Recently, I have experienced an increase in organizations questioning how real the threat of Internet terrorism is and what they can do to protect themselves. As a former CISO, this was one of the last concerns that crossed my mind, especially since it was a daily uphill battle getting buy-in for the most basic security controls and services. The notion of worrying about the potential risk of terrorism against my organization seemed to be the lowest priority given the choices at hand. Ironically, terrorism today seems to be an emerging concern in the commercial world, and many are actively pursuing methods and technology to help combat the problem. As a result, I began to research this trend to determine its drivers and its potential implications for information security as we know it today.
I have been able to identify two main factors to date that play a part in the increased concern among businesses. Governments all around the globe are spending vast amounts of money trying to track and contain Internet terrorism. As former government security professionals land executive roles as CSO and CISO in organizations, awareness and education about terrorism are increasing, and companies are driven to investigate the threat further. Also, the news media is making Internet terrorism and targeted attacks front-page news, which reaches a much larger audience. The combination of these factors propels companies and their leadership to ask the important questions in order to determine the risk it presents, especially in critical industries such as utilities and supply chains.
Understanding this threat and its impact on organizations today requires some background on how terrorism is defined. Once we have a definition laid out, we need to add the term “Internet” to terrorism to gain an understanding of how this changes the overall meaning and its impact. Each of us has a preconceived notion of what terrorism means. I am confident that your definition differs from mine, since it is shaped by our personal environment and experiences. I am also confident in saying that even though our definitions of terrorism may differ, there are fundamental characteristics that we share in common. Today, there is no universally accepted definition of terrorism, and countries define the term according to their own beliefs and to support their own national interests. In fact, it might be impossible to define because it is intangible and fluctuates according to historical and geographical context. Some forms of it are indistinguishable from crime, revolution, and war. Even the US government is struggling with a consistent definition, as the following definitions show:
State Department definition, Title 22 of the U.S. Code, Chapter 38, Section 2656f(d): premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.
FBI definition: the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.
Defense Department definition: the calculated use, or threatened use, of force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives.
United Nations definition: any act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act. (Article 2(b) of the International Convention for the Suppression of the Financing of Terrorism, May 5, 2004)
If we take all of the definitions above and compare them, we can understand the governments’ intent in defining the actions and the basic fundamental characteristics of terrorism. Realistically, the lack of a solid, universally accepted definition, and having to rely on intent instead, is the first major strike against understanding the threat. The first rule in being able to track a threat is to understand what that threat is and the characteristics that make up its profile. If we do not have this understanding up front, targeting Internet terrorism will spur a great amount of activity for the least possible value. With so many different definitions, you can start to understand the reasons behind failures in identification and, of course, in tracking and monitoring.
In the interest of moving to the next phase in our discussion, let’s assume that terrorism is defined as the unlawful use or threatened use of force or violence against people or property to coerce or intimidate businesses, governments or societies. We can now tack on the term “Internet” to explore how the definition changes and the impact of those changes on information security. By building the term “Internet terrorism”, we are saying that violence and physical harm can be conducted electronically. Now, I don’t believe that this is the intent, but in essence layering intent upon intent has diluted our definition. This causes confusion and forces us to lean upon our beliefs, environment and current situations to form a definition. This does not provide us with any greater capability in tracking or monitoring, and it just seems to muddy the waters even further.
So how do we identify the threat, and what can we do to protect ourselves? Internet terrorism is really about two separate uses of the Internet. First, a terrorist can utilize the Internet as a vehicle to cause outages and denial of service, with an overarching message to instill fear and to threaten physical harm. From an information security point of view, we can readily understand this first point, since we experience this noise on our networks today. The attacks target our assets to cause electronic pain and fear through our Internet presence. But as we know, attacks conducted against our organizations can originate from many diverse groups for different reasons. Former employees, competitors, or fraudsters can have justifiable reasons in their own minds to cause you electronic pain or reputational harm. It becomes apparent that a campaign against Internet terrorism using the Internet in this fashion may stem from known terrorists in the real world who have conducted violent or harmful crimes to invoke fear. The challenge is to know when these seemingly “innocent” attacks actually become terror. Does the act require a certain number of members, a certain political/ideological principle, or a certain level of funding to be considered terrorism? Can one person be considered a terrorist? These are great questions that need a clear definition to gain the appropriate buy-in and funding within an organization. Since the activity and characteristics are not well defined, the message today will be a hard sell for information security professionals and will get lost in the shuffle of shifting priorities. Likewise, when terrorists begin to electronically target organizations and prevent services from working, companies today would see the threat as noise, since there is nothing that distinguishes them from the rest of the pack. The challenge is determining how to distinguish the noise that is normally experienced from actual terrorist activity.
