Suche innerhalb des Archivs / Search the Archive All words Any words

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[] Cyber-Attacks by Al Qaeda Feared,

Cyber-Attacks by Al Qaeda Feared
Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say

By Barton Gellman, Washington Post,  June 27, 2002

Late last fall, Detective Chris Hsiung of the Mountain View, Calif., police
department began investigating a suspicious pattern of surveillance against
Silicon Valley computers. From the Middle East and South Asia, unknown
browsers were exploring the digital systems used to manage Bay Area
utilities and government offices. Hsiung, a specialist in high-technology
crime, alerted the FBI's San Francisco computer intrusion squad. Working
with experts at the Lawrence Livermore National Laboratory, the FBI traced
trails of a broader reconnaissance. A forensic summary of the
investigation, prepared in the Defense Department, said the bureau found
"multiple casings of sites" nationwide. Routed through telecommunications
switches in Saudi Arabia, Indonesia and Pakistan, the visitors studied
emergency telephone systems, electrical generation and transmission, water
storage and distribution, nuclear power plants and gas facilities. Some of
the probes suggested planning for a conventional attack, U.S. officials
said. But others homed in on a class of digital devices that allow remote
control of services such as fire dispatch and of equipment such as
pipelines. More information about those devices -- and how to program them
-- turned up on al Qaeda computers seized this year, according to law
enforcement and national security officials. Unsettling signs of al Qaeda's
aims and skills in cyberspace have led some government experts to conclude
that terrorists are at the threshold of using the Internet as a direct
instrument of bloodshed. The new threat bears little resemblance to
familiar financial disruptions by hackers responsible for viruses and
worms. It comes instead at the meeting points of computers and the physical
structures they control. U.S. analysts believe that by disabling or taking
command of the floodgates in a dam, for example, or of substations handling
300,000 volts of electric power, an intruder could use virtual tools to
destroy real-world lives and property. They surmise, with limited evidence,
that al Qaeda aims to employ those techniques in synchrony with "kinetic
weapons" such as explosives. "The event I fear most is a physical attack in
conjunction with a successful cyber-attack on the responders' 911 system or
on the power grid," Ronald Dick, director of the FBI's National
Infrastructure Protection Center, told a closed gathering of corporate
security executives hosted by Infraguard in Niagara Falls on June 12. In an
interview, Dick said those additions to a conventional al Qaeda attack
might mean that "the first responders couldn't get there . . . and water
didn't flow, hospitals didn't have power. Is that an unreasonable scenario?
Not in this world. And that keeps me awake at night."

'Bad Ones and Zeros'

Regarded until recently as remote, the risks of cyber-terrorism now command
urgent White House attention. Discovery of one acute vulnerability -- in a
data transmission standard known as ASN.1, short for Abstract Syntax
Notification -- rushed government experts to the Oval Office on Feb. 7 to
brief President Bush. The security flaw, according to a subsequent written
assessment by the FBI, could have been exploited to bring down telephone
networks and halt "all control information exchanged between ground and
aircraft flight control systems." Officials said Osama bin Laden's
operatives have nothing like the proficiency in information war of the most
sophisticated nations. But al Qaeda is now judged to be considerably more
capable than analysts believed a year ago. And its intentions are
unrelentingly aimed at inflicting catastrophic harm. One al Qaeda laptop
found in Afghanistan, sources said, had made multiple visits to a French
site run by the Societ=E9 Anonyme, or Anonymous Society. The site offers a
two-volume online "Sabotage Handbook" with sections on tools of the trade,
planning a hit, switch gear and instrumentation, anti-surveillance methods
and advanced techniques. In Islamic chat rooms, other computers linked to
al Qaeda had access to "cracking" tools used to search out networked
computers, scan for security flaws and exploit them to gain entry -- or
full command. Most significantly, perhaps, U.S. investigators have found
evidence in the logs that mark a browser's path through the Internet that
al Qaeda operators spent time on sites that offer software and programming
instructions for the digital switches that run power, water, transport and
communications grids. In some interrogations, the most recent of which was
reported to policymakers last week, al Qaeda prisoners have described
intentions, in general terms, to use those tools.

