
Cyber terrorism: no longer fiction; the threat of cyber terrorism became much more real after Sept. 11. Here's how states are trying to reduce the risks.


On the morning of Sept. 11, 2001, New York Senator Michael Balboni was on his way from Long Island to deliver a lecture in midtown Manhattan when he heard about the terrorist attacks on the World Trade Center.

As a native New Yorker whose district hugs the northern shore of Long Island, across the East River from what would soon be universally known as "Ground Zero," Balboni was grief-stricken by the day's events.

But he quickly realized that the tragedy might serve as a wake-up call not only to his fellow New Yorkers, but to members of the Legislature. His earlier pleas there asking that terrorism, bioterrorism and cyber terrorism be given a legal definition had received a less than enthusiastic response.

"Before 9/11, my bill on terrorism had little or no traction in the New York Senate," says Balboni. A former senator had told him "the only weapon of mass destruction we have in New York City is the assault weapon."

In February of this year, New York Governor George Pataki signed into law the Omnibus Governors' Program Bill, which created legal definitions for a wide array of terrorist crimes. It also strengthens the authority of law enforcement to investigate and prosecute terrorists.

But it was a second measure, SB 1627, that Balboni, who currently serves as chairman of the Senate Committee on Veterans, Homeland Security and Military Affairs, particularly enjoyed seeing made into law.

That measure created a legal definition for the act of cyber terrorism in New York, making it a Class B felony to launch an attack on any local, state or federal government computer network.

"Until now, New York, like many other states, has simply not officially recognized or acknowledged what the computer experts have said is a very real threat, what they call a 'denial of service' attack," says Balboni.

WREAKING HAVOC

Simply put, a hacker or terrorist could bombard a state agency site with millions of "requests for information," thus causing the site to overload and shut down.

Similarly, an intruder--via the Internet--could potentially invade a system designed to control a city's water supply or air transportation systems and wreak havoc.

Such scenarios, to many, seem improbable. And maybe they are. "The real question is: What CAN happen?" asks Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College. "What is it possible to do?"

In the fall of 2001, just days after the 9/11 attack, Vatis sought to answer his own question. His report, "Cyber Attacks During the War on Terrorism," was quickly scooped up and devoured by the nation's computer security community. In it, Vatis says the "potential exists for much more devastating cyber attacks following any U.S.-led retaliation to the terrorist attacks on America."

"It was the honest thing to say," Vatis now maintains. "If you study this matter at all, you quickly have to conclude that a major cyber attack on the nation's information infrastructure could very well take place. If it went the way the attackers hoped, it would probably be devastating."

For cyber security experts, the question of a major cyber attack had always centered on whether or not it was possible. The question of what was probable--as critics repeatedly noted--was not addressed.

WHEN THE IMPOSSIBLE HAPPENS

What happened on the morning of Sept. 11 changed that.

"If, on the day before that day, I asked you what the odds were that four people were going to hijack four planes. And three of them would hit prominent buildings and that both towers of the World Trade Center would collapse--you would have said such a risk is minimal," says Scott Charney, the chief security strategist for Microsoft.

"After Sept. 11, that very afternoon, in fact," he says, "you would have said there was a 100 percent chance that something like the attacks of that morning could occur."

The reason for the sudden change in perception, of course, is that the highly improbable did happen. But just as important was the fact that everyone saw it happen on live national television, reinforcing the very real transformation of the highly improbable into decidedly possible.

Moreover, many of those same experts believe the states should now consider information systems security as not only a necessary, but a regular part of their budgets.

"It is difficult to come up with any exact hard numbers because there are so many variables," says Larry Kettlewell, chief information security officer for Kansas and a member of the National Association of State Information Executives (NASCIO) security and liability team.

"What type of system does a state have? How much money is allotted to its information system? There're nearly 50 different answers to these questions.

"But, generally, it is thought that the average amount of resources dedicated to IT systems is about 4 percent to 6 percent of a state's budget," says Kettlewell. "The amount of money spent on securing those systems is a fraction of that percentage."

But before any efforts can be made to enhance either security budgets or security systems, says Charney, the experts have to come to an agreement on terms. Just what is cyber terrorism? And how is it different from cyber hacking, the Number 1 systems intrusion crime in the United States?

Officially, cyber terrorism is regarded as any major computer-based attack that is premeditated, politically motivated and designed both to call attention to a cause and to create panic, through the breakdown of a widely used information system.

ELECTRONIC PEARL HARBOR

Experts say such attacks, first labeled an "electronic Pearl Harbor" by former Senator Sam Nunn in 1998, could cripple communications in heavily populated areas and lead to social chaos, as well as death.

"Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives," said Congressman Lamar Smith of Pennsylvania when the Cyber Security Enhancement Act was passed last year. Then he added an unforgettable thought: "A mouse can be just as dangerous as a bullet or a bomb."

But as the shock of 9/11 began to fade in the months after the attack, many cyber security experts again raised the issue of probability, most notably Dorothy Denning, whose work as a cyber security professor at Georgetown University has won her a national reputation.

"I thought the talk about the cyber threats were being overstated," says Denning. "I just didn't subscribe to the 'sky-is-falling' scenarios."

