No Fear
Steps Companies Should Take To Guard Against Cyberterrorism
By Kirk Kirksey
Published in Texas Technology Magazine, March 2002
Consider a coordinated, multi-pronged, untraceable assault on computers and networks controlling water treatment facilities, commercial air traffic, telecommunications nodes, municipal power grids, major financial institutions, or even lab tests for hospital patients.
Now imagine a scenario more disastrous than any the world has yet seen.
Cyberterrorism experts from government think tanks, the FBI, the Gartner Group, and others say it is only a matter of time before another horrific event befalls the United States of America. Even where traditional information security programs and disaster recovery plans are in place, these same experts come to a startling conclusion: we, as a nation, have a lot to learn about cyber attacks. To survive, we must understand the nature of cyberterrorism, what it looks like today and what it will look like tomorrow. And we must act. Organizations that have given a comprehensive information security plan low priority don't have much time. The rest must reexamine their information defenses and recovery mechanisms in the light of this growing and, some say, inevitable threat, because one thing is certain: it's a new world.
The Nature of the Beast
Academics quibble over the definition of cyberterrorism. Mark Pollitt, special agent of the FBI Laboratory's Computer Analysis Response Team, said, "Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs and data, which results in violence against noncombatant targets by subnational groups or clandestine agents." Two points are worth noting. First, cyberterrorism is not restricted to cyberspace; its effects may also be physical. The target, goals, and methods are what count. Second, cyberterrorism is carried out as policy and delivered by groups or agents, which translates into well coordinated, multi-pronged attacks originating from locations around the globe.
Terrorists with computers are nothing new. Like any new-millennium global enterprise, terrorist organizations and their cells use email and the Internet to communicate and organize. In a report issued by Georgetown University for the House Armed Services Committee Special Oversight Panel on Terrorism (May 2000), Dr. Dorothy Denning cited widespread computer use by terrorist groups around the globe. According to Denning's report, Osama bin Laden's operation in Afghanistan was equipped with computers and communications equipment as early as 1996. Egyptian Afghan computer experts were said to have devised a communications network using email and chat rooms, and Al Qaeda planned operations using this network. In 1998, U.S. News and World Report noted that 12 of the 30 groups on the US State Department's list of terrorist organizations had an Internet presence. By the time the Denning report was issued, virtually all terrorist organizations, including Hamas, the Revolutionary Armed Forces of Colombia, Peru's Tupac Amaru, Japan's Aum Shinrikyo (responsible for releasing poison gas in the Tokyo subway in 1995), and more were on the Web, some in a big way. Denning describes three sites run by Hizbollah: one is a chronicle of attacks against Israeli targets (www.moqawama.org), another a central press office site (www.hizbolah.org/), and the third is a news and information service using the Al Manar Television URL (www.almanar.co.lb).
Where, when, and how
A terrorist with an email address and a chat room password is one thing; global cyberterrorism is a different animal. Tamil guerillas swamped Sri Lankan embassy computers with email in 1998. Spanish protesters did the same to the Institute for Global Communications. Hacktivists protesting the 1999 Kosovo bombings launched denial of service (DoS) attacks against NATO computers. Then a disgruntled Australian employee hacked water treatment computers, causing an overflow of raw sewage. Up to now, the difference between a simple hack and a cyber attack has been murky. But the lines are becoming clearer.
In August 1999, the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School in Monterey, California issued "Cyberterror: Prospects and Implications." In the report, the Monterey team described three levels of cyberterror capability. The first is easily recognizable: Level One attackers construct basic hacks using tools readily available in the hacker community. There is little target analysis, command and control, or learning. This lack of sophistication often creates the illusion of a random hack. At Level Two, more sophisticated attacks become possible by altering existing tools and attacking multiple targets simultaneously; elementary target analysis and self-learning appear. Level Three attacks cause mass disruption against "integrated, heterogeneous defenses," and are possible only with sophisticated, specialized cyber weapons created by the cyberterrorist organization itself.
As the cyberterrorist's sophistication increases, so does the criticality of his targets. Today, most hackers ignore what a system does and simply search for a weak system or network. Cyberterrorists, on the other hand, will increasingly target specific economic or service functions. According to the Monterey report's scenario, simple Web site defacement and DoS bombardments will evolve into firewall breaches and attacks on the control systems for vital services such as telecommunication links, gas lines, energy grids, transportation systems, and more, all accomplished with tools designed to attack a specific function.
Seven Pillars Revisited
Although the buzzwords vary, the principles of protecting the transmittal, processing, and storage of information are well known. To clarify, here are seven pillars of a comprehensive information security program: (I) the assessment of risk; (II) physical security; (III) intrusion control and information access management; (IV) system specification methodology; (V) employee education; (VI) business continuity including disaster recovery; and (VII) executive commitment.
I. Assessment of Risk
You can hire consultants with $200 pens or buy expensive software packages, but a formal risk assessment process has one and only one goal: the scenario-based identification and prioritization of risks. For each identified risk (a virus attack, a bomb, the destruction of a key supplier), there is a subjective probability of occurrence and an estimate of the loss. In this world of limited resources, situations with the highest probability and the greatest loss are usually addressed first. High probability/medium loss situations are addressed next, and low probability/low loss scenarios don't get much attention. Before September 11, the information protection risk assessment involved natural disasters or business calamities. "What happens if the data center floods?" "What if our ISP goes out of business?" "What if a major supplier is bought by a competitor?" Bottom line: when assessing risk today, executives must consider situations unthinkable just one year ago. Examples include specialized virus attacks with no known cure, the loss of critical suppliers, interruption of basic services such as power or water, permanent loss of critical personnel, uninhabitable computing facilities, and grounded air travel.
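The prioritization rule described above, expressed as a small script. This is an added example, not code from the original article or from any assessment tool; the scenarios, probability bands, and dollar figures are constructed for illustration, and the tier thresholds are an assumed reading of "highest risk and greatest loss first, high risk/medium loss next, low risk/low loss last". Within a tier, scenarios are ordered by annualized loss expectancy (occurrences per year times loss per event) so that two "address now" items still have a definite order.

```python
"""Scenario-based risk ranking (added example; all figures are constructed)."""
from dataclasses import dataclass

# Subjective bands, as the article describes them, mapped to numbers.
BAND = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str         # subjective probability band: low / medium / high
    loss: str               # estimated loss band: low / medium / high
    per_year: float         # expected occurrences per year (constructed)
    loss_per_event: float   # estimated dollars per occurrence (constructed)

    def ale(self) -> float:
        """Annualized loss expectancy: occurrences per year times loss per event."""
        return self.per_year * self.loss_per_event


def tier(s: Scenario) -> str:
    """Map the likelihood/loss bands to the treatment the article describes.

    The thresholds are an assumption of this example, not the article's.
    """
    score = BAND[s.likelihood] * BAND[s.loss]
    if score >= 6:          # high/high or high/medium: address first
        return "address now"
    if score >= 3:          # medium/medium, high/low, low/high: plan and budget
        return "plan"
    return "accept"         # low/low and medium/low: monitor only


def rank(scenarios):
    """Highest tier first; within a tier, the larger expected annual loss first."""
    order = {"address now": 0, "plan": 1, "accept": 2}
    return sorted(scenarios, key=lambda s: (order[tier(s)], -s.ale()))


# Constructed risk register for a hypothetical organization.
SCENARIOS = [
    Scenario("virus with no signature available", "high", "medium", 2.0, 150_000),
    Scenario("data center flood", "low", "high", 0.05, 4_000_000),
    Scenario("bomb threat forces evacuation", "medium", "medium", 0.5, 80_000),
    Scenario("critical supplier lost", "medium", "high", 0.2, 1_200_000),
    Scenario("extended ISP outage", "medium", "low", 1.0, 20_000),
]

if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{tier(s):12} ${s.ale():>12,.0f}  {s.name}")
```

Run as a script it prints the register in treatment order; the point of the tie-break is that a low-probability flood with a very large loss still outranks a medium/medium bomb threat within the "plan" tier, which a purely qualitative matrix would not show.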
II. Physical Security
Physical security and access control in data centers are nothing new. Every possible point of access to an organization's computing environment is a potential back door for a cyber attack. Any enabled, unattended port on a remote hub or switch is trouble. On the other hand, the cost of securing the physical infrastructure, even for a moderately sized organization, can easily approach millions of dollars. Telephony and data wiring closets shared with janitors, physical plant maintenance personnel, and contractors must come under close scrutiny, and monitored access to all wiring closets must be considered. Conduct detailed background checks on any employee or contractor who will have physical access to rooms holding computing or communications equipment. Responses to bomb threats, which may arrive via email, instant messaging, or traditional channels, must be anticipated and rehearsed. On the technical side, special cabinets may be needed to secure wiring frames and racks. In some cases, data/telephony closets must be relocated altogether. Converting network hubs to switches limits what a sniffer plugged into one port can see, although a switch is not a substitute for access control. Moving departmental servers to more secure locations, whether secure data centers or secure closets and rooms, is highly recommended.
III. Intrusion Control and Information Access
Intrusion control, long considered the first line of defense against hackers and viruses, is typically implemented using intrusion detection systems, firewalls, and email virus scanning. Intrusion detection systems provide continuous monitoring for malicious traffic. Firewalls control IP port access to selected network resources, while access to application information is usually controlled by password systems ranging from simple to complex.
Bulletproof intrusion control and information access will be the hallmark of any company serious about protecting its information assets. Every possible external access point must be examined. Ideally, every piece of information from the outside world should be intercepted and scanned before it is allowed into the corporate intranet. This means proxy servers for Web pages browsed by employees, pre-scanning of email for viruses, and examination of all incoming TCP/IP traffic regardless of port, FTP and application-specific services included. Any service that can't be pre-scanned (e.g. local POP mail) should be discontinued. Externally available services such as HTTP and FTP must be placed in a screened segment (a DMZ) that the firewall separates from the internal network, so that a compromised public server does not sit on the corporate intranet. Updating virus fingerprints monthly or even weekly is no good; fingerprints should be updated several times a day, and at least hourly during an active outbreak. Vendor Web sites must be constantly monitored for software patches. And don't forget the phones: any desktop computer simultaneously connected to a modem and the corporate network is a threat. When it comes to passwords and information access, password management policies must be developed and strictly enforced. Unused IDs must be identified and deleted. Where audit trails are absent, they must be implemented, and once present they must be monitored. Any organization with Internet connections should begin a vulnerability assessment program that includes unannounced penetration testing and password cracking. Testing should take place from both inside and outside the firewall, and be performed by trained security professionals. No overworked network administrators allowed.
IV. System Specification
Whether buying or building, the system specification is the roadmap to the final product. When it comes to the system spec, security is usually relegated to simple password policies and the definition of access levels. As the threat of cyberterrorism increases, the 'Information Security' section of the system specification, whether the system is purchased or programmed, takes on new meaning. For legacy systems, passwords will remain the first line of defense against unauthorized access. As new systems are developed, stronger security features can be designed in from the start. A more dangerous world demands usable biometric identification methods. Where passwords are used, sophisticated policies and password management tools matter more than ever. Under the covers, audit trails and the audit analysis methods that identify not only unauthorized access but also abnormal usage patterns must be specified. When purchasing a system, vendor personnel can be a critical issue. Vendor employees and other contractors should agree contractually to abide by corporate security policies, and purchasers of large systems must now be concerned about the personnel screening techniques used for vendor staff and other outside contractors. Screening vendor personnel not important? Just before the Japanese subway poison gas attack, the country's Metropolitan Police Department acquired a software package for tracking police vehicles, including unmarked cars. Members of the Aum Shinrikyo cult had developed and sold the software to law enforcement officials.
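The audit-trail work that pillars III and IV both call for (finding unused IDs to delete, and analyzing the trail for abnormal usage patterns as well as outright unauthorized access) is easier to specify once it has been written down as concrete checks. The following is an added example, not code from the article or from any vendor product. It assumes a hypothetical line-oriented login audit format and a constructed account directory; the 90-day dormancy window, the 07:00 to 19:00 working hours, and the five-failures-in-ten-minutes burst rule are assumed thresholds that a real policy would set.

```python
"""Audit-trail review: dormant IDs and abnormal login patterns (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in a hypothetical format; not from any real product.
AUDIT_LINES = """\
2001-11-15 10:00:00 LOGIN OK user=rjones src=10.1.2.8
2002-03-01 08:15:22 LOGIN OK user=jdoe src=10.1.4.22
2002-03-01 08:20:10 LOGIN OK user=asmith src=10.1.4.31
2002-03-02 02:41:07 LOGIN OK user=bsmith src=10.1.9.3
2002-03-03 09:02:45 LOGIN OK user=jdoe src=10.1.4.22
2002-03-04 23:10:01 LOGIN FAIL user=admin src=203.0.113.5
2002-03-04 23:10:09 LOGIN FAIL user=admin src=203.0.113.5
2002-03-04 23:10:15 LOGIN FAIL user=admin src=203.0.113.5
2002-03-04 23:10:22 LOGIN FAIL user=admin src=203.0.113.5
2002-03-04 23:10:30 LOGIN FAIL user=admin src=203.0.113.5
2002-03-05 08:00:00 LOGIN OK user=asmith src=10.1.4.31
""".splitlines()

# Constructed account directory: every ID that exists, used or not.
ACCOUNTS = {"jdoe", "asmith", "bsmith", "admin", "rjones", "contractor7"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_audit(lines):
    """Parse audit lines into events; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def dormant_ids(accounts, events, now, max_idle_days=90):
    """IDs with no successful login inside the window, including never-used IDs."""
    last_ok = {}
    for e in events:
        if e["ok"]:
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in accounts if last_ok.get(u, datetime.min) < cutoff)


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed working window: an abnormal pattern."""
    return sorted({(e["user"], e["ts"].strftime("%Y-%m-%d %H:%M"))
                   for e in events
                   if e["ok"] and not (start_hour <= e["ts"].hour < end_hour)})


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """(user, source) pairs with at least `threshold` failures inside any window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[(e["user"], e["src"])].append(e["ts"])
    bursts = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append(key)
                break
    return sorted(bursts)


def review(lines=AUDIT_LINES, accounts=ACCOUNTS, now=datetime(2002, 3, 6)):
    """Run all three checks over one audit trail and return the findings."""
    events = parse_audit(lines)
    return {
        "dormant": dormant_ids(accounts, events, now),
        "off_hours": off_hours_logins(events),
        "bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

Note that the dormancy check reports an ID the directory knows about but the trail never shows succeeding, which is exactly the case of an administrative account that exists but is never used legitimately, and here is also the one under a password-guessing burst. The checks work from the directory, not just from the trail, because an ID that never appears in the log is invisible to a log-only review.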
V. Employee Education
All employees, especially computer users, should be trained, retrained, and trained again to expect an increase in malicious cyber activity. Permanent telephone numbers and email addresses for reporting suspicious activity should be established. Being on the alert for suspicious physical activity is as important as watching for questionable cyber activity. For users managing local desktops and servers, frequent virus updates and software patches are mandatory. Critical resources should be moved under the auspices of the central technology organization for consistent management and disaster recovery.
VI. Business Continuity and Disaster Recovery
For many organizations, business continuity and disaster recovery are inconvenient costs forced on them by auditors and regulatory agencies. Departmental business continuity plans (many created as a result of Y2K) are sadly out of date. Business continuity plans allow an organization's functional units, such as departments, to continue doing business even though computing and communications resources have been damaged or destroyed. Important issues include the offsite storage of critical paper forms and reports, supplier and customer contacts, employee lists, and anything else required to keep the business running. Complex viruses and global attacks mean continuity plans must allow for the possibility of an extended Internet outage, and even interruptions in normal telecommunications services. Disaster recovery is the plan for restoring the company's computing and communications capabilities. An organization may lease a hot site, a remote location outfitted with critical hardware and software. Drop-shipment contracts for the rapid delivery of replacement equipment may be required. An organization without realistic business continuity and disaster recovery plans is an organization asking for trouble.
After surveying recovery efforts, information security specialists across the country, including the Gartner Group, have suggested changes and additions to traditional plans. First and foremost, a corporate emergency response team must be established. In any attack or disaster, this team becomes the focal point for coordinating activities, including the issuance of public statements. Disaster recovery plans that depend on air travel (e.g. shipping backup tapes to remote hot sites) should be reexamined; look for hot sites closer to home. Remote placement of mirrored resources such as storage area networks (SANs) is a viable disaster recovery strategy. Consider partnering with competitors for disaster recovery services. On September 11, with landlines and cellular towers destroyed, the Internet became a primary means of communication. Post September 11, the Gartner Group recommends Internet multi-homing, the configuration of multiple Internet connections purchased from different vendors. One surprising Gartner finding: during crises, commercial instant messaging became an important communication vehicle. AOL Instant Messenger or MSN Messenger accounts should be established for key personnel, keeping in mind that these consumer services carry messages in the clear and are suited to coordination rather than to sensitive data.
Sadly, the rehearsal of disaster recovery and business continuity plans must cover the possibility of personnel loss. An hour before a disaster recovery rehearsal begins, one executive should draw team members' names out of a hat and categorize them as dead, injured, or missing. Cross training is more important than ever.
VII. Executive Commitment
Exact costs for information security will be dictated by the nature of the business and the results of a formal risk assessment. In that company's first attempt to calculate the total cost of ownership (TCO), the Gartner Group report "The Price of Information Security" (June 8, 2001, Note Number R-11-6534) describes five categories for an information security TCO chart of accounts: hardware, people, software, external services, and physical security. These categories are divided into 28 activities. For an international company with $600 million in revenues and 3,600 end users, the average total cost of a comprehensive information security program could approach $600,000 per year.
It's a new world, and cyberterrorism is a part of it. No longer an activity to appease the audit department, comprehensive information security must become an integral part of the corporate computing environment. Executives and information professionals must devote the time, money, thought, and resources needed to protect mission critical information resources because, like it or not, it's only a matter of time.
(Kirk Kirksey has over 25 years of computing experience both in the United States and abroad. He currently serves as the vice president for information resources at the University of Texas Southwestern Medical Center at Dallas.)