Posted on 12/02/2001 11:11:49 AM PST by Jean S
Imagine an Osama bin Laden follower disrupting local water, power and telephone services from thousands of miles away without exploding a bomb or spreading deadly biological or chemical agents.
Impossible, you say? Not according to a growing number of academicians and technology experts who fear that terrorists can manipulate computers to wreak havoc in the United States.
It is feared that with a little technical expertise and the help of software available on the Internet, terrorists can disrupt a city's utilities, transportation systems, communications and hospitals by infiltrating computers that are not secure enough to fend off intruders.
Terry Savage, Nevada's Department of Information Technology director, said it is impossible to build a tamper-proof computer system.
"We have security systems in place, but we need to stay ahead of the criminals," Savage said. "These guys are developing new tools for intrusion all the time. Whenever computer defenses get developed, there are new offenses to counter them."
Computers have long been used by criminals to steal credit card information and other forms of personal identification, solicit money for fraudulent schemes, make sexual advances toward children or deface websites. But Dan Kuehl, a systems management professor at the National Defense University in Washington, said a cyberterrorist could do far more damage.
"I would be an idiot to suggest that a cyberterrorist could cause the same loss of life that we saw in New York City," Kuehl said. "But there's a possibility a cyberterrorist could make a terrorist event worse or slow the response to it.
"The terrorists of 9-11 made a big mistake by not interfering with the air traffic control system. The air traffic control system reacted quickly to the events."
At least one Sept. 11 hijacker, Mohamed Atta, was interested in computers. During repeated visits to Las Vegas this summer, Atta spent considerable time at CyberZone, 4440 S. Maryland Parkway, where customers can rent computer time. The FBI, which retrieved hard drives used by Atta, has not disclosed anything it may have learned.
There is mounting evidence, however, that terrorists are embracing computers as potential weapons. For example:
* Ramzi Yousef, who was convicted for the 1993 World Trade Center bombing, stored details of future terrorist plots on his laptop computer, including the planned bombing of 12 airliners.
* Nations such as Iraq, Libya, North Korea and Cuba are thought to be developing information warfare capabilities.
* A number of pro-Muslim hacker groups exist, and at least one, the Pakistan Hackerz Club, has already attacked Internet websites belonging to the Air Force and Energy Department. Anti-American hackers also exist in China.
* Last year there were more than 20,000 attempts to break into Defense Department computers, according to the Information Technology Association of America in Arlington, Va.
Computer system managers try to safeguard equipment and data by creating backup files and constructing fire walls to stop unwanted computer transmissions from doing damage.
But University of Kansas professor Gary Minden, who teaches courses on Internet security, said a cyberterrorist will attempt to circumvent those fire walls by searching for computers that are connected to cable modems or digital subscriber lines that enable high-speed Internet access.
"The threat is significant in that our computer systems are very fragile," Minden said. "Security is like a chain, and if you find the weakest link, you can break in."
For example, computer programs can automatically dial telephone numbers in numerical order until they make a connection, he said. That connection may be a computer.
"The problem is that a lot of people leave their computers on," Minden said. "There is a threat that someone could take over your computer and use it to attack someone else.
"They could hide their identity by getting lots of computers to attack the same place at the same time. That is called a denial-of-service attack. It would be like going to a fast-food restaurant with your friends, ordering the cheapest thing on the menu and taking up all the seats."
Savage said there are three major cyberthreats that concern computer system managers. One is from an intruder who gains access to information he is not supposed to have, such as another individual's personal records. The second, and more serious, is denial of service during which a computer system is unable to perform a function because of excessive traffic.
The most serious threat comes from a perpetrator who is able to destroy or alter data so that the computer is directed to perform abnormally.
"I know of no credible threats right now, but if you look at the cost of cyberterrorism compared to other terrorism, cyberterrorism is a lot cheaper to pull off," Savage said.
In 1999 Congress established an advisory panel to assess domestic response capabilities for terrorism involving weapons of mass destruction. The panel, lead by Virginia Gov. James Gilmore, urged Congress in October to improve the nation's security against cyberattacks.
The panel recommended formation of a federal "cybercourt" to prosecute computer-related crimes.
"There is a lack of complete understanding among many in the judiciary at large of the nature and urgency of cybersecurity," the panel wrote. "A court that is dedicated to criminal cyberconduct can develop the expertise to recognize and act more quickly in approving or disapproving special authority for investigative activities."
The Institute for Security Technology Studies at Dartmouth College in Hanover, N.H., a week after the Sept. 11 attacks, recommended that the nation remain on high cyberalert during the war on terrorism. The institute warned computer administrators to be particularly vigilant immediately after American and allied military strikes or covert operations.
But the Information Technology Association has complained that the government hasn't done enough to address computer security. President Harris Miller said that Rep. Steve Horn, R-Calif., one of the most computer-savvy members of Congress, has given federal agencies a failing grade for cybersecurity.
