Computer Attack and Cyberterrorism:

Vulnerabilities and Policy Issues for Congress

Congressional Research Service Report for Congress
Order Code RL32114
CRS Report for Congress
Clay Wilson
Specialist in Technology and National Security
Foreign ffairs! "efense! and Trade "i#ision
Congressional Research Ser#ice! The Li$rary of Congress
%pdated pril 1! 2&&'
Su((ary
Contents
Summary
)any international terrorist groups no* acti#ely use co(puters and the +nternet to co((unicate! and
se#eral (ay de#elop or ac,uire the necessary technical s-ills to direct a coordinated attac- against
co(puters in the %nited States. cy$erattac- intended to har( the %.S. econo(y *ould li-ely target
co(puters that operate the ci#ilian critical infrastructure and go#ern(ent agencies. /o*e#er! there is
disagree(ent a(ong so(e o$ser#ers a$out *hether a coordinated cy$erattac- against the %.S. critical
infrastructure could $e e0tre(ely har(ful! or e#en *hether co(puters operating the ci#ilian critical
infrastructure actually offer an effecti#e target for furthering terrorists1 goals.
While there is no pu$lished e#idence that terrorist organi2ations are currently planning a coordinated attac-
against co(puters! co(puter syste( #ulnera$ilities persist *orld*ide! and initiators of the rando(
cy$erattac-s that plague co(puters on the +nternet re(ain largely un-no*n. Reports fro( security
organi2ations sho* that rando( attac-s are no* increasingly i(ple(ented through use of auto(ated tools!
called 3$ots3! that direct large nu($ers of co(pro(ised co(puters to launch attac-s through the +nternet
as s*ar(s. The gro*ing trend to*ard the use of (ore auto(ated attac- tools has also o#er*hel(ed so(e
of the current (ethodologies used for trac-ing +nternet cy$erattac-s.
This report pro#ides $ac-ground infor(ation for three types of attac-s against co(puters 4cy$erattac-!
physical attac-! and electro(agnetic attac-5! and discusses related #ulnera$ilities for each type of attac-.
The report also descri$es the possi$le effects of a coordinated cy$erattac-! or co(puter net*or- attac-
4CN5! against %.S. infrastructure co(puters! along *ith possi$le technical capa$ilities of international
terrorists.
+ssues for Congress (ay include ho* could trends in cy$erattac-s $e (easured (ore effecti#ely6 *hat is
appropriate guidance for "O" use of cy$er*eapons6 should cy$ersecurity $e co($ined *ith! or re(ain
separate fro(! the physical security organi2ation *ithin "/S6 ho* can co((ercial #endors $e encouraged
to i(pro#e the security of their products6 and *hat are options to encourage %.S. citi2ens to follo* $etter
cy$ersecurity practices7 ppendices to this report descri$e co(puter #iruses! spy*are! and 3$ot net*or-s3!
and ho* (alicious progra(s are used to ena$le cy$ercri(e and cy$erespionage. lso! si(ilarities are dra*n
$et*een planning tactics currently used $y co(puter hac-ers and those used $y terrorists groups for
con#entional attac-s.
This report *ill $e updated as e#ents *arrant.
Contents
+ntroduction 1
8ac-ground 2
Three )ethods for Co(puter ttac- 2
Characteristics of 9hysical ttac- 3
Characteristics of :lectronic ttac- 4:5 3
Characteristics of Cy$erattac- 4CN5 '
+dentifying Cy$erterroris( '
:0pert Opinions "iffer ;
Cy$erterroris( "efined <
"ifficulty +dentifying ttac-ers <
9ossi$le :ffects of Cy$erterroris( <
"isagree(ent a$out :ffects on the Critical +nfrastructure =
%npredicta$le +nteractions 8et*een +nfrastructures >
SC" Syste(s )ay 8e ?ulnera$le 1&
"O" Relies on Ci#ilian Technology 11
Why Cy$erattac-s re Successful 13
/ac-ers Search for Co(puter Syste( ?ulnera$ilities 13
uto(ated Cy$erattac-s Spread @uic-ly 13
9ersistence of Co(puter Syste( ?ulnera$ilities 14
:rrors in Ne* Soft*are 9roducts 14
+nade,uate Resources 1'
Offshore Outsourcing 1;
Terrorist Capa$ilities for Cy$erattac- 1<
ttracti#eness of Cy$erterroris( 1<
Lo*er Ris- 1=
Less "ra(atic 1=
Lin-s *ith TerroristASponsoring Nations 1>
Lin-s 8et*een Terrorists and /ac-ers 2&
Federal :fforts to 9rotect Co(puters 21
+ssues for Congress 22
Bro*ing Technical Capa$ilities of Terrorists 22
/o* 8est to )easure Cy$erattac- Trends7 23
"O" and Cy$erterroris( 24
:0isting Buidance 24
Retaliation 24
)ilitary ?ulnera$ility and Reliance on Co((ercial 9roducts 2'
9ri#acy 2'
Terroris( +nfor(ation *areness 9rogra( 2;
Other "ata )ining Search Technologies 2<
National "irector for Cy$ersecurity 2=
Should 9hysical and Cy$ersecurity +ssues Re(ain Co($ined7 2>
National Strategy to Secure Cy$erspace 3&
Co((ercial Soft*are ?ulnera$ilities 31
*areness and :ducation 31
Coordination to 9rotect gainst Cy$erterroris( 32
+nfor(ation Sharing 32
+nternational Cooperation gainst Cy$erattac- 32
Offshore "e#elop(ent of Soft*are 33
Legislati#e cti#ity 34
ppendi0 . 9lanning for a Cy$erattac- 3;
ppendi0 8. Characteristics of )alicious Code 3>
ppendi0 C. Si(ilarities in Tactics %sed for Cy$erattac-s and Con#entional Terrorist ttac-s 42
Computer Attack and Cyberterrorism:
Vulnerabilities and Policy Issues for Congress
Introduction
)any 9entagon officials reportedly $elie#e that future ad#ersaries (ay resort to strategies intended to offset
%.S. (ilitary technological superiority.
1
8ecause the %.S. (ilitary is supported in significant *ays $y ci#ilian
high technology products and ser#ices 4including co((unications syste(s! electronics! and co(puter
soft*are5! future conflicts (ay in#ol#e a $lurring of the distinction $et*een ci#ilian and (ilitary
targets.
2
Therefore! ci#ilian syste(s! including co(puters that operate the %.S. critical infrastructure! (ay
increasingly $e seen as #ia$le targets that are #ulnera$le to attac- $y ad#ersaries! including terrorist
groups.
So(e feel that past discussions a$out a coordinated attac- against ci#ilian co(puters (ay ha#e o#erA
inflated the percei#ed ris- to the %.S. critical infrastructure! and se#eral e0perts ha#e stated that
cy$erterroris( does not pose the sa(e type of threat as Nuclear! 8iological! or Che(ical 4N8C5
threats.
3
)any e0perts also $elie#e that it *ould $e difficult to use attac-s against co(puters to inflict death
on a large scale! and ha#e stated that con#entional physical threats present a (uch (ore serious concern
for %.S. national security.
4
/o*e#er! other o$ser#ers point out that terrorist groups no* use the +nternet to
co((unicate #ia *e$sites! chat roo(s! and e(ail! to raise funds! and to co#ertly gather intelligence on
future targets. Fro( these acti#ities! it is e#ident that the -no*ledge that terrorist groups1 ha#e of co(puter
technology is increasing! and along *ith that! a $etter -no*ledge of related #ulnera$ilities. Should any
terrorist groups initiate a
--1--
coordinated attac- against co(puter syste(s in the %nited States! (ost security e0perts agree that the
li-ely scenario *ould $e to try to disa$le %.S. co(puters or co((unications syste(s so as to a(plify the
effects of! or supple(ent! a con#entional terrorist $o($ing or other (aCor N8C attac-.
Congress (ay *ish to e0plore the possi$le effects on the %.S. econo(y and on the %.S. (ilitary that (ight
result fro( a coordinated attac- against ci#ilian co(puters and co((unications syste(s. Congress (ay also
*ish to e0plore options for protecting ci#ilian co(puter syste(s against a coordinated attac- and the
possi$le international conse,uences that (ight result fro( any %.S. (ilitary response to such an attac-.
The 8ac-ground section of this report descri$es three (ethods for attac-ing co(puters6 ho*e#er! the report
focuses on the (ethod (ost co((only -no*n as cy$erattac- or co(puter net*or- attac- 4CN5! *hich
in#ol#es disruption caused $y (alicious co(puter code. +t also descri$es the current disagree(ent o#er the
possi$le effects of a coordinated cy$erattac- on the %.S. critical infrastructure! and *hy the rando(
cy$erattac-s that plague the +nternet continue to $e successful. There is also a $rief discussion a$out the
possi$le capa$ilities of terrorist groups and terroristAsponsoring nations to initiate a coordinated cy$erattac-.
Three appendices gi#e a description of the tactics possi$ly used in planning and e0ecuting a co(puter
net*or- attac-.
Background
The focus of this report is possi$le cy$erterroris( using co(puter net*or- attac-! or cy$erattac-. /o*e#er!
