This post will end with a ten minute and forty second video that is both the best detective story and the scariest homeland security movie I have seen in years.
But first, the set up….
Is there such a thing as cyber terrorism?
I understand there’s something called cyber warfare. And cyber crime. And cyber security. But what about cyber terrorism?
And if there is something called cyber terrorism, has the US been attacked by cyber terrorists? Or maybe that question should be: have terrorists attacked the US with cyber weapons? And if not, could they? Will they?
Experts cannot agree whether cyber terrorism is real or even if it is a useful concept.
I have one colleague who claims that no one in the United States has been killed by cyber terrorism. He says maybe it’s not a valid homeland security threat.
I have another friend who teaches a course on homeland security threats. He says nations attack nations with cyber weapons. Non-state actors don’t use cyber weapons. So in the homeland security threat spectrum, he says, cyber is more about sound than significance.
Former DHS Secretary Chertoff sort of disagrees.
He devotes Chapter 8 to cybersecurity in his book “Homeland Security: Assessing the First Five Years.” He underscored that concern in his March 2 appearance with the other two DHS secretaries:
“We’ve seen some very dramatic, publicized attacks, not terrorism so much as espionage and things of that sort. But that is going to become an increasing area of concern for the Department.”
Secretary Napolitano agreed with Chertoff:
… I think cyber will be an ever-evolving area. And the problem with cyber is, almost by the time you’re talking about something, they’re onto the next thing. I mean, it is really a fast-moving field. And, quite frankly, probably none of us on this stage are as good at understanding it as somebody who’s 20 years old and who’s grown up with the computer just as part of life.
The US has a cyber incident annex to the National Response Plan. I think that was updated in September of 2010 with an Interim Version of the National Cyber Incident Response Plan. I believe that is meant to serve as part of the National Response Framework. But I’m not sure. Cyber security (i.e., cyber crime, cyber warfare, cyber terrorism) is yet another homeland security issue area I know very little about.
The gap in my knowledge was brought to my attention again this weekend when I saw news stories about something called “LizaMoon.” [see here or here for probably more than you want to know about LizaMoon].
As I understand it, LizaMoon is a small piece of computer code that places itself into certain websites; when someone goes to that website, they see a message (and the resulting screen drama) that tries to convince the user the computer they are using is infected. Liza then offers to clean the computer and the trouble expands.
I don’t know if this is a big deal or not. Some reports say over a million websites were infected. Is that a lot? Other reports (like this one) say it’s not that big of a deal.
Also this weekend, I learned that a firm called Epsilon had (according to its press release):
“…an incident … where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”
Translated into numbers, “a subset of Epsilon clients” could be several million people.
Perhaps you got an email message today from Hilton, or Target, or Best Buy, or Capital One, or LL Bean, or Walgreens or another Epsilon client that basically said, “Don’t worry; nothing bad happened.”
These were two fairly well publicized cyber incidents over a weekend that included at least the cusp of April Fool’s day. Maybe I’m overly sensitive to these kinds of incidents since some of my web presence was hacked in December. It wasn’t terrorism. But it was disturbing.
Are cyber “attacks” something an inquiring homeland security mind should be concerned about? I use that word in quotes because I know there are thousands of cyber incursions every day. How should one even start to think about this cyber stuff?
I went to three government sites that, I thought, would help me frame and understand these incidents: IT-ISAC: The Information Technology Information Sharing and Analysis Center, MS-ISAC: The Multi-State Sharing and Analysis Center, and US-CERT: the United States Computer Emergency Readiness Team.
I thought they might have some information about what I figured might be fairly significant incidents. But if they did, I missed it.
I went back to the sites several times over the weekend, and saw no information about LizaMoon or Epsilon.
… something is happening here
But you don’t know what it is
Do you, Mister Jones?
Maybe providing situational awareness for the public is not part of the IT-ISAC, MS-ISAC or US-CERT missions.
The mission of the IT-ISAC is to:
• Report, exchange, collect, and analyze across the IT Sector information concerning security incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures,
• Establish a mechanism for systematic and protected exchange and coordination of such information [my emphasis] and trusted collaboration; and
• Provide technical thought leadership to U.S. and International policymakers on cyber security and information sharing issues.
The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments. Collaboration and information sharing among members, private sector partners and the DHS are the keys to success.
Major Objectives of the MS-ISAC
• provide two-way sharing of information and early warnings on cyber security threats
• provide a process for gathering and disseminating information on cyber security incidents [my emphasis]
• promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors
• coordinate training and awareness
• ensure that all necessary parties are vested partners in this effort
US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.
US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. [my emphasis]
If it isn’t at least part of their job to provide situation awareness to the public about cyber security matters (i.e., cyber war, cyber crime, cyber terrorism), whose job is it? Have we essentially privatized situational awareness? I learned more about both attacks this weekend by monitoring Twitter.
I guess I’m ok with that as an interim fix.
But is that the plan?
Ok, that’s the set up. Now the movie.
Perhaps you’ve heard of Stuxnet. If not, you can read about it here. The New York Times claims it may be “the most sophisticated cyberweapon ever deployed.”
So, to answer the question I posed at the start of this post, maybe currently there isn’t such a thing as cyber terrorism.
However, after watching this video (also available here) — particularly at the 8:45 mark, when the speaker talks about the possibility of a cyber weapon of mass destruction — I think the homeland security enterprise would be foolish to discount the use of cyber weapons by terrorists.