CSO — "Traditional terrorism refers to violent acts that indiscriminately target civilians," says Jon Iadonisi, former Navy SEAL, cyber security expert and co-founder, White Canvas Group. Traditional terrorists are largely interested in achieving or thwarting political or ideological goals in the process. "Cyberterrorism invokes the specific use of computer networks to induce violence against innocent civilians," says Iadonisi.
Lloyd's of London affirms the occurrence and rising risk of physical danger from cyberterrorist attacks. But, as the risks increase, the law is not rising to the occasion to prosecute these terrorists.
"We have a growing criminal body [cyberterrorists] that has technically outmaneuvered federal prosecutors," says Iadonisi. The cyberterrorism landscape is exposing federal judges to cases they are unable to prosecute. "When you look at the evidentiary support and try to prove guilt, you realize there is no existing statute," says Iadonisi.
This leaves CSOs and CISOs with technical and policy solutions for the cyberterrorism challenge.
Cyberterrorism events point to risks
Increasing occurrences demonstrate the risk of cyberterrorism. In 2010, the Stuxnet worm attacked Iran's Natanz nuclear facility in a probable attempt to halt Iran's uranium enrichment program by disabling its nuclear centrifuges, according to Charles Tendell, CISSP, C|EH, cyber security expert for the U.S. military. Stuxnet creators designed the worm to take out Siemens industrial control (SCADA) systems of the type that the Natanz nuclear facility employed. Stuxnet accomplished this using a rootkit for programmable logic controllers.
"The Stuxnet authors used 4 zero-day exploits cleverly integrated in such a way as to resemble non-alarming Windows files. Instead of bypassing common anti-virus protocols, the authors designed Stuxnet to gain acceptance as an innocuous set of files and later spawn exploits from within the trusted enclave," says Iadonisi. The complexity of the Stuxnet code was such that it had over 15,000 lines of code with a low bug-per-1000 lines ratio--something that required very talented software engineers, according to Iadonisi.
While cyber security experts have suggested that the U.S. and Israel had the resources to create Stuxnet, famous NSA whistle-blower Edward Snowden has openly proclaimed that their collaboration on the worm is a fact, according to Tendell.
In 2012, the Shamoon virus attacked Saudi Aramco in an attempt to disrupt oil operations. The virus erased approximately 30,000 computer hard drives throughout the company, rendering them useless. Numerous experts who examined the code found that the Shamoon virus included evidence of anti-American sentiment such as an image of a burning U.S. flag, according to Iadonisi.
"The elements of the Saudi Aramco attack denote a textbook cyberterrorism example--a politically motivated (anti-US) organization attacking a civilian infrastructure with the intent to cause an O & G disaster," says Iadonisi. The political / hacktivist movement the Cutting Sword of Justice claimed responsibility for the attack.
"Over the course of 2013, we saw a record number of hackers probing nuclear power facilities, dams and critical infrastructures in the U.S.," says Tendell. Because the U.S. government often classifies these attacks as national security threats, it keeps the number of attacks secret. So, the count is likely higher than even Tendell knows. "If you want to get an idea of how many probes there are," says Tendell, "ask a corporate network security analyst what their firewall and intrusion detection systems look like on a daily basis."
Near-term risks
In the near term, utilities and critical infrastructure are becoming more mainstream as targets of cyberterrorism. "The value of these targets is higher now that more institutions, organizations and governments are including cyber-attacks in real-world battlefield tactics," says Tendell. Authorities are readily able to link many attacks to government-funded hacktivist groups. In some cases, the very organizations tasked by governments will "out" their government sponsor when and if they are caught. "It's the old 'I-was-just-following-orders' excuse," says Tendell.
In the next few years, with U.S. legislation providing for increasing government regulation of critical infrastructure facilities, according to Tendell, the government may have mitigated the risk. But, even if regulation is enough to protect those assets, cyberterrorists could still seek out other targets.
Many local governments and local departments of transportation (DoT) are not very secure. This leaves local traffic targets open to attack. "Many local DoT still use outdated connection and management tools such as telnet and open web access portals that could be vulnerable to SQL Injection and attacks that weren't around when the systems came online," says Tendell. Imagine the chaos should city street lights fall under the control of cyberterrorists.
CSOs and CISOs thinking their enterprise is not at risk should remember that once unleashed, the same worms and viruses that cyberterrorists use on their intended targets can spread to other organizations.
Readiness in a time of cyberterrorism
CSOs and CISOs should know that customary corporate security cannot address the methods cyberterrorists use to perpetrate the majority of cyber-attacks. "They are not attacking your firewall. They are not attacking your DMZ. They are looking for social engineering routes, social media routes, email routes and phishing routes. They are looking to drop a flash drive somewhere and get someone to plug it in," says Tendell. Cyberterrorists are looking for any means to get an unwitting co-conspirator to open up a channel and give them permission to come in.
The biggest vulnerability might be the help desk. Anyone can call the help desk and attempt to solicit new information about the network. If the enterprise does not train those people to understand that, they might give that data out. "That information might actually lend to cyberterrorists bringing down the entire network," says Iadonisi.
The best practice for securing the enterprise against a broadening cyberterrorism landscape is to step up employee and contractor security training. "You can have a moat around your facility but if your employees and contractors don't understand your security practices, they can become insider threats or allow threats into your facility, either virtually or physically," says Tendell.
CSOs need to have their people take a step back and analyze threats in a holistic manner. Using an example from a consultation, Iadonisi illustrates how to do exactly that: "A Fortune 250 CSO asked me, saying, 'I manage 25,000 computers around the globe. How do I even begin to broach the subject of cyberterrorism?' I responded with a scenario with three different ongoing events."
In that scenario, the enterprise experiences a cyber-event where terrorists are probing the network they want to hack. Simultaneously, the enterprise's C-level's kids have been receiving strange friend requests on Facebook. At the same time, people are organizing protests in front of a couple of the enterprise's stores.
Typically, a company would look at that scenario and send the physical security team to take care of the protest. They would send the marketing team or the security people to take care of the Facebook issue, and they would send IT to take care of the attacks. But, they would view it as three unrelated incidents. "I go in and train people to understand that in many cases these events are interrelated. For the first time, the separate enterprise teams work together. That's what I told the CSO," says Iadonisi.
Further resources for CSOs and CISOs who want to dig deeper into cyberterrorism include security blogs such as Krebs on Security and Dark Reading and organizations such as the SANS Institute. "Form alliances with people who can feed you the appropriate information. Get involved in LinkedIn groups and in forums dedicated to these issues," says Tendell.