The second use of the Internet by terrorists is their utilization of technologies to build and coordinate their activities, such as recruitment, fundraising and data mining. The Internet is the perfect tool for this activity, since much of it is not regulated and its anonymity protects against identification. This helps terrorists build membership, raise funding to further their cause, and distribute their message to a wider audience. But can this equate to electronic violence or transform into physical harm? Each one of us uses the Internet for the same purposes, minus the terrorist intent, so tracking and monitoring are quite difficult to nail down without spilling over into our civil liberties as a whole. The perceived harm that can be identified is the ability to organize a group with the intent of personal or physical violence. In order for an organization to keep on top of this issue, it would require vast amounts of resources and capital to infiltrate each terrorist group and monitor its progress. This goes way beyond what any commercial organization would do, especially since many still lack basic security controls and services. This type of request would certainly invoke some strange looks.
Here is where the government steps in on the war on Internet terror. The government has the funding and resources to concentrate on infiltrating terrorist groups to provide the community greater insight into the problem. We know that the government’s main concern is infrastructure and self-preservation, so terrorists targeting one specific entity or business become secondary by default. Disclosure of the intelligence takes a considerable amount of time, since the information has to be interpreted and correlated against other information before being released. I have not experienced a mechanism or process that would release intelligence in a timely manner to a commercial business unless it was a matter of national security. Strike two is the inability, either by design or by accident, to make intelligence gathering and disclosure transparent and timely. This seems to be the greatest gap in protecting our commercial industries from Internet terrorists today. The lack of communication and fear of retaliation, coupled with the sheer expense, prevent organizations from becoming the watchdogs for their respective industries. Terrorists seem to capitalize on this shortfall and use it to their benefit.
There are many journals and white papers that clearly confirm that the Internet terrorist community is becoming increasingly sophisticated and beginning to leverage technology to protect its interests. I find this amazing considering the lack of a fundamental definition of what we are monitoring, but I digress. Online session encryption and file encryption are being used to conceal information about activity and potential targets. They are building redundant systems that have the ability to withstand constant bombardment of noise by other terrorist groups or disgruntled citizens. They are beginning to build highly dynamic services that can disappear and re-emerge at new locations quickly and easily. The content on their sites is rich with multimedia such as video and audio. They even implement security controls to track and prevent their version of threats to their presence. As their technological sophistication continues to grow, our governments will have less insight into their activities and potential targets. The small amount of information we could potentially access today is drying up fast. We really need to open our eyes to this problem and build better methods to keep up, or offset this threat growing into something much larger. We need to convince our governments that our society can be radically impacted by the collapse of our commercial industries as well as our critical infrastructure. Monitoring and active communication of emerging threats can further assist our industries to prepare for or prevent attacks, given the time to react. Sure, the downside is overreacting, but given that the majority of our businesses are online, I would enjoy the ability and time to manage my reaction.
As information security professionals, we are limited in what we can do to offer physical and logical protection. We always have to balance the security control against the convenience factor, and no one wants to complicate any process that is supposed to generate revenue or get the revenue generators to their desks. In the physical security space, we have a few more choices in protective services that push the terrorist out further into someone else’s yard, but we are still very limited in coordinated information sharing within our respective industries. In the electronic world, we can continue to insist on basic levels of security controls to detect and potentially prevent attacks, but it will always be perceived as Internet noise rather than terrorism until we accurately define the risk.
Let’s return to how we identify the threat and what we can do to protect ourselves. We now know that there is no consistent method to define or track Internet terrorism. We understand that the issue is extremely complex, since the characteristics can change based on our environment and experience. We can now understand the government’s role as the watchdog for our critical national infrastructure and government services, but this takes considerable resources and funding. We also know that communication within both our local community and our global industry vertical is limited, since the intelligence is not readily available to share. The message we are left with is that there is very little we can do until we define with certainty the meaning and characteristics of Internet terrorism. A great place to start would be to have the government develop a single definition that can be communicated to its agencies so that the right profile can be understood. Another key development would be to rebuild certain structures that gather intelligence to facilitate a greater level of communication with impacted industries. With a clear definition and greater communication, we can then begin to monitor and track certain behaviors that could be potential threats with greater accuracy. Accuracy equates to a reduction in cost and resources, which can then be reinvested into greater communication and intelligence gathering. Sounds simple, but my guess is that it will take a great amount of time to achieve, if we even achieve it at all. In the meantime, we are left with vague definitions, variable characteristics and a method of attack that blends in with the normal noise we see on the Internet daily. It really does beg the question: does such a thing really exist?