*hen +T facilities and co(puter e,uip(ent are deli$erately targeted $y a terrorist group! it is possi$le that a
physical attac-! or an electronic attac- 4:5! (ay also fit *ithin one or (ore of the e0pert definitions sho*n
$elo* for 3cy$erterroris(.3
hree !ethods for Computer Attack
co(puter attac- (ay $e defined as actions directed against co(puter syste(s to disrupt e,uip(ent
operations! change processing control! or corrupt stored data. "ifferent attac- (ethods target different
#ulnera$ilities and in#ol#e different types of *eapons! and se#eral (ay $e *ithin the current capa$ilities of
so(e terrorist groups.
'
Three different (ethods of attac- are identified in this report! $ased on the effects of
the *eapons used. /o*e#er! as technology e#ol#es! distinctions $et*een these (ethods (ay $egin to $lur.
physical attac- in#ol#es con#entional *eapons directed against a co(puter facility or its
trans(ission lines6
--2--
n electronic attac- 4:5 in#ol#es the use DofE the po*er of electro(agnetic energy as a *eapon!
(ore co((only as an electro(agnetic pulse 4:)95 to o#erload co(puter circuitry! $ut also in a less
#iolent for(! to insert a strea( of (alicious digital code directly into an ene(y (icro*a#e radio
trans(ission6 and
co(puter net*or- attac- 4CN5! usually in#ol#es (alicious code used as a *eapon to infect
ene(y co(puters to e0ploit a *ea-ness in soft*are! in the syste( configuration! or in the co(puter
security practices of an organi2ation or co(puter user. Other for(s of CN are ena$led *hen an
attac-er uses stolen infor(ation to enter restricted co(puter syste(s.
"O" officials ha#e stated that *hile CN and : threats are 3less li-ely3 than physical attac-s! they could
actually pro#e (ore da(aging $ecause they in#ol#e disrupti#e technologies that (ight generate
unpredicta$le conse,uences or gi#e an ad#ersary une0pected ad#antages.
;
Characteristics of Physical Attack" physical attac- disrupts the relia$ility of co(puter e,uip(ent and
a#aila$ility of data. 9hysical attac- is i(ple(ented either through use of con#entional *eapons! creating
heat! $last! and frag(entation! or through direct (anipulation of *iring or e,uip(ent! usually after gaining
unauthori2ed physical access.
+n 1>>1! during Operation "esert Stor(! the %.S. (ilitary reportedly disrupted +ra,i co((unications and
co(puter centers $y sending cruise (issiles to scatter car$on fila(ents that short circuited po*er supply
lines. lso! the l @aeda attac-s directed against the World Trade Center and the 9entagon on Septe($er
11! 2&&1! destroyed (any i(portant co(puter data$ases and disrupted ci#ilian and (ilitary financial and
co((unications syste(s that *ere lin-ed glo$ally.
<
The te(porary loss of co((unications lin-s and
i(portant data added to the effects of the physical attac- $y closing financial (ar-ets for up to a *ee-.
=
Characteristics of #lectronic Attack $#A%" :lectronic attac-! (ost co((only referred to as an
:lectro(agnetic 9ulse 4:)95! disrupts the relia$ility of
--3--
electronic e,uip(ent through generating instantaneous high energy that o#erloads circuit $oards!
transistors! and other electronics.
>
:)9 effects can penetrate co(puter facility *alls *here they can erase
electronic (e(ory! upset soft*are! or per(anently disa$le all electronic co(ponents.
1&
So(e assert that
little has $een done $y the pri#ate sector to protect against the threat fro( electro(agnetic pulse! and that
co((ercial electronic syste(s in the %nited States could $e se#erely da(aged $y li(ited range! s(allA
scale! or porta$le electro(agnetic pulse de#ices.
11
So(e (ilitary e0perts ha#e stated that the %nited States
is perhaps the nation (ost #ulnera$le to electro(agnetic pulse attac-.
12
Co((ission to ssess the Threat fro( /igh ltitude :lectro(agnetic 9ulse *as esta$lished $y Congress in
FF2&&1 after se#eral e0perts e0pressed concern that the %.S. critical infrastructure and (ilitary *ere
#ulnera$le to high altitude :)9 attac-.
13
t a Guly 22! 2&&4! hearing $efore the /ouse r(ed Ser#ices
Co((ittee! panel (e($ers fro( the Co((ission reportedly stated that as (ore %.S. (ilitary *eapons and
control syste(s $eco(e increasingly co(ple0! they (ay also $e (ore #ulnera$le to the effects of :)9. The
consensus of the Co((ission is that a largeAscale high altitude :)9 attac- could possi$ly hold our society
seriously at ris- and (ight result in defeat of our (ilitary forces.
14
/o*e#er! the "epart(ent of /o(eland Security 4"/S5 has stated that testing of the current generation of
ci#ilian core teleco((unications s*itches no* in use has sho*n that they are only (ini(ally affected $y
:)9. "/S has also stated that (ost of the core co((unications assets for the %nited States are housed in
large! #ery *ell constructed facilities *hich pro#ide a (easure of shielding against the effects of :)9.
1'
--4--
O$ser#ers $elie#e that (ounting a coordinated attac- against %.S. co(puter syste(s! using either largerA
scale! s(allerAscale! or e#en porta$le :)9 *eapons re,uires technical s-ills that are $eyond the capa$ilities
of (ost terrorist organi2ations. /o*e#er! nations such as Russia! and possi$ly terroristAsponsoring nations
such as North Horea! no* ha#e the technical capa$ility to construct and deploy a s(aller che(icallyAdri#en!
or $atteryAdri#en :)9 de#ice that could disrupt co(puters at a li(ited range.
1;
For (ore on electro(agnetic *eapons! see CRS Report RL32'44! High Altitude Electromagnetic Pulse
(HEMP) and High Power Microwave (HPM) Devices !hreat Assessments.
Characteristics of Cyberattack $C&A%" co(puter net*or- attac- 4CN5! or 3cy$erattac-!3 disrupts the
integrity or authenticity of data! usually through (alicious code that alters progra( logic that controls data!
leading to errors in output 4for (ore detail! see ppendices ! 8! and C5. Co(puter hac-ers opportunistically
scan the +nternet loo-ing for co(puter syste(s that are (isAconfigured or lac-ing necessary security
soft*are. Once infected *ith (alicious code! a co(puter can $e re(otely controlled $y a hac-er *ho (ay!
#ia the +nternet! send co((ands to spy on the contents of that co(puter or attac- and disrupt other
co(puters.
Cy$erattac-s usually re,uire that the targeted co(puter ha#e so(e preAe0isting syste( fla*! such as a
soft*are error! a lac- of anti#irus protection! or a faulty syste( configuration! for the (alicious code to
e0ploit. /o*e#er! as technology e#ol#es! this distinguishing re,uire(ent of CN (ay $egin to fade. For
e0a(ple! so(e for(s of : can no* cause effects nearly identical to so(e for(s of CN. For e0a(ple! at
controlled po*er le#els! the trans(issions $et*een targeted (icro*a#e radio to*ers can $e hiCac-ed and
specially designed #iruses! or altered code! can $e inserted directly into the ad#ersary1s digital net*or-.
1<
Identifying Cyberterrorism
No single definition of the ter( 3terroris(3 has yet gained uni#ersal acceptance. Li-e*ise! no single
definition for the ter( 3cy$erterroris(3 has $een uni#ersally accepted. La$eling a co(puter attac- as
3cy$erterroris(3 is pro$le(atic $ecause of
--"--
the difficulty deter(ining the identity! intent! or the political (oti#ations of an attac-er *ith certainty.
%nder 22 %SC! section 2;';! 3terroris(3 is defined as pre(editated! politically (oti#ated #iolence
perpetrated against nonco($atant targets $y su$ national groups or clandestine agents! usually intended to
influence an audience.
1=
#'pert (pinions )iffer" So(e definitions for cy$erterroris( focus on the intent of the attac-ers. For
e0a(ple! the Federal :(ergency )anage(ent gency 4F:)5 defines cy$erterroris( asI 3%nla*ful attac-s
and threats of attac- against co(puters! net*or-s! and the infor(ation stored therein *hen done to
inti(idate or coerce a go#ern(ent or its people in furtherance of political or social o$Cecti#es.3
1>
Security
e0pert "orothy "enning defines cy$erterroris( as the 3politically (oti#ated hac-ing operations intended to
cause gra#e har( such as loss of life or se#ere econo(ic da(age.3
2&
Others assert that any deli$erate use of
infor(ation technology $y terrorist groups and their agents to cause har( constitutes cy$erterroris(.
21
So(e security e0perts define cy$erterroris( $ased on the effects of an attac-. +ncluded are acti#ities *here
co(puters are targeted and the resulting effects are destructi#e or disrupti#e enough to generate fear
potentially co(para$le to that fro( a traditional act of terroris(! e#en if initiated $y cri(inals *ith no
political (oti#e. %nder this 3effects3 #ie*! e#en co(puter attac-s that are li(ited in scope! $ut lead to
death! inCury! e0tended po*er outages! airplane crashes! *ater conta(ination! or (aCor loss of confidence
for portions of the econo(y! (ay also $e la$eled cy$erterroris(.
22
So(e o$ser#ers state that cy$erterroris(
can ta-e the for( of a physical attac- that destroys co(puteri2ed nodes for critical infrastructures! such as
the +nternet! teleco((unications! or the electric po*er grid! *ithout e#er touching a -ey$oard.
