrorism goals, while examining the unprecedented role of non-state actors on both the offensive and the defensive side. It draws on a review of the websites and web-based services of identified terrorist groups, and on interviews with hackers conducted for the article, to assess capability and intent.
“Hacking on the Internet is one of the key pathways to Jihad, and we advise the Muslims who possess the expertise in the field to target the websites and the information networks of big companies and government agencies of the countries that attack Muslims, and to focus on the websites and networks that are managed by the media center that fight Islam, Jihad and mujahideen.”
-(Al-Qaida video, “You Are Held Responsible Only for Thyself- Part 2”, June 3, 2011)
In the 1990s, the buzz phrase was “Cyber Pearl Harbor.” A decade later, the term became “Cyber 9/11.” The terms may have changed, but the underlying (and as yet unrealized) fear has not: our nation is vulnerable to cyber attack, and our adversaries know it.
Cyberterrorism is a concept that is difficult to define and far more difficult to distinguish from other forms of cyber incident such as hacking, economic espionage or state-sponsored cyberwarfare. To consider the concept, we must first consider the two components of the term and the implications of each: “cyber,” which in contemporary terms refers to the infrastructure, networks and systems that make up the shared electronic medium enabling online communication, and “terrorism,” which for the purposes of this article refers to the unlawful use of violence or threat of violence to instill fear and coerce governments or societies in support of goals that may be political, ideological or social. To qualify as cyberterrorism, therefore, an act must further the goals of terrorism while using or targeting the medium of cyberspace. While not necessarily an act of cyberterrorism in itself, the use of cyber capabilities to support terrorist goals (fundraising, intelligence, training, recruiting and similar ends) must be considered when addressing the overall concern.
The potential for harm is significant; it is common for people to entrust critical financial or personal information to a personal computer or mobile device. Much of the nation’s critical infrastructure, including the electric grid, communications and water, is directly or indirectly reachable from public networks as well, which opens avenues for attack that were not foreseen when those systems were designed. This threat was highlighted in 2010 when FBI director Robert Mueller noted, “Terrorists have shown a clear interest in hacking skills and combining real attacks with cyber attacks,” and in 2011 when President Obama revealed that “cyber intruders have probed our electrical grid.” In 2012, after the discovery of the Flame malware, the security firm Kaspersky Lab added, “…it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable…”
Despite such provocative claims, one must exercise caution when assessing the realistic risk to life, livelihood and critical infrastructure. To constitute a ‘threat,’ an adversary must possess both the intent and the capability to carry out the act. In this context there are two basic questions: does the adversary have the intent to carry out a terrorist act, and does it have both the intent and the capability to do so through the cyber sphere?
Before considering the capability of any particular group, one must consider whether cyberterrorism in this sense is within the realm of possibility. While it is accurate to say that a “Cyber Pearl Harbor” has not occurred, the following examples demonstrate the damage and disruption that can be caused through cyber avenues. Note that these examples are mostly attributed to cyber criminals or state actors rather than terrorist factions; the potential for harm had they instead been initiated by terrorist forces is nonetheless evident.
2000: Vitek Boden, a former employee of the contractor that installed the SCADA system for the Maroochy Shire sewage network on Queensland’s Sunshine Coast, used a laptop and a radio transceiver to issue commands to pumping stations after being turned down for a council job, releasing an estimated 800,000 litres of raw sewage. The sewage affected nearby parks, creeks and a hotel. The case is notable because the attack came over the control system’s own wireless link rather than the Internet, and relied entirely on insider knowledge of the system.
2003: Hackers in Romania compromised computer systems at the Amundsen-Scott South Pole Station at a time when 58 researchers and support staff relied on those systems for life support, medical support and station operations in temperatures of 70 degrees below zero. The motivation in this case was financial (the intruders attempted extortion), but a similar intrusion with the intent to do harm could have been disastrous. In its public statement the FBI said the attack did “endanger the wellbeing of the South Pole researchers.”
2004: Rajib K. Mitra, a US resident, was convicted of disrupting Madison, Wisconsin’s police and fire emergency radio system, including during the city’s Halloween festivities.
2007: In protest at Estonia’s decision to relocate the Soviet World War II memorial known as the Bronze Soldier of Tallinn, along with associated war graves, distributed denial-of-service attacks widely attributed to Russian hackers took down websites of Estonia’s parliament, banks, ministries and media.
2010: “The Brigades of Tariq ibn Ziyad,” a jihadist group with the stated goal of using cyber capabilities to penetrate US Army networks, launched a mass-mailing worm on 9 September designed to affect businesses and government agencies. The attack was ideologically motivated, as the group’s own comment makes clear: “Listen to me about the reasons behind the 9 September virus that affected NASA, Coca-Cola, Google and most American gains. What I wanted to say is that U.S. doesn’t have the right to invade our people and steal oil under the name of nuclear weapons.” The creator of the video notes that the virus “wasn’t as harmful as it could have been.”
Though only a few of many examples, the cases above illustrate that the internet has already been “weaponized” and is seen as a viable medium through which to achieve political or ideological goals.
Fig 1: Selected examples of cyber security incidents
Former Homeland Security Secretary Tom Ridge warned, “Terrorists can sit at one computer connected to one network and can create worldwide havoc,” and the Australian Institute of Criminology assessed that “the potential damage which can be inflicted on our infrastructure – systems such as air traffic control, power, telecommunications, and the like, by a malicious person sitting at a keyboard on the other side of the planet, is mindboggling.” Neither scenario has been seen to a significant degree to date. To conclude from this that there is no threat, however, presupposes two things: that current and future security mechanisms are sufficient, and that the threat is not evolving. Both are demonstrably false.
Given that the goals of terrorism include the spread of fear and mass hysteria, FBI Special Agent John Chesson adds that non-violent acts can also be a concern, as “simple propaganda on the internet, such as that there will be bomb attacks during the holidays, can be considered cyberterrorism.” This is underscored by historical events, such as the 2005 incident in Sri Lanka in which a woman was killed and 50 others wounded in the panic resulting from a hoax bomb threat against a Saudi Arabian commercial flight. In another case, in Baghdad in 2005, a false claim that a suicide bomber was among the million or more Shia pilgrims crossing the Al-Aaimmah bridge resulted in the deaths of nearly 1,000 men, women and children, trampled or pushed from the bridge in the ensuing panic.
In the US, most critical infrastructure is privately owned and operated and, while these operators perform an indispensable public service and are accordingly supported by the Department of Homeland Security, they are not universally subject to the same strict cyber security regulations and requirements as government entities. For example, a classified military network is isolated from the publicly accessible internet, while a small-town ambulance service most likely is not. This means that while a Hollywood-style attack in which hackers gain control over the nation’s nuclear arsenal is unlikely at best, interfering with emergency response to a planned explosion is well within the realm of the possible.
The FBI-sponsored public-private partnership known as InfraGard is one group that aims to bridge that gap. With 54,000 members as of March 2013, InfraGard brings together academic institutions, businesses, law enforcement and other entities to share information and strategies to protect critical infrastructure. This relationship needs to be built upon and further cultivated so that it reaches the organizations and corporations entrusted with life-sustaining systems. That becomes more crucial when considered against the continuous actions of terrorist forces.
It is undeniable that certain terrorist groups have demonstrated their intent to do harm to the United States and its citizens. According to the Federal Bureau of Investigation, there were over 11,500 terrorist attacks in 72 countries in 2010, with approximately 50,000 victims. Of those, almost 13,200 were fatalities, more than half of them civilian. In addition, there were 250 incidents of domestic terrorism between 1980 and 2000, including the 1995 Oklahoma City bombing (168 dead, 680 wounded) and the bombings and robberies perpetrated by the United Freedom Front (UFF). The overall intent therefore exists and will continue to do so.
Whether cyber capabilities can be used to achieve terrorist goals is also relatively easy to determine. Relatively standardized control measures and security equipment help keep systems secure: automated network-based intrusion prevention systems watch for threats, while each computer on a network most likely has its own host-based security suite. However, as security technologist and cryptographer Bruce Schneier noted, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” While security software and hardware improve the security posture of a system, there is no such thing as “complete security” for any network connected to the same public internet that is expected to serve 15 billion devices by 2015.
To cause widespread damage, a terrorist element will consider a nation’s critical infrastructure a viable target. The term ‘critical infrastructure’ refers to “systems and assets, whether physical or virtual, so vital to the United States that the incapacity of such systems and assets would have debilitating impact on security, national economic security, national public health or safety, or any combination of those matters,” and includes food and agriculture, dams, energy, IT, postal services, banking and finance, communications, transportation, chemical, emergency services, healthcare and public health, nuclear facilities and water, among others. The term also covers critical international services on which we depend but over which we have no control, such as shipping, airports and communications services operated by other nations. To serve increasingly large geographic areas in a cost-constrained environment, these sectors rely heavily on Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCSs).
SCADA systems allow remote monitoring of systems and their status and include the capability to transmit commands from a remote location: for example, the remote monitoring and operation of railroad track switches, drawbridges and traffic control systems. A DCS is a network of computers that provides processed information to a centralized control location while also having the capability to receive remote commands. Generally, a DCS is used at a single site rather than being distributed across a wide geographic area; however, SCADA and DCS may be implemented within the same organization and work in tandem. In 1997, the President’s Commission on Critical Infrastructure Protection said of SCADA systems:
“From the cyber perspective, SCADA systems offer some of the most attractive targets to disgruntled insiders and saboteurs intent on triggering a catastrophic event. With the exponential growth of information system networks that interconnect the businesses, administrative and operational systems, significant disruption would result if an intruder were able to access a SCADA system and modify the data used for operational decisions, or modify programs that control critical industry equipment or the data reported to control centers”.
Although such systems were originally designed to be isolated from business networks, the practice of providing real-time data to customers and field technicians has led to SCADA components being connected, directly or indirectly, to public networks, introducing vulnerabilities that were not foreseen when the systems were designed.
Despite best practices such as network segmentation and data filtering, there has been a general increase in the number of cyber-related incidents reported to the FBI’s Internet Crime Complaint Center (IC3), with over 300,000 complaints in 2010 totaling $622 million in losses. Separately, Symantec surveyed businesses across six critical infrastructure categories, specifically emergency services, energy, IT, finance, health care and communications. In its Critical Infrastructure Protection Study, it found that 53 percent of respondents in those six sectors had experienced a politically motivated cyber attack, and only a third of those surveyed reported that they were “extremely” prepared for one.
With the creation of automated network exploitation tools and the availability of online training, we face an increasingly cyber-aware adversary that is growing in both capability and numbers. One example of the kind of resource available for misuse is Tor. Onion routing was originally designed, implemented and deployed by the US Naval Research Laboratory to protect the content and source of government communications by reducing the risk of traffic analysis and network surveillance; the Tor software was later sponsored by the Electronic Frontier Foundation (EFF), is now maintained by the non-profit Tor Project, and has gained wide use in the corporate world, the public sector and among private individuals. To understand the technology, imagine a separate network overlaid on the public internet in which successive relays pass encrypted traffic around the world. The client wraps each message in one layer of encryption per relay; each relay strips only its own layer and learns only the previous and the next hop, so no relay other than the entry node sees the actual source, and the payload remains encrypted until the exit node passes it to its destination (where, ideally, it is still protected by HTTPS). The tool exists to conceal user identities, and it is very successful at doing so provided the user takes basic precautions in their browsing habits. Additional protection comes from the fact that Tor builds new circuits periodically, so traffic may appear to originate in Germany at one moment and from Switzerland ten minutes later, making it essentially untraceable. Based on this capability, a targeted hacking effort against critical infrastructure would be difficult to attribute correctly and, possibly, to detect.
Because the intermediate nodes are anonymized and all traffic between them is encrypted, the onion network can also provide location-hidden services under a pseudo top-level domain, “.onion,” which are accessible only through a Tor client. Both the location and identity of the requester are hidden from the host, and those of the host from the requester, giving a high degree of protection to both parties and eliminating the inherent risk of traversing an exit node. An abundance of information and resources, legal and illegal, is available through hidden services at minimal risk. For example, one may purchase illegal narcotics (typically paid for with Bitcoin, a decentralized digital currency that is pseudonymous rather than truly anonymous and is not part of Tor itself), or browse child pornography, as easily as anonymously provide information about corporate wrongdoing (“whistleblowing”) or share information with fellow urban-exploration enthusiasts interested in the steam tunnels under Virginia Tech.
There is no Google-type service that automatically catalogues sites in the .onion pseudo-domain, and addresses are derived from a hash of the service’s public key rather than being user-friendly (for example, http://a5ec6f6zcxtudtch.onion is the URL for an anonymous e-mail service), so services are very difficult to identify unless explicitly shared. Because of this, information and plans may be openly shared with little concern about exposure, potentially supporting the key terrorist goals of training, planning and equipping.
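The two mechanisms just described, layered per-hop encryption and hash-derived .onion names, are small enough to model directly. The following is an added example written for this article, not code from the Tor Project: the stream cipher is a deliberately simple HMAC-based stand-in for the AES layers Tor actually uses, the per-relay keys are assumed to have already been negotiated (Tor does this while building the circuit), and the relay names, destination and the bytes fed to the address function are constructed for the demonstration. Running it shows that each relay learns only its neighbours, that only the exit sees the plaintext, and that a v2 .onion name is nothing more than the first 80 bits of SHA-1 over the service key, base32-encoded.

```python
"""Toy model of onion routing and of v2 .onion address derivation.

Added example for this article, not code from the Tor Project. The stream
cipher below is a simple HMAC-based stand-in for the AES layers Tor uses,
and the relay keys are assumed to have been negotiated already.
"""
import base64
import hashlib
import hmac
import os

HOP_FIELD = 16   # fixed-width "next hop" label carried inside each layer
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream.

    XOR is its own inverse, so the same call encrypts and decrypts. This is a
    stand-in for a real cipher and must not be used for real traffic.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_onion(route, destination: bytes, message: bytes) -> bytes:
    """Client side: add one encryption layer per relay, innermost layer first.

    route is a list of (relay_name, shared_key) in forwarding order. Each
    layer carries only the name of the following hop, so relay i can learn
    hop i+1 and nothing beyond it.
    """
    packet = message
    next_hop = destination
    for name, key in reversed(route):
        if len(next_hop) > HOP_FIELD:
            raise ValueError("hop label too long")
        nonce = os.urandom(NONCE_LEN)
        body = next_hop.ljust(HOP_FIELD, b"\0") + packet
        packet = nonce + keystream_xor(key, nonce, body)
        next_hop = name
    return packet


def relay_process(key: bytes, packet: bytes):
    """Relay side: strip one layer and return (next_hop, inner_packet)."""
    nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
    plain = keystream_xor(key, nonce, body)
    return plain[:HOP_FIELD].rstrip(b"\0"), plain[HOP_FIELD:]


def run_circuit(client: bytes, route, destination: bytes, message: bytes):
    """Forward the onion hop by hop and record what each relay could observe.

    Returns (destination seen by the exit, payload seen by the exit, log);
    the log has one entry per relay with its previous hop, its next hop and
    whether the relay could read the message at all.
    """
    packet = wrap_onion(route, destination, message)
    log = []
    prev = client
    for name, key in route:
        next_hop, packet = relay_process(key, packet)
        log.append({"relay": name, "from": prev, "to": next_hop,
                    "reads_plaintext": packet == message})
        prev = name
    return next_hop, packet, log


def onion_v2_address(der_public_key: bytes) -> str:
    """Tor v2 hidden-service name: base32 of the first 80 bits of SHA-1 over
    the service's DER-encoded RSA public key, plus ".onion". No registry is
    involved; the name is bound to the key by the hash alone."""
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    # Constructed three-hop circuit with random per-relay keys.
    route = [(b"guard", os.urandom(32)), (b"middle", os.urandom(32)), (b"exit", os.urandom(32))]
    dest, plain, log = run_circuit(b"client", route, b"example.org:443", b"GET / HTTP/1.1")
    for entry in log:
        print(entry)
    print(dest, plain)
    # Constructed bytes standing in for a real DER-encoded RSA key.
    print(onion_v2_address(b"-- constructed stand-in for a DER-encoded RSA key --"))
```

The log printed for the three-hop circuit is the whole point: the guard sees the client but only the middle relay's name, the middle relay sees neither client nor destination, and only the exit sees the destination and the request. Note also that the exit's view is exactly why the article's parenthetical about HTTPS matters.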
In this example the tool itself is neutral, and its use depends on the intent of the user. The service as a whole is beneficial and has many legitimate uses, including military (Tor is issued to US intelligence teams for open-source intelligence gathering), journalistic (to protect sources), governmental (to protect employees’ affiliation and identity when travelling overseas), individual (for people who value privacy or have legitimate reasons to fear for their security, such as the Iranian protesters of 2009), law enforcement and many others. However, the possibility also exists for exploitation by criminals, terrorists, hackers and others.
Tor is relatively easy to set up and configure, with pre-packaged software bundles and bootable USB “amnesic” operating systems (which leave no session data behind after each use) largely automating the process, and cyber attacks themselves can be simplified further with automated tools. One example is the Metasploit framework, which provides a library of ready-made exploits together with scanning and auxiliary modules; this tool still requires a certain degree of “cyber savvy” to use properly. In the likely (and historically observed) scenario that a large number of willing but unskilled participants are dedicated to a cause, a program like the “Low Orbit Ion Cannon,” or LOIC, may be preconfigured and distributed via the web to great effect. Using this tool, the online collective known as “Anonymous” launched distributed denial of service (DDoS) attacks against the RIAA, the US Department of Justice, the MPAA, PayPal and organizations that opposed WikiLeaks. Participants are often told that the tool carries little risk because the server cannot keep up with logging the volume of concurrent connections. In practice LOIC does nothing to conceal the participant’s own IP address, and server logs have been used to identify and prosecute participants in these attacks; the safety lies in being one of many, not in being invisible. Participation in such an effort may be likened to the infantry human-wave attacks most associated with the First and Second World Wars, in which the attacker relies on overwhelming numbers of expendable units to achieve its aims. By the same token, we will see less reliance on such rudimentary tactics as we face a more sophisticated, better trained and better equipped adversary; the greater the capability of the adversary, the more precise the attack we will face.
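A LOIC-style flood announces every participant by source address in the target's own access log, so the defender's first check is simply a per-source rate count over that log. The following is an added example written for this article, not part of LOIC, Metasploit or any other tool the article names: the log lines are constructed for the demonstration in the common Apache/nginx log format, the addresses come from the RFC 5737 documentation ranges, and the window and threshold are hypothetical values a real deployment would tune.

```python
"""Flagging flood sources in a web server's access log.

Added example for this article; the log lines below are constructed and the
window/threshold values are hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line: str):
    """Return (ip, timestamp, request, status), or None for a line that
    does not match the format (a server log often contains such lines)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, stamp, request, status, _size = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, request, int(status)


def flag_flood_sources(lines, window_seconds: int = 10, threshold: int = 5) -> dict:
    """Return {ip: peak_count} for every source that exceeds `threshold`
    requests inside any sliding window of `window_seconds`.

    Lines are assumed to be in time order, as a server writes them; lines
    that do not parse are skipped rather than aborting the scan.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _request, _status = rec
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


# Constructed sample: one source hammering the front page, one ordinary
# visitor, and one malformed line. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.2 - - [15/Mar/2013:12:00:00 +0000] "GET / HTTP/1.1" 200 5120',
] + [
    '203.0.113.7 - - [15/Mar/2013:12:00:%02d +0000] "GET / HTTP/1.1" 200 5120' % s
    for s in (1, 1, 1, 2, 2, 2, 3, 3)
] + [
    'garbage line that does not parse',
    '198.51.100.2 - - [15/Mar/2013:12:00:09 +0000] "GET /about HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, peak in flag_flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within 10s (threshold 5)")
```

On the sample the flood source is reported with a peak of 8 requests in the window while the ordinary visitor is not flagged. The same count over connection logs (rather than HTTP request logs) catches LOIC's TCP and UDP modes, since those too carry the participant's real address.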
The capability to launch attacks against critical infrastructure through cyber means is demonstrable and observable in historical cases. It is also undeniable that terrorist organizations exist that desire to do harm to the United States and its citizens. To demonstrate both capability and intent (and so substantiate the risk), the remaining question is whether organizations exist that intend to exercise that capability.
Increasingly, terrorist organizations are realizing the value of the Internet both as a means of accomplishing their goals and as an objective in itself; in other words, the Internet can be seen as both a weapon and a target. This dual nature is used to justify the use of Western technologies by organizations that would otherwise be bound to avoid their “corrupting” influence. For example, while the Qur’an is generally interpreted to forbid pornography, that is exactly the medium that was used to hide the encrypted documents seized by police in Berlin in 2011. This type of act is specifically addressed in the Manchester Document, which states that “necessity permits the forbidden” when breaking religious code in order to achieve objectives.
This discovery is significant for two reasons. First, and most obviously, it highlights the continued use of modern technology to achieve the group’s objectives, in this case encryption and steganography (remembering that these are neutral technologies that can be used to both nefarious and beneficial ends). Second, and perhaps more compelling, is the content itself. While the specific information in the files is not public, what has been released indicates an intense aspiration among Al Qaeda leadership to reinvigorate the organization through violent action in the face of restricted freedom of movement and greater surveillance. The documents note that anti-terrorism and intelligence efforts have significantly impeded the organization’s ability to conduct operations, requiring a change in tactics.
Indicative of this is the loose correlation between funding allotted by the Department of Homeland Security (DHS) for antiterrorism and the cost of cyber security incidents reported by the FBI. While this trend should not be considered causative, it is at least suggestive of a relationship between the restriction of movement and an increase in non-conventional tactics: each time anti-terrorism expenditures increase, so does the cost associated with cyber incidents, and each time they decrease, so does the cost of cyber incidents. Given the many variables behind each metric, there is no solid reason to conclude that the two are linked; however, it is the relationship one would expect to find if terrorist forces were pursuing electronic warfare as a force multiplier.
Fig 2: Relationship between anti-terrorism expenditures and costs associated with cyber incidents
The use of the internet to support terrorist objectives is not new. In 2000, Manchester police seized a document while executing a search warrant. This document, allegedly created by Al Qaeda, outlined multiple strategies for operating in an asymmetric environment, including conducting surveillance, deception, sabotage, assassination and kidnapping. Under the heading Espionage it estimated that, “Using this public source openly and without resorting to illegal means, it is possible to gather at least 80% of information about the enemy.” If terrorist groups consider that most actionable intelligence may be collected through unclassified, open-source methods, then it is a certainty that they are making efforts to do so.
A review of several hundred websites affiliated with or supporting foreign and domestic terrorism revealed a growing interest in hacking and electronic warfare. While far from universal, multiple groups advocate hacking as a legitimate strategy, offer courses in “electronic warfare” or make automated tools available for download. In forums and on the sites themselves there is a growing sentiment that cyber activity is a legitimate tactic, one that is both encouraged and enabled. Given the intended audience of such sites, this directly recruits and arms potentially dangerous adversaries.
In June 2011, Al Qaeda released a video titled “You Are Held Responsible Only for Thyself” in which it encourages cyber attacks by all followers, noting that “there’s a place for the underground mujahedeen” and “youth participation in the electronic warfare is possible and easy.” The segment includes clips of multiple US government officials stating our vulnerability to cyber attack, and ends with a question put to Admiral Michael McConnell, former Director of National Intelligence and former director of the NSA, about his concern over an attack against the power grid during the hottest part of summer or the coldest part of winter. “Is the United States ready for such an attack?” the interviewer asks. He replies, “No, the United States is not ready for such an attack.” By its prominent placement in the video, it is clear that this is the image Al Qaeda wishes to convey to those among its followers with the ability to act.
The Brigades of Tariq ibn Ziyad were formed in 2010 to further the goals of “electronic jihad.” Most notably, the group was responsible for distributing a mass-mailing worm that targeted US government and corporate systems, causing significant disruption to their services. Although the group claimed the capability to launch more damaging attacks, this indiscriminate worm stands in contrast to the Stuxnet worm of the same year, which was designed to damage the capabilities of one specific target. Another group is the North American Earth Liberation Front (ELF), which said that cyber attacks support its objectives: “by inflicting as much economic damage as possible, the ELF can allow a given agency to decide if it is in their best economic interest to stop destroying life for the sake of profit.”
Fig 3: “Electronic Jihad” site on a .onion domain
It is beyond contestation that individuals and groups exist that possess the desire to enable terrorist acts against the United States and have the intent and ability to do so using cyber capabilities; a bona fide threat is therefore demonstrable. On the whole, however, such groups have been reluctant to carry out such attacks. This reflects a general lack of expertise among groups primarily dedicated to traditional acts of physical terrorism, as indicated by the 2011 Al Qaeda video, in which the leadership urges anyone with “expertise in the field” to carry out such attacks and points to successful cyber attacks by others rather than claiming the ability itself. Although slow to adopt such technologies and tactics, this will conceivably change as the group develops a greater reliance on the Internet for recruiting, fundraising and operations, and more so should it recruit or hire those who already possess the desired skills.
One must wonder, however, whether a sensational internet-based attack is really the most effective strategy for achieving the goals of cyber jihad. If it is accepted that the internet itself is a viable target, particularly as it serves so conveniently as an example of Western decadence and moral corruption, then severe restrictions on the internet imposed by the target government would be perceived as a victory, particularly if they served to undermine citizens’ confidence in their government. The Brazilian revolutionary Carlos Marighella developed a strategy based on the observation that terrorist acts elicit a predictable reaction from the government, often in the form of increasingly repressive measures; in response, the populace would reject the perceived oppression and eventually revolt against its own government. Applied to the Internet, increased cybercrime and security incidents may serve to bolster the arguments of well-meaning politicians proposing measures that effectively censor the internet, measures that are overwhelmingly unpopular with users.
There is another factor, one which cannot be predictably restrained or controlled: the non-state hacker, who has the potential to play a decisive role in the event of unrestrained cyber warfare. There is a formal process for responding to a coordinated cyber attack against US interests, involving the Department of Homeland Security, the Defense Security Service, the Department of Defense and other agencies depending on the nature, source and scope of the threat. “The US has the capability to defend itself, but response to a state sponsored or OCONUS [Outside of the Continental US] cyber attack has many considerations that are affected by international treaties and possibly ongoing US Government covert operations,” says Special Agent Chesson. “Non-state hackers are more likely going to harm response capabilities if they interfere with the official response.”
Unlike government forces, independent hackers and hacking collectives are not bound by laws or rules of engagement. In the hypothetical scenario of a cyber attack found to originate from a commercial web host that also houses multiple legitimate business websites, government entities are bound by international law and treaty, while hackers are restricted only by a collective sense of morality or a willingness to break local law. An example is the 2011 effort dubbed “Operation Darknet,” in which those self-identifying with the collective Anonymous targeted a hosting service for child pornography sites on the Tor network. Although illegal, the action took roughly 40 child pornography sites with hundreds of gigabytes of images and videos offline and published the usernames of over 1,500 site visitors and administrators. The morality of the effort is a matter of personal interpretation.
A properly crafted tool could perform surveillance on the very network used by terrorist forces to facilitate a plot. The Flame malware is a textbook example: it was designed for intelligence gathering, specifically to capture screenshots, record audio via the microphone and steal files. Such a tool, if deployed, would allow one to map a terrorist contact network by surreptitiously capturing data and tracking communications. While arguably a valid target, the legal constraints that apply to official channels are not a factor for non-state hackers.
Non-attributional interviews with 43 self-proclaimed hackers, conducted for this article, showed trends that highlight the unpredictable yet potentially decisive role of this ethereal force. Respondents varied in age, skill level and affiliation; the overwhelming majority of those interviewed were from the US and stated that, in the event of a large-scale cyber attack against the United States, they would use their skills to assist in the defense of critical infrastructure, particularly if they themselves were affected by the loss of electricity, water or other essential services. Also telling is that a plurality believe “patriotic hacking” by non-government entities is justifiable if it protects government interests (41% yes, 32% no), while an even greater share felt it morally justifiable to hack into a commercial web server or network to prevent the commission of a crime (69% yes, 13% no). Perhaps most significant, 59% of respondents felt that hackers or hacking groups have the ability to either multiply or impede a nation’s traditional military or cyber warfare capabilities, through scenarios such as disrupting communications, spreading disinformation (which may be made to appear to come from official sources or websites), disabling military capabilities, disabling critical infrastructure or attacking personal computer systems, versus only 5% who felt such groups can have no impact (36% were “unsure”). This is noteworthy because it captures the sentiment of the groups themselves, who believe they may play a particular role if motivated to do so.
As the military, government and private industry develop their roles in the nation’s cyber defense, the public must also realize that it plays a critical part in our collective defense against cyber terror. Infected computers, known as “bots,” may be remotely leveraged into larger attacks, further insulating the actual attacker from prosecution. Individual users must recognize that poor security practices may have an impact well beyond their own personal data.
Although tempting to consider, the answer to the threat of cyberterrorism is not security technology alone, but training, awareness, a closer relationship between public and private entities, and coordinated response by the appropriate national and international agencies. The Internet continues to grow as an indispensable part of daily life, and we must accept that its presence has shaped our culture into one increasingly dependent on online services. Only by acknowledging that this technology is being used as a vector for terrorist action, and that it is a target in itself, can we bring collaborative resources to bear in defending the nation in this new domain of warfare. In the end, one thing must be remembered: our adversaries have the intent and capability to initiate cyber attacks, they know that we are vulnerable, and they are developing the skills and tactics to exploit that fact.