(Usually I send my detailed comments only onto the IWS Limited List, but as the paper 
is so interesting I make an exception. I like the paper, even though the definition of 
Cyberterrorism is not the greatest one and I do not like the bit about the WWII as it 
is too simplistic ('know thy military history'), but the rest is good. WEN. 

Key sentence: '... but a brief review suggests that while many computer networks 
remain very vulnerable to attack, few critical infrastructures are equally vulnerable. 
...' as Scada systems & Co are usually not connected to the Internet.

'... A preliminary review of these factors suggests that computer network 
vulnerabilities are an increasingly serious business problem but that their threat to 
national security is overstated. Modern industrial societies are more robust than they 
appear at first glance. Critical infrastructures, especially in large market 
economies, are more distributed, diverse, redundant and self-healing than a cursory 
assessment may suggest, rendering them less vulnerable to attack. In all cases, cyber 
attacks are less effective and less disruptive than physical attacks. ...'

'Know thy military history'

It is annoying to see people mention examples in military history if they lack 
knowledge and make mistakes:

The author looks at the Strategic Bombing Campaign during WWII, but unfortunately you 
cannot really compare it to CNI attacks as even though the UK had a ministry for 
economic warfare its advice was mostly ignored by Bomber Harris who preferred to 
'flatten German cities' whilst the US urged the UK to attack the real Centre of 

'... What the survey [.S. Strategic Bombing Survey, Summary Report (European War), 
1945] found, however, is that industrial societies are impressively resilient. 
Industrial production actually increased for two years under the bombing.'

It is always risky to quote such an old survey as they might 'slightly bias' -- the 
Air Force wanted to make a business case for its bombers, ..., --especially if the 
academic in question lacks a detailed knowledge of the German War Economy. (Instead of 
reading a summary report I would recommend to read the 'The Effects of Strategic 
Bombing on the German War Economy' report which was published a month later. It gives 
a far more detailed overview. (Before someone asks, I do not have a url for it as I 
got a copy of it, but I do have some old notes from a Defence Economics course which 
focuses on economic warfare during WWII and two unpublished papers on the Nazi War 
Economy. If someone wants them please email me)).

Another example:

'... Comparing aerial and cyber attacks on hydroelectric dams helps provide a measure 
for cyber-threats. Early in World War II, the Royal Air Force mounted a daring attack 
on dams in the Ruhr, a chief source of electrical power for German industry. The raid 
was a success, the dams breached by bombs and, for a period of time, the electrical 
supply in the region was disrupted. ...'

This attack was based on wrong intelligence. An argument was put forwarded by the UK 
Ministry of Production (not the Ministry of Economic Warfare) that it would great 
opportunity to stop German industrial production in the Ruhr as the dam provided the 
electricity for those industries. Therefore without electricity German industry in the 
Ruhr would be forced to stop. The Ministry of Economic Warfare (MEW) questioned the 
assumptions on which this raid was based and concluded that the RAF might be able to 
hit the dam, but in the end the Germans have other means to produce electricity, such 
as coal fired plants to produce electricity. MEW was right and they said that worst 
which will happen that there would be massive flooding below the dam, some productions 
might be cut, but in the end the German will just compensate with coal fired plants. 

Anyway back to cyberterrorism. Some good quotes from the paper:

Risk to National Security:

' ... However, from a strategic military perspective, attacks that do not degrade 
national capabilities are not significant. From this perspective, if a cyber-attack 
does not cause damage that rises above the threshold of the routine disruptions that 
every economy experiences, it does not pose an immediate or significant risk to 
national security.

It is particularly important to consider that in the larger context of economic 
activity, water system failures, power outages, air traffic disruptions and other 
cyber-terror scenarios are routine events that do not affect national security. On a 
national level, where dozens or even hundreds of different systems provide critical 
infrastructure services, failure is a routine occurrence at the system or regional 
level, with service denied to customers for hours or days. ...'

