Mark M. Pollitt
FBI Laboratory
935 Pennsylvania Ave. NW
Washington, D. C. 20535
Abstract:
This paper discusses the definition of cyberterrorism, its potential, and suggests an approach to the minimization of its’ dangers. The definition of cyberterrorism used in this paper is combines the United States Department of State’s definition of terrorism as politically motivated acts of violence against non-combatants with a definition of cyberspace as the computers, networks, programs and data which make up the information infrastructure. The conclusion is that by limiting the physical capabilities of the information infrastructure, we can limit it potential for physical destruction.
Keywords:
Terrorism, cyberspace, cyberterrorism, information infrastructure, computer security.
Disclaimer:
This paper was submitted by the author in connection with academic studies at George Washington University. It does not represent the policy, opinions, or conclusions of the United States Government or of the Federal Bureau of Investigation. The opinions expressed herein are wholly that of the author.
by Mark M. Pollitt
“We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable - to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”(1)
Thus began the opening chapter of one of the foundation books in the computer security field. This book, commissioned by the National Academy of sciences, was the product of twenty-one experts in their field and was a proposed blueprint for future computer security in the United States. In the six years since this was written, computers and information technology has exploded. But most people, including those in the computer field, believe the above statement to still be true.
The combination of two of the great fears of the late twentieth century are combined in the term “cyberterrorism”. The fear of random, violent victimization segues well with the distrust and outright fear of computer technology. Both capitalize on the fear of the unknown. It is easy to distrust that which one is not able to control.
Terrorism, with it’s roots in the periphery of mainstream society, is feared. It is perceived as being random, incomprehensible and uncontrollable. Groups with obscure names and origins impact catastrophically on the innocent. It is, in fact, designed to be feared. That is its real power.
Technology is feared from two perspectives. First, it is by definition arcane. It is complex, abstract and indirect in its impact on individuals. Because computers do things that used to be done by humans, there is a natural fear related to a loss of control. People believe, that technology has the ability to become the master, and humanity the servant.
The popular press has further fueled the fires by “hyping” the concept of convergence. According to the press, one is lead to believe that all of the functions controlled by individual computers will all converge into a singular system. Further support for this scenario is the increase in “connectivity”. Many people conclude that the entire world will soon be controlled by a single computer system.
Ironically, these same people subjectively understand that since computers are products of, and operated by, human beings, they are not reliable in either a mechanical or logical sense. Certainly, there can be no doubt as to immense benefits from computer technology. With any technology, be it telephones or automobiles, there are risks. Most risks can be managed. It is the “unmanageable” risks that we fear. This paper will address what the risks and possibilities are of combining terrorism and computers.
Before we can discuss the possibilities of “cyberterrorism, we must have some working definitions. The word “cyberterrorism” refers to two elements: cyberspace and terrorism.
Another word for cyberspace is the “virtual world”. Barry Collin defines the virtual world as “symbolic - true, false, binary, metaphoric representations of information - that place in which computer programs function and data moves.”(2)
Terrorism is a much used term, with many definitions. For the purposes of this presentation, we will use the United States Department of State definition:
“The term ‘terrorism’ means premeditated, politically motivated violence perpetrated against noncombatant targets by sub national groups or clandestine agents.”(3)
If we combine these definitions, we construct a working definition such as the following:
“Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents.”
This definition is necessarily narrow. For the term “cyberterrorism” to have any meaning, we must be able to differentiate it from other kinds of computer abuse such as computer crime, economic espionage, or information warfare. I would suggest that the latter is a offensive and defensive function of governments.
In their essential elements computers do three things: they store information, they process information and they communicate. All of the myriad things that we associate with computers are really combinations of these three actions. An even simpler analogy is that a computer is like a box. You can put something into the box. You can take something out of the box (but not something that wasn’t already there) and you can manipulate the things in the box. What is surprising to most people is that the computer does not “control”. Computers, in and of themselves, do not act. They act either through humans or through devices attached to the computer.
This point is important. In order to discuss the role of computers with respect to terrorism, we must understand their limits. Short of electrocuting one’s self with the power supply or being so unfortunate as to walk under a falling machine, computers cannot, directly, kill or injure. That is not to say that there are not indirect risks of physical harm, nor direct risks of economic injury. Computers may communicate to other devices that do have physical actions which can cause death or injury. The direct risks of economic injury are perhaps the most significant of all the risks. While computers may be referred to as “weapons”, they act indirectly.
There are several typologies concerning the risks to computer systems. These can be categorized as outcome based or method focused. The latter focuses on the methodologies used to attack systems. The method focused is very useful for evaluating specific targets. It cannot successfully anticipate all technologies and is therefore not very useful for strategic planning. We will apply the outcome based methodology.
Several writers have suggested typologies for outcome-based risk assessment(4)(5)(6). While they differ in structure, they identify three key risk factors. These can be summarized as: access, integrity, and confidentiality. We shall take a moment to discuss the significance of each of these issues(7).
Access is the ability of authorized parties to obtain information or cause actions to be taken as specified. That ability to operate the computer or obtain information can be limited or eliminated in several fashions. The information (data), programs (instructions) or the physical device can be destroyed. The computer system can also be interfered with to the extent that the system becomes so unreliable that it is useless. This interference can occur within the computer system’s storage and/or processing or with respect to its’ communications pathways.