23
"/S
officials ha#e also asserted that cy$ersecurity cuts across all aspects of critical infrastructure protection and
that cy$eroperations cannot $e separated fro( the physical aspects of $usinesses $ecause they operate
interdependently.
24
--#--
Thus! *here co(puters or +T facilities and e,uip(ent are deli$erately targeted $y terrorist groups! (ethods
in#ol#ing physical attac- and : (ay each fit *ithin the a$o#e definitions for 3cy$erterroris(.3
Cyberterrorism )efined" 8y co($ining the a$o#e concepts of intent and effects! 3cy$erterroris(3 (ay $e
defined as the use of co(puters as *eapons! or as targets! $y politically (oti#ated international! or su$A
national groups! or clandestine agents *ho threaten or cause #iolence and fear in order to influence an
audience! or cause a go#ern(ent to change its policies. This definition! *hich co($ines se#eral opinions
a$out cy$erterroris(! can enco(pass all three (ethodsI physical! :! and CN! for attac-s against
co(puters.
)ifficulty Identifying Attackers" +nstructions for e0ploiting co(puter #ulnera$ilities are easily o$taina$le
$y anyone #ia the +nternet. /o*e#er! to date! there is no pu$lished e#idence lin-ing a sustained or
*idespread attac- using CN *ith international terrorist groups.
2'
+t re(ains difficult to deter(ine the
identity of the initiators of (ost cy$erattac-s! *hile at the sa(e ti(e security organi2ations continue to
report that co(puter #irus attac-s are $eco(ing (ore fre,uent! causing (ore econo(ic losses! and
affecting larger areas of the glo$e. For e0a(ple! the Co(puter :(ergency Response Tea( Coordination
Center 4C:RTJCC5 sho*s that 13<!'2> co(puter security incidents *ere reported to their office in 2&&3! up
fro( =2!&>4 in 2&&2.
2;
The challenge of identifying the source of attac-s is co(plicated $y the un*illingness
of co((ercial enterprises to report attac-s! o*ing to potential lia$ility concerns. C:RTJCC esti(ates that as
(uch as =&K of all actual co(puter security incidents still re(ain unreported.
2<
Possible #ffects of Cyberterrorism
s yet! no coordinated or *idespread cy$erattac- has had a crippling effect on the %.S. infrastructure.
/o*e#er! *hile the nu($er of rando( +nternet cy$erattac-s has $een increasing! the data collected to
(easure the trends for cy$erattac-s cannot $e used to accurately deter(ine if a terrorist group! or terroristA
sponsoring state! has initiated any of the(.
--$--
recent pri#ate study found that during the latter half of 2&&2! the highest rates for glo$al cy$erattac-
acti#ity *ere directed against critical infrastructure industry co(panies.
2=
ne* report on industrial
cy$ersecurity pro$le(s! produced $y the 8ritish Colu($ia +nstitute of Technology! and the 9 Consulting
Broup! using data fro( as far $ac- as 1>=1! reportedly has found a 1&Afold increase in the nu($er of
successful cy$erattac-s on infrastructure Super#isory Control nd "ata c,uisition syste(s since
2&&&.
2>
"O" officials ha#e also o$ser#ed that the nu($er of atte(pted intrusions into (ilitary net*or-s has
gradually increased! fro( 4&!&<; incidents in 2&&1! to 43!&=; in 2&&2! '4!4== in 2&&3! and 24!<4' as of
Gune 2&&4.
3&
The conse,uences of these attac-s on (ilitary operations are not clear! ho*e#er.
)isagreement about #ffects on the Critical Infrastructure" While security e0perts agree that a
coordinated cy$erattac- could $e used to a(plify the effects of a con#entional physical terrorist attac-! such
as an N8C attac-! (any of these sa(e e0perts disagree a$out the da(aging effects that (ight result fro(
an attac- directed against co(puters that operate the %.S. critical infrastructure. So(e o$ser#ers ha#e
stated that $ecause of %.S. dependency on co(puter technology! such attac-s (ay ha#e the potential to
create econo(ic da(age on a large scale! *hile other o$ser#ers ha#e stated that %.S. infrastructure
syste(s are resilient and *ould possi$ly reco#er easily! thus a#oiding any se#ere or catastrophic effects.
So(e of China1s (ilitary Cournals speculate that cy$erattac-s could disa$le (erican financial (ar-ets.
China! ho*e#er! is as dependent on these (ar-ets as the %nited States! and could suffer e#en (ore fro(
their disruption. s to other critical infrastructures! the a(ount of potential da(age that could $e inflicted
(ay $e relati#ely tri#ial co(pared to the costs of disco#ery! if engaged in $y a nation state. These
constraints! ho*e#er! do not apply to nonAstate actors li-e l @aeda! (a-ing cy$erattac-s a potentially
useful tool for it and others *ho reCect the glo$al (ar-et econo(y.
31
+n Guly 2&&2! the %.S. Na#al War College hosted a *ar ga(e called 3"igital 9earl /ar$or3 to de#elop a
scenario for a coordinated cy$erterroris( e#ent! *here (oc- attac-s $y co(puter security e0perts against
critical infrastructure syste(s si(ulated stateAsponsored cy$er*arfare. The si(ulated cy$erattac-s
deter(ined that the (ost #ulnera$le infrastructure co(puter syste(s *ere the +nternet itself! and the
co(puter syste(s that are part of the financial infrastructure.
32
+t *as also
--%--
deter(ined that atte(pts to cripple the %.S. teleco((unications infrastructure *ould $e unsuccessful
$ecause syste( redundancy *ould pre#ent da(age fro( $eco(ing too *idespread. The conclusion of the
e0ercise *as that a 3"igital 9earl /ar$or3 in the %nited States *as only a slight possi$ility.
33
/o*e#er! in 2&&2! a (aCor #ulnera$ility *as disco#ered in s*itching e,uip(ent soft*are that threatened the
infrastructure for (aCor portions of the +nternet. fla* in the Si(ple Net*or- )anage(ent 9rotocol 4SN)95
*ould ha#e ena$led attac-ers to ta-e o#er +nternet routers and cripple net*or- teleco((unications
e,uip(ent glo$ally. Net*or- and e,uip(ent #endors *orld*ide raced ,uic-ly to fi0 their products $efore the
pro$le( could $e e0ploited $y hac-ers! *ith possi$le *orld*ide conse,uences. %.S. go#ern(ent officials
also reportedly (ade efforts to -eep infor(ation a$out this (aCor #ulnera$ility ,uiet until after the needed
repairs *ere i(ple(ented on #ulnera$le +nternet syste(s.
34
ccording to an assess(ent reportedly *ritten
$y the F8+! the security fla* could ha#e $een e0ploited to cause (any serious pro$le(s! such as $ringing
do*n *idespread telephone net*or-s and also halting control infor(ation e0changed $et*een ground and
aircraft flight control syste(s.
3'
*npredictable Interactions Bet+een Infrastructures" n i(portant area that is not fully understood
concerns the unpredicta$le interactions $et*een co(puter syste(s that operate the different %.S.
infrastructures. The concern is that nu(erous interdependencies 4*here do*nstrea( syste(s (ay rely on
recei#ing good
--&--
data through sta$le lin-s *ith upstrea( co(puters in a different infrastructure5 could possi$ly $uild to a
cascade of da(aging effects that are unpredicta$le in ho* they (ight affect national security.
3;
For e0a(ple!
in 2&&3 *hile the ne*ly released 38laster3 *or( *as causing disruption of +nternet co(puters o#er se#eral
days in ugust! it (ay also ha#e added to the se#erity of the :astern %nited States po*er $lac-out that
occurred on ugust 14! $y degrading the perfor(ance of se#eral co((unications lines that lin-ed the data
centers used $y utility co(panies to send *arnings to other (anagers do*nstrea( on the po*er grid.
3<
SCA)A Systems !ay Be Vulnerable" Super#isory Control nd "ata c,uisition 4SC"5 syste(s are
co(puter syste(s relied upon $y (ost critical infrastructure organi2ations 4such as co(panies that (anage
the po*er grid5 to auto(atically (onitor and adCust s*itching! (anufacturing! and other process control
acti#ities! $ased on digiti2ed feed$ac- data gathered $y sensors. These control syste(s are fre,uently
un(anned! operate in re(ote locations! and are accessed periodically $y engineers or technical staff #ia
teleco((unications lin-s.
So(e e0perts $elie#e that these syste(s (ay $e especially #ulnera$le! and that their i(portance for
controlling the critical infrastructure (ay (a-e the( an attracti#e target for cy$erterrorists. SC"
syste(s! once connected only to isolated net*or-s using only proprietary co(puter soft*are! no* operate
using (ore #ulnera$le Co((ercialAOffATheAShelf 4COTS5 soft*are! and are increasingly $eing lin-ed directly
into corporate office net*or-s #ia the +nternet.
3=
So(e o$ser#ers $elie#e that (any! if not (ost! SC"
syste(s are inade,uately protected against a cy$erattac-! and re(ain persistently #ulnera$le $ecause (any
organi2ations that operate the( ha#e not paid proper attention to their uni,ue co(puter security needs.
