A Most Dangerous Link

By Colonel Steven P. Bucci, U.S. Army (Retired)

The Most Dangerous

In the range of possible threats, an attack by another nation is easy to understand and resonates most readily. Developed nations, acting as peer competitors, are the most dangerous potential cyber threat. Even some weak nations can develop an asymmetric cyber capability.

Nations are capable because they possess power of many varieties, hard and soft, including military, economic, industrial bases, and scale of assets. They can marshal intellectual capital to develop cyber armies: large numbers of operators with the best equipment, skilled at developing and using ever-evolving forms of attack. Cyber warriors can be used to facilitate conventional intelligence, signals, and mobility assets, making them even more effective, or conventional assets can be used to enhance the effect of cyber events. Some nations can also use their considerable coercive powers to harness civilian assets that fall outside the public sector. This can be done by requiring active or passive collusion with the government or by manipulating public sentiment to stir patriotic fervor while providing guidance (i.e., targeting) and tools to the faithful. This complicates attribution and gives governments some degree of cover.[2]

Nation-state threats come in two groups. The first is a full-scale cyber attack. The closest example of this was the assault made on Estonia in 2007. There, the highly developed network of a small country was temporarily brought to its knees. Portrayed by some as a simple display of public outrage over the moving of a statue, most felt there was more going on and that a government hand was at play. Former Chairman of the Joint Chiefs of Staff, retired Marine Corps General Peter Pace, stated that more than 1 million computers from over 70 countries were used in this event.[3]

The other possibility is the cyber-supported kinetic attack. To date, only the 2008 assault on Georgia fits this category. Georgia was not as cyber-dependent as was Estonia, but the assault that preceded the Russian military's ground attack into disputed Ossetia severely hindered Georgia's response. In his 29 May 2009 Cyber Review, President Barack Obama cited this as the future of warfare. This assessment was supported by the U.S. Cyber Consequences Unit report analyzing the Georgian campaign.[4] General Pace described it this way:

[T]heir "cyber special operations forces" isolated the president by disabling all his cyber connectivity, then their "cyber air force" carpet bombed the entire national network, and finally their "cyber Delta Force" infiltrated and rewrote code that kept their network from working correctly even after it was brought back up. It was a highly sophisticated attack.[5]

In an interesting twist, there has been one known defensive use of cyber attack. During the Israeli Defense Force's incursion into Gaza at the beginning of 2009, a massive distributed denial of service attack was launched against numerous Israeli networks. It did not hinder the incursion, but it did give the Israeli government a jolt, given its dependence on cyber means for communicating internally.[6]

Today's cyber espionage or probing of defenses can, in the blink of an eye, be turned into a massive attack on the infrastructure of an adversary. Georgia in particular demonstrated that cyber attacks could be used to disable defenses and blind intelligence capabilities in preparation for a kinetic strike. These methods can slow defensive reactions by clouding the operational picture or fouling communications. Such an attack could bring down key command and control nodes, paralyzing any response. It can also hinder the ability to rally consequence-management assets. Continued intrusions will not only keep victims from striking back with any real effect, but may make them ineffectual in mobilizing their first-responder forces at home.[7]

Such a large-scale attack across the territory of a target country can only come from a nation. Fortunately, that is not very likely because of old-fashioned deterrence. In the same way our cyber and physical infrastructures make us vulnerable to this scenario, those capabilities and kinetic forces used in the attack are also targets, as is the remainder of the attacker's infrastructure.

Additional Cyber Threats

Lower-level threats can be directed at an individual, a company, a government agency, or a nation. The same techniques are used to exploit a lazy home computer user, an inefficient corporate information technology system, or a weak national infrastructure defense.

The lowest danger is the individual hacker. He operates for personal benefit (pride or financial gain) and constitutes an annoyance. The hacker category also includes small groups who write malware, sometimes called "hacktivists," who attack small organizations because of personal or political grievances. Also at the low end are small criminal enterprises. They operate Internet scams and bilk people out of personal information.

