(Usually I send my detailed comments only onto the IWS Limited List, but as the paper
is so interesting I make an exception. I like the paper, even though the definition of
Cyberterrorism is not the greatest one and I do not like the bit about the WWII as it
is too simplistic ('know thy military history'), but the rest is good. WEN.
Key sentence: '... but a brief review suggests that while many computer networks
remain very vulnerable to attack, few critical infrastructures are equally vulnerable.
...' as Scada systems & Co are usually not connected to the Internet.
'... A preliminary review of these factors suggests that computer network
vulnerabilities are an increasingly serious business problem but that their threat to
national security is overstated. Modern industrial societies are more robust than they
appear at first glance. Critical infrastructures, especially in large market
economies, are more distributed, diverse, redundant and self-healing than a cursory
assessment may suggest, rendering them less vulnerable to attack. In all cases, cyber
attacks are less effective and less disruptive than physical attacks. ...'
'Know thy military history'
It is annoying to see people mention examples in military history if they lack
knowledge and make mistakes:
The author looks at the Strategic Bombing Campaign during WWII, but unfortunately you
cannot really compare it to CNI attacks as even though the UK had a ministry for
economic warfare its advice was mostly ignored by Bomber Harris who preferred to
'flatten German cities' whilst the US urged the UK to attack the real Centre of
Gravity.
'... What the survey [.S. Strategic Bombing Survey, Summary Report (European War),
1945] found, however, is that industrial societies are impressively resilient.
Industrial production actually increased for two years under the bombing.'
It is always risky to quote such an old survey as they might 'slightly bias' -- the
Air Force wanted to make a business case for its bombers, ..., --especially if the
academic in question lacks a detailed knowledge of the German War Economy. (Instead of
reading a summary report I would recommend to read the 'The Effects of Strategic
Bombing on the German War Economy' report which was published a month later. It gives
a far more detailed overview. (Before someone asks, I do not have a url for it as I
got a copy of it, but I do have some old notes from a Defence Economics course which
focuses on economic warfare during WWII and two unpublished papers on the Nazi War
Economy. If someone wants them please email me)).
Another example:
'... Comparing aerial and cyber attacks on hydroelectric dams helps provide a measure
for cyber-threats. Early in World War II, the Royal Air Force mounted a daring attack
on dams in the Ruhr, a chief source of electrical power for German industry. The raid
was a success, the dams breached by bombs and, for a period of time, the electrical
supply in the region was disrupted. ...'
This attack was based on wrong intelligence. An argument was put forwarded by the UK
Ministry of Production (not the Ministry of Economic Warfare) that it would great
opportunity to stop German industrial production in the Ruhr as the dam provided the
electricity for those industries. Therefore without electricity German industry in the
Ruhr would be forced to stop. The Ministry of Economic Warfare (MEW) questioned the
assumptions on which this raid was based and concluded that the RAF might be able to
hit the dam, but in the end the Germans have other means to produce electricity, such
as coal fired plants to produce electricity. MEW was right and they said that worst
which will happen that there would be massive flooding below the dam, some productions
might be cut, but in the end the German will just compensate with coal fired plants.
Anyway back to cyberterrorism. Some good quotes from the paper:
Risk to National Security:
' ... However, from a strategic military perspective, attacks that do not degrade
national capabilities are not significant. From this perspective, if a cyber-attack
does not cause damage that rises above the threshold of the routine disruptions that
every economy experiences, it does not pose an immediate or significant risk to
national security.
It is particularly important to consider that in the larger context of economic
activity, water system failures, power outages, air traffic disruptions and other
cyber-terror scenarios are routine events that do not affect national security. On a
national level, where dozens or even hundreds of different systems provide critical
infrastructure services, failure is a routine occurrence at the system or regional
level, with service denied to customers for hours or days. ...'
Attack on CIP:
* Water
'... In the United States, the water supply infrastructure would be an elusive target
for cyber attack. There are 54,064 separate water systems in the U.S. Of these, 3,769
water systems serve eighty one percent of the population and 353 systems served
forty-four percent of the population. However, the uneven spread of diverse network
technologies complicates the terrorists’ task. Many of these water supply systems in
the U.S., even in large cities, continue to rely on technologies not easily disrupted
by network attacks. There have been cases in the U.S. when a community’s water
supply has been knocked out for days at a time (usually as a result of flooding), but
these have produced neither terror nor paralysis. ...'