3>
--1'--
The follo*ing e0a(ple (ay ser#e to illustrate the #ulnera$ility of control syste(s and highlight possi$le
cy$ersecurity issues that could arise for infrastructure nodes *hen SC" controls are interconnected *ith
office net*or-s. +n ugust 2&&3! the 3Sla((er3 +nternet co(puter *or( *as a$le to corrupt for fi#e hours
the co(puter control syste(s at the "a#isA8esse nuclear po*er plant located in Ohio 4fortunately! the
po*er plant *as closed and offAline *hen the cy$erattac- occurred5. The co(puter *or( *as a$le to
successfully penetrate syste(s in the "a#isA8esse po*er plant control roo( largely $ecause the $usiness
net*or- for its corporate offices *as found to ha#e (ultiple connections to the +nternet that $ypassed the
control roo( fire*all.
4&
/o*e#er! other o$ser#ers suggest that SC" syste(s and the critical infrastructure are (ore ro$ust and
resilient than early theorists of cy$erterror ha#e stated! and that the infrastructure *ould li-ely reco#er
rapidly fro( a cy$erterroris( attac-. They cite! for e0a(ple! that *ater syste( failures! po*er outages! air
traffic disruptions! and other scenarios rese($ling possi$le cy$erterroris( often occur as routine e#ents!
and rarely affect national security! e#en (arginally. Syste( failures due to stor(s routinely occur at the
regional le#el! *here ser#ice (ay often $e denied to custo(ers for hours or days. Technical e0perts *ho
understand the syste(s *ould *or- to restore functions as ,uic-ly as possi$le. Cy$erterrorists *ould need
to attac- (ultiple targets si(ultaneously for long periods of ti(e to gradually create terror! achie#e
strategic goals! or to ha#e any noticea$le effects on national security.
41
For (ore infor(ation a$out SC" syste(s! see CRS Report RL31'34! (ritical )n*rastructure (ontrol
+,stems and the !errorist !hreat-
)() Relies on Civilian echnology" "uring Operation +ra,i Freedo(! co((ercial satellites *ere used to
supple(ent other (ilitary co((unications channels! *hich at ti(es lac-ed sufficient capacity.
42

cy$erattac- directed against ci#ilian co((unications syste(s could possi$ly disrupt co((unications to
so(e
--11--
co($at units! or could possi$ly lead to delayed ship(ent of (ilitary supplies! or a slo*do*n in the
scheduling and deploy(ent of troops $efore a crisis.
Se#eral si(ulations ha#e $een conducted to deter(ine *hat effects an atte(pted cy$erattac- on the critical
infrastructure (ight ha#e on %.S. defense syste(s. +n 1>><! "O" conducted a (oc- cy$erattac- to test the
a$ility of "O" syste(s to respond to protect the national infor(ation infrastructure. That e0ercise! called
operation 3:ligi$le Recei#er 1>><!3 re#ealed dangerous #ulnera$ilities in %.S. (ilitary infor(ation
syste(s.
43
+n Octo$er 2&&2! a su$se,uent (oc- cy$erattac- against "O" syste(s! titled 3:ligi$le Recei#er
2&&3!3 indicated a need for greater coordination $et*een (ilitary and nonA(ilitary organi2ations to deploy a
rapid (ilitary co(puter counterAattac-.
44
"O" also uses Co((ercialAOffATheAShelf 4COTS5 hard*are and soft*are products $oth in core infor(ation
technology ad(inistrati#e functions! and also in the co($at syste(s of all ser#ices! as for e0a(ple! in the
integrated *arfare syste(s for nuclear aircraft carriers.
4'
"O" fa#ors the use of COTS products in order to
ta-e ad#antage of technological inno#ation! product fle0i$ility and standardi2ation and resulting costA
effecti#eness. Ne#ertheless! "O" officials and others ha#e stated that COTS products are lac-ing in security!
and that strengthening the security of those products to (eet (ilitary re,uire(ents (ay $e too difficult and
costly for (ost COTS #endors. To i(pro#e security! "O" +nfor(ation ssurance practices re,uire deploying
se#eral layers of additional protecti#e (easures around COTS (ilitary syste(s to (a-e the( (ore difficult
for ene(y cy$erattac-ers to penetrate.
4;
/o*e#er! on t*o separate occasions in 2&&4! #iruses reportedly infiltrated t*o topAsecret co(puter syste(s
at the r(y Space and )issile "efense Co((and. +t is not clear ho* the #iruses penetrated the (ilitary
syste(s! or *hat the effects *ere. lso! contrary to security policy re,uire(ents! the co(puters reportedly
lac-ed $asic anti #irus soft*are protection.
4<
Security e0perts ha#e noted that for $oth (ilitary and ci#ilian
syste(s! no (atter ho* (uch protection is gi#en to co(puters! hac-ers are al*ays creating ne* *ays to
defeat those protecti#e (easures! and *hene#er
--12--
syste(s are connected on a net*or-! it is possi$le to e0ploit e#en a relati#ely secure syste( $y Cu(ping
fro( a nonAsecure syste(.
4=
,hy Cyberattacks Are Successful
Net*or-ed co(puters *ith e0posed #ulnera$ilities (ay $e disrupted or ta-en o#er $y a hac-er! or $y
auto(ated (alicious code. Should a terrorist group atte(pt to launch a coordinated cy$erattac- against
co(puters that (anage the %.S. critical infrastructure! they (ay find it useful to copy so(e of the tactics
no* co((only used $y today1s co(puter hac-er groups to locate +nternetAconnected co(puters *ith
#ulnera$ilities! and then syste(atically e0ploit those #ulnera$ilities 4see ppendices ! 8! and C5.
-ackers Search for Computer System Vulnerabilities" Co(puter hac-ers opportunistically scan the
+nternet to find and infect co(puter syste(s that are (isAconfigured! or lac- current soft*are security
patches. Co(pro(ised co(puters can $eco(e part of a 3$ot net*or-3 or 3$ot herd3 4a 3$ot3 is a re(otelyA
controlled! or se(iAautono(ous co(puter progra( that can infect co(puters5! so(eti(es co(prised of
hundred or thousands of co(pro(ised co(puters that can all D$eE controlled re(otely $y a single hac-er.
This 3$ot herd3 hac-er (ay instruct the co(puters through an encrypted co((unications channel to spy on
the o*ner of each infected co(puter! and ,uietly trans(it copies of any sensiti#e data that is found! or he
(ay direct the 3herd3 to collecti#ely attac- as a s*ar( against other targeted co(puters.
:#en co(puters *ith current soft*are security patches installed (ay still $e #ulnera$le to a type of CN
-no*n as a 3LeroA"ay e0ploit3. This (ay occur if a co(puter hac-er disco#ers a ne* soft*are #ulnera$ility
and launches a (alicious attac- progra( to infect the co(puter $efore a security patch can $e created $y
the soft*are #endor and distri$uted to protect users.
+n results of a 2&&4 sur#ey of security and la* enforce(ent e0ecuti#es! conducted in part $y the Secret
Ser#ice! CSO 4Chief Security Officer5 (aga2ine! and the Co(puter :(ergency Response Tea( Coordination
Center 4C:RTJCC5! a (aCor reporting center for statistics on +nternet security pro$le(s! hac-ers are cited as
the greatest cy$ersecurity threat. The sur#ey also sho*s that *hile 43K of respondents reported an
increase in cy$ercri(es o#er the pre#ious year! at least 3&K of those did not -no* *hether insiders or
outsiders *ere the cause. Of those respondents *ho did -no*! <1K of attac-s reportedly ca(e fro(
outsiders *hile 2>K ca(e fro( insiders.
4>
Automated Cyberattacks Spread .uickly" The 3Sla((er3 co(puter *or( attac-ed )icrosoft1s data$ase
soft*are and spread through the +nternet o#er the space of one *ee-end in Ganuary 2&&3. ccording to a
preli(inary study
--13--
coordinated $y the Cooperati#e ssociation for +nternet "ata nalysis 4C+"5! on Ganuary 2'! 2&&3! the
S@L Sla((er *or( 4also -no*n as 3Sapphire35 auto(atically spread to infect (ore than >& percent of
#ulnera$le co(puters *orld*ide *ithin 1& (inutes of its release on the +nternet! (a-ing it the fastest
co(puter *or( in history. s the study reports! e0ploiting a -no*n #ulnera$ility for *hich a patch has $een
a#aila$le since Guly 2&&2! Sla((er dou$led in si2e e#ery =.' seconds and achie#ed its full scanning rate 4''
(illion scans per second5 after a$out 3 (inutes. +t caused considera$le har( through net*or- outages and
such unforeseen conse,uences as canceled airline flights and auto(ated teller (achine 4T)5 failures.
'&
Whene#er a cy$erattac- against co(puters or net*or-s is reported to C:RTJCC! it is recorded as a statistic
for security incidents. /o*e#er! as of 2&&4! C:RTJCC has a$andoned this practice for -eeping a record of
cy$erattac-s. This is $ecause the *idespread use of auto(ated cy$erattac- tools has escalated the nu($er
of net*or- attac-s to such a high le#el! that their organi2ation has stated that a count of security incidents
has $eco(e (eaningless as a (etric for assessing the scope and effects of attac-s against +nternetA
connected syste(s.
'1
Persistence of Computer System Vulnerabilities" ?ulnera$ilities in soft*are and co(puter syste(
configurations pro#ide the entry points for a cy$erattac-. ?ulnera$ilities persist largely as a result of poor
security practices and procedures! inade,uate training in co(puter security! or poor ,uality in soft*are
products.