"The agencies are not being given the money by the Office of Management and Budget and by Congress because computer security has not been treated as a high priority," Miller said.
After Sept. 11, public and private data center managers were surveyed by AFCOM, an Orange, Calif., data managers association; its president is Las Vegas resident Leonard Eckhaus. One of the most startling findings was that only 53 percent of the more than 400 respondents said they had reviewed disaster recovery and backup data plans since Sept. 11.
"We were kind of surprised that so few had reviewed their plans," Eckhaus said.
Up until about two years ago, computer systems used by Nevada agencies had security holes that resembled "Swiss cheese," Savage said.
Although the state has made major strides over the past biennium -- including the ongoing mapping of the state's computer networks to identify security shortcomings -- there are still agencies with notable weaknesses, he said.
"It varies fairly widely from agency to agency," Savage said. "We're certainly not where I want to be, but there's also a trade-off between cost and security levels. One thing we're trying to encourage is for state workers to change passwords every couple of months instead of every couple of years. Some people have left their passwords on sticky notes that they leave on their computers."
Clark County last spring became the first local government agency in the country to participate in a pilot program with Carnegie Mellon University in Pittsburgh in which the county is continually monitoring potential threats to its computers.
Steve Chapin, the county's chief information officer, said he is considering the formation of a mutual-aid compact with other local governments that would enable them to share computer resources as a backup in case one is cyberattacked. Chapin said users of the county's 4,500 personal computers are encouraged to back up work daily if possible to guard against the loss of data.
"We try to keep up with whatever our virus servers tell us to do," Chapin said. "At this point we haven't had significant infections, and that reflects responsible management. But I think cyberterrorism is a legitimate subject. Evidence has shown that terrorists use computers, so I have to think they could disrupt economies. That's why it pays to be cautious."
Chapin said that whenever the county plans a major upgrade of its Internet website, it hires professional "hackers" to try to damage the new data.
"We're in the process of increasing much of our fire wall, and we're isolating ourselves from nonprotected computer networks," he said.
Southern Nevada utilities spokesmen also expressed confidence in the security measures their companies have taken to protect computers that run practically every facet of their operations. The Southern Nevada Water Authority, which uses computers to control everything from water distribution to the testing of chlorine levels, hired a contractor to try to breach its systems.
"We were very secure prior to the Sept. 11 incidents," Dick Wimmer, deputy general manager, said. "We're even more vigilant now. The place we worry about the most is the control of our water-distribution system, but the ability to access that from the outside is virtually impossible. We think we have an excellent fire wall in place."
Likewise, Bureau of Reclamation spokesman Bob Walsh of Boulder City said Hoover Dam is safe.
"It's something that we've been looking at for years, well before the recent events," Walsh said. "We're very comfortable with the protection we have from those types (cyber) of attacks."
Nevada Power Co. officials are also confident that its computers are secure, spokeswoman Andrea Smith said.
To aid in the battle against cybercrime, the attorney general's office has teamed with the FBI, Metro Police and other law-enforcement agencies to open a laboratory to investigate such crimes. The lab, expected to become operational in January, is in North Las Vegas at the Energy Department's National Nuclear Security Administration offices.
Tara Shepperson, executive director of the Nevada Cybercrime Task Force, said it is difficult to find qualified experts to investigate crimes involving computers. But she expressed hope that the lab will be a success.
"Our goal is to create a place where crimes involving the Internet and computers can be investigated," she said. "Crimes are being committed using technology, and we need to create a mechanism to fix that. The lab needs to be able to do more than each law enforcement agency or police department can do on its own."
Outer layers, connected to civilian life, are often vulnerable. If you look up a test done a few years back, dubbed "Eligible Receiver", the results may horrify you. Things will have gotten better since then, though.
But to give you an example. Suppose you have a mass of housing used only part-time, like on winter weekends. Many countries have that kind of thing. And in many countries they are on the electrical grid. Some of these countries have set up a service where you can control the heating by a phone call. Now, building an app to simply scan all those phones and turn on EVERYTHING is probably not a terrible challenge. You will of course need to break a pin, but mostly we're talking four digits I'd think. And the surge may be unpleasant enough, particularly if it hits at a time when consumption is at a high point.
Industrial computers are probably in many ways more secure than the mil stuff in many countries. Military planners, I think, have been under some pressure to let stovepiping slip in favour of doing things more "cost effectively" - that is, buying commercial bandwidth and capability. In itself that is a recipe for disaster, but again, I think the pendulum has started to swing the other way.
But anyway, network or no network, internet or no internet, a computer can be gotten at. A real hacker - one of the obsessives, not a script kiddie - you may find inside your installation one fine day, cool as a cucumber carting away 200 pounds of tech manuals and documentation. That actually happened at one place, several years ago :).
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.