April 2003 Mfg.Trust
Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS.
This month: Cyber Terrorism – The Issues Minus the Hype
See the Resources Page for this Story
Editor's Preface:
You and I are not likely to be “terrorized” because we can’t get our email
for a day. We may have been annoyed or inconvenienced – but not terrorized
– when our ATM machine was shut down as a precaution during the Slammer
worm attack recently.
Yet security professionals across the nation were quietly thankful that
the originator of the Slammer worm was courteous enough to launch it on a
Saturday, and did not add a payload.
Since Cyber Terrorism often does not touch individuals directly, reporting
about it is often viewed as overblown - hype. But there are real national
issues which are explored in this article.
As always, this article is accompanied by a rich
Resources page. Many
prior Mfg.Trust articles (see
http://trust.ncms.org, select Publications Index tab) and online
classes (see http://products.ncms.org)
have dealt with security defenses.
Editor
Cyber Terrorism
Terrorism involves the unlawful use or threatened use of force or
violence against people or property with the intention of intimidating or
coercing societies or governments, often for ideological or political
reasons.
Fortunately, computers don’t exercise violence against people (although I
can understand people exercising violence against computers!). Thus
cyber-terrorism achieves violence through the systems that computers
control. Nationally symbolic targets in the financial, utilities,
communications, transportation, or industrial sectors are
particularly lucrative.
The Environment
Howard Schmidt, Chairman of the President’s Critical
Infrastructure Protection Board, points out in his recent article “Securing
Cyberspace” that, “One of the greater paradoxes of the information age is
that while we have greater access to more information than at any time in
our history, we have become increasingly vulnerable to any disruptions as
a result.” He goes on to illustrate that the critical infrastructures of
this country have become dependent on cyberspace and interdependent with
each other.
New Demands on Law Enforcement and “International” Crime
FBI Director Robert Mueller characterizes the threats to cyber security
as two separate and related problems. The first is the growth of
traditional crimes that have migrated online: fraud, identity theft,
copyright infringement, child pornography and exploitation. The second
problem is a new category of crime that includes computer intrusions,
denial of service attacks, and cyber terrorism. These types of attacks
obviously did not exist in the days before computers, networks, and the
Web. Yet today they have the potential to ruin businesses, cause
staggering financial losses, threaten our national security, and even cost
lives. Addressing these threats poses special problems for law enforcement
due to the rapid speed of change in skills required to address the
problem, and the distinctly international nature of these crimes.
Technology Blurs the Distinction between a Criminal Act and an Act of
War
A US Senate report entitled Crime, Terror and War: National Security &
Public Safety in the Information Age points out that “technology blurs the
distinction between a criminal act and an act of war.” (See the resources
page. The report is most interesting in light of today’s realities, as it
was written in 1998.) It states:
“In the face of these threats, we are coming to reexamine the meaning of
national security, and the traditional ways in which government has
provided for the common defense. When national security threats transcend
our borders, it is clear that domestic tranquility cannot be the exclusive
province of law enforcement agencies. Nor can the military confine itself
to defending against threats that arise only abroad.
For guardians of the nation’s security, and defenders of the Constitution,
I believe there is an important dividing line that we need to ponder:
Where does national security leave off, and domestic security begin? What
are the threats to our safety and security, and how can would-be
aggressors be deterred? How can we defend against new adversaries who
would exploit the weapons of the information age? What is the right
national security strategy to protect America today? And what are the
policies, plans, and programs needed to carry out that strategy? These
questions are affecting the responsibilities we assign defense agencies,
the intelligence community, and law enforcement agencies, and the
relationships among them.”
These are the serious concerns voiced in 1998 that framed the argument for
a Department of Homeland Security.
The transition between Law Enforcement and National Defense is also
addressed more recently by Scott Charney, former Chief of the Computer
Crime and Intellectual Property Section of the U.S. Department of Justice,
in testimony (see resources page):
“To protect citizens against crime, we hire, train, and equip law
enforcement personnel. To protect us against those who would steal our
military secrets or attack our vital state interests, we rely upon the
intelligence community, both affirmatively to collect foreign
intelligence, and defensively through counter-intelligence techniques.
Counterintelligence techniques are also used to protect economic secrets
from foreign threats. Finally, to address the military threat posed by
another state, we fund a military, supporting personnel, equipment and
weapons. In short, depending upon the threat, we deploy a different
resource, and each resource plays by its own set of rules.
This traditional model works, however, only when one can identify the
nature of the attack; specifically, who is attacking and for what reason.
This traditional model fails in the Information Age because when computers
are under attack, the “who” and “why” are unknown.
[Further,] “the notion that only states have access to weapons of war is
no longer correct, at least not if information warfare is considered.
Simply put, we have distributed a technology that is far more powerful
than most that are placed in the public domain. Traditional vigilance
regarding states that support terrorism, political unrest, or are
otherwise considered “rogue” (i.e., “nations of concern”) are now
supplemented by threats from “individuals of concern,” a far larger pool,
and one that is harder to identify and police. As a result, an attack upon
the Defense Department may come not only from a foreign nation conducting
information warfare, but also from juveniles on the West Coast, as it did
in Solar Sunrise (the case name for a widespread attack against the U.S.
Department of Defense). To the extent the country detects a cyber attack
but does not know who is attacking (a juvenile, a criminal, a spy, or a
nation-state bent on committing information warfare), what resources
should it deploy in response?”
Privacy and Encryption Policy
The impact on citizens of the US Senate debate reported in “Crime,
Terror and War: National Security & Public Safety in the Information Age”
(cited above) quickly focused on privacy and encryption. The report
pointed out:
“There are two separate issues embedded in the encryption policy debate.
The first focuses on a domestic matter: how do we maintain individual
privacy of communication, while also maintaining law enforcement’s ability
to read encrypted communications when authorized by the court under
constitutional authority?”
“The second issue has an international dimension: how do we prevent
foreign countries with policies inimical to the United States, terrorist
groups, and organized crime from obtaining encryption technologies that
would undermine our intelligence collection efforts?”
This three-part argument continues today: (1) Encryption technology
is vital for protecting personal and commercial data. People need to be
able to operate information systems with ease, and with confidence that
their privacy is secured. (2) The government needs to have secure systems
to protect sensitive information and national security communications. (3)
However, unbreakable code in the hands of criminals adds a terrible tool
for unlawful acts.
Conclusions
As citizens, we demand it all: privacy, free markets,
public safety, and national security.
The nation must reconsider how to balance our contradictory
objectives in a data-rich, sometimes anonymous environment. We must
revisit our legal, economic, and social regimes, rethinking how we protect
data, promote economic growth, ensure the effectiveness of law
enforcement, and respond to an attack when lacking critical decisional
facts.