'2
+nade,uate resources de#oted to staffing the security function (ay also contri$ute to poor
security practices. /o(e co(puter users often ha#e little or no training in $est practices for effecti#ely
securing ho(e net*or-s and e,uip(ent.
#rrors in &e+ Soft+are Products" ?endors for Co((ercialAOffATheAShelf soft*are 4COTS5 are often
critici2ed for releasing ne* products *ith errors that create the co(puter syste(
#ulnera$ilities.
'3
ppro0i(ately =& percent of successful intrusions into federal co(puter syste(s reportedly
can $e attri$uted to soft*are errors! or poor soft*are product ,uality.
'4
Richard Clar-e! for(er White /ouse
cy$erspace ad#isor until 2&&3! has reportedly said that (any co((ercial soft*are
--14--
products ha#e poorly *ritten! or poorly configured security features.
''
Richard ". 9ethia! "irector! C:RTJCC!
Soft*are :ngineering +nstitute! Carnegie )ellon %ni#ersity! in testi(ony $efore the /ouse Select Co((ittee
on /o(eland Security! Su$co((ittee on Cy$ersecurity! Science! and Research and "e#elop(ent! stated!
3There is little e#idence of i(pro#e(ent in the security features of (ost products6 de#elopers are not
de#oting sufficient effort to apply lessons learned a$out the sources of #ulnera$ilities.... We continue to see
the sa(e types of #ulnera$ilities in ne*er #ersions of products that *e sa* in earlier #ersions. Technology
e#ol#es so rapidly that #endors concentrate on ti(e to (ar-et! often (ini(i2ing that ti(e $y placing a lo*
priority on security features. %ntil their custo(ers de(and products that are (ore secure! the situation is
unli-ely to change.3
';
+n response to co(plaints! the soft*are industry reportedly has (ade ne* efforts to design soft*are *ith
(ore secure code and *ith architectures that are (ore secure. For e0a(ple! )icrosoft has created a special
Security Response Center and no* *or-s *ith "O" and *ith industry and go#ern(ent leaders to i(pro#e
security features in its ne* products. /o*e#er! (any soft*are industry representati#es reportedly agree
that no (atter *hat in#est(ent is (ade to i(pro#e soft*are security! there *ill continue to $e
#ulnera$ilities found in soft*are $ecause it is $eco(ing increasingly (ore co(ple0.
'<
Inade/uate Resources" lthough soft*are #endors periodically release fi0es or upgrades to sol#e ne*ly
disco#ered security pro$le(s! an i(portant soft*are security patch (ight not get scheduled for installation
on an organi2ation1s co(puters until se#eral *ee-s or (onths after the patch is a#aila$le.
'=
The Co$ (ay $e
too
--1"--
ti(eAconsu(ing! too co(ple0! or too lo* a priority for the syste( ad(inistration staff. With increased
soft*are co(ple0ity co(es the introduction of (ore #ulnera$ilities! so syste( (aintenance is ne#erAending.
So(eti(es the security patch itself (ay disrupt the co(puter *hen installed! forcing the syste(
ad(inistrator to ta-e additional ti(e to adCust the co(puter to accept the ne* patch. To a#oid such
disruption! a security patch (ay first re,uire testing on a separate isolated net*or- $efore it is distri$uted
for installation on all other co(puters.
8ecause of such delays! the co(puter security patches actually installed in (any organi2ations (ay lag
considera$ly $ehind the current cy$erthreat situation. Whene#er delays are allo*ed to persist in pri#ate
organi2ations! in go#ern(ent agencies! or a(ong 9C users at ho(e! co(puter #ulnera$ilities that are *idely
reported (ay re(ain unprotected! lea#ing net*or-s open to possi$le attac- for long periods of ti(e.
One *ay to i(pro#e this *ould $e to encourage the soft*are industry to create products that do not re,uire
syste( ad(inistrators to de#ote so (uch ti(e to installing fi0es. )any security e0perts also e(phasi2e that
if syste(s ad(inistrators recei#ed the necessary training for -eeping their co(puter configurations secure!
then co(puter security *ould greatly i(pro#e for the %.S. critical infrastructure.
'>
(ffshore (utsourcing" )any (aCor soft*are co(panies no* outsource code de#elop(ent to
su$contractors *ho design and $uild large portions of COTS products outside the %nited States.
;&
Offshore
outsourcing (ay gi#e a progra((er in a foreign country the chance to secretly insert a TroCan /orse or
other (alicious code into a ne* co((ercial soft*are product. BO reportedly has $egun a re#ie* of "O"
reliance on foreign soft*are de#elop(ent to deter(ine the ade,uacy of (easures intended to reduce these
related security ris-s in co((ercial soft*are products purchased for (ilitary syste(s.
Soft*are industry representati#es ha#e responded $y saying that offshore outsourcing should not $e cited
as the only possi$le source for (alicious code. )ost core soft*are co(ponents are designed and de#eloped
*ithin the %nited States! and
--1#--
despite the e(erging contro#ersy a$out security and offshore outsourcing! (any soft*are de#elopers
*or-ing and residing here also ha#e foreign $ac-grounds. Therefore! to i(pro#e national security it (ay $e
(ore effecti#e to focus not on the location *here code is de#eloped! $ut rather to focus on (a-ing certain
that soft*are #endors al*ays ha#e rigorous ,uality assurance techni,ues in place no (atter *here the code
is produced. /o*e#er! higher standards for ,uality assurance *ill also in#ol#e (ore costs and additional
ti(e for testing.
;1
For (ore infor(ation a$out offshore outsourcing and national security! see CRS Report RL32411! .etwor/
(entric 0ar*are 1ac/ground and 2versight )ssues *or (ongress! and CRS Report RL321<>! Manu*acturing
2ut3ut4 Productivit, and Em3lo,ment )m3lications *or 5-+- Polic,.
errorist Capabilities for Cyberattack
:0tensi#e planning and preAoperational sur#eillance $y hac-ers are i(portant characteristics that precede a
cy$erattac- directed at an organi2ation.
;2
So(e e0perts esti(ate that ad#anced or structured cy$erattac-s
against (ultiple syste(s and net*or-s! including target sur#eillance and testing of sophisticated ne* hac-er
tools! (ight re,uire fro( t*o to four years of preparation! *hile a co(ple0 coordinated cy$erattac-! causing
(ass disruption against integrated! heterogeneous syste(s (ay re,uire ; to 1& years of preparation.
;3
This
characteristic! *here hac-ers de#ote (uch ti(e to detailed and e0tensi#e planning $efore launching a
cy$erattac-! has also $een descri$ed as a 3hall(ar-3 of pre#ious physical terrorist attac-s and $o($ings
launched $y l @aeda 4see ppendices and C5.
Attractiveness of Cyberterrorism" +t is difficult to deter(ine the le#el of interest! or the capa$ilities of
international terrorist groups to launch an effecti#e cy$erattac-. 1>>> report $y The Center for the Study
of Terroris( and +rregular Warfare at the Na#al 9ostgraduate School concluded that it is li-ely that any
se#ere cy$erattac-s e0perienced in the near future $y industriali2ed nations *ill $e used $y
--1$--
terrorist groups si(ply to supple(ent the (ore traditional physical terrorist attac-s.
;4
So(e o$ser#ers ha#e stated that l @aeda does not see cy$erterroris( as i(portant for achie#ing its goals!
preferring attac-s *hich inflict hu(an casualties.
;'
Other o$ser#ers $elie#e that the groups (ost li-ely to
consider and e(ploy cy$erattac- and cy$erterroris( are the terrorist groups operating in postAindustrial
societies 4such as :urope and the %nited States5! rather than international terrorist groups that operate in
de#eloping regions *here there is li(ited access to high technology.
/o*e#er! other sources report that l @aeda has ta-en steps to i(pro#e organi2ational secrecy through
(ore acti#e and cle#er use of technology! and e#idence suggests that l @aeda terrorists used the +nternet
e0tensi#ely to plan their operations for Septe($er 11! 2&&1.
;;
l @aeda cells reportedly used ne* +nternetA
$ased telephone ser#ices to co((unicate *ith other terrorist cells o#erseas. Hhalid Shai-h )oha((ed! one
of the (aster(inds of the plot against the World Trade Center! reportedly used special +nternet chat
soft*are to co((unicate *ith at least t*o airline hiCac-ers. Ra(2i Fousef! *ho *as sentenced to life
i(prison(ent for the pre#ious $o($ing of the World Trade Center! had trained as an electrical engineer!
and had planned to use sophisticated electronics to detonate $o($s on 12 %.S. airliners departing fro( sia
for the %nited States. /e also used sophisticated encryption to protect his data and to pre#ent la*
enforce(ent fro( reading his plans should he $e captured.
;<
0o+er Risk" Tighter physical security (easures no* *idely in place throughout the %nited States (ay
encourage terrorist groups in the future to e0plore cy$erattac- as DaE *ay to lo*er the ris- of detection for
their operations.
;=
lso! lin-ages $et*een net*or-ed co(puters could e0pand the effects of a cy$erattac-.
Therefore! a cy$erattac- directed against only a fe* #ulnera$le co(puters could (ultiply its effects $y
corrupting i(portant infor(ation that is trans(itted to other do*nstrea( $usinesses.