Specialized digital devices are used by the millions as the brains of
American "critical infrastructure" -- a term defined by federal directive
to mean industrial sectors that are "essential to the minimum operations of
the economy and government."
The devices are called distributed control systems, or DCS, and supervisory
control and data acquisition, or SCADA, systems. The simplest ones collect
measurements, throw railway switches, close circuit-breakers or adjust
valves in the pipes that carry water, oil and gas. More complicated
versions sift incoming data, govern multiple devices and cover a broader
area. What is new and dangerous is that most of these devices are now being
connected to the Internet -- some of them, according to classified "Red
Team" intrusion exercises, in ways that their owners do not suspect.
Because the digital controls were not designed with public access in mind,
they typically lack even rudimentary security, having fewer safeguards than
the purchase of flowers online. Much of the technical information required
to penetrate these systems is widely discussed in the public forums of the
affected industries, and specialists said the security flaws are well known
to potential attackers. Until recently, said Director John Tritak of the
Commerce Department's Critical Infrastructure Assurance Office, many
government and corporate officials regarded hackers mainly as a menace to
their e-mail. "There's this view that the problems of cyberspace originate,
reside and remain in cyberspace," Tritak said. "Bad ones and zeros hurt
good ones and zeros, and it sort of stays there. . . . The point we're
making is that increasingly we are relying on 21st century technology and
information networks to run physical assets." Digital controls are so
pervasive, he said, that terrorists might use them to cause damage on a
scale that otherwise would "not be available except through a very
systematic and comprehensive physical attack." 'Mapping Our
Vulnerabilities' The 13 agencies and offices of the U.S. intelligence
community have not reached consensus on the scale or imminence of this
threat, according to participants in and close observers of the discussion.
The Defense Department, which concentrates on information war with nations,
is most skeptical of al Qaeda's interest and prowess in cyberspace. "DCS
and SCADA systems might be accessible to bits and bytes," Assistant
Secretary of Defense John P. Stenbit said in an interview. But al Qaeda
prefers simple, reliable plans and would not allow the success of a
large-scale attack "to be dependent on some sophisticated, tricky cyber
thing to work." "We're thinking more in physical terms -- biological
agents, isotopes in explosions, other analogies to the fully loaded
airplane," he said. "That's more what I'm worried about. When I think of
cyber, I think of it as ancillary to one of those." White House and FBI
analysts, as well as officials in the Energy and Commerce departments with
more direct responsibility for the civilian infrastructure, describe the
threat in more robust terms. "We were underestimating the amount of
attention [al Qaeda was] paying to the Internet," said Roger Cressey, a
longtime counterterrorism official who became chief of staff of the
President's Critical Infrastructure Protection Board in October. "Now we
know they see it as a potential attack vehicle. Al Qaeda spent more time
mapping our vulnerabilities in cyberspace than we previously thought. An
attack is a question of when, not if."

