Coherent, Monochromatic and Collimated
Technology Bites Life
May 20th 2002
Over the last few years, we have been deluged with the new, hyped up, techno-phrase – “cyber terrorism”. Many a noted expert has labeled cyber terrorism as a myth overused by fear mongers, moviemakers and sensationalists. Others have been quietly warning that the threat is real, new and remarkably hard to prevent.
Cyber terrorism is the use of computers, and the global communication medium—the Internet—to launch attacks and nefarious acts that harm, maim or kill innocent people. In order for cyber terrorism to be a real threat, it first has to be possible, second has to be feasible and third has to be uncontainable. Unfortunately, cyber terrorism is not only possible, but has been demonstrated in isolated situations. The feasibility, however, is a little more suspect. The methods of containment of such acts are not very well known, and opinions range all over the spectrum.
What makes cyber terrorism a possibility is the entrenched use of computers in almost all crucial facets of civilian life as well as military might. For example, is it possible for a terrorist to infiltrate the computers of the US (or British, or Russian) military and launch a nuclear missile? While the answer is most likely “no”, it is not a very emphatic no, which makes it scary.
Computers control things: from power plants to telephones, from manufacturing of pharmaceutical products to a million other crucial things. Included in the computer-controlled list are systems that control airline traffic, perform airline reservation and scheduling, run transportation systems, and control water and oil pipelines. Disruptions in any one of these can easily cause loss of life or widespread chaos.
The Internet is a major vulnerability. When the Internet was designed, it was designed to be highly reliable, not highly secure. What that means is that the designers took into consideration how to keep data traffic on the Internet flowing in spite of failures of the routing computers and communication links that make up the network. It was assumed that any computer connected to the Internet belonged to a responsible governmental or commercial enterprise and not to an unruly individual. This was not an unreasonable assumption. In 1975-1980, when the major technical blueprint of the Internet was laid out, the price of an average computer was much in excess of $100,000, and an unruly individual was not expected to possess one of those, let alone have the gadgetry, permission and communication prowess to connect it to the Internet unnoticed.
The Internet allows a computer connected to the network to send a “packet” (a unit of data) to any other connected computer. Hence a person with a PC connected via a phone line can send packets to a computer running the airline reservation system. When a packet arrives at the destination, a computer picks it up and performs some tasks to see why the packet came there and what to do in response. These tasks presume a particular format of the packet, that is, the packet is supposed to contain a set of information, in specific bit positions, signifying a myriad of network-related properties. If the packet, however, does not contain data adhering to the prescribed format, then things can, and do, go wrong.
Of course, this is attributable to bad software design at the receiving computer. Sadly, such bad software is horrendously ubiquitous. At first, when it was noticed that software could be made to do things it was not supposed to do in response to bad packets, such information was hushed up to prevent embarrassment. Then more and more people discovered how to do nasty things using bad packets. As the floodgates opened, the so-called “security holes” became a rather nasty nuisance.
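As an added illustration (not part of the original column), here is the kind of format check a receiving computer should apply, sketched in C for an IPv4 header: every length the sender supplies is compared with the number of bytes actually received before it is used. The function names, type names and sample packet are constructed for this example, and the header checksum is not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum pkt_status { PKT_OK, PKT_TOO_SHORT, PKT_BAD_VERSION, PKT_BAD_HDR_LEN, PKT_BAD_TOTAL_LEN };
struct ipv4_info { size_t hdr_len, total_len; uint8_t protocol; uint32_t src, dst; };

/* Constructed sample: 20-byte IPv4 header + 4-byte payload (checksum left 0). */
static const uint8_t SAMPLE[24] = {
    0x45, 0x00, 0x00, 0x18,  0x00, 0x01, 0x00, 0x00, /* ver/IHL, TOS, total=24, id, flags */
    0x40, 0x11, 0x00, 0x00,                          /* TTL, protocol=17 (UDP), checksum */
    0xC0, 0x00, 0x02, 0x01,  0xC6, 0x33, 0x64, 0x07, /* 192.0.2.1 -> 198.51.100.7 */
    'p', 'i', 'n', 'g' };

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Check every sender-controlled length against len (bytes actually received)
 * before any field is trusted as an offset or a size. */
enum pkt_status parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_info *out) {
    if (len < 20) return PKT_TOO_SHORT;              /* minimum header not present */
    if ((buf[0] >> 4) != 4) return PKT_BAD_VERSION;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;        /* header length field, in bytes */
    if (ihl < 20 || ihl > len) return PKT_BAD_HDR_LEN;
    size_t total = ((size_t)buf[2] << 8) | buf[3];   /* claimed header + payload size */
    if (total < ihl || total > len) return PKT_BAD_TOTAL_LEN;
    out->hdr_len = ihl;
    out->total_len = total;
    out->protocol = buf[9];
    out->src = rd32(buf + 12);
    out->dst = rd32(buf + 16);
    return PKT_OK;
}

/* Demo helper: copy SAMPLE, overwrite one byte (off < 24), parse len bytes. */
enum pkt_status parse_mutated(size_t off, uint8_t val, size_t len) {
    uint8_t pkt[sizeof SAMPLE];
    struct ipv4_info info;
    memcpy(pkt, SAMPLE, sizeof pkt);
    pkt[off] = val;
    return parse_ipv4(pkt, len, &info);
}

int main(void) {
    printf("well-formed packet:     %d\n", parse_mutated(0, 0x45, 24));
    printf("total length = 0xFF18:  %d\n", parse_mutated(2, 0xFF, 24));
    printf("header length = 60:     %d\n", parse_mutated(0, 0x4F, 24));
    printf("only 12 bytes received: %d\n", parse_mutated(0, 0x45, 12));
    return 0;
}
```

A receiver that skips the two length comparisons and uses the claimed sizes directly is the "bad software" the column describes.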
But the bad software is like the proverbial genie in the bottle. It has escaped; it is deployed all around the world. How do we fix it? Not easily. In fact, it is not possible to fix all the holes. The networking software is very complicated, and riddled with holes. As and when a hole is discovered and fixed, a new hole crops up. Millions of lines of networking code, in hundreds or thousands of software modules, are not something that can be viably fixed.
The security holes allow an attacker to send some misformatted packets to a machine in a particular sequence and gain remote access to that machine. That is, the person launching the attack can then download software into that machine and run the software from a remote location. The downloaded software can do anything—steal data, delete data, start up controlling processes, use this computer to attack yet another computer and so on.
How do people know how to attack a computer? There are web sites all over the Internet telling people how to do it. These sites, called “phreaking” sites, have programs designed to use networking security holes to penetrate computers. For some reason, these sites are very attractive to young people with too much time on their hands. They are called “script kiddies”. The script kiddies download these programs (called scripts) and fire them up and send them marauding over the Internet looking for machines with vulnerable software. Often the script kiddies hit pay dirt, and find important sites (commercial and military) that they can penetrate and cause trouble.
The most common form of problem caused by script kiddies is to compromise machines belonging to naïve users, spread virus programs, and cause network contention by flooding network backbones with spurious traffic (such flooding is known as a denial of service attack). While these are nefarious attacks, they do not reach the levels that would be termed “terrorism”.
But, theoretically, terrorism is a definite possibility. The easiest form of terrorism can be one that uses the denial of service attack. Suppose inhabitants of a country hostile to the US start barraging the Internet sites of US corporations and the government with huge deluges of spurious packets. This would essentially disrupt the Internet communications of the US. Since the US has become horrendously dependent on the Internet for its commercial transactions, it could, imaginably, have a significant economic impact.
Using the denial of service trick to gum up the Internet can be disruptive, but it is not quite akin to major acts of terrorism. Hence the question remains: is it possible to cause major harm and mayhem using computers? The answer is not clear. First, no one has ever done it (so far). Second, there is enough evidence that a lot of people are very hard at work to do it. Third, it is not easy, especially since not enough information exists on how to do it.
In fact, the US seems to be the target of many groups who want to infiltrate its infrastructure to commit heinous acts. While outwardly the US is putting on a media blitz targeted to impress upon everyone that security has been tightened up, in reality, security, especially computer security, remains woefully weak.
Consider the well-known scenario of the US electric power grid. The entire country runs off of a common power supply grid. All generating stations upload power to the grid, and electric distribution systems download the power and supply it to the consumers. What if someone could enter a control computer of an electric power plant and shut the plant off? Shutting down one power plant would not cause much damage, as other plants would pick up the load. However, simultaneous shutdown of a significant number can cause a serious problem. There would be a sudden overload condition, the grid would enter an emergency mode, and all power plants supplying the grid would shut off. That would be a nationwide blackout.
What is worse is that if such a situation occurs, it is speculated that there is no smooth way to restore power. If a power plant was started up, it would trip immediately. Some experts speculate that if the grid is shut off, it may take weeks to restore power. Again, such a nefarious situation exists, as the designers of the grid did not take this possibility into account.
But is it possible to shut off a power plant? The answer is murky. The computers controlling power plants should not be connected to the Internet. They are not, yet they are. There are ways to remotely access these computers. Also, these computers exchange data with each other and with various public computers, making them indirectly connected to the Internet. The saving grace is that details of the connectivity and shutdown techniques are not published information.
Secrecy is a dubious method of providing security. It is called “security through obscurity”. We do not know how to reach the computers that control nuclear missiles because the military keeps it a secret. The downside of the secrecy wall is that historical data shows secrets can be discovered. The real road to security is to design it into every facet of secure systems such that even if you know how it works, it cannot be penetrated. We know how to do that, but in the rush to make the cyber revolution happen, good design has been disregarded. Now we may be poised to pay the price.
Partha Dasgupta is on the faculty of the Computer Science and Engineering Department at Arizona State University in Tempe. His specializations are in the areas of Operating Systems, Cryptography and Networking. His homepage is at http://cactus.eas.asu.edu/partha