0ess )ramatic" /o*e#er! other security o$ser#ers $elie#e that terrorist organi2ations (ight $e reluctant to
launch a cy$erattac- $ecause it *ould result in less i((ediate dra(a and ha#e a lo*er psychological i(pact
than a (ore con#entional act of destruction! such as a $o($ing. These o$ser#ers $elie#e that unless a
cy$erattac- can $e (ade to result in actual physical da(age or $loodshed!
--1%--
it *ill ne#er $e considered as serious as a nuclear! $iological! or che(ical terrorist attac-.
;>
0inks +ith errorist1Sponsoring &ations" The %.S. "epart(ent of State! as of Octo$er 2&&4! lists se#en
designated state sponsors of terroris(I Cu$a! +ran! +ra,! Li$ya! North Horea! Syria! and Sudan.
<&
These
countries are identified as sponsors for funding! pro#iding *eapons! and supplying other resources used for
operations $y terrorist groups.
/o*e#er! a study of trends in +nternet attac-s deter(ined that countries that are state sponsors of
terroris( generated less than one percent of all reported cy$erattac-s directed against selected $usinesses
in 2&&2.
<1
Ne*s sources ha#e reported that! other than a fe* *e$site deface(ents! there *as no e#idence
that a co(puter attac- *as launched $y +ra, or $y terrorist organi2ations against %nited States (ilitary
forces during Bulf War ++.
<2
The security research organi2ation! C4+.org! reported that prior to the )arch
2&&3 deploy(ent of %.S. troops! traffic increased fro( We$ surfers in +ra, using search ter(s such as!
3Co(puter *arfare!3 3NS co(puter net*or-!3 and 3air$orne co(puter.3 :0perts interpreted the increased
We$ traffic as an indication that +ra,1s go#ern(ent *as increasingly relying on the +nternet for intelligence
gathering.
<3
:le(ents in +ran are $elie#ed $y so(e o$ser#ers to ha#e lin-s *ith l @aeda as *ell as other terrorist
groups! and North Horea has continued to sell *eapons and highAtechnology ite(s to other countries
designated as state sponsors of terroris(. Other ne*s sources ha#e reported that North Horea (ay $e
$uilding up their o*n capa$ilities for cy$eroperations. Security e0perts reportedly $elie#e that North Horea
(ay ha#e de#eloped a considera$le capa$ility for cy$er*arfare partly in response to South Horea1s ad(itted
$uild up of co(puter training centers and its e0panding defense $udget to prepare for infor(ation
*arfare.
<4
Co(puter progra((ers fro( the 9yongyang +nfor(atics Center in North Horea ha#e done
contract *or- to de#elop soft*are for local go#ern(ents and $usinesses in Gapan and South Horea. nd!
recent state(ents (ade $y South Horea1s "efense Security Co((and clai( that North Horea (ay currently
$e training (ore than 1&& ne* co(puter hac-ers per
--1&--
year! for national defense.
<'
/o*e#er! 9entagon and State "epart(ent officials reportedly are una$le to
confir( the clai(s (ade $y South Horea! and defense e0perts reportedly $elie#e that North Horea is
incapa$le of seriously disrupting %.S. (ilitary co(puter syste(s. lso! "epart(ent of State officials ha#e
reportedly said that North Horea is not -no*n to ha#e sponsored any terrorist acts since 1>=<.
0inks Bet+een errorists and -ackers" Lin-s $et*een co(puter hac-ers and terrorists! or terroristA
sponsoring nations (ay $e difficult to confir(. )e($ership in the (ost highlyAs-illed co(puter hac-er
groups is so(eti(es #ery e0clusi#e! li(ited to indi#iduals *ho de#elop! de(onstrate! and share only *ith
each other their (ost closelyAguarded set of sophisticated hac-er tools. These e0clusi#e hac-er groups do
not see- attention $ecause (aintaining secrecy allo*s the( to operate (ore effecti#ely.
So(e hac-er groups (ay also ha#e political interests that are supraAnational! or $ased on religion or other
socioApolitical ideologies! *hile other hac-er groups (ay $e (oti#ated $y profit! or lin-ed to organi2ed
cri(e! and (ay $e *illing to sell their co(puter ser#ices! regardless of the political interests in#ol#ed. For
e0a(ple! it has $een reported that the +ndian separatist group! /ar-atAulAnsar 4an +sla(ic funda(entalist
group in 9a-istan that operates pri(arily in Hash(ir! and is also no* la$eled a Foreign Terrorist
Organi2ation in 1>>< for its lin-s *ith $in Laden5! atte(pted to purchase cy$erattac- soft*are fro( hac-ers
in late 1>>=. +n )arch 2&&&! it *as reported that the u( Shinri-yo cult! a designated Foreign Terrorist
Organi2ation! had contracted to *rite soft*are for =& Gapanese co(panies! and 1& go#ern(ent agencies!
including Gapan1s )etropolitan 9olice "epart(ent6 ho*e#er! no cy$erattac-s that related to these contracts
*ere reported.
<;
/o*e#er! infor(ation a$out co(puter #ulnera$ilities is no* for sale online in a hac-ers1 3$lac- (ar-et3. For
e0a(ple! list of '!&&& addresses of co(puters that ha#e already $een infected *ith spy*are and *hich are
*aiting to $e re(otely controlled as part of an auto(ated 3$ot net*or-3 4see ppendi0 5 reportedly can $e
o$tained for a$out M1'& to M'&&. 9rices for infor(ation a$out co(puter #ulnera$ilities for *hich no soft*are
patch yet e0ists reportedly range fro( M1!&&& to M'!&&&. 9urchasers of this infor(ation are often co(panies
that deal in spa(! organi2ed cri(e groups! and #arious foreign go#ern(ents.
<<
--2'--
2ederal #fforts to Protect Computers
The federal go#ern(ent has ta-en steps to i(pro#e its o*n co(puter security and to encourage the pri#ate
sector to also adopt stronger co(puter security policies and practices to reduce infrastructure #ulnera$ilities.
+n 2&&2! the Federal +nfor(ation Security )anage(ent ct 4F+S)5 *as enacted! gi#ing the Office of
)anage(ent and 8udget 4O)85 responsi$ility for coordinating infor(ation security standards and guidelines
de#eloped $y federal agencies.
<=
+n 2&&3! the National Strategy to Secure Cy$erspace *as pu$lished $y the
d(inistration to encourage the pri#ate sector to i(pro#e co(puter security for the %.S. critical
infrastructure through ha#ing federal agencies set an e0a(ple for $est security practices.
<>
The National Cy$er Security "i#ision 4NCS"5! *ithin the +nfor(ation nalysis and +nfrastructure 9rotection
"irectorate of the "epart(ent of /o(eland Security 4"/S5 o#ersees a Cy$er Security Trac-ing! nalysis
and Response Center 4CSTRC5! tas-ed *ith conducting analysis of cy$erspace threats and #ulnera$ilities!
issuing alerts and *arnings for cy$erthreats! i(pro#ing infor(ation sharing! responding to (aCor
cy$ersecurity incidents! and aiding in nationalAle#el reco#ery efforts.
=&
+n addition! a ne* Cy$er Warning and
+nfor(ation Net*or- 4CW+N5 has $egun operation in '& locations! and ser#es as an early *arning syste( for
cy$erattac-s.
=1
The CW+N is engineered to $e relia$le and sur#i#a$le! has no dependency on the +nternet or
the pu$lic s*itched net*or- 49SN5! and reportedly *ill not $e affected if either the +nternet or 9SN suffer
disruptions.
=2
+n Ganuary 2&&4! the NCS" also created the National Cy$er lert Syste( 4NCS5! a coordinated national
cy$ersecurity syste( that distri$utes infor(ation to su$scri$ers to help identify! analy2e! and prioriti2e
e(erging #ulnera$ilities and cy$erthreats. NCS is (anaged $y the %nited States Co(puter :(ergency
Readiness Tea( 4%SAC:RT5! a partnership $et*een NCS" and the pri#ate sector!
--21--
and su$scri$ers can sign up to recei#e notices fro( this ne* ser#ice $y #isiting the %SAC:RT *e$site.
=3
/o*e#er! despite gro*ing concerns for national security! co(puter #ulnera$ilities persist! the nu($er of
co(puter attac-s reported $y industry and go#ern(ent has increased yearly! and federal agencies ha#e! for
the past three years! co(e under criticis( for the poor effecti#eness of their co(puter security
progra(s.
=4
For e0a(ple! *ea-nesses in co(puter security at the "epart(ent of :nergy reportedly allo*ed
hac-ers to successfully penetrate syste(s 1>> ti(es in FF2&&4! affecting appro0i(ately 3!'31 unclassified
net*or-ed syste(s.
='
report $y the "O: inspector general stated that the "epart(ent continues to ha#e
difficulty finding! trac-ing and fi0ing pre#iously reported cy$ersecurity *ea-nesses ,uic-ly. The report
identified a nu($er of other security *ea-nesses! and reco((ended that all (aCor applications and general
support syste(s $eco(e certified and accredited! according to "O: co(puter security policy.
