[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] CSIS: Assessing the Risks of Cyber Terrorism, Cyber War and other Cyber Threats

To: "Infowar.de" <infowar - de -! - infopeace - de>
Subject: [infowar.de] CSIS: Assessing the Risks of Cyber Terrorism, Cyber War and other Cyber Threats
From: Ralf Bendrath <bendrath -! - zedat - fu-berlin - de>
Date: Mon, 23 Dec 2002 16:55:38 +0100
Organization: http://www.fogis.de
Reply-to: infowar - de -! - infopeace - de
Sender: bendrath -! - zedat - fu-berlin - de
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

Mit einem ausführlichen Kommentar von Wanja Eric Naef von
www.iwar.org.uk. 
Scheint ein gutes Papier zu sein - eher unüblich für die
CSIS-Panikfraktion.
RB

-------- Original Message --------
Subject: [INFOCON] - Assessing the Risks of Cyber Terrorism, Cyber War
andOther Cyber Threats
Date: Fri, 20 Dec 2002 18:15:59 -0000
From: "Wanja Eric Naef \(IWS\)" <w -
 naef -!
- iwar -
 org -
 uk>
To: <infocon -!
- infowarrior -
 org>


(Usually I send my detailed comments only onto the IWS Limited List, but
as the paper is so interesting I make an exception. I like the paper,
even though the definition of Cyberterrorism is not the greatest one and
I do not like the bit about the WWII as it is too simplistic ('know thy
military history'), but the rest is good. WEN. 

Key sentence: '... but a brief review suggests that while many computer
networks remain very vulnerable to attack, few critical infrastructures
are equally vulnerable. ...' as Scada systems & Co are usually not
connected to the Internet.

'... A preliminary review of these factors suggests that computer
network vulnerabilities are an increasingly serious business problem but
that their threat to national security is overstated. Modern industrial
societies are more robust than they appear at first glance. Critical
infrastructures, especially in large market economies, are more
distributed, diverse, redundant and self-healing than a cursory
assessment may suggest, rendering them less vulnerable to attack. In all
cases, cyber attacks are less effective and less disruptive than
physical attacks. ...'

'Know thy military history'

It is annoying to see people mention examples in military history if
they lack knowledge and make mistakes:

The author looks at the Strategic Bombing Campaign during WWII, but
unfortunately you cannot really compare it to CNI attacks as even though
the UK had a ministry for economic warfare its advice was mostly ignored
by Bomber Harris who preferred to 'flatten German cities' whilst the US
urged the UK to attack the real Centre of Gravity. 

'... What the survey [.S. Strategic Bombing Survey, Summary Report
(European War), 1945] found, however, is that industrial societies are
impressively resilient. Industrial production actually increased for two
years under the bombing.'

It is always risky to quote such an old survey as they might 'slightly
bias' -- the Air Force wanted to make a business case for its bombers,
..., --especially if the academic in question lacks a detailed knowledge
of the German War Economy. (Instead of reading a summary report I would
recommend to read the 'The Effects of Strategic Bombing on the German
War Economy' report which was published a month later. It gives a far
more detailed overview. (Before someone asks, I do not have a url for it
as I got a copy of it, but I do have some old notes from a Defence
Economics course which focuses on economic warfare during WWII and two
unpublished papers on the Nazi War Economy. If someone wants them please
email me)).

Another example:

'... Comparing aerial and cyber attacks on hydroelectric dams helps
provide a measure for cyber-threats. Early in World War II, the Royal
Air Force mounted a daring attack on dams in the Ruhr, a chief source of
electrical power for German industry. The raid was a success, the dams
breached by bombs and, for a period of time, the electrical supply in
the region was disrupted. ...'

This attack was based on wrong intelligence. An argument was put
forwarded by the UK Ministry of Production (not the Ministry of Economic
Warfare) that it would great opportunity to stop German industrial
production in the Ruhr as the dam provided the electricity for those
industries. Therefore without electricity German industry in the Ruhr
would be forced to stop. The Ministry of Economic Warfare (MEW)
questioned the assumptions on which this raid was based and concluded
that the RAF might be able to hit the dam, but in the end the Germans
have other means to produce electricity, such as coal fired plants to
produce electricity. MEW was right and they said that worst which will
happen that there would be massive flooding below the dam, some
productions might be cut, but in the end the German will just compensate
with coal fired plants. 

Anyway back to cyberterrorism. Some good quotes from the paper:

Risk to National Security:

' ... However, from a strategic military perspective, attacks that do
not degrade national capabilities are not significant. From this
perspective, if a cyber-attack does not cause damage that rises above
the threshold of the routine disruptions that every economy experiences,
it does not pose an immediate or significant risk to national security.

It is particularly important to consider that in the larger context of
economic activity, water system failures, power outages, air traffic
disruptions and other cyber-terror scenarios are routine events that do
not affect national security. On a national level, where dozens or even
hundreds of different systems provide critical infrastructure services,
failure is a routine occurrence at the system or regional level, with
service denied to customers for hours or days. ...'

