CDA in the News
Could a ruthless new breed of cyber-terrorist cause meltdown at the click of a mouse? Jimmy Lee Shreeve reports
31 May 2006
According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world.
Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks.
Most companies and organisations seem oblivious to the threat. Usually, they worry about e-mail viruses and low-grade hacker attacks. But Borg sees these as the least of their worries. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for any short-term interruptions."
What companies and organisations should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries. "Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks.
"Control systems are a particular worry, because these are the computer systems that manage physical processes. They open and shut the valves, adjust the temperatures, throw the switches, regulate the pressures," he says. "Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse."
Until now, hackers have usually targeted credit cards or personal information on the web. More sophisticated hackers, however, are beginning to focus on databases. The type of data most likely to be hit, Borg says, might include a pharmaceutical company's drug development databases, or programs that manipulate data, such as formulas for generating financial statements.
"Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on." The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits.
Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, Borg says, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car maker would collapse. "People would stop buying cars." A few such attacks, run simultaneously, would send economies crashing. Populations would be in turmoil. At the click of a mouse, the terrorists would have won.
Is Borg justified in his fears? All this sounds like a plot from a thriller; it's hard to take it seriously. But intelligence reports in the last year or so make for worrying reading. An assessment by the British security service MI5 stated that "Britain is four meals away from anarchy". And officials admit their greatest fears about electronic attacks focus on the more exposed networks that make up the "critical national infrastructure" - the systems Borg is concerned about.
US agencies are concerned that terrorists could combine electronic and physical attacks to devastating effect, such as disrupting emergency services at the same time as mounting a bomb attack.
Risk management analysts, equally edgy, are focusing on the financial impact on businesses and economies. They believe that an online attack would undermine public confidence in vital industries, especially utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the power industry would cause communications operations to close down for a period of time, expose customers to loss of service, increase liability exposure and ultimately damage reputation for service delivery."
It isn't just Western nations that fear a digital meltdown. This month, the Malaysian government announced plans to establish a centre to fight cyber-terrorism, which will provide an emergency response to hi-tech attacks around the globe. Prime Minister Abdullah Ahmad Badawi said the facility - to be located at the technology hub of Cyberjaya outside Kuala Lumpur - would be called the International Multilateral Partnership against Cyber-Terrorism, or Impact, and would be funded by a combination of government revenue and the private sector.
Badawi said the threat of cyber-terrorism was too serious for governments to ignore. "The potential to wreak havoc and cause disruption to people, governments and global systems has increased as the world becomes more globalised," he said. "The economic loss caused by a cyber attack can be truly severe; for example, a nationwide blackout, collapse of trading systems or the crippling of a central bank's cheque clearing system."
While the case for cyber attack appears persuasive, some believe that much of it is hype. "It's difficult to avoid comparisons with the Millennium bug and the predictions of widespread computer chaos arising from the change of date to the year 2000," says Tom Standage, technology editor at The Economist magazine. "Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering."
Almost £400m was spent by the Government alone on preparations for the Millennium bug. Computer consultants issued dire warnings of the danger of an information technology breakdown that could paralyse nations on New Year's Day 2000. When the clock struck midnight, however, few problems were reported. There is scepticism that the bug was ever a threat. As far as Standage is concerned, those in the cyber-security industry - be they vendors boosting sales, academics chasing grants or politicians looking for bigger budgets - always have a "built-in incentive to overstate the risks".
But what of the Scada systems; surely they are highly vulnerable? "It is true that utility companies and other operators of critical infrastructure are increasingly connected to the internet," Standage concedes. "But just because customers pay their bills online, it doesn't follow that critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with internet technology anyhow. Even authorised users require specialist knowledge."
A simulation in 2002 by the US Naval War College concluded that an "electronic Pearl Harbor" attack on America's infrastructure would certainly cause serious disruption. But to pull it off would require five years of preparation and a $200m budget. As US computer security guru Bruce Schneier says: "If they want to attack, they will do it with bombs like they always have."
But Richard Clarke, a former cyber-security expert in the Bush administration, says this is complacent. "People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat."
Clarke says that each time the US government has tested the security of the electric power industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system". He reveals that computer security officers at a number of chemical plants have told him privately that they are very concerned about the openness of their networks.
Scott Borg of the Cyber Consequences Unit goes along with this. He believes the $93m budget for 2007 allocated to the Department of Homeland Security to defend against cyber attack is justified. "Even systems isolated from the internet are often accessible to thousands of employees. How secure can any system be if thousands of people and thousands of data ports can provide inside access to that system?"
The threat from software
IT security consulting firm Cyber Defense Agency (CDA) has warned the US military, government and "critical infrastructure agencies" against using outsourced commercial software which could be tampered with by terrorists. CDA said that gas, electricity, telecommunications, banking and water companies are among the services that could fall foul of cyber terrorists exploiting "life-cycle" weaknesses buried deep in the software code. Life-cycle attacks occur when one line of code is programmed to open vulnerabilities within the software, exposing the software and the company to external threats. "Outsourced commercial software poses a silent but significant security risk to the defence and welfare of the US," says Sami Saydjari, president of CDA. "The chances of strategic damage from a cyber-terrorist attack on the US increase the longer it takes to remedy the risks posed by outsourced software."