Ron Ross, who heads a new "information assurance" partnership between the
National Security Agency and the National Institute of Standards and
Technology, reminded the Infraguard delegates in Niagara Falls that, after
the Sept. 11 attacks, air traffic controllers brought down every commercial
plane in the air. "If there had been a cyber-attack at the same time that
prevented them from doing that," he said, "the magnitude of the event could
have been much greater." "It's not science fiction," Ross said in an
interview. "A cyber-attack can be launched with fairly limited resources."
U.S. intelligence agencies have upgraded their warnings about al Qaeda's
use of cyberspace. Just over a year ago, a National Intelligence Estimate
on the threat to U.S. information systems gave prominence to China, Russia
and other nations. It judged al Qaeda operatives as "less developed in
their network capabilities" than many individual hackers and "likely to
pose only a limited cyber-threat," according to an authoritative
description of its contents. In February, the CIA issued a revised
Directorate of Intelligence Memorandum. According to officials who read it,
the new memo said al Qaeda had "far more interest" in cyber-terrorism than
previously believed and contemplated the use of hackers for hire to speed
the acquisition of capabilities.
"I don't think they are capable of bringing a major segment of this country
to its knees using cyber-attack alone," said an official representing the
current consensus, but "they would be able to conduct an integrated attack
using a combination of physical and cyber resources and get an
amplification of consequences." Counterterrorism analysts have known for
years that al Qaeda prepares for attacks with elaborate "targeting
packages" of photographs and notes. But, in January, U.S. forces in Kabul,
Afghanistan, found something new. A computer seized at an al Qaeda office
contained models of a dam, made with structural architecture and
engineering software, that enabled the planners to simulate its
catastrophic failure. Bush administration officials, who discussed the
find, declined to say whether they had identified a specific dam as a=
The FBI reported that the computer had been running Microstran, an advanced
tool for analyzing steel and concrete structures; Autocad 2000, which
manipulates technical drawings in two or three dimensions; and software
"used to identify and classify soils," which would assist in predicting the
course of a wall of water surging downstream. To destroy a dam physically
would require "tons of explosives," Assistant Attorney General Michael
Chertoff said a year ago. To breach it from cyberspace is not out of the
question. In 1998, a 12-year-old hacker, exploring on a lark, broke into
the computer system that runs Arizona's Roosevelt Dam. He did not know or
care, but federal authorities said he had complete command of the SCADA
system controlling the dam's massive floodgates. Roosevelt Dam holds back
as much as 1.5 million acre-feet of water, or 489 trillion gallons. That
volume could theoretically cover the city of Phoenix, down river, to a
height of five feet. In practice, that could not happen. Before the water
reached the Arizona capital, the rampant Salt River would spend most of
itself in a flood plain encompassing the cities of Mesa and Tempe -- with a
combined population of nearly a million.
'Could Have Done Anything' In Queensland, Australia, on April 23, 2000,
police stopped a car on the road to Deception Bay and found a stolen
computer and radio transmitter inside. Using commercially available
technology, Vitek Boden, 48, had turned his vehicle into a pirate command
center for sewage treatment along Australia's Sunshine Coast.

Boden's arrest solved a mystery that had troubled the Maroochy Shire
wastewater system for two months. Somehow the system was leaking hundreds
of thousands of gallons of putrid sludge into parks, rivers and the
manicured grounds of a Hyatt Regency hotel. Janelle Bryant of the
Australian Environmental Protection Agency said "marine life died, the
creek water turned black and the stench was unbearable for residents."
Until Boden's capture -- during his 46th successful intrusion -- the
utility's managers did not know why. Specialists in cyber-terrorism have
studied Boden's case because it is the only one known in which someone used
a digital control system deliberately to cause harm. Details of Boden's
intrusion, not disclosed before, show how easily Boden broke in -- and how
restrained he was with his power. Boden had quit his job at Hunter
Watertech, the supplier of Maroochy Shire's remote control and telemetry
equipment. Evidence at his trial suggested that he was angling for a
consulting contract to solve the problems he had caused. To sabotage the
system, he set the software on his laptop to identify itself as "pumping
station 4," then suppressed all alarms. Paul Chisholm, Hunter Watertech's
chief executive, said in an interview last week that Boden " was the
central control system" during his intrusions, with unlimited command of
300 SCADA nodes governing sewage and drinking water alike. "He could have
done anything he liked to the fresh water," Chisholm said. Like thousands
of utilities around the world, Maroochy Shire allowed technicians operating
remotely to manipulate its digital controls. Boden learned how to use those
controls as an insider, but the software he used conforms to international
standards and the manuals are available on the Web. He faced virtually no
obstacles to breaking in. Nearly identical systems run oil and gas
utilities and many manufacturing plants. But their most dangerous use is in
the generation, transmission and distribution of electrical power, because
electricity has no substitute and every other key infrastructure depends on
it. Massoud Amin, a mathematician directing new security efforts in the
industry, described the North American power grid as "the most complex
machine ever built." At an April 2 conference hosted by the Commerce
Department, participants said, government and industry scientists agreed
that they have no idea how the grid would respond to a cyber-attack. What
they do know is that "Red Teams" of mock intruders from the Energy
Department's four national laboratories have devised what one government
document listed as "eight scenarios for SCADA attack on an electrical power
grid" -- and all of them work. Eighteen such exercises have been conducted
to date against large regional utilities, and Richard A. Clarke, Bush's
cyber-security adviser, said the intruders "have always, always succeeded."
Joseph M. Weiss of KEMA Consulting, a leading expert in control system
security, reported at two recent industry conferences that intruders were
"able to assemble a detailed map" of each system and "intercepted and
changed" SCADA commands without detection. "What the labs do is look at
simple, easy things I can do to get in" with tools commonly available on
the Internet, Weiss said in an interview. "In most of these cases, they are
not using anything that a hacker couldn't have access to." Bush has
launched a top-priority research program at the Livermore, Sandia and Los
Alamos labs to improve safeguards in the estimated 3 million SCADA systems
in use. But many of the systems rely on instantaneous responses and cannot
tolerate authentication delays. And the devices deployed now lack the
memory and bandwidth to use techniques such as "integrity checks" that are
standard elsewhere.

