Atlantic Community:Open Think Tank Article "There's No Such Thing As Cyberterror"

There's No Such Thing As Cyberterror

James Andrew Lewis: I use the assault on Estonian computers to explain the difference between real terror and cyber mischief. Governments must take practical steps to minimize disruption in case of an attack.

Most of us have seen terrorism, if only on television. Compare the recent cyber attacks in Estonia to those scenes or experiences. The electronic interference in Estonia was not terrorism—in fact, the term “cyberterror” is senseless. Stop using it.

Terrorism requires violence and horror. On September 11th, for example, after a day of shocking images, riders of Washington’s subway system could still smell smoke in the tunnels from the burning Pentagon. In Estonia’s recent cyber incident, people were unable to access their bank accounts online.

What Really Happened
Estonia was a large, disruptive, cyber demonstration, akin to noisy mobs blocking traffic and preventing entrance to government Ministries. Computers connected to the Internet were overwhelmed with thousands of bogus messages and requests. Legitimate users were shut out and the computers, unable to handle the load, could no longer function. The attacks were launched automatically from “botnets,” a favored tool of cybercriminals that use thousands of hijacked computers for attacks.

No one died or was injured, dams did not burst, planes did not crash, and electricity was uninterrupted. If the events in Estonia were made into a blockbuster movie, it would star hordes of road-clogging Teletubbies, not Bruce Willis.

International Response
The attacks were first wrongly attributed to Russian government computers. Although a few official computers may have been part of the attacking botnets, it is more likely that Russian officials incited cybercriminals and hackers to punish Estonia for removing a large bronze statue of a Soviet soldier. Most former colonial powers accede to such changes—Britain did not unleash cybercriminals against India for dropping anglicized versions of city names—but Estonia’s relations with the former imperial power are closer and more complex.

It is not usually considered an act of war if a foreign government incites criminals and the disaffected to stage disruptive demonstrations in an opponent’s capital, but law and precedent are inadequate guides for cyber attack and likely to remain so for some time. It is easy to hide on the internet, and difficulties in attributing an attack complicate any response. At a minimum, we should regard the inciting nation as one unconstrained by international norms, whose actions and agents bear close watching. A treaty with such governments banning Internet attacks would be routinely violated and not worth the effort.

Increased Threats
But the Estonia attacks’ implications transcend Baltic tensions. While cyber protests are not new—Chinese, Taiwanese, and Korean hackers routinely take turns abusing government websites—the scale of the attacks, the brazen and immediate connection to a diplomatic dispute, and the links to cybercrime, deserve scrutiny. Cybercrime provides new tools, like massive botnets, for disruption. These tools can be purchased or rented from thriving online criminal communities and, when combined with a deep knowledge of the capacity and vulnerabilities of foreign networks, (many intelligence agencies have spent the last decade mapping opponent networks for exploitation or attack), they provide vast scope for mischief.

Bear in mind Estonia did not face the most damaging mode of cyberattack. Greater harm would ensue if attackers penetrated networks and scrambled or erased data and programs. Destroying tax and health records, disrupting flight and rail schedules, interfering with public utilities; all could have serious consequences. Larger countries would be more difficult to overwhelm than Estonia, but hackers could target individual agencies, key service providers or even entire cities.

Be Prepared
Cyber attacks are now part of international politics, and governments must be prepared to deal with them. Collective defense—sharing information and resources—can help, but computers are so intimately woven into the fabric of national infrastructures that the primary responsibility rests with national governments. The first step is to test important networks for vulnerability—using “red-teams” that mimic attackers. Cyber attacks are currently unpreventable, so governments must provide resiliency and redundancy for services and data supplied by computer networks.

Estonia’s response was timely and effective, and executed without little panic or media hyperbole. Other nations’ plans must account for the predilection for hysteria found in some media outlets, a preference that is abetted by those who argue that no one will pay attention to the cyber threat unless there is wild exaggeration that points to epic disaster.

We do not face disaster, but cyberspace cannot be an unguarded frontier and governments must prepare their defenses or else put their citizens at risk. Estonia was not the first cyberattack, and it will not be the last.

James Andrew Lewis is a senior fellow at the Center for Strategic & International Studies and director of their Technology and Public Policy Program. His experience with the U.S. Foreign Service and Senior Executive Service includes negotiations on arms transfers, advising the U.S. military, and developing new policies for national security and technology.

I like this Article! What's this?

Comments

July 25, 2007

Dio Diogenes Diognes, Free Lancer, (1)

I like this comment! What's this?

Please see what this writer says on the subject:

http://quasifictionalviews.blogspot.com/2007/07/cyber-warfare-techn...

July 25, 2007

GM Roper, Valley Counseling Centers, Inc., Bronze Contributor (12)

I like this comment! What's this?