=;
Issues for Congress
3ro+ing echnical Capabilities of errorists
+s it li-ely that the threat *ill increase in the future for a coordinated cy$erattac-! or other type of attac-
against co(puters that operate the %.S. infrastructure7 s co(puterAliterate youth increasingly Coin the
ran-s of terrorist groups! *ill cy$erterroris( $eco(e increasingly (ore (ainstrea( in the future7 Will a
co(puterAliterate leader $ring increased a*areness of the ad#antages of an attac- on infor(ation syste(s!
or $e (ore recepti#e to suggestions fro( other! ne*er co(puterAliterate (e($ers7 Once a ne* tactic has
*on *idespread (edia attention! *ill it li-ely (oti#ate other ri#al terrorist groups to follo* along the ne*
path*ay.
=<
--22--
Se#eral e0perts ha#e asserted that terrorist organi2ations (ay soon $egin to use co(puter technology to
(ore acti#ely support terrorist o$Cecti#es. For e0a(ple! sei2ed co(puters $elonging to l @aeda indicate its
(e($ers are no* $eco(ing fa(iliar *ith hac-er tools that are freely a#aila$le o#er the
+nternet.
==
9otentially se#ere cy$erattac- tools (ay $e first de#eloped and then secretly tested $y dispersed
terrorist groups using s(all! isolated la$oratory net*or-s! thus a#oiding detection of any preparation $efore
launching a *idespread attac- on the +nternet.
=>
-o+ Best to !easure Cyberattack rends4
Congress (ay *ish to encourage security and technology e0perts to study *ays to collect data that *ill
ena$le (ore effecti#e analysis of trends of ongoing cy$erattac-s on the +nternet. Currently! there is no
pu$lished data to either support or deny terrorist in#ol#e(ent in the increasing nu($er of cy$erattac-s that
plague the +nternet. Congress (ay *ish to encourage researchers to find $etter *ays to deter(ine the
initiators of cy$erattac-s.
What effects are ne* cy$erattac- tools! such as auto(ated 3$ot3 syste(s! ha#ing on the sta$ility of the
+nternet infrastructure! and the security of the %.S. critical infrastructure7
+s there a need for a (ore statistically relia$le analysis of trends in co(puter security #ulnera$ilities to (ore
accurately sho* the costs and $enefits for i(pro#ing national cy$ersecurity7 Currently! se#eral annual
studies are pu$lished $y se#eral security co(panies! analy2ing *hat they ha#e o$ser#ed fro( custo(er
(onitoring or sur#eys. These reported statistics are relied upon for (easuring financial losses to %.S.
industry due to co(puter attac-s. /o*e#er! it is $elie#ed $y so(e o$ser#ers that so(e studies (ay $e
li(ited in scope and (ay possi$ly contain statistical $ias.
>&
--23--
s technology e#ol#es! *ill ne* and (ore inno#ati#e selfAdirected high technology products change the
nature of our #ulnera$ility to cy$erattac-7 Currently! the degree and i((ediacy of hu(an o#ersight of
infrastructure co(puters *ill li-ely help pre#ent the effects of a possi$le cy$erattac- fro( cascading
unpredicta$ly. /o*e#er! as (ore high technology products are designed to co((unicate directly *ith each
other *ithout hu(an in#ol#e(ent! *ill the i((ediate o#ersight of hu(an e0perts di(inish! and *ould this
also reduce our protection against a potentially se#ere cy$erattac- in the future7
)() and Cyberterrorism
+n Fe$ruary 2&&3! the d(inistration pu$lished a report titled 3National Strategy to Secure Cy$erspace!3
(a-ing clear that the %.S. go#ern(ent reser#es the right to respond 3in an appropriate (anner3 if the
%nited States co(es under co(puter attac-. The response could in#ol#e the use of %.S. cy$er*eapons! or
(alicious code designed to attac- and disrupt the targeted co(puter syste(s of an ad#ersary.
The Goint +nfor(ation Operations Center 4G+OC5! *hich is under the %.S. Strategic Co((and
4%SSTRTCO)5! has responsi$ility for (anaging infor(ation *arfare and electronic *arfare acti#ities. Within
the G+OC! the Goint Tas- ForceABlo$al Net*or- Operations 4GTFABNO5! coordinates and directs the defense of
"O" co(puter syste(s and net*or-s! and! *hen directed! conducts co(puter net*or- attac- in support of
co($atant co((anders1 and national o$Cecti#es.
#'isting 3uidance" The 8ush d(inistration announced plans in Fe$ruary 2&&3 to de#elop nationalAle#el
guidance for deter(ining *hen and ho* the %nited States *ould launch co(puter net*or- attac-s against
foreign ad#ersary co(puter syste(s.
>1
/o*e#er! any %.S. response to a co(puter attac- $y an ad#ersary
(ust $e carefully *eighed to a#oid (ista-es in retaliation! or other possi$le unintended outco(es. Options
for a cy$erresponse fro( the %nited States (ay $e li(ited $ecause there *ill li-ely $e difficulty in
deter(ining! *ith a high degree of certainty! if a terrorist group is actually responsi$le for an attac- against
co(puters in the %nited States. For e0a(ple! a terrorist group (ight possi$ly su$#ert the co(puters of a
third party! in an atte(pt to pro#o-e a retaliatory stri-e $y the %nited States against the *rong group or
nation.
Retaliation" +f it is deter(ined that the %nited States has $een the target of a successful coordinated
cy$erattac- $y a terrorist group! *hat is the appropriate response7 There are (any ,uestions that can $e
raised regarding the (ilitary use of cy$er*eapons. For instance! should those decisions $e (ade $y the
9resident! or $y the Goint Chiefs of Staff! or $y other (ilitary co((anders7 What o#ersight role should
Congress ha#e7 Would the resulting effects of offensi#e cy$er*eapons for infor(ation *arfare operations $e
difficult to li(it or control7 +f the %nited States should use "O" cy$er*eapons to retaliate against a terrorist
group! *ould that
--24--
possi$ly encourage others to start launching cy$erattac-s against the %nited States7 Si(ilarly! *ill any %.S.
atte(pt to suddenly increase sur#eillance #ia use of cy$erespionage progra(s $e la$eled as an unpro#o-ed
attac-! e#en if directed against a terrorist group7 +f a terrorist group should su$se,uently copy! or re#erseA
engineer a destructi#e %.S. (ilitary co(puter attac- progra(! *ould it $e used against other countries that
are %.S. allies! or e#en turned $ac- to attac- ci#ilian co(puter syste(s in the %nited States7
>2
Would the use
of cy$er*eapons! if the effects are *idespread and se#ere! e0ceed the custo(ary rules of (ilitary conflict!
or international la*s.
>3
+n a (eeting held in Ganuary 2&&3 at the )assachusetts +nstitute of Technology! White /ouse officials
sought input fro( e0perts outside go#ern(ent on guidelines for %.S. use of cy$er*eapons. Officials ha#e
stated they are proceeding cautiously! $ecause a %.S. cy$erattac- against terrorist groups or other
ad#ersaries could ha#e serious cascading effects! perhaps causing (aCor disruption to ci#ilian syste(s in
addition to the intended co(puter targets.
>4
!ilitary Vulnerability and Reliance on Commercial Products" Co((ercial electronics and
co((unications e,uip(ent are no* used e0tensi#ely to support co(ple0 %.S. *eapons syste(s! lea#ing
operations for those syste(s possi$ly #ulnera$le to cy$erattac-! and this situation is -no*n to our potential
ad#ersaries.
>'
To *hat degree are (ilitary forces and national security threatened $y #ulnera$ilities of
co((ercial syste(s! and ho* can the co(puter industry $e encouraged to create ne* COTS products that
are less #ulnera$le to cy$erattac-7
Privacy
What is the proper $alance $et*een the need to detect and re(ain a*are of terroris( acti#ities and the
need to protect indi#idual pri#acy7 Cy$erterrorists *ould li-ely use tactics that are si(ilar to those used $y
co(puter hac-er groups. 9reoperati#e sur#eillance characteri2es the early stages of (any cy$erattac-s! and
secret
--2"--
planning (ay $e conducted in +nternet chat areas! *here hac-ers (eet anony(ously to e0change
infor(ation a$out co(puter #ulnera$ilities! or ne* cy$erattac- tools. These co#ert co((unications could
also $e encrypted and difficult to detect or decode.
li(iting factor for either pre#enting a cy$erattac- or identifying the attac-ers is a lac- of data re#ealing
e#idence of preAoperati#e sur#eillance and onAline planning acti#ity that is tracea$le $ac- to terrorist groups.
Should intelligence agencies (onitor co(puter chat roo(s fre,uented $y terrorists and de#elop other *ays
to help unco#er their co((unications and planning7 "ata )ining search technologies (ay offer *ays to help
the intelligence co((unity unco#er these lin-ages.
errorism Information A+areness Program" The "efense d#anced Research 9roCects gency 4"R95
has conducted research and de#elop(ent for syste(s such as the for(er Terroris( +nfor(ation *areness
9rogra( 4T+5
>;
that are intended to help in#estigators disco#er co#ert lin-ages a(ong people! places!
things! and e#ents related to possi$le terrorist acti#ity 4see $elo* for pri#acy issues5. Funding ended for the
T+ progra( in 2&&4 and the +nfor(ation *areness Office! a $ranch of "R9! is no* dis$anded.
