Clouds of Digital War
Will the Next Terrorist Attack Be Delivered Via
By Paul Eng
July 8 ‹ Many security experts fear that the
next big terrorist strike against the United
States might be on ‹ and through ‹ the
Internet and other vital interconnected computer
For example, terrorists might decide to take
out the nation's telecommunication networks by
modifying the software of computers that control
the switching network. Or, they might work their
way into the
digital software systems that help air traffic
controllers guide the thousands of planes that fly
over U.S. cities.
"It was unthinkable almost a year ago in the
general public mind that a common airplane would
be used in attacks against buildings," says
Simon Perry, vice president of security for
Computer Associates in Islandia, N.Y. "It's
the same here. IT [information technology] will be
used to attack the physical world."
Evidence of Possible Training
Sound farfetched? Perhaps.
But evidence is mounting that such cyber warfare
may be on the minds of al Qaeda terrorists.
As first reported in The Washington Post and
confirmed by ABCNEWS, U.S. investigators have
discovered there have been numerous anonymous
probes over the Internet for information regarding
the nation's emergency phone system,
water-distribution networks, and power grid ‹
all critical parts of the U.S. infrastructure.
Perhaps more disturbingly, officials also
confirmed to ABCNEWS that some of these
"probes" were focused on "digital
switches" ‹ devices designed to allow
authorized personnel to monitor and control
various aspects of a complex network of machines.
Perry says these control systems used to be
"esoteric systems" ‹ ones that used
proprietary interfaces and computer languages ‹
and were accessible only to those who were trained
in their specific designs.
But many such control systems are now based on the
same UNIX software and communication protocols
used by computers that are widely connected to the
Internet. And while most control systems aren't
connected directly to the Internet or accessible
through a simple Web page, they are connected to
other computer systems that typically are
And there have been cases where others ‹
typically disgruntled former employees or other
malicious insiders ‹ have used such hidden, but
still-vulnerable systems for their own exploits.
Peggy Weigle, chief executive officer of software
security firm Sanctum in Santa Clara, Calif.,
notes that just such an incident occurred a few
years ago in Australia.
In that case, a former employee of a
water-treatment plant had managed to gain control
of the digital switches and secretly reversed the
flow of fresh and sewer water. (The employee had
hoped that the company would hire him back in
order to solve the problem.)
While such incidents have been few and isolated,
some security experts worry that it won't remain
so for long.
A Mix of Old and Digital
"We've been talking about this kind of
[threats] for months," says Weigle.
"Just by looking at the organizations we've
been involved with ‹ financial institutions,
water-treatment plants, power plants ‹ they are
all vulnerable to attack."
And Weigle believes that the power of such
terrorist attacks could be devastating ‹
especially when coupled with an attack using
"Let's say they launch an attack on a power
station," says Weigle. "Someone's going
to call into the 911 emergency system. A lot of
these [phone] systems are based [on computer
protocols]. Can they be hacked? I think so. How
long would it take people to figure out the right
information on what was going on and what was
But some say that such wide-ranging network
attacks ‹ while possible ‹ are extremely
difficult to pull off.
"It would still be fairly difficult [to]
break in and jump through different
switches," says William Tang, chief executive
officer of Digital Security Consulting, an
Arcadia, Calif., company that advises the electric
power-generation industry. "There are some
process controls, if you decide to throw all 500
switches that control the power in Southern
California, it could alert a human before it does
Other experts note that companies and public
institutions aren't exactly unaware or insensitive
to the threats of Internet security.
George Hellyer, a director at security consulting
firm JANUS Associates in Stamford, Conn., says
that the years of attacks by hackers with viruses
and the recent unconventional attacks by
terrorists have stirred some movement by the
public and private sectors.
When it comes to addressing network security
issues, "we've seen changes over the last
several years," says Hellyer. "They're
thinking outside of the box and addressing what we
thought was unthinkable is now possible."
Keys to Survival
However, Hellyer and others note that awareness is
just the beginning and that both the government
and the corporate world still have a lot of work
to do when it comes to preparing for and
preventing a cyber attack using the nation's
information and support infrastructure.
For one, many believe that while corporations are
paying attention to the threats against their
networks, they aren't spending nearly the amount
they should be on security solutions.
"When you work out the percentage of
corporate budgets spent on IT security, it's less
than 1 percent," says Computer Associates'
Perry. "Most organizations spend more on
coffee that IT security." By Perry's
estimation, companies should be spending at least
100 times more on security measures.
And the money that companies do spend on network
security shouldn't go to just technology solutions
such as firewalls or network intruder detection
systems, but toward hiring smarter, security-savvy
people who will actually manage the various
Over the last two years, the number of computers
added to the Internet has more than doubled from
71 million to more than 146 million, says Alan
Paller, director of research at the SANS
Institute, a network security information
clearinghouse in Bethseda, Md.
"Yet, there has only been about 25,000 people
who can even spell 'security' that have been added
in those two years," says Paller. "We
need to up the security skills of these [network
engineers]. And that's not going to happen
Back to the Stories &