Are the subjects the same? I read Dio's suggestion but it seems to me that while there may be, in fact, a type of warfare that can be termed cyber-warfare, I agree with Mr. Lewis that "cyberterror" is probably a misnomer. Cybercriminality anyone?

July 26, 2007

Member deleted

I like this comment! What's this?

James Andrew Lewis tells us that the term "cyberterror" is senseless and that we should stop using it. I am not sure that it is a very advisable approach.

Lewis gives us some significant information on the last cyber incident in Estonia, and that, in his view, this cannot be called cyberterror. However, we do not learn why the term itself should make no sense. I personally think it is highly dangerous to argue something like cyberterror does not exist.

The fact that we have not yet experienced a major incident that regard does imply nothing. Before 9-11 almost nobody would have thought that civilian aircraft could be turned into cruise-missile-like weapons only by using a few determined men armed with box cutters.

Lewis states terrorism requires violence and horror. That definition is quite vague, but even if we accept it as valid, it does by no means rule out that cyberterror is not possible. Terrorism in general lacks a commonly accepted definition accordingly it is difficult to define what actually constitutes terrorism in cyberspace.

However, I am sure we can agree that terrorists achieve their greatest effect when the shock wave their explosion has created results in a “media shock wave” that affects public and publicized opinion alike.

Until today we had to deal mostly with explosions caused by real bombs or IED’s. However, there is another type of bombs that can have disastrous effects, even when nobody is hurt or killed directly by their detonations: logic bombs. These devices have already proven to be highly effective during several incidents in the past.

Given the growing dependence of our societies on computer- and network-technologies a sophisticated logic bomb, detonated a the right time in the right place would have dramatic results. Just think of how vulnerable we really are.

It is not a catastrophe when people are unable to access their bank accounts online for a few hours or even days, that is right. However, we will face different challenges if should terrorists get access to important systems of national infrastructure, such as traffic, electricity or emergency services. What happens if terrorists should really manage to shut down critical parts of our infrastructure? We are be well advised not to rule out something like this could happen. It is certainly very difficult to achieve, it will requires a lot of time, effort and even more sophisticated knowledge, but it is by no means impossible.

The example of “irhabi007” (Arabic for “terrorist007”), one of the most-famous cyber-jihadists of the last years, and only recently sentenced to a 10-year prison sentence shows that it is our vital interest to take theses threats very seriously.

We do not know where and when a terrorist organization (there are of course more threats than just Al-Qaeda affiliated groups) will be ready to launch the first major cyberterror attack. However we must be aware that they are certainly trying hard and that they most likely to find a weak spot in our infrastructure eventually.

Lewis is right: Estonia was not the first cyberattack, and it will not be the last. We need to be prepared for more than just countering denial-of-service attacks.

August 16, 2007

Andreas Beckmann, Atlantische Initiative e. V., Silver Contributor (56)

I like this comment! What's this?

I fully agree with Jonas Boettler, and would like to add these remarks:

While the DoS attacks on Estonia certainly were not at all terror in the sense of people getting maimed by bombs, that does not mean they are not terror. For an individual even such seemingly harmless disturbances like a temporary exclusion from home banking can constitute terror (just on a substantially lower scale than bomb terror). There is a reason why we speak, for example, of people getting terrorized by stalkers, unsolicited phone calls, and other seemingly (to the outside observer) minor disturbances.

Second, terror need not be limited to harming people physically. Terror can also mean attacking a given economy, inflicting substantial economic damage. For example, many more than the three-thousand-and-something direct WTC victims of 9/11 experienced real terror: The destruction of billions of dollars of capital through indirect consequences of 9/11 caused millions of people to lose their jobs. While they, too, were not at all maimed or mutilated, they certainly experienced very real (and sometimes substantial) terror. Even DoS attacks could quite easily inflict such severe economic consequences. The only reason why we have not yet seen that happen lies in the fact that currently, these tools are in the hands of cyber criminals, not cyber terrorists. They want to make money and are thus not interested in too much destruction. Wait for the day some of the major botnets are rented by Al Quaeda.

Finally, more sophisticated cyber attacks can also lead to direct losses of life. A sustained interuption of the power grids, for example, could actually cause people to die, e. g. when they can not get the medical care they need, or the air condition elderly people need to survive on very hot days. Or think about the opening of dams, or severe explosions with toxines released, in the case of a successful cyber attack on the control systems of a chemical plant. The cyber vulnerabilities of modern industrial societies offer endless scenarios with real maiming, bleeding, and dying. Would Mr. Lewis then rethink his headline?

In sum, the relatively harmless DoS attacks against Estonia may not have inflicted much terror, but this example does not at all justify the sweeping (and grossly wrong) statement of Mr. Lewis' essays' title. If governments and citizens alike don't take careful precautions, we will see very REAL and painful cyberterror in the future.