Attack on CIP:

* Water

'... In the United States, the water supply infrastructure would be an
elusive target for cyber attack. There are 54,064 separate water systems
in the U.S. Of these, 3,769 water systems serve eighty one percent of
the population and 353 systems served forty-four percent of the
population. However, the uneven spread of diverse network technologies
complicates the terroristsâ?? task. Many of these water supply systems
in the U.S., even in large cities, continue to rely on technologies not
easily disrupted by network attacks. There have been cases in the U.S.
when a communityâ??s water supply has been knocked out for days at a
time (usually as a result of flooding), but these have produced neither
terror nor paralysis. ...'

*Power

'... A risk assessment by the Information Assurance Task Force of the
National Security Telecommunications Advisory Committee concluded
â??Physical destruction is still the greatest threat facing the electric
power infrastructure. Compared to this, electronic intrusion represents
an emerging, but still relatively minor, threat.â?? ...'


* Transportation (Air)

'... We are not yet at a stage where computer networks operate aircraft
remotely, so it is not possible for a cyber-attacker to take over an
aircraft. Aircraft still carry pilots who are trained to operate the
plane in an emergency. Similarly, the Federal Aviation Authority does
not depend solely on computer networks to manage air traffic, nor are
its communications dependent on the Internet. The high level of human
involvement in the control and decision making process for air traffic
reduces the risk of any cyber attack. In a normal month storms,
electrical failures and programming glitches all ensure a consistently
high level of disruption in air traffic. Pilots and air traffic
controllers are accustomed to unexpected disruptions and have adapted
their practices to minimize the effect. ...'

* Manufacturing:

'... Manufacturing and economic activity are increasingly dependent on
computer networks, and cyber crime and industrial espionage are new
dangers for economic activity. However, the evidence is mixed as to the
vulnerability of manufacturing to cyber attack. A virus in 2000 infected
1,000 computers at Ford Motor Company. Ford received 140,000
contaminated e-mail messages in three hours before it shut down its
network. E-mail service was disrupted for almost a week within the
company. Yet, Ford reported, â??the rogue program appears to have caused
only limited permanent damage. None of its 114 factories stopped,
according to the automaker. ...'


Terrorism

'.... An analysis of the risk of cyber terrorism is also complicated by
the tendency to initially attribute cyber events to military or
terrorist efforts when their actual source is civilian recreational
hackers. ...'

'... While the press has reported that government officials are
concerned over Al Qaeda plans to use the Internet to wage
cyber-terrorism, these stories often recycle the same hypothetical
scenarios previously attributed to foreign governmentsâ?? cyber-warfare
efforts. The risk remains hypothetical but the antagonist has changed
from hostile states to groups like Al Qaeda. ...'

Cybercrime

'... Cyber crime is a serious and growing threat, but the risk to a
nation-state in deploying cyber-weapons against a potential opponentâ??s
economy are probably too great for any country to contemplate these
measures. For example, writers in some of Chinaâ??s military journals
speculated that cyber attacks could disable American financial markets.
The dilemma for this kind of attack is that China is as dependent on the
same financial markets as the United States, and could suffer even more
from disruption. ...'

Conclusion:

'... Much of the early analysis of cyber-threats and cyber security
appears to have â??The Sky is Fallingâ?? as its theme. The sky is not
falling, and cyber weapons seem to be of limited value in attacking
national power or intimidating citizens. 

... To understand the vulnerability of critical infrastructures to cyber
attack, we would need for each target infrastructure a much more
detailed assessment of redundancy, normal rates of failure and response,
the degree to which critical functions are accessible from public
networks and the level of human control, monitoring and intervention in
critical operations. This initial assessment suggests that
infrastructures in large industrial countries are resistant to cyber
attack.  ...

... Terrorists or foreign militaries may well launch cyber attacks, but
they are likely to be disappointed in the effect. Nations are more
robust than the early analysts of cyber-terrorism and cyber-warfare give
them credit for, and cyber attacks are less damaging than physical
attacks. Digital Pearl Harbors are unlikely. Infrastructure systems,
because they have to deal with failure on a routine basis, are also more
flexible and responsive in restoring service than early analysts
realized. Cyber attacks, unless accompanied by a simultaneous physical
attack that achieves physical damage, are short lived and ineffective.
However, if the risks of cyber-terrorism and cyber-war are overstated,
the risk of espionage and cyber crime may be not be fully appreciated by
many. ...'


**************************************************************************

Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber
Threats: James A. Lewis

Center for Strategic and International Studies
December 2002

Full Report: 

http://www.csis.org/tech/0211_lewis.pdf


IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk

---------------------------------------------------------------
Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.
Prev by Date: [infowar.de] Spiegel Online zur geplanten Netzüberwachung in den USA (FIDNet 2.0)
Next by Date: [infowar.de] Theater Battle Management Core Systems: neue Standards für USAF
Previous by thread: [infowar.de] Spiegel Online zur geplanten Netzüberwachung in den USA (FIDNet 2.0)
Next by thread: [infowar.de] Theater Battle Management Core Systems: neue Standards für USAF
Index(es):
- Date
- Thread