
The Dark Web Of Cyber Terror - The Threat That Got Lost in Traffic

Sammy Elrom - 12/2/2007

Addressing the issue of Cyber Terrorism in Nov 2004, Prof. Seymour Goodman, from the Sam Nunn School of Int’l Affairs & College of Computing at Georgia Tech, stated that “there have currently been no cyber terrorist attacks or evidence of Al Qaeda or any other terrorist organizations attempting one”. “We are much more imaginative in thinking what they could do to us than I suspect they are.” Nonetheless, Prof. Goodman warned against “the presumption that terrorist organizations simply do not have or will never recruit the people with the expertise to carry out a cyber attack”. Prof. Goodman stressed the need to take the threat of cyber terrorism seriously because “as terrorists begin to realize the full potential of such an attack, cyber terrorism will become more of a threat later.”

This quote is a typical example of the duality surrounding the issue of cyber terrorism. Experts from both sides of the debate try hard to adhere to one side but still don’t wander too far from the consensus line. A significant number of professionals agree that the potential for damage exists, but differ on whether the threat will materialize and, if so, what real damage terrorists will be able to inflict on global support and processing systems.

The Nay and Yea Sayers

“… Concern about the potential danger posed by cyberterrorism is thus well founded. That does not mean, however, that all the fears that have been voiced in the media, in Congress, and in other public forums are rational and reasonable. Some fears are simply unjustified, while others are highly exaggerated. In addition, the distinction between the potential and the actual damage inflicted by cyberterrorists has too often been ignored, and the relatively benign activities of most hackers have been conflated with the specter of pure cyberterrorism,” argues Gabriel Weimann in “Cyberterrorism: How Real Is the Threat”, and he is not alone. Many differentiate between the possibility of cyber attacks and the capabilities that terror organizations have at hand to carry out attacks that could create real chaos and crash critical infrastructure systems.

Another typical approach, that of those who believe the risk of a cyber attack is negligible, is well presented in the 2002 report “Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats”, published by the Center for Strategic & Int’l Studies, by Jim Lewis, in which he states that "The idea that hackers are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously. Nations are more robust than the early analysts of cyberterrorism and cyber warfare give them credit for. Infrastructure systems [are] more flexible and responsive in restoring service than the early analysts realized, in part because they have to deal with failure on a routine basis."

On the other side of the rainbow, experts like Frank Cilluffo, who served with DHS in 2004, declared that "while Bin Laden may have his finger on the trigger, his grandchildren may have their fingers on the computer mouse." In a more powerful and decisive opinion, other experts, like Denning, argue that “Future terrorists may indeed see greater potential for cyberterrorism than do the terrorists of today. Furthermore, the next generation of terrorists is now growing up in a digital world, one in which hacking tools are sure to become more powerful, simpler to use, and easier to access. Cyberterrorism may also become more attractive as the real and virtual worlds become more closely coupled. For instance, a terrorist group might simultaneously explode a bomb at a train station and launch a cyber attack on the communications infrastructure, thus magnifying the impact of the event. Unless these systems are carefully secured, conducting an online operation that physically harms someone may be as easy tomorrow as penetrating a website is today.”

Surprisingly, the results of a survey of senior IT members conducted by Insight IT magazine in December 2006 show that “eighty-two percent of IT executives believe that a cyber-terrorist attack on U.S. companies is likely to occur in the next five years”. Furthermore, the same survey reports that “over half of companies over $1 billion report security breaches in the past 12 months, and 45 percent have been targeted by organized criminals. Penetration by spyware and viruses remain problems, but they're not the only ones: nearly half of all companies that have had security breaches say equipment containing company data has been lost or stolen.” This is what they really think, despite the fat budgets and layers of protection the companies have invested in to protect their systems against penetration. Based on this survey and many similar results from repeated polling of IT professionals on this issue, there exists an obvious duality, characterized on the one hand by an innate disbelief in terrorists’ capability to launch a powerful cyber attack, and on the other by the personal conviction, and real fear, that such an attack could take place at any given moment.

The results support the fact that there is a constantly growing threat that terrorists will use a massive cyber attack as part of a multiple attack strategy. In his thorough description of this threat, Gregory J. Rattray wrote: “Increasingly, cyberterrorists can achieve effects in the US from nearly anywhere on the globe. Terrorist groups can access global information infrastructures owned and operated by the governments and corporations they want to target. Digital attackers have a wide variety of means to cause disruption and/or destruction. Response in kind by the US government against sophisticated attackers is near impossible due to the difficulty of pinpointing activity in cyberspace and legal strictures on tracing attackers.”

Furthermore, the renowned historian and terror expert Walter Laqueur observed in his essay “Post Modern Terrorism” as early as September 1996: “… why assassinate a politician or indiscriminately kill people when an attack on electronic switching will produce far more dramatic and long-lasting results.”