Clifford Stoll, author of the “Cuckoo’s Egg”, once told this author that the worst thing that could happen to him, as a astro-physicist, was for someone to alter the fifth decimal place of the constant Pi. He reasoned that all of his calculations would be flawed and all of his work would then be useless. This reasoning highlights the reliance that we place on computerized data. If it is not correct, it may be worse than its’ destruction.
The mantra of the late 20th century is that information is power. This has become a reality. The possession of accurate, timely information is the key to competitive advantage. This is true regardless if you are a superpower government or a small business person. Computers have created new risks (and rewards) concerning the discovery of information which it originator wished to remain confidential. There is an inevitable trade-off between availability and privacy.
I have outlined the risks in the context of information. But, these same risks apply to computers designed for the control of processes. In effect, anything that can happen to information, can happen to processes controlled by computers.
Are these risks being currently being exploited? The answer is an unequivocal yes. Do these exploitation’s directly impact the public? Indirectly yes. However, the impact is rarely serious or fatal. Why? The human being has not been taken out of the loop.
Could these vulnerabilities be utilized by terrorist elements? Certainly. These risks are independent of motive or perpetrator. These risks are structural to the use of computers. Let’s examine some commonly presented scenarios.
Collin(8) suggests a number of scenarios. I will discuss several of them. One that he proposes is for a “hacker” to take over the process control computers on a cereal manufacturing line. The subject then alters the amount of iron supplement added to a fatal dose. Boxed cereal then sickens and kills a nation of children.
There are a number of fallacies concerning this script. The quantity of an additive providing nutritional benefit is minimal. The quantity necessary to change s nutritious additive to become toxic is greater by a substantial amount, if it is even possible! Presumably, when the usual quantities of additive run out on the production line, someone will notice the increased consumption. Most food manufacturers conduct routine product testing for just such eventualities. It is a business necessity in this litigious world. It is also likely that the taste of the altered product will be changed, and not for the better. I submit that this may be possible, but the likelihood of success is minimal.
Another commonly offered scenario involves the air traffic system. The world’s air traffic control system is highly computerized. The “terrorist” either obtains control of the system or alters the system in such a fashion that airplanes are flown into each other, resulting in mass death.
This scenario requires that the entire human element and the structure of the rules involving the control of aircraft are ignored(9). The computers used in the air traffic control system do not control anything. They merely provide an aid to the human controller. Even if he/she were deceived by the computer, there is other human beings in the loop. A basic tenant in pilot training is “situational awareness”. From the first day of training, pilots are taught to be aware of not only their location, direction and altitude, but those of all other aircraft. Pilots routinely catch errors committed by air traffic controllers. It is the spectacular human failures that result in aircraft collisions. Further, the “rules of the road” for aircraft operations anticipate the complete failure of the air traffic control system. In fact, the rules are designed to work where there is no air traffic control at all! Thousands of flights are conducted each day in bad weather, around the world without the benefit of an ATC system at all!
A similar scenario is proposed concerning the operation of a subway or train system. Brief reflection will show that failures of the electronic and mechanical controls are anticipated. That is why few of these systems are not “manned”. It should also be noted that mechanical failures are much more common and catastrophic in nature and affect.
The current state of cyberspace is such that information is seriously at risk. The impact of this risk to the physical health of mankind is, at present, indirect. Computers do not, at present, control sufficient physical processes, without human intervention, to pose a significant risk of terrorism in the classic sense. Therein rest two lessons.
The definition of terrorism needs to address the fundamental infrastructure upon which civilization is increasingly dependent. A proactive approach to protecting information infrastructure is necessary to prevent its becoming a more serious vulnerability.
As we build more and more technology into our civilization, we must ensure that there is sufficient human oversight and intervention to safeguard those whom the technology serves.
(1) National Research Council, “Computers at Risk” National Academy Press, 1991.
(2) Collin, Barry C., “The Future of CyberTerrorism”, Proceedings of 11th Annual International Symposium on Criminal Justice Issues, The University of Illinois at Chicago, 1996 http://www.acsp.uic.edu/OICJ/CONFS/terror02.htm
(3) United States Dept. of State, “Patterns of Global Terrorism”, Washington, DC, 1996
(4) Parker, Donn. “Crime by Computer”, Charles Scribner’s Sons, New York 1976
(5) Icove, David, et al. “Computer Crime - a crimefighter’s handbook”, O’Reilly & Assoc., Sebastopole, California, 1995.
(6) Barrett, Neil, “Digital Crime”,Kogan Page Limited, London, 1997
(7) Power, Richard, “Current and Future Danger”, Computer Security Institute, San Francisco, 1995
(8) Collin, Barry C., “The Future of CyberTerrorism”, Proceedings of 11th Annual International Symposium on Criminal Justice Issues, The University of Illinois at Chicago, 1996 http://www.acsp.uic.edu/OICJ/CONFS/terror02.htm
(9) Federal Aviation Administration, “Instrument Flying Handbook”, Government Printing Office, 1980