Last week Matt Franz, a reader, took me to task in a Tweet about a blog entry for mentioning ‘terrorism’ in a discussion about cyber security. He apparently felt that including terrorism sensationalized the discussion and made it less likely that the discussion would be taken seriously. I understand his point; there are not really that many people in the cyber security community who consider terrorism to be much of a threat in their realm.
Not a Terror Threat?
I think that there are generally three reasons for this point of view in the cyber security community. First, I know of no instance of a cyber attack that was related to terrorism. Many people with technical backgrounds are more comfortable basing predictions about future events on past history. The probabilistic tools that they routinely use in their technical lives rely on a history of past occurrences to predict the likelihood of future activity.
The second reason is that I think many people in the cyber security community equate terrorism with a certain lack of technical sophistication, assuming that terrorists would not have the technical expertise to effect a cyber attack. Part of this is due to equating terrorists with countries like Afghanistan and Somalia, where there is not a strong history of technical development.
Finally, I think that there is the cultural assumption that anyone with the technical expertise necessary to execute a cyber attack is part of the community and thus has a vested interest in maintaining the current political/social structure that terrorists are trying to tear down.
These points all rely on a misunderstanding of the historical reality of revolutionaries and terrorists. First, everyone must remember that most large terrorist organizations are at heart revolutionary movements. As such, they draw their leadership from the political and economic elites. While the revolutionary (or terrorist) foot soldiers may be little more than cannon fodder and are frequently poorly educated and economically disadvantaged, the leaders of the movements are almost always college educated and come from the societal ruling classes.
Al Qaeda is no exception. Bin Laden was trained as an engineer and came from one of the politically elite Saudi families. Petrochemical engineering and medicine are two very common backgrounds in the leadership of the organization.
Anyone who has spent any time on American university campuses across the country is well aware of the fact that we have a large number of people from countries all over the world coming to this country for a wide variety of technical training. That training certainly includes software engineering and programming. While many of these people stay in this country for their subsequent employment, many return home. It would be the height of arrogance to assume that none of these people join radical organizations.
Finally, we have seen numerous reports on the use of the internet as an organizing and recruitment tool by al Qaeda and its affiliates. While the production of web sites and the use of the internet do not require the same skills as hacking, it would be silly to assume that there are no members of these terrorist organizations with the skills necessary to become a hacker.
Tools for Sale
Finally, we must remember that the recent history of cyber security has been marked by the development and commercialization of exploit tools. While many of these tools are used primarily by security researchers and security vendors, many are generally available and can be used by personnel with much less technical expertise than required to develop the tools.
This further lowers the bar that protects chemical facilities against cyber attack and makes it easier for less organized terrorist groups, and even potential lone-wolf attackers, to execute a relatively sophisticated attack. As more and more vulnerabilities are found, publicized and weaponized, it will soon become apparent that a cyber attack is easier to execute successfully than trying to get past the physical defenses to place an IED or VBIED where it will do the most good.
Crooks and Competitors
Most cyber security experts expect that personal-glory hackers, crooks or even commercial competitors will be the more likely attackers exploiting control system vulnerabilities. And I certainly agree that these will be the more common exploiters of cyber security shortcomings. They don’t require spectacular public successes to gain from their attacks, whereas a terrorist gains nothing from a subtle attack. And subtle attacks are much easier to execute.
Interestingly, industry and government are much less concerned about the non-ideological attackers than they are about terrorists. Part of that is because, in our society, the private sector is responsible for protecting itself against crooks. The government will investigate, arrest and prosecute after a crime has been committed, but prevention is mainly an individual or corporate responsibility.
Industry, of course, loses regardless of who attacks them. So why aren’t they concerned about crooks and competitors attacking them? They just don’t understand, on the corporate gut level, how someone could gain from such attacks. Small business owners in high-crime areas understand, from personal experience, protection rackets and the dangers of paying danegeld. Large corporations, on the other hand, in the United States at least, have not been widely exposed to this problem.
Since one of the aims of this blog is to influence both corporate and government movers and shakers to take cyber security seriously, I will continue to emphasize the terrorist aspects of the threat; since I think that is a real threat, I have no moral qualms about that. I will also try to educate those same people about the more probable threat of cyber attack based on crime or competition.