The writing was on the wall as early as the mid 90s, but again, nobody saw it, or preferred not to see it.

There is little doubt that the effectiveness of the means that could generate a digital attack continues to increase, meaning that the US will be more vulnerable to cyberterrorism. Terrorists using cyber terrorism have already reached a high degree of sophistication, developing technological attack tools and effective targeting strategies. On the other hand, Rattray points out that “limits to hitting back against cyberterrorism will remain a difficult problem”, recognizing that the threat is real and that we are ill equipped to respond swiftly and decisively.

Can We Rely On Existing Protection Systems?

Parallel to industrial development worldwide and the emergence of new giant economies such as Russia, China and India, to mention just a few, the whole business community, the entire government system and entire industries, not to mention the private sector and connected household systems, are today totally addicted to the instant information which the internet provides. This reliance on information, which did not exist only twenty years ago, created a new field of opportunities in which terrorism flourishes. Why? Because as access to the world wide web becomes simpler and the software more complicated, it becomes easier to attack defined targets and bring them down, crashing the whole structure and infrastructure connected to each other. Of course, IT companies, which obviously have a vested interest, IT managers and system administrators, not to mention many in academia, dismiss the actual threat by pointing out that:

* each system is independent
* redundant systems are in place
* there are emergency plans in case of a catastrophic event
* past experience and special war games have shown that the overall damage would be contained and systems would be reactivated faster than expected

Maybe so, but can anyone imagine a day without the internet and its ramifications for businesses, industries and private users? What would be the price of a sudden business and e-commerce crash sustained for only 24 hours? The answer is: between 17 and 24 billion dollars in direct losses. And what would happen if the banking system alone crashed for 24 hours? A loss of approximately 30 billion.

It’s a well-known fact that information is the lifeblood of commerce. Modern life has made “information”, and real-time information specifically, the most important factor in commerce. Even more important is the ability to access it any time, anywhere, and to transfer, exchange and act upon it, all based on the assumption that the information is accurate, in real time and protected. This demands wider, deeper, faster and more sophisticated networks, an ever-growing infrastructure and a continuous demand for more: more speed, more security, more options and more information. But we should beware of what we ask for, because as the power of the internet and the infrastructure it is based on increases, so do the chances of non-malicious disruption or, rather, of a focused terrorist attack on the system. Leaving aside the financial implications, the psychological impact on the whole Western system would be enormous, not to mention the disastrous impact on the military and security systems.

What is the likelihood of such a catastrophic event ever unfolding? Very high in my opinion, because we’ve seen the extreme changes in the way terrorists use the internet (detailed in Part One on this subject). It makes perfect sense that the almost total reliance on the internet by business, government, military, academia and society in general only emphasizes what a huge target it has become for terrorists to hit. Imagine a simultaneous attack targeting a critical infrastructure site like a nuclear power plant and its supporting and connecting network; besides the physical damage and the psychological effect, the collapse of the communication network may send a shock wave of secondary crashes impacting connected, related and remote networks and locations, which, like a delayed earthquake shock, creates an unstoppable ripple effect. And it is not rocket science to comprehend that, from the terrorists’ point of view, scores of casualties may be the ultimate goal PR-wise, but financial havoc and business chaos can be more destructive, because they impact the immediate lives of everybody.

Sophistication, Complexity and Bait-Testing Attacks

Despite continuous investments in software, network architecture, technology and infrastructure, cyber terrorism is becoming one of the hardest challenges to protect against in combating terrorism.

What about redundancy, backup systems, layers of infrastructure protection, etc., one may ask. Well, all of this exists, but it suffers from unprotected gaps, under-protected sub-systems, a lack of periodic (and costly) software and hardware updates and, above all, a lack of IT professionals who understand both the technological and the security challenge. Nonetheless, the most critical problem to deal with is that we really don’t know what the terrorists’ capabilities are. If the development in recent years, judged by their internet activity alone, is an indicator of the technical, software and IT level terrorists have reached, then we have an undeniable problem on our hands. Another indicator comes from studying how terrorists prepared and launched cyber attacks against selected targets, and the results may scare some nay sayers.

For example, a newly identified trend regarding the rapid development of cyber terror has been creating a big buzz lately. Professionals have expressed growing concern about the increase in the frequency of attacks on the Internet, which display a significant rise in sophistication and a considerable increase in terrorists’ capability to detect and use weak spots in protective software to attack networks, mainly sites that are aggressively anti-Islamic or anti-Jihad, including Muslim ones. Serious concerns continue to rise because of what those attacks are interpreted to mean: the complexity and sophistication of the attacks are increasing, yet the attack launchers need fewer and less professional skills to produce an effective attack. What this means is that terrorists study every initiated attack and the response to it, and learn what works and what doesn't, where new vulnerabilities were detected, what the local response was, and what methods the attacked network used to detect the attack and protect itself.