*Power
'... A risk assessment by the Information Assurance Task Force of the National
Security Telecommunications Advisory Committee concluded “Physical destruction is
still the greatest threat facing the electric power infrastructure. Compared to this,
electronic intrusion represents an emerging, but still relatively minor, threat.”
...'
* Transportation (Air)
'... We are not yet at a stage where computer networks operate aircraft remotely, so
it is not possible for a cyber-attacker to take over an aircraft. Aircraft still carry
pilots who are trained to operate the plane in an emergency. Similarly, the Federal
Aviation Authority does not depend solely on computer networks to manage air traffic,
nor are its communications dependent on the Internet. The high level of human
involvement in the control and decision making process for air traffic reduces the
risk of any cyber attack. In a normal month storms, electrical failures and
programming glitches all ensure a consistently high level of disruption in air
traffic. Pilots and air traffic controllers are accustomed to unexpected disruptions
and have adapted their practices to minimize the effect. ...'
* Manufacturing:
'... Manufacturing and economic activity are increasingly dependent on computer
networks, and cyber crime and industrial espionage are new dangers for economic
activity. However, the evidence is mixed as to the vulnerability of manufacturing to
cyber attack. A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford
received 140,000 contaminated e-mail messages in three hours before it shut down its
network. E-mail service was disrupted for almost a week within the company. Yet, Ford
reported, “the rogue program appears to have caused only limited permanent damage.
None of its 114 factories stopped, according to the automaker. ...'
Terrorism
'.... An analysis of the risk of cyber terrorism is also complicated by the tendency
to initially attribute cyber events to military or terrorist efforts when their actual
source is civilian recreational hackers. ...'
'... While the press has reported that government officials are concerned over Al
Qaeda plans to use the Internet to wage cyber-terrorism, these stories often recycle
the same hypothetical scenarios previously attributed to foreign governments’
cyber-warfare efforts. The risk remains hypothetical but the antagonist has changed
from hostile states to groups like Al Qaeda. ...'
Cybercrime
'... Cyber crime is a serious and growing threat, but the risk to a nation-state in
deploying cyber-weapons against a potential opponent’s economy are probably too
great for any country to contemplate these measures. For example, writers in some of
China’s military journals speculated that cyber attacks could disable American
financial markets. The dilemma for this kind of attack is that China is as dependent
on the same financial markets as the United States, and could suffer even more from
disruption. ...'
Conclusion:
'... Much of the early analysis of cyber-threats and cyber security appears to have
“The Sky is Falling” as its theme. The sky is not falling, and cyber weapons seem
to be of limited value in attacking national power or intimidating citizens.
... To understand the vulnerability of critical infrastructures to cyber attack, we
would need for each target infrastructure a much more detailed assessment of
redundancy, normal rates of failure and response, the degree to which critical
functions are accessible from public networks and the level of human control,
monitoring and intervention in critical operations. This initial assessment suggests
that infrastructures in large industrial countries are resistant to cyber attack. ...
... Terrorists or foreign militaries may well launch cyber attacks, but they are
likely to be disappointed in the effect. Nations are more robust than the early
analysts of cyber-terrorism and cyber-warfare give them credit for, and cyber attacks
are less damaging than physical attacks. Digital Pearl Harbors are unlikely.
Infrastructure systems, because they have to deal with failure on a routine basis, are
also more flexible and responsive in restoring service than early analysts realized.
Cyber attacks, unless accompanied by a simultaneous physical attack that achieves
physical damage, are short lived and ineffective. However, if the risks of
cyber-terrorism and cyber-war are overstated, the risk of espionage and cyber crime
may be not be fully appreciated by many. ...'
**************************************************************************
Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats: James A.
Lewis
Center for Strategic and International Studies
December 2002
Full Report:
http://www.csis.org/tech/0211_lewis.pdf
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