In a book-length Electricity Infrastructure Security Assessment, the
industry concluded on Jan. 7 that "it may not be possible to provide
sufficient security when using the Internet for power system control."
Power companies, it said, will probably have to build a parallel private
network for themselves. 'Where Their Crown Jewels Are' The U.S. government
may never have fought a war with so little power in the battlefield. That
became clear again on Feb. 7, when Clarke and his vice-chairman at the
critical infrastructure board, Howard A. Schmidt, arrived in the Oval
Office. They told the president that researchers in Finland had identified
a serious security hole in the Internet's standard language for routing
data through switches. A government threat team found implications -- for
air traffic control and civilian and military phone links, among others --
that were more serious still. "We've got troops on the ground in
Afghanistan and we've got communication systems that we all depend on that,
at that time, were vulnerable," Schmidt recalled. Bush ordered the Pentagon
and key federal agencies to patch their systems. But most of the vulnerable
networks were not government-owned. Since Feb. 12, "those who have the fix
in their power are in the private sector," Schmidt said. Asked about
progress, he said: "I don't know that we'd ever get to 100 percent."
Frustrated at the pace of repairs, Clarke traveled to San Jose on Feb. 19
and accused industry leaders of spending more on coffee than on information
security. "You will be hacked," he told them. "What's more, you deserve to
be hacked." Tritak, at the Commerce Department, appealed to patriotism.
Speaking of al Qaeda, he said: "When you've got people who are saying,
'We're coming after your economy,' everyone has a responsibility to do
their bit to safeguard against it." New public-private partnerships are
helping, but the government case remains a tough sell. Alan Paller,
director of research at the SANS Institute in Bethesda, said not even banks
and brokerages, considered the most security-conscious businesses, tell the
government when their systems are attacked. Sources said the government did
not learn crucial details about September's Nimda worm, which caused an
estimated &dol;530 million in damage, until the stricken companies began
firing their security executives. Experts said public companies worry about
the loss of customer confidence and the legal liability to shareholders or
security vendors when they report flaws. The FBI is having even less
success with its "key asset initiative," an attempt to identify the most
dangerous points of vulnerability in 5,700 companies deemed essential to
national security. "What we really want to drill down to, eventually, is
not the companies but the actual things themselves, the actual switches . .
. that are vital to [a firm's] continued operations," Dick said. He
acknowledged a rocky start: "For them to tell us where their crown jewels
are is not reasonable until you've built up trust."

Michehl R. Gent, president of the North American Electric Reliability
Council, said last month it will not happen. "We're not going to build such
a list. . . . We have no confidence that the government can keep that a
secret." For fear of terrorist infiltration, Clarke's critical
infrastructure board and Tom Ridge's homeland security office are now
exploring whether private companies would consider telling the government
the names of employees with access to sensitive sites. "Obviously, the
ability to check intelligence records from the terrorist standpoint would
be the goal," Dick said. There is no precedent for that. The FBI screens
bank employees but has no statutory authority in other industries. Using
classified intelligence databases, such as the Visa Viper list of suspected
terrorists, would mean the results could not be shared with the employers.
Bobby Gillham, manager of global security at oil giant Conoco Inc., said he
doubts his industry will go along with that. "You have Privacy Act
concerns," he said in an interview. "And just to get feedback that there's
nothing here, or there's something here but we can't share it with you,
doesn't do us a lot of good. Most of our companies would not [remove an
employee] in a frivolous way, on a wink." Exasperated by companies seeking
proof that they are targets, Clarke has stopped talking about threats at
all. "It doesn't matter whether it's al Qaeda or a nation-state or the
teenage kid up the street," he said. "Who does the damage to you is far
less important than the fact that damage can be done. You've got to focus
on your vulnerability . . . and not wait for the FBI to tell you that al
Qaeda has you in its sights."

Staff researcher Robert Thomason contributed to this report.

Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.