I find it troubling that many experts dismiss the enormous threat posed by dark web cyber attacks, given the reasons terrorists already use, and will intensify their use of, the internet’s inherent potential as a powerful destructive weapon. Here is why:

* The count of potential targets is enormous and is growing by the day. Everything becomes a potential target, from private networks, institutions, academia, the military, the banking system, the government, the private business systems, public utilities, airlines, and many others.
* The amount, the variety and the complexity of potential targets ensure that terrorists will find weaknesses and vulnerabilities to exploit.
* Cyberspace provides anonymity, which is of course welcomed by the terrorists using it. Operationally, terrorist attackers, like any other user, use screen names and can log on to an existing website without the need for identification or proof of it, making it very difficult for protective agencies and law enforcement forces to track down the terrorists' real identity.
* Both scientific and practical studies have shown that all the critical infrastructures, as detailed in the list released by the DHS, including electric power grids, emergency services, oil and gas pipelines and refineries, the water system, airports and commercial ports, are vulnerable to a cyber terrorist attack. But not only those systems are exposed; the military and intelligence networks are even more susceptible, although the consensus is that those networks are much better protected. This is a viable threat mainly because the infrastructures and the server and computer systems that run those networks are very complex and connected with each other in many subtle, undetectable ways, making it effectively impossible to eliminate all potential weaknesses, not to mention the problems that such systems encounter routinely.
* Terror-based cyber attacks are launched remotely, a very appealing characteristic to terrorists. Not only that, but once triggered, a cyber terrorism attack needs no more monitoring, supervision or presence on the web, and the results, if successful, can be heard and seen shortly on all media outlets.
* Cyber terror does not require physical training, only the recruiting of well-trained IT professionals, which is an easy task. In addition, there is no need for psychological training, there is no physical risk and the chances of being caught are slim anyway, better than with other, more dangerous alternatives, and altogether easier and safer.
* There is no need for subsequent investments, since everything is virtual, remote and unidentifiable. If the professional knowledge exists, then the goals are set to fit the knowledge that such an IT terrorist can deliver. And the more accumulated knowledge is put in the game, the greater the threats.
* A crucial element, and probably the main interim goal set by terrorists, is to receive as much media coverage as possible for as long as possible. Generating publicity, propaganda campaigns and using the internet as a recruiting tool have proven to be very effective, which makes the internet even more attractive as a strategic target.

Why do IT experts minimize the threat?

The first reason is that they are guessing, because they don’t know the answer. It is not comprehensible that so many experts still hold the view that the terrorists don’t have the knowledge, the professionalism and the means to cause deep and sustainable damage to our infrastructure. Tens of thousands of hacking events and network takeovers, resulting in damages of billions of dollars, happen every day, and the accumulated damage keeps mounting exponentially every year, in spite of better systems and better protection. We do not yet have any potent means to differentiate between challenge-hacking and terrorism-driven, maliciously intended hacking. So how can the nay sayers hold their ground? By pointing out that until now, there have been no catastrophic results due to IT security breaches and attacks by hackers and/or terrorists. What they fail to tell, or prefer to forget, is that based on their own analysis, even the results of several well-researched cyber attacks with no terror intentions show that the immediate results and the fallout following the attack were disastrous. If so, what would be the result of a coordinated terrorist cyber attack?

Jihadi websites are becoming more and more “emancipated” and more upfront in defining the goals of their activity. The website www.al-jinan.org, for example, has recently redefined e-Jihad: "The electronic jihad is the method and the means to inflict maximum human, financial and morale damage on the enemy by using the internet." The website reiterates the importance of organizing synchronized mass attacks on anti-Islamic websites and calls on fellow Jihadis to sign up for the list of targets and to study the techniques and programs used in e-Jihad.

E-Jihadists are encouraged to believe that they are engaging in an online form of true Jihad, which is no less important than physical Jihad, and to aspire to become a shahid (martyr). “The website distributes a program called Electronic Jihad that assists in overwhelming the servers of certain websites, thereby taking the websites offline, at least temporarily,” writes Abdul Hameed Bakier in “Terrorism Focus” (10/3/06).

