(Usually I send my detailed comments only onto the IWS Limited List, but as the paper is so interesting I make an exception.) I like the paper, even though the definition of Cyberterrorism is not the greatest one and I do not like the bit about WWII as it is too simplistic ('know thy military history'), but the rest is good. WEN.

Key sentence: '... but a brief review suggests that while many computer networks remain very vulnerable to attack, few critical infrastructures are equally vulnerable. ...' as SCADA systems & Co are usually not connected to the Internet.

'... A preliminary review of these factors suggests that computer network vulnerabilities are an increasingly serious business problem but that their threat to national security is overstated. Modern industrial societies are more robust than they appear at first glance. Critical infrastructures, especially in large market economies, are more distributed, diverse, redundant and self-healing than a cursory assessment may suggest, rendering them less vulnerable to attack. In all cases, cyber attacks are less effective and less disruptive than physical attacks. ...'

'Know thy military history'

It is annoying to see people mention examples in military history if they lack knowledge and make mistakes: The author looks at the Strategic Bombing Campaign during WWII, but unfortunately you cannot really compare it to CNI attacks as even though the UK had a ministry for economic warfare its advice was mostly ignored by Bomber Harris who preferred to 'flatten German cities' whilst the US urged the UK to attack the real Centre of Gravity.

'... What the survey [U.S. Strategic Bombing Survey, Summary Report (European War), 1945] found, however, is that industrial societies are impressively resilient. Industrial production actually increased for two years under the bombing.'

It is always risky to quote such an old survey as they might be 'slightly biased' -- the Air Force wanted to make a business case for its bombers, ..., -- especially if the academic in question lacks a detailed knowledge of the German War Economy. (Instead of reading a summary report I would recommend reading the 'The Effects of Strategic Bombing on the German War Economy' report which was published a month later. It gives a far more detailed overview.
(Before someone asks, I do not have a url for it as I got a copy of it, but I do have some old notes from a Defence Economics course which focuses on economic warfare during WWII and two unpublished papers on the Nazi War Economy. If someone wants them please email me)).

Another example:

'... Comparing aerial and cyber attacks on hydroelectric dams helps provide a measure for cyber-threats. Early in World War II, the Royal Air Force mounted a daring attack on dams in the Ruhr, a chief source of electrical power for German industry. The raid was a success, the dams breached by bombs and, for a period of time, the electrical supply in the region was disrupted. ...'

This attack was based on wrong intelligence. An argument was put forward by the UK Ministry of Production (not the Ministry of Economic Warfare) that it would be a great opportunity to stop German industrial production in the Ruhr as the dam provided the electricity for those industries. Therefore without electricity German industry in the Ruhr would be forced to stop. The Ministry of Economic Warfare (MEW) questioned the assumptions on which this raid was based and concluded that the RAF might be able to hit the dam, but in the end the Germans have other means to produce electricity, such as coal fired plants to produce electricity. MEW was right and they said that the worst which will happen is that there would be massive flooding below the dam, some production might be cut, but in the end the Germans will just compensate with coal fired plants.

Anyway back to cyberterrorism. Some good quotes from the paper:

Risk to National Security:

'... However, from a strategic military perspective, attacks that do not degrade national capabilities are not significant. From this perspective, if a cyber-attack does not cause damage that rises above the threshold of the routine disruptions that every economy experiences, it does not pose an immediate or significant risk to national security.
It is particularly important to consider that in the larger context of economic activity, water system failures, power outages, air traffic disruptions and other cyber-terror scenarios are routine events that do not affect national security. On a national level, where dozens or even hundreds of different systems provide critical infrastructure services, failure is a routine occurrence at the system or regional level, with service denied to customers for hours or days. ...'

Attack on CIP:

* Water

'... In the United States, the water supply infrastructure would be an elusive target for cyber attack. There are 54,064 separate water systems in the U.S. Of these, 3,769 water systems serve eighty one percent of the population and 353 systems served forty-four percent of the population. However, the uneven spread of diverse network technologies complicates the terrorists’ task. Many of these water supply systems in the U.S., even in large cities, continue to rely on technologies not easily disrupted by network attacks. There have been cases in the U.S. when a community’s water supply has been knocked out for days at a time (usually as a result of flooding), but these have produced neither terror nor paralysis. ...'