Attack on CIP:

* Water

'... In the United States, the water supply infrastructure would be an elusive target 
for cyber attack. There are 54,064 separate water systems in the U.S. Of these, 3,769 
water systems serve eighty one percent of the population and 353 systems served 
forty-four percent of the population. However, the uneven spread of diverse network 
technologies complicates the terrorists’ task. Many of these water supply systems in 
the U.S., even in large cities, continue to rely on technologies not easily disrupted 
by network attacks. There have been cases in the U.S. when a community’s water 
supply has been knocked out for days at a time (usually as a result of flooding), but 
these have produced neither terror nor paralysis. ...'


'... A risk assessment by the Information Assurance Task Force of the National 
Security Telecommunications Advisory Committee concluded “Physical destruction is 
still the greatest threat facing the electric power infrastructure. Compared to this, 
electronic intrusion represents an emerging, but still relatively minor, threat.” 

* Transportation (Air)

'... We are not yet at a stage where computer networks operate aircraft remotely, so 
it is not possible for a cyber-attacker to take over an aircraft. Aircraft still carry 
pilots who are trained to operate the plane in an emergency. Similarly, the Federal 
Aviation Authority does not depend solely on computer networks to manage air traffic, 
nor are its communications dependent on the Internet. The high level of human 
involvement in the control and decision making process for air traffic reduces the 
risk of any cyber attack. In a normal month storms, electrical failures and 
programming glitches all ensure a consistently high level of disruption in air 
traffic. Pilots and air traffic controllers are accustomed to unexpected disruptions 
and have adapted their practices to minimize the effect. ...'

* Manufacturing:

'... Manufacturing and economic activity are increasingly dependent on computer 
networks, and cyber crime and industrial espionage are new dangers for economic 
activity. However, the evidence is mixed as to the vulnerability of manufacturing to 
cyber attack. A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford 
received 140,000 contaminated e-mail messages in three hours before it shut down its 
network. E-mail service was disrupted for almost a week within the company. Yet, Ford 
reported, “the rogue program appears to have caused only limited permanent damage. 
None of its 114 factories stopped, according to the automaker. ...'


'.... An analysis of the risk of cyber terrorism is also complicated by the tendency 
to initially attribute cyber events to military or terrorist efforts when their actual 
source is civilian recreational hackers. ...'

'... While the press has reported that government officials are concerned over Al 
Qaeda plans to use the Internet to wage cyber-terrorism, these stories often recycle 
the same hypothetical scenarios previously attributed to foreign governments’ 
cyber-warfare efforts. The risk remains hypothetical but the antagonist has changed 
from hostile states to groups like Al Qaeda. ...'


'... Cyber crime is a serious and growing threat, but the risk to a nation-state in 
deploying cyber-weapons against a potential opponent’s economy are probably too 
great for any country to contemplate these measures. For example, writers in some of 
China’s military journals speculated that cyber attacks could disable American 
financial markets. The dilemma for this kind of attack is that China is as dependent 
on the same financial markets as the United States, and could suffer even more from 
disruption. ...'


'... Much of the early analysis of cyber-threats and cyber security appears to have 
“The Sky is Falling” as its theme. The sky is not falling, and cyber weapons seem 
to be of limited value in attacking national power or intimidating citizens. 

... To understand the vulnerability of critical infrastructures to cyber attack, we 
would need for each target infrastructure a much more detailed assessment of 
redundancy, normal rates of failure and response, the degree to which critical 
functions are accessible from public networks and the level of human control, 
monitoring and intervention in critical operations. This initial assessment suggests 
that infrastructures in large industrial countries are resistant to cyber attack.  ...

... Terrorists or foreign militaries may well launch cyber attacks, but they are 
likely to be disappointed in the effect. Nations are more robust than the early 
analysts of cyber-terrorism and cyber-warfare give them credit for, and cyber attacks 
are less damaging than physical attacks. Digital Pearl Harbors are unlikely. 
Infrastructure systems, because they have to deal with failure on a routine basis, are 
also more flexible and responsive in restoring service than early analysts realized. 
Cyber attacks, unless accompanied by a simultaneous physical attack that achieves 
physical damage, are short lived and ineffective. However, if the risks of 
cyber-terrorism and cyber-war are overstated, the risk of espionage and cyber crime 
may be not be fully appreciated by many. ...'


Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats: James A. 

Center for Strategic and International Studies
December 2002

Full Report: 


IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to