Will the Next Terrorist Attack Be Delivered Via Cyberspace?

The Clouds of Digital War
Will the Next Terrorist Attack Be Delivered Via Cyberspace?
By Paul Eng

July 8 ‹ Many security experts fear that the next big terrorist strike against the United States might be on ‹ and through ‹ the Internet and other vital interconnected computer networks.

For example, terrorists might decide to take out the nation's telecommunication networks by modifying the software of computers that control the switching network. Or, they might work their way into the
digital software systems that help air traffic controllers guide the thousands of planes that fly over U.S. cities.

"It was unthinkable almost a year ago in the general public mind that a common airplane would be used in attacks against buildings," says Simon Perry, vice president of security for Computer Associates in Islandia, N.Y. "It's the same here. IT [information technology] will be used to attack the physical world."

Evidence of Possible Training

Sound farfetched? Perhaps.

But evidence is mounting that such cyber warfare may be on the minds of al Qaeda terrorists.

As first reported in The Washington Post and confirmed by ABCNEWS, U.S. investigators have discovered there have been numerous anonymous probes over the Internet for information regarding the nation's emergency phone system, water-distribution networks, and power grid ‹ all critical parts of the U.S. infrastructure.

Perhaps more disturbingly, officials also confirmed to ABCNEWS that some of these "probes" were focused on "digital switches" ‹ devices designed to allow authorized personnel to monitor and control various aspects of a complex network of machines.

Vulnerable Switches?

Perry says these control systems used to be "esoteric systems" ‹ ones that used proprietary interfaces and computer languages ‹ and were accessible only to those who were trained in their specific designs.

But many such control systems are now based on the same UNIX software and communication protocols used by computers that are widely connected to the Internet. And while most control systems aren't connected directly to the Internet or accessible through a simple Web page, they are connected to other computer systems that typically are available online.

And there have been cases where others ‹ typically disgruntled former employees or other malicious insiders ‹ have used such hidden, but still-vulnerable systems for their own exploits.

Peggy Weigle, chief executive officer of software security firm Sanctum in Santa Clara, Calif., notes that just such an incident occurred a few years ago in Australia.

In that case, a former employee of a water-treatment plant had managed to gain control of the digital switches and secretly reversed the flow of fresh and sewer water. (The employee had hoped that the company would hire him back in order to solve the problem.)

While such incidents have been few and isolated, some security experts worry that it won't remain so for long.

A Mix of Old and Digital

"We've been talking about this kind of [threats] for months," says Weigle. "Just by looking at the organizations we've been involved with ‹ financial institutions, water-treatment plants, power plants ‹ they are all vulnerable to attack."

And Weigle believes that the power of such terrorist attacks could be devastating ‹ especially when coupled with an attack using conventional means.

"Let's say they launch an attack on a power station," says Weigle. "Someone's going to call into the 911 emergency system. A lot of these [phone] systems are based [on computer protocols]. Can they be hacked? I think so. How long would it take people to figure out the right information on what was going on and what was wrong?"

But some say that such wide-ranging network attacks ‹ while possible ‹ are extremely difficult to pull off.

"It would still be fairly difficult [to] break in and jump through different switches," says William Tang, chief executive officer of Digital Security Consulting, an Arcadia, Calif., company that advises the electric power-generation industry. "There are some process controls, if you decide to throw all 500 switches that control the power in Southern California, it could alert a human before it does that."

Other experts note that companies and public institutions aren't exactly unaware or insensitive to the threats of Internet security.

George Hellyer, a director at security consulting firm JANUS Associates in Stamford, Conn., says that the years of attacks by hackers with viruses and the recent unconventional attacks by terrorists have stirred some movement by the public and private sectors.

When it comes to addressing network security issues, "we've seen changes over the last several years," says Hellyer. "They're thinking outside of the box and addressing what we thought was unthinkable is now possible."

Keys to Survival

However, Hellyer and others note that awareness is just the beginning and that both the government and the corporate world still have a lot of work to do when it comes to preparing for and preventing a cyber attack using the nation's information and support infrastructure.

For one, many believe that while corporations are paying attention to the threats against their networks, they aren't spending nearly the amount they should be on security solutions.

"When you work out the percentage of corporate budgets spent on IT security, it's less than 1 percent," says Computer Associates' Perry. "Most organizations spend more on coffee that IT security." By Perry's estimation, companies should be spending at least 100 times more on security measures.

And the money that companies do spend on network security shouldn't go to just technology solutions such as firewalls or network intruder detection systems, but toward hiring smarter, security-savvy people who will actually manage the various networks.

Over the last two years, the number of computers added to the Internet has more than doubled from 71 million to more than 146 million, says Alan Paller, director of research at the SANS Institute, a network security information clearinghouse in Bethseda, Md.

"Yet, there has only been about 25,000 people who can even spell 'security' that have been added in those two years," says Paller. "We need to up the security skills of these [network engineers]. And that's not going to happen overnight."

Back to the Stories & Articles Page