Four threats can be considered medium level: terrorist use of the Internet, espionage, organized crime, and terrorist attacks. The first three, which occur regularly and define the ongoing significant threats faced each day, can have extremely detrimental effects on a person, business, government, or region. The fourth is an emerging threat, which combines two existing threats.

Cyber crime is a booming business that began as an offshoot of individual hackers and has grown into a huge and expanding industry that steals, cheats, and extorts the equivalent of billions of dollars. Whether it is a simple scam to get the gullible to give up money and allow access to accounts, or sophisticated technical means of harvesting mass amounts of data, cyber crime is motivated by money. Perhaps the most lucrative target today is commercial data. This goes well beyond personal identity and financial information. Infiltrating businesses and stealing industrial secrets, pharmaceutical formulas, and like data can reap huge profits.

Latin American utility facilities are reportedly having their supervisory control and data acquisition systems hacked and seized by criminals. Attackers have threatened to shut down a facility or cause accidents for which the owners would be liable if the attackers were not paid enormous sums. The seriousness of the threats is unknown, as in each case the ransom was paid.

The most interesting and frightening criminal threat is the rise of botnets, networks of software robots. Crime syndicates may not command an entire nation of computers, but they have developed worldwide networks of computers controlled without their owners' awareness. These zombie networks serve their criminal masters without question or hesitation for distributed denial of service attacks, phishing, and malware distribution. They are also rented out for cash. This is the origin of a new and very dangerous potential.

The so-called Korean virus attacks in July 2009 were actually more akin to this type of scenario than to the previously noted nation attacks. The perpetrators used a virus to build a spontaneous botnet specifically for this set of attacks. The same code that captured the zombies also gave the commands regarding what and when to attack. While this situation has been dismissed by some as little more than a spam-like annoyance, we should take note of a few key aspects. Although several U.S. entities, including DOD and the White House, fended off these attacks easily, others fared less well. Several organizations were down for days. The government weathered this event passably, but the unevenness of success is troubling. We have yet to achieve a consistent level of cyber protection, and this creates gaps and seams that can easily be exploited by sophisticated adversaries. It should not be dismissed, but should be yet another wake-up call.[8]

Present Terrorist Use

Major terrorist organizations such as al Qaeda have yet to fully exploit the cyber realm, having proven to be limited in their understanding of the medium's potential. This will not last. Terrorists use the Internet extensively, but so far not for offensive operations. Intelligence and law enforcement agencies agree that terrorists have been limited to communications, propaganda, fund-raising and money transfers, recruitment, and intelligence.

Since the National Security Agency's capabilities for tracking communications became public knowledge during the trial of the first World Trade Center bombers, terrorists have worried about operational security. The security of the Internet is very attractive to them. The anonymity and difficulty of tracing interactions in restricted, password-protected chat rooms and the use of encrypted e-mail give terrorists a much greater degree of operational security than other means of communication.

Clearly, the terrorists are good and getting better at using the Internet for propaganda and fund-raising. The increasing sophistication of their messaging shows an understanding of the potential of the cyber medium. Internet messaging keeps the most geographically isolated spokesperson prominent and relevant in the minds of the mass audience. The reach and timeliness of the net cannot be matched by other communication means and greatly aid in their fund-raising efforts among dispersed people.

These same characteristics apply to their recruitment programs. Individual radicalization, which has always been a vulnerable point for terrorist organizations, no longer has to take place in person. These efforts can be greatly enhanced by cyber communication and instruction, and can in some cases replace face-to-face contact.

The tendency of Western countries to post nearly everything there is to know about critical infrastructures on unsecured Web sites is a great boon to the terrorists and requires no more expertise than an ability to use rudimentary search engines that children have mastered. Google Earth and other similar free programs provide street-view photos of potential targets, as well as excellent route and obstacle information.

The Most Likely Major Threat

Terrorists need mentors to reach the next level of cyber operations. Unfortunately, they can easily reach out to cyber criminals where they will find willing partners.

The West has a huge number of intelligence and law enforcement assets dedicated to stopping the proliferation of weapons of mass destruction, and many arrests have been made of those attempting to traffic in WMD or materials. Any movement of related devices or materials will sound the alarm across the world. No similar watchdog systems are in place to prevent the proliferation of cyber capabilities.

