When terrorists turn to the Internet

It's 8 a.m., morning rush hour in New York. People and cars move slowly and somewhat irritably toward the city. Suddenly, the power goes down and traffic lights cease working. Everything comes to a complete stop. Meanwhile, half a country away, the water system malfunctions in Detroit. Then, in Dallas, air traffic becomes dangerously chaotic as guidance systems go offline.

On the surface, it seems like a series of unconnected events. But information security experts say it could also be the sign of a terrorist cyber-attack - well-coordinated, extremely effective, and so anonymous it leaves its targets not quite sure what happened.

While the above situation has never taken place, many industry experts say it could. In fact, they're somewhat surprised it hasn't already.

The United States government and US businesses know that developing an effective response to cyber-terrorism is essential. This, at least, is the first step, even though they have a long way to go in addressing the problem.

This is the new world of cyber-terrorism.

No other country or group can approach the US conventional-weapon superiority. This is why many terrorists find information terrorism an attractive alternative to traditional forms of terrorism. Cyber-terrorism allows terrorists - both foreign and domestic - to inflict damage with no harm to themselves and little chance of being caught. It is a way for the "weak" to attack the "strong," particularly to disrupt a stronger force at a key time during an operation.

If you want to understand terrorism in the Information Age, you need to understand how it has changed since the 1970s, says Harvey Kushner, chairman of the criminal-justice department at Long Island University and an expert on terrorism.

"We have moved away from state-sponsored terrorism," Dr. Kushner says. "The old model of the hierarchical or 'organized crime' group, no longer exists. These days, terrorists move in loose groups, constellations with free-flowing structures. So these days terrorism - both the traditional kind and cyber-terrorism - is more the act of the freelancer or the individual. This is true both internationally and nationally."

This doesn't mean states don't play a role in cyber-terrorism, Kushner says. It's just different from the one they played in the past.

"States find ways to encourage this behavior. They will use incendiary rhetoric to inflame passions. This will enrage some freelancer, who will then commit an act of cyber-terrorism. The Chinese hacker attacks on US targets after the bombing of the Chinese Embassy in Belgrade are a perfect example. And it comes at no cost to the state, which can say it had nothing to do with the attack," he says.

So who is the modern cyber-terrorist?

"The popular image is very out of kilter with reality," says James Adams, head of Infrastructure Defense, an organization founded to help governments and businesses deal with cyber-warfare and terrorism. "You know, the image of the 18-year-old with a ponytail who spends 20 out of 24 hours over a computer, hacking into a site because it gives him a rush."

In fact, says Mr. Adams, cyber-terrorism is likely to be committed by Russian organized crime, or white supremist groups, or religious cults and extremists, to name a few examples.

These groups tend to work in the loose manner Kushner describes, and detailed in a 1999 report on cyber-terrorism, "Countering the New Terrorism," by the Rand Corp. It describes the structure of these new networked organizations as "SPIN": segmented, polycentric, ideologically integrated networks.

These SPIN groups are not just using the computers to launch attacks, but also to coordinate their activities.

For instance, the Rand report notes that Saudi religious extremist Osama bin Laden's organization "appears to have widely adapted information technology." Egyptian members of Mr. bin Laden's network are said to have helped devise a communications network that relies on the Web, e-mail, and electronic bulletin boards so that members can exchange information without running a major risk of being caught by US counterterrorism organizations.

A third way that terrorists use the Internet is to tell their "story" directly to the public. Several terrorists groups have used the Web not only to bypass traditional news media, but also to influence how the media report on a terrorist act. (For more on how terrorists use the Web to publicize their message, visit the Monitor's Web site, www.csmonitor.com).

But it may not be long before groups like bin Laden's use their technological expertise to launch a cyber-attack.

"With respect to the availability of desirable targets via cyberspace, terrorists are likely to choose to employ electronic attacks only if the reachable assets are attractive targets, and as infrastructure industries continue to modernize their information systems to take advantage of the benefits of [information technology], this situation will become more likely," notes a report in the fall 1997 issue of Survival, "Information Technology and the Terrorist Threat."

"Cyber-terrorism really is a result of the Internet," says Ed Roche of The Concours Group, an international firm that studies Internet security issues. "Terrorism certainly existed before the Internet, but in order to do it, you had to be there. With the Internet, a group in, say, Madras, India, can bring down Con-Ed."

Dr. Roche, who believes there will be a major cyber-terrorist attack on the US in the next two years, says it is corporate, rather than government, information structures that are most at risk.

"There is a very poor sense of security in many of these enterprises. Intranets are also a real security problem. And I don't see these factors changing anytime soon."

But what about the simple hacker? One problem with cyber-terrorism, note computer security experts, is that it's hard to tell if a cyber-attack has been launched by a rogue state, a terrorist, or a couple of kids in their garage. For instance, one of the most damaging cyber-attacks on the US military infrastructure was launched by an Israeli youth with help from some teenagers in California.

As a result, computer-security experts and justice organizations like the FBI now treat all cyber-attacks the same, regardless of the source - a situation that has enraged many hackers. Yet part of the reason security experts may be responding this way could be the fear that these "innocent" hackers could turn their talents to more ominous purposes.

While the article in Survival notes that terrorism is more extreme and "far more aberrant than prankish hacking," there is no doubt that acts of hacking can have the same consequences as acts of terrorism.

"Regarding the question of whether hackers today will be terrorists of tomorrow, one can only point to the fact that some hackers have been willing to act in concert to attack the telecommunications infrastructure, and insofar as an infrastructure attack constitutes terrorism, hacker terrorism has already occurred." A recent example of hacker terrorism (or is it?) is the Internet worm - Worm.ExploreZip - that created havoc in computer e-mail systems around the world, but particularly at corporations such as Microsoft, Intel, and NBC (see worm article

page 13).

Protecting against hackers also raises other issues, says Ron Moritz, director of the technology office for Finjan Software Inc., which specializes in mobile-telephone code security. For instance, how far can the government go to protect itself before it infringes on personal liberties?

"It is possible to send a large current down a phone line and wipe out an individual's computer. But can we do that? Is it right to do that? For instance, where is the line 'online' between civil disobedience and terrorism?"

Mr. Moritz points to an attempt by the New York-based Electronic Disturbance Theater to "block the entrance" of a number of sites in an effort to support the Zapatista movement in Mexico. When the EDT invited people to "sign" a petition that would attempt to overload the Pentagon's Web site and computers, the Pentagon fired back a Java software program that crashed the machine of the person who had signed the petition on the EDT site.

Another problem may be that while news media coverage is needed to raise awareness of cyber-terrorism, it could lead to bad decisionmaking, according to Glenn Buchan in his 1996 report for the Rand Corp., "Information War and the Air Force: Wave of the Future? Current Fad?"

"There needs to be constant discussion of what the situation is," Kushner says. "In the past, we knew who our enemies were. For instance, on the battlefield, they wore different uniforms than us. But if no one wore uniforms, we wouldn't know who was on our side or who to fight. What our technology has done is make us naked."

*Part 1 ran June 24. Part 3 next week will look at how cyber-criminals use the Internet to steal millions of dollars at a time.