* Power

'... A risk assessment by the Information Assurance Task Force of the National Security Telecommunications Advisory Committee concluded “Physical destruction is still the greatest threat facing the electric power infrastructure. Compared to this, electronic intrusion represents an emerging, but still relatively minor, threat.” ...'

* Transportation (Air)

'... We are not yet at a stage where computer networks operate aircraft remotely, so it is not possible for a cyber-attacker to take over an aircraft. Aircraft still carry pilots who are trained to operate the plane in an emergency. Similarly, the Federal Aviation Authority does not depend solely on computer networks to manage air traffic, nor are its communications dependent on the Internet.
The high level of human involvement in the control and decision making process for air traffic reduces the risk of any cyber attack. In a normal month storms, electrical failures and programming glitches all ensure a consistently high level of disruption in air traffic. Pilots and air traffic controllers are accustomed to unexpected disruptions and have adapted their practices to minimize the effect. ...'

* Manufacturing:

'... Manufacturing and economic activity are increasingly dependent on computer networks, and cyber crime and industrial espionage are new dangers for economic activity. However, the evidence is mixed as to the vulnerability of manufacturing to cyber attack. A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford received 140,000 contaminated e-mail messages in three hours before it shut down its network. E-mail service was disrupted for almost a week within the company. Yet, Ford reported, “the rogue program appears to have caused only limited permanent damage.” None of its 114 factories stopped, according to the automaker. ...'

Terrorism

'... An analysis of the risk of cyber terrorism is also complicated by the tendency to initially attribute cyber events to military or terrorist efforts when their actual source is civilian recreational hackers. ...'

'... While the press has reported that government officials are concerned over Al Qaeda plans to use the Internet to wage cyber-terrorism, these stories often recycle the same hypothetical scenarios previously attributed to foreign governments’ cyber-warfare efforts. The risk remains hypothetical but the antagonist has changed from hostile states to groups like Al Qaeda. ...'

Cybercrime

'... Cyber crime is a serious and growing threat, but the risk to a nation-state in deploying cyber-weapons against a potential opponent’s economy are probably too great for any country to contemplate these measures.
For example, writers in some of China’s military journals speculated that cyber attacks could disable American financial markets. The dilemma for this kind of attack is that China is as dependent on the same financial markets as the United States, and could suffer even more from disruption. ...'

Conclusion:

'... Much of the early analysis of cyber-threats and cyber security appears to have “The Sky is Falling” as its theme. The sky is not falling, and cyber weapons seem to be of limited value in attacking national power or intimidating citizens. ...

To understand the vulnerability of critical infrastructures to cyber attack, we would need for each target infrastructure a much more detailed assessment of redundancy, normal rates of failure and response, the degree to which critical functions are accessible from public networks and the level of human control, monitoring and intervention in critical operations. This initial assessment suggests that infrastructures in large industrial countries are resistant to cyber attack. ...

... Terrorists or foreign militaries may well launch cyber attacks, but they are likely to be disappointed in the effect. Nations are more robust than the early analysts of cyber-terrorism and cyber-warfare give them credit for, and cyber attacks are less damaging than physical attacks. Digital Pearl Harbors are unlikely. Infrastructure systems, because they have to deal with failure on a routine basis, are also more flexible and responsive in restoring service than early analysts realized. Cyber attacks, unless accompanied by a simultaneous physical attack that achieves physical damage, are short lived and ineffective. However, if the risks of cyber-terrorism and cyber-war are overstated, the risk of espionage and cyber crime may not be fully appreciated by many. ...'

**************************************************************************

Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats
James A. Lewis
Center for Strategic and International Studies
December 2002
Full Report: http://www.csis.org/tech/0211_lewis.pdf

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk