Michael Vatis is currently a partner in the law firm Steptoe & Johnson LLP. He served as Executive Director of the Markle Foundation Task Force on National Security in the Information Age. From 2001 to 2003, he was the Director of the Institute for Security Technology Studies at Dartmouth College.
The Challenge of Cyber Attacks
The global nature of the Internet and telecommunications networks means that cyber attacks can be launched from anywhere in the world, at low cost, and with incredible speed. With current technology, it is nearly impossible to predict in advance when an attack may begin. There is no longer the luxury of the Cold War's 20-minute window between the launch and the landing of a nuclear-tipped intercontinental ballistic missile. Cyber attacks therefore require swift responses and effective cooperation with international counterparts to detect and respond to an attack after it is underway.
Because cyber attacks are easy and cheap to carry out—requiring only a laptop and an Internet connection—the barrier to entry is low. That means almost anyone with a modicum of technological sophistication can carry out some form of attack—ranging from teenage hackers and virus writers to terrorist groups and nation-states. The capability of an attacker to cause damage depends mainly on his level of technological skill and the defenses implemented by his chosen target.
The motivations for attack can vary widely: attackers range from hackers bent on proving their skills to others in the hacking community, to criminals stealing credit card numbers, to extortion rings, to foreign intelligence services stealing military secrets, to terrorists or foreign armies wanting to cause widespread damage to the US economy and its capacity to project military power abroad.
The press and the general public have typically focused their attention on the most common, or at least the most visible, forms of cyber attacks. In the early and mid-1990s, that normally meant teenagers who broke into computers or defaced websites for “bragging rights” in the hacker community. In the late 1990s, virus writers unleashed fast-spreading viruses that temporarily disrupted corporate networks and personal computers, earning front-page headlines. Today, the focus is on identity thieves, some of whom break into the computers of universities, merchants, and other entities to steal credit card numbers, bank account information, and other useful personal information.
While these types of crimes are serious, they pale in comparison to the attacks that terrorists or foreign nation-states could execute.
Cyber Terrorism
People often use the term “cyber terrorism” far too broadly, to refer to any sort of cyber attack, regardless of the motivation or identity of the attacker. In keeping with the US government’s general definition of terrorism, I define cyber terrorism more narrowly as computer-to-computer attacks intended to cause significant damage in order to coerce or intimidate a government or civilian population.
To date, the United States has not seen significant instances of true cyber terrorism. Some people have taken the lack of precedent as proof that terrorists are not interested in such attacks and would prefer to continue engaging in bombings and other physical attacks that cause visceral fear and bloodshed. But that sort of thinking is similar to the pre-September 11 notion that terrorists would hijack airplanes only to hold the passengers hostage or fly to Cuba. The relevant question is not whether we have seen the method of attack before. The question is whether terrorists have the means and the motivation to use the method now or in the future. For cyber attacks, the answer to both is yes.
The means: terrorists are known to use information technology and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely. Sympathizers of terrorists, in only loosely organized efforts, have often called for and occasionally carried out attacks on websites or communications links of governments or entities. In 2002, the US Federal Bureau of Investigation (FBI) received reports that Al Qaeda agents had probed government websites that contain information about nuclear power plants and other critical infrastructure. The Washington Post also reported in 2002 that browser logs of suspected Al Qaeda operatives revealed that they spent significant amounts of time on websites featuring hacking tools and other programs that facilitate cyber attacks. The means to execute a cyber attack exist.
The motivation: while terrorists may prefer attacks that cause blood and gore, physical and cyber attacks are not mutually exclusive. Osama bin Laden has spoken about his desire to use advanced technology to attack the West and its economy. Other Al Qaeda members or sympathizers also have occasionally talked of their desire to engage in cyber attacks. Now that we see Al Qaeda morphing into a loose coalition of like-minded but disparate groups and individuals spread around the world, it would seem more likely that cells would launch a broader array of attacks, including cyber attacks.
It would appear, then, that a cyber terror attack is the other shoe that has not yet dropped. Given the frequency with which other types of damaging attacks take place, a cyber terror attack seems inevitable.
Cyber Espionage
Foreign intelligence services have been using cyber tools as part of their information gathering and espionage tradecraft for at least 20 years. Between 1986 and 1989, for example, a ring of West German hackers penetrated numerous military, scientific, and industry computers in the United States, Western Europe, and Japan, stealing passwords, programs, and other information that they sold to the Soviet Union’s KGB. And in the last few years, the US government has experienced widespread intrusions into government systems in which unclassified but sensitive research information was stolen. Although the US government has not confirmed that these intrusions were state-sponsored, the attacks were traced back to Russia and China, at least suggesting the possibility of foreign espionage.
Of course, the US government is unlikely to announce what it knows about foreign espionage, preferring to engage in counterintelligence efforts to trace the intrusions, learn about the intruder’s methods and purpose, and contain the damage or plant misinformation. More worrisome is what the government does not know.
Given the weaknesses in US government agencies’ defenses and their ability to detect sophisticated attacks, it would be naïve to believe that the US government is aware of everything that is happening in its information networks. If it takes months for an agency like the US Veterans Administration to know that it lost a laptop with personal data of active and retired military personnel, imagine how long a sophisticated intruder—who gains access to a network, disguises his location, and erases network logs and other indications of his activities—could escape notice inside a government computer system.