Time and time again we see the typical arrogant approach so many security and IT experts take when analyzing terrorists’ cyber attack capabilities. One can’t but wonder if it isn’t the same approach of denial that almost all experts took between the first attack on the Twin Towers in 1993 and the 9/11 attack. All the signs and warnings were there, but the buy-in to the collective dismissal of Al-Qaeda’s capability reminds me very much of today’s situation. Consider the following examples:

* "These guys are so well protected because it's core to their business. They see these attacks constantly and they're able to fend them off very handily," said Jose Nazario, a senior security & software engineer at Arbor Works, talking about the competency of terrorists on the Internet. "Al Qaeda uses the internet to communicate but seems much more interested in physical attacks," he added.
* Johannes Ullrich, chief research officer of the SANS Institute, said last year that "Russian spammers have much more firepower than Al Qaeda could ever get because they're much more technologically sophisticated".
* On November 3rd this year, one of the “scoop” titles on the issue read “Al Qaeda cyber-jihad threat dismissed by researchers”, citing various experts that again went on to diminish or dismiss a potential cyber attack, mainly because “they are far away from being able to deal with our present protection systems”. Experts from McAfee Corp advised organizations “not to lose sleep over reports that Al-Qaeda would target Western websites in a mass-cyber attack”.
* Marcus Sachs, SANS Internet Storm Center director ridiculed the terrorists’ abilities and dismissed the threat by stating: “…Folks, let’s get serious about this for a few minutes. I know that this is politically incorrect, but the odds of a terrorist group ‘terrorizing’ the internet with cyber-bullets and e-bombs are about as small as the odds of the Morse Code coming back as a primary means of communication. It’s not zero, but it’s also not much more than zero…”
* “There are several organizations that track attacks over the Internet. Over the last six months, less than 1% of all attacks originated from countries on the U.S. government's Cyber Terrorist Watch List, while 35% originated from inside the United States”, declared Frank Washkuch, a renowned expert, recently. It seems from the way his statement was made that 35% of hacking efforts coming from inside the US is not something we should worry about. Could it be that those non-sophisticated attacks are a teaching stage and a preliminary on-site study, part of a coordinated effort to prepare the ground for a major attack? Is there anybody out there who can convince us of the opposite? Mr. Washkuch went on to say that “The terrorists use the internet for the same thing everybody else does - communicating with each other. They also use it to raise money through criminal activity, then launder it via one of the many electronic payment systems. Ever look at the spam and phishing junk mail you receive? It’s not just the Russian Business Network operating in the shadows. With the internet providing near-perfect communications and a seemingly endless supply of money why would a terrorist group want to blow it up?”. This blindfolded approach is one of the main reasons all the experts didn’t see 9/11 coming, although the information and facts were available. Shouldn’t those experts exercise more self-discipline by not being so categorical that such an attack is not possible? I believe they should.
* Every example experts provide is intended to differentiate between the “reality” as seen by them and the popular belief regarding the nation’s exposure to the threat. They prefer to use as supporting proof the analysis of major system crashes which happened due to internal problems, maintenance procedures and accidental virus penetration into networks, to show that these occurred mostly because of mistakes made by users. Even if all those network crashes took place for the reasons the experts believe they did, doesn’t that also prove that terrorists could, at the very least, repeat such events? How many mainframes, multi-level networks and secondary systems have to crash before the financial, monetary and business industries are forced to close, not to mention the military, intelligence and government institutions? Nobody really knows, yet we’re repeatedly told that the level of danger is exaggerated. So who is the real exaggerator: the media, the experts or the public?

Conclusions

We are bombarded daily by unsupported, sometimes doubtful evidence showing that the threat is not critical, reassuring us that terrorists are far from being able to launch a major dark-web cyber attack equivalent to the impact of 9/11. The following quote is one of hundreds like it: “Amid all the dire warnings and alarming statistics that the subject of cyber terrorism generates, it is important to remember one simple statistic: so far, there has been no recorded instance of a terrorist cyber attack in the US”.

True, but not as evident as it may sound, because if one gathers the hundreds of cyber attempts and cyber attacks that the nay sayers define as “kid hacking”, there is a growing volume of small damages, painful to the attacked targets, which accumulates into wider, deeper and more powerful disturbances of the networks and the flow of information. And hasn’t this same phrase, in various versions, been chanted by renowned professionals and experts regarding Al-Qaeda’s capabilities until the very day of 9/11, when the first of the Twin Towers was hit? Haven’t we been told then that Al-Qaeda had limited potential? Haven’t we been reassured then that “we have taken all deemed necessary protective means to thwart such an attack”? We have been brainwashed by experts, the media and academia, and most of us believed them.

Let’s not repeat this dreadful mistake; let’s not underestimate the enemy’s capabilities, especially not those of the renewed, regenerated, thriving Al-Qaeda. Let’s not decide in advance what their real capabilities are. We definitely know what their final goal is: the total reign of radical, fanatic Wahhabism and total Jihad on Earth. And let us not forget that Jihadists are not rushing anything; they believe that time is in their favor.

Part three of this series will deal with the rapid technological progress terrorists are focused on, some scary yet viable scenarios, and the least we can do to slow them down and buy time to develop pinpointed technologies that can successfully contain the threat within a defined space. If necessary, part four will follow.


