26 October 2009

The Myth of CyberTerrorism

I was woken shortly before midnight, on a chilly July evening in Auckland, by the sound of a bomb. It was 1985, and the Greenpeace vessel Rainbow Warrior had been hit by two explosions, from limpet mines attached by two frogmen (I use that term very deliberately.) One man, Fernando Pereira, was killed in the attack.

Most commentators now accept that this was an act of terrorism -- and indeed, the initial reaction of the French government was to condemn it as such. It was only twenty years later that French president François Mitterrand admitted that he had personally authorised the bombing.

Was this an act of terrorism, albeit state-sponsored? In my view, absolutely. It was an act deliberately intended to terrorise Greenpeace and its supporters (although the agents concerned claimed that they had tried to avoid any loss of life.)

Now let's look at another case. Three years earlier, in June 1982, the Russian government was conducting pressure tests on its new trans-Siberian gas pipeline, which resulted in a catastrophic explosion -- allegedly with the force equivalent to three kilotons of TNT.

According to the 2004 book "At the Abyss: An Insider's History of the Cold War", written by Thomas C. Reed, this was a deliberate act of sabotage, carried out by the CIA as part of the cold war against the Soviet Union.

Reed, a former Air Force secretary who served in the US National Security Council during the Reagan administration, reported how the U.S. allowed the USSR to steal pipeline control software from a Canadian company. Unknown to the Russians, this software included malicious code (known as a Trojan horse) that caused a major explosion of the Trans-Siberian gas pipeline in June 1982. The Trojan ran during a pressure test on the pipeline and massively increased the usual pressure, causing the explosion. Reed writes:

"In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds"

By creating an explosion with the power of a three-kiloton nuclear weapon, the U.S. managed to disrupt supplies of gas and consequential foreign currency earnings of the Soviet Union for over a year.

Was this an act of CyberTerrorism? In my view, yes. This was probably the very first documented case where computer-related sabotage was used to trigger major damage (although apparently with no loss of life.)

Subsequently, the world has witnessed hundreds of lesser cases of sabotage and attempts to compromise control systems and economic attacks, which might be classed as cyberterrorism -- but is there really a threat here of the same class as we are confronted by with "classical" terrorism -- i.e., suicide bombers, assassinations, anthrax letters or mass poisonings?

In my view, the threat of CyberTerrorism is largely a myth. A report published by James Lewis of the Washington think-tank Center for Strategic and International Studies tends to support this view, claiming that although clearly many major states have the capability of undertaking CyberWarfare attacks which could be classed as acts of war, there are few, if any, non-state actors with these capabilities.

These days, the greater threat comes from organized criminal groups, and their targets are almost exclusively economic. It's now possible for a well-funded terrorist group to rent a botnet, but this begs the question -- what would be their target? In order for a terrorist attack to be effective, it has to, by definition, cause fear or terror, and few conceivable attacks could lead to the loss of life necessary to achieve that.

Despite what several "B" movies and shows like "24" or "Law and Order" suggest, there are no super-powered hackers who can take over GPS satellites, hospital emergency equipment or air traffic control systems. Any failures are more likely to be collateral damage from economic attacks, or simple incompetence in the deployment of basic safeguards by those responsible for defense.

CyberTerrorism is a great buzzword, and is being used to attract millions of dollars in counter-terrorism funding, but the real risks should be seen as financial, and the attackers are far more likely to be from the world of organized crime than from Al Qaeda.