Terrorists could develop their own cyber assets. They can find a number of highly educated, intelligent, computer-literate people in agreement with their cause who can be trained to develop code, write malware, and hack as well as anyone. They cannot, however, develop in a timely manner the kind of large-scale operational capabilities that a nation possesses. This economy of scale is what they need to make a truly effective cyber assault on the West.

Two points negate the economy-of-scale hindrance. First, they need not attack an entire nation to achieve success. While they desire to create a large event, it does not necessarily need to be as extensive as a full nation-state attack. As long as it is effective and gains worldwide attention, it will be a victory. Second, with abundant funds and potential access to more, the criminal option is accessible, giving the terrorists an extraordinarily destructive capability.

Should a terrorist group use its wealth to hire cyber criminal botnets, we would have a strategic-level problem. A terrorist group so equipped could begin to overwhelm the cyber defenses of a specific corporation, single government organization, or a particular infrastructure sector, and do tremendous damage. They could destroy or corrupt vital data in the financial sector or cripple communications over a wide area to spread panic and uncertainty.

Similar to the nation-state attack scenarios, terrorists could use botnet-driven denial of service attacks to blind security forces at a border crossing point as a means of facilitating an infiltration operation, or use a cyber attack in one area of a country to act as a diversion so a conventional kinetic terrorist attack can occur elsewhere. They could even conduct supervisory control and data acquisition attacks on specific sites and use the control system to create kinetic-like effects without the kinetic component. A good example would be to open the valves at a chemical plant near a population center, creating a Bhopal-like event. The permutations are as endless as one's imagination.

A Deadly Combination

The capability of terrorist leaders to think outside the proverbial box is one of their biggest strengths. They will adapt to this new area as they are forced in that direction by the successes of our intelligence and law enforcement elements. Imagine the operational elegance of simply hitting the return key and seeing thousands of enemies die a continent away, or watching a bank shut down because of the destruction of all its data by an unknown force. Additionally, the combination of cyber methods and kinetic strikes will increase the effectiveness of their efforts.

Criminals, for their part, are motivated by greed. Few leaders of the cyber-organized crime world would hesitate to sell their capabilities to a terrorist loaded with hard currency. That, combined with the ever-growing terrorist awareness of cyber vulnerabilities, makes this set of scenarios not just highly likely, but close to inevitable.

As a harbinger of this future, there were many similarities between the techniques used in the attacks on Estonia and those used in the counterattacks during the Gaza incursion. Some have speculated that perhaps Hamas or Hezbollah had hired the same East European criminal botnets that had been used in Estonia. If this is the case, we are farther down this road than we know and already at risk. The highly developed and capable cyber criminal organizations' desire for money and the terrorists' wealth and need for help to develop their capabilities make a highly explosive mix.

The threat of a full nation-state attack, either cyber-only or cyber-enabled kinetic, is our most dangerous threat. We pray deterrence will continue to hold and should take all measures to shore it up. Terrorists will never be deterred. They will continue to seek ways to harm us and will join hands with the criminal element to do so. A terrorist attack bolstered by cyber-crime capabilities will be the most likely major homeland security event that will confront America.

1. John Bumgarner and Scott Borg, The USCCU Report on the Georgian Cyber Campaign, U.S. Cyber Consequences Unit, August 2009.

2. Ibid.

3. GEN Peter Pace, U.S. Marine Corps (Retired), in discussions with IBM officials, May 2009.

4. Bumgarner and Borg, The USCCU Report.

5. GEN Peter Pace, Discussions with IBM officials.

6. www.PressTV.ir, 2 January 2009.

7. Bumgarner and Borg, The USCCU Report.

8. Siobhan Gorman and Evan Ranstad, "Cyber Blitz hits US and Korea," www.WSJ-online/tech.com, 9 July 2009.

Dr. Bucci is IBM's Issue Lead for Cyber Security Programs and a part of the Global Leadership Initiative, the in-house think tank for public-sector practice. He most recently served as Deputy Assistant Secretary of Defense, Homeland Defense and Defense Support to Civil Authorities.
