Cyber Terror
Jul 1, 2008 12:00 PM, By Michael Fickes
Two months before Russian tanks rolled into South Ossetia in Georgia, denial of service attacks began shutting down Web sites used by the Georgian government to communicate with citizens. Denial of Service (DOS) attacks use vast networks of computers to bombard servers with millions of messages. Eventually the servers shut down.
When accused of mounting the cyber attacks against Georgia, Russia denied involvement. The denial might have been credible had a physical attack not followed so soon on the heels of the DOS attacks.
More and more often, cyber attacks on government servers signal a physical attack in the offing.
And it's not always a military attack. Last year, for example, Estonia, another former Soviet Socialist Republic, removed a war memorial commemorating the bravery of Russian soldiers killed in World War II. Some Russians didn't like it, and they mounted a month-long offensive against Estonia that fired daily DOS barrages at government Web sites and shut them down.
When the attacks were in full swing, organized protest groups rioted in the city of Tallinn, where the memorial had stood.
Observers seem to believe that those involved were Russian citizens angered by Estonia's decision to remove the statue. As an act of revenge, they mounted a physical and cyber attack designed to unnerve an entire country. They succeeded.
The attack didn't shut down power grids, and hospitals didn't lose power. “It wasn't that kind of attack,” says Michael Maloof, chief technology officer with TriGeo Network Security in Post Falls, Idaho, who has studied the Estonian attack. “It was a denial-of-service attack, and technically the security people dealt with it effectively. But it did do what the attackers intended. It panicked government officials, who saw it as an act of war.”
Cyber terror is not science fiction or wild speculation. It is a risk recognized by the U.S. Congress in the enactment of the Federal Information Security Management Act or FISMA. The act orders the Office of Management and Budget (OMB) to establish information security policies for all federal agencies and to monitor compliance. FISMA also orders the National Institute of Standards and Technology (NIST) to develop standards and guidelines to enable federal agencies to demonstrate compliance with policies established by OMB.
If you think a successful cyber attack means little more than a day off from e-mail, consider the Aurora experiment conducted by the Idaho National Laboratory in March 2007 under the auspices of the Department of Homeland Security (DHS). In the test, computer experts from the lab went on-line and broke into the control programs of a demonstration power plant, took over a giant electric generator and caused it to blow up.
“The theory is that if there were a live power grid, downstream systems would have been damaged as well, possibly knocking systems off line,” Maloof says.
Those involved in the test were stunned to discover that a cyber attack could produce physical damage. In a report on CNN last September, Jean Meserve interviewed Scott Borg, director and chief economist with the U.S. Cyber Consequences Unit. Meserve set up a nightmare scenario for Borg to comment on:
What if a cyber attack on generating plants cut off power to a third of the country for three months?
At first, Borg said, it would be inconvenient: no lights, dysfunctional ATMs, no working gas pumps, no television, no Internet and no news about what was going on. By the third day, stores would run out of food and businesses running emergency generators would lose their power as the generators ran out of gas.
If the crisis lasted three months, Borg continued, it would cause damage equal to 40 or 50 large hurricanes striking all at once. The consequences would be worse than the Great Depression.
In fact, cyber attackers are already coming at the United States. In 2006, they went after the e-mail system and Web site of the Naval War College in Newport, R.I., presumably looking for sensitive information. When the Navy's Cyber Defense Operations Command discovered the attack, it had to unplug the system from the Internet. At least a half dozen other federal agencies, including the Defense Information Systems Agency, have reported attacks.
© 2008 Penton Media Inc.