Denning, in fact, pointed out what other critics have long emphasized--even though there have been thousands of documented cases of cyber intrusions, "there hasn't been one instance of a cyber terrorist attack."

It has been the hackers, she says, who have been breaking into systems, sometimes just to show they can do it and other times to steal access to money.

Such intrusions, Denning admits, "of course, cost money and have to be regarded seriously. But they are not cyber terrorism."

NO SUCH THING

Similarly, Washington Monthly magazine explored the sometimes alarmist talk about the advent of cyber terrorism, and noted, "There is no such thing as cyber terrorism--no instance of anyone ever having been killed by a terrorist or anyone else using a computer."

For Howard Schmidt, chairman of the President's Critical Infrastructure Protection Board, the debate on what is and isn't cyber terrorism became so problematic that he decided to ban the use of the words 'cyber terrorism' in his office.

"The simple fact of the matter is that none of us really knows what the motivation is behind an act," says Schmidt. "I like to joke that a cyber attack could come from the Middle East or the Midwest. Who knows what the motivation is behind it?"

But whatever name it goes by, the invasion of any computer system, insists Schmidt, is a "very serious thing. And we would be very wrong not to treat it as such."

Even without an agreed-upon moniker, cyber intrusions exist, and, according to the Computer Security Institute, are growing.

Last year, surveying more than 500 computer security practitioners across the country, the Computer Security Institute discovered that more than "90 percent of the respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months."

The CSI study added that those intrusions accounted for more than $455 million in losses to those same corporations and government agencies.

"It doesn't matter what you call it," contends Representative Dan Gelber of Florida, author of a 2002 bill signed into law by Governor Jeb Bush that allows law enforcement officials to investigate attacks on protected computers owned by the government, "the issues of cyber security get larger by the day.

"In fact, there is no area of our public or private infrastructure that is in the interconnected world that has not suffered intrusions or disruptions," says Gelber.

Usually cyber security experts cite the possibility of a terrorist disrupting a utility service or overloading a government Web site as the most likely kinds of criminal activity bordering on terrorism in cyber space.

TARGET: INFORMATION

But those same experts also note that virtually every government department or agency is vulnerable to a cyber attack, primarily because most contain the one thing that hackers most desire--information.

"Take a department that issues benefits to people," says Charney of Microsoft. "That is an agency that is going to have a large amount of personally identifiable information. Protecting that information is critical because otherwise you are going to be facing a huge risk with things like identity theft."

Even worse, because most government agencies today are interconnected with other agencies, the potential for invading one system through another has never been greater. This makes it essential, says Dave Morrow, a deputy director of privacy services at EDS, that state and local governments conduct what he calls an "enterprise-wide assessment of their security needs."

"That is the only way that you can satisfy or protect the data elements you have that are sensitive," Morrow continues.

In his own talks with state cyber security experts, Schmidt emphasizes the idea that "no one part of a state network truly stands alone."

"You may go to great lengths to secure your system," Schmidt says, "but you are going to be interconnected to some other agency, a vendor of some sort. If they are not at the same level of security that you are, they can become a gateway for an intrusion into your system."

Training is also important, says NASCIO's Kettlewell.

"There are not that many states that have, on staff, people with the level of expertise needed to keep up with the latest systems, and, along with that, who know how to make those systems secure," he says.

"When you take into consideration something like Microsoft's Windows 2000, with servers that are the next technological step up," continues Kettlewell, "there are not that many states with on-staff technicians who have the training or background to understand these systems from beginning to end. And that kind of understanding is essential."

Equally important is the need to "eliminate the boundaries between the cyber world and the physical world," maintains William Pelgrin, director of the New York State Cyber Security and Critical Infrastructures Coordinating Initiative. Founded in 2002, the group now includes representatives from the 10 states that make up the Northeastern quadrant from Maine to Pennsylvania. Pelgrin hopes the group will eventually draw representatives from all 50 states.

"The idea is to combine the cyber and physical security issues in your state, to realize that they are one and the same," continues Pelgrin.

That means, explains Pelgrin, that policing a dock or a public waterworks to ensure its 24-hour security goes hand-in-hand with monitoring and protecting the computer systems that serve those facilities.

"One affects the other," says Pelgrin. He also advises those in charge of protecting physical infrastructure to meet regularly and coordinate their activities with the people in charge of a state's cyber security.

BACK TO THE '50s

For those old enough to recall the Cold War, the last time the nation lived on the tenterhooks of day-to-day security checks, add one more throwback to the 1950s--the preparedness drill.

Then, of course, most drills centered on the time it took the entire family to find its way to the nearest fallout shelter in the event of an atomic war. And there was the legendary "duck and cover" exercises that many school children endured, crouching under their desks as they imagined an imminent Soviet arrival.

Today's drills, by contrast, will be nearly entirely conducted in cyber space.

"There needs to be planning for what needs to be done in the event of a major cyber attack," says Vatis. "What do you do if a critical part of your system has been knocked out or you're left without a major part of your communications?"

Only through such exercises, which should include a "central state entity" for analysis and response, adds Vatis, "can we understand in advance what should happen, the role that law enforcement will play and how we should respond if a cyber terrorist attack proves successful."

Ironically, many state governments have been here before with Y2K. In the months and weeks leading up to New Year's Eve 2000, fears were rampant that a large number of state utility systems' computers, unable to digest the numbers 2000, would simply turn themselves off.

"Some people think that all of the preparations for Y2K were pointless because nothing happened," says Denning. "But the opposite is true--nothing happened because of all of the preparations."

Denning says the same thing now applies to cyber security tests and evaluations--the more they are conducted, the less likely it is that something will happen.

NEW LAWS INTRODUCED

Meanwhile, lawmakers in at least 16 states have introduced legislation designed to strengthen information technology security.

The new laws include felony penalties for using the Internet to disrupt critical infrastructures in Michigan; an Omnibus Terrorism Protection and Homeland Defense Act in South Carolina that makes it a crime to introduce a virus or a worm to a system; and a legal definition of terrorism in Virginia that includes electronic threats in the commission of an act of terrorism.

Schmidt says any state effort to update criminal codes to reflect the era of cyber threats is a welcome one. "Every state has laws that say you cannot break into a business or trespass on private property," he says.

"But those laws have to be addressed within the cyber realm, so that there will not only be some consistency with the new federal laws in this area, but international law, as well."

Yet in the rush to introduce new cyber security legislation, some lawmakers worry about the risk of doing too much, too soon and of going too far.

Last year, Minnesota legislators were unable to reach an agreement over a bill that would have required background checks on all employees with access to sensitive data. A similar bill passed in Kansas.

"We were worried that we might be going over some sort of line," says Minnesota Senator Steve Kelley.

Kelley specifically remembers one proposal that would have transformed Internet service providers into what he called "anti-terrorist vigilantes." It would have required them to turn over any suspicious information about their users to the government.

"Law enforcement officials told us it would make tracking down people easier," says Kelley. "But we thought it would also create an unfair burden for innocent people.

"The issue of cyber security is complicated enough. When you get into people's constitutional rights, then you really have to be careful," Kelley says.

RELATED ARTICLE: WHITE HOUSE HAS IDEAS FOR REDUCING RISKS IN CYBERSPACE

A White House report is encouraging industry, government agencies and citizens to reduce cyberspace risks wherever practical and gives advice on how to do it.

National Strategy to Secure Cyberspace is part of President Bush's larger National Strategy for Homeland Security. It sets up five major national priorities: to create a cyberspace security response system, to establish a threat and vulnerability reduction program, to improve security training and awareness, to secure the government's own systems, and to work internationally to solve security issues.

The plan depends on coordinated and cooperative efforts from federal, state and local governments, businesses and citizens. Unlike the previous draft version, which required businesses to adopt certain measures, the new strategy encourages state and local governments and private businesses to reduce threats and vulnerabilities incrementally through a number of recommendations.

Infrastructure sectors, for example, are encouraged to establish mutual assistance programs for cyber emergencies. Corporations are encouraged to regularly review and exercise IT continuity plans and consider active involvement in sharing critical IT information. State and local governments are urged to work closely with the federal government and Department of Homeland Security in establishing IT security programs that include awareness, audits and standards to combat cyber threats and attacks.

The Department of Homeland Security (DHS) is in charge of creating a comprehensive national strategy to secure "key resources and critical infrastructure of the United States." The DHS will also be responsible for responding in the event of a crisis, supplying technical assistance to the government and private businesses, coordinating efforts between agencies, and conducting and funding research to support homeland security.

Janna Goodwin, NCSL

FEDS TIGHTEN COMPUTER CRIME ACTS

The federal government has had a computer crime law, the Computer Fraud and Abuse Act, since 1986. But as recent events have encouraged heightened security, computer law has been amended on the federal level to guard against cyber theft or disruption.

The 1986 act addressed hacking of information involving national secrecy with the intent to injure the United States, as well as unauthorized access to federal government computers.

The act has been amended several times to keep pace with advancing technology. Increased penalties for hackers who damage protected computers were included in the 2001 Patriot Act, passed in the wake of the Sept. 11 terrorist attacks. The Patriot Act also specified that a hacker need only intend damage for criminal penalties to apply.

The act added a new offense for damaging computers used for national security or criminal justice and also included computers in foreign countries if they affect American interstate or foreign commerce.

Last year's Cyber Security Enhancement Act, slipped into the Homeland Security Bill at the last moment, expands police powers to conduct Internet or telephone eavesdropping without a court order. It also gives Internet providers more latitude in reporting information to the police.

Currently, all 50 states have laws on hacking and unauthorized access to computer systems. Lawmakers have amended existing criminal statutes or created new laws to deal with computer-related offenses. Nearly all include financial institutions, businesses and the general public who use computers. Arizona prohibits unleashing a "computer contaminant," such as a virus or worm.

Janna Goodwin, NCSL

Garry Boulard, a frequent contributor to State Legislatures, is a free-lance writer in New Orleans.
COPYRIGHT 2003 National Conference of State Legislatures

Author:Boulard, Garry
Publication:State Legislatures
Geographic Code:1USA
Date:May 1, 2003