><
The T+
data (ining progra( *as intended to sift through #ast ,uantities of citi2ens1 personal data! such as credit
card transactions and tra#el $oo-ings! to identify possi$le terrorist acti#ity to pro#ide $etter ad#ance
infor(ation a$out terrorist planning and preparation acti#ities to pre#ent future international terrorist
attac-s against the %nited States at ho(e or a$road. /o*e#er! the T+ progra( and other si(ilar proposals
for do(estic sur#eillance raised pri#acy concerns fro( la*(a-ers! ad#ocacy groups! and the (edia. So(e
pri#acy ad#ocates ha#e o$Cected to the possi$ility that infor(ation gathered through do(estic sur#eillance
(ay $e #ie*ed $y unauthori2ed users! or e#en (isused $y authori2ed users. Congress has (o#ed to restrict
or eli(inate funding for the T+ progra( under S. 13=2 and /.R. 2;'=.
P"0" 567178! titled the "efense ppropriations ct of 2&&4! enacted on Septe($er 3&! 2&&3! restricts
funding and deploy(ent of the T+ 9rogra(. Specifically! section =131 part 4a5 li(its use of funds for
research and de#elop(ent of the T+ 9rogra(! e0cept for 39rocessing! analysis! and colla$oration tools for
counterterroris( foreign intelligence3 for (ilitary operations outside the %nited States.
--2#--
(ther )ata !ining Search echnologies" Should (ore research $e encouraged into ne*er data$ase
search technologies that pro#ide (ore protection for indi#idual pri#acy *hile helping to detect terrorist
acti#ities7 The "epart(ent of "efense is currently re#ie*ing the capa$ilities of other data (ining products
using technology that (ay reduce do(estic pri#acy concerns raised $y T+. For e0a(ple! Syste(s Research
and "e#elop(ent! a technology fir( $ased in Las ?egas! has $een tas-ed $y the C+ and other agencies to
de#elop a ne* data$ase search product called 3nony(ous :ntity Resolution.3 The technology used in this
product can help in#estigators deter(ine *hether a terrorist suspect appears in t*o separate data$ases!
*ithout re#ealing any pri#ate indi#idual infor(ation. The product uses encryption to ensure that e#en if the
scra($led records are intercepted! no pri#ate infor(ation can $e e0tracted. Thus! terroris( *atch lists and
corporate data$ases could $e securely co(pared online! *ithout re#ealing pri#ate infor(ation.
>=
lso! the Florida police depart(ent has! since 2&&1! operated a counter terroris( syste( called the
)ultistate ntiATerroris( +nfor(ation :0change 4)TR+N5 that helps in#estigators find patterns a(ong
people and e#ents $y co($ining police records *ith co((ercially a#aila$le infor(ation a$out (ost %.S.
adults. )TR+N includes infor(ation that has al*ays $een a#aila$le to in#estigators! $ut adds e0traordinary
processing speed. The Gustice "epart(ent has pro#ided M4 (illion to e0pand the )TR+N progra(
nationally. "/S has pledged M= (illion to assist *ith the national e0pansion! and has also announced plans
to launch a pilot dataAsharing net*or- that *ill include ?irginia! )aryland! 9ennsyl#ania! and Ne* For-.
>>
For (ore infor(ation a$out T+! data (ining technology! and other pri#acy issues! see related CRS
Reports.
1&&
--2$--
&ational )irector for Cybersecurity
:ach of the three top officials in#ol#ed in the go#ern(ent1s cy$ersecurity effort has resigned since the
$eginning of 2&&3. +n Ganuary 2&&3! Richard Clar-e resigned fro( his position as cy$ersecurity ad#iser to
the 9resident! ending a 3&Ayear go#ern(ent career. Clar-e had $een the cy$ersecurity ad#iser since
Octo$er 2&&1. Three (onths later! in pril 2&&3! /o*ard Sch(idt! Clar-e1s successor as ad#iser! resigned!
ending a 31Ayear go#ern(ent career. 8efore $eco(ing the ad#iser in Ganuary 2&&3! Sch(idt had ser#ed as
Clar-e1s deputy.
+n Septe($er 2&&3! "/S for(ally announced the appoint(ent of (it Foran as ne* director of its
cy$ersecurity di#ision.
1&1
/o*e#er! the ne* director1s position *as placed three le#els $eneath "/S Secretary
To( Ridge! in contrast to Foran1s predecessors! /o*ard Sch(idt and Richard Clar-e! $oth of *ho( *ere
positioned in the White /ouse and had a direct line of contact *ith the 9resident. +n Septe($er 2&&4! (it
Foran! resigned! citing the end of his oneAyear co((it(ent to "/S. /o*e#er! to so(e o$ser#ers Foran1s
resignation *as une0pected.
9otential ,uestions for Congress arising out of these resignations include the follo*ingI Were any of their
resignations (oti#ated in part $y Co$Arelated concerns7 +f the latter! are these concerns indicati#e of any
pro$le(s in the go#ern(ent1s cy$ersecurity effort that need to $e addressed7 Why is the e0ecuti#e $ranch
ha#ing difficulty holding onto senior cy$ersecurity officials7 What effect has these resignations had on the
go#ern(ent1s efforts in cy$ersecurity7 re the go#ern(ent1s efforts in this area suffering due to insufficient
continuity of leadership7
The le#el of influence for the director of cy$ersecurity position has $eco(e a su$Cect of recent de$ate! *here
se#eral o$ser#ers ha#e proposed strengthening the director1s position $y (o#ing it out of "/S and into the
White /ouse! possi$ly under the Office of )anage(ent and 8udget. /o*e#er! so(e security industry
leaders ha#e fa#ored ele#ating the position to the assistant secretary le#el *ithin "/S! and ha#e o$Cected to
(o#ing the position to another depart(ent! saying that relocating the office no* *ould possi$ly $e
disrupti#e to the go#ern(entAindustry relationships that are ne*ly for(ed at "/S.
1&2
"/S officials ha#e
reportedly resisted ele#ating the position! arguing that separating concerns for cy$ersecurity fro( physical
security is inefficient and e0pensi#e $ecause co((on pro$le(s threaten $oth.
1&3
9.L. 1&=A4'=! the
+ntelligence Refor( and Terroris( 9re#ention ct!
--2%--
enacted on "ece($er 1<! 2&&4! does not descri$e a ne* ssistant Secretary position for Cy$ersecurity.
-"R" 97: *as introduced on Ganuary ;! 2&&' $y Representati#e )ac Thorn$erry! *ith Representati#e Loe
Lofgren and Representati#e 8ennie Tho(pson as coAsponsors. This $ill proposes to create a National
Cy$ersecurity Office headed $y an ssistant Secretary for Cy$ersecurity *ithin the "/S "irectorate for
+nfor(ation nalysis and +nfrastructure 9rotection! *ith authority for all cy$ersecurityArelated critical
infrastructure protection progra(s. On Fe$ruary 1=! 2&&'! the $ill *as referred to the /ouse su$co((ittee
on :cono(ic Security! infrastructure 9rotection! and Cy$ersecurity.
Should Physical and Cybersecurity Issues Remain Combined4
ccording to ne*s sources! in the 1>=&s during the Cold War! the %nited States C+ deli$erately created
faulty SC" soft*are and then planted it in locations *here agents fro( the So#iet %nion *ould steal it.
%n-no*n to the So#iets! the SC" soft*are! *hich *as supposedly designed to auto(ate controls for gas
pipelines! *as also infected *ith a secret TroCan /orse progra((ed to reset pu(p speeds and #al#e settings
that *ould create pressures far $eyond *hat *as accepta$le to pipeline Coints and *elds. The result! in Gune
1>=2! *as a (onu(ental nonnuclear e0plosion on the transASi$erian gas pipeline! e,ui#alent to 3 -ilotons of
TNT. /o*e#er! the e#ent re(ained secret $ecause the e0plosion too- place in the Si$erian *ilderness! and
there *ere no -no*n casualties.
1&4
"/S officials (aintain that an attac- against co(puters could possi$ly result in disastrous effects in physical
facilities. 8ecause of the this! the ne* "/S National Cy$er Security "i#ision 4NCS"5 is tas-ed to protect
cy$erassets in order to also pro#ide the $est protection for %.S. critical infrastructure assets. "/S officials
ha#e asserted that cy$ersecurity cuts across all aspects of critical infrastructure protection! and that
cy$eroperations cannot $e separated fro( the physical aspects of $usinesses $ecause they operate
interdependently.
1&'
Therefore! the NCS" e(ploys a threatAindependent strategy of protecting the +nternet
and critical infrastructures fro( all types of attac-s. "/S officials ha#e stated! 3+f *e atte(pt to 3sto#epipe3
our protection efforts to focus on the different types of attac-ers *ho (ay use the cy$erinfrastructure! *e
ris- the possi$ility of li(iting our understanding of the entire threat en#iron(ent.3
1&;
--2&--
/o*e#er! officials of fi#e $usiness groups A the Cy$er Security +ndustry lliance! the 8usiness Soft*are
lliance! TechNet! the +T ssociation of (erica! and the Financial Ser#ices Roundta$le A ha#e urged the
ad(inistration to create separate physical and cy$ersecurity reporting structures *ithin the "/S. The
industry groups (aintain that the challenges of protection in a glo$ally net*or-ed cy$er*orld are sufficiently
different fro( re,uire(ents for protection in the physical *orld that "/S needs a separate structure6 one
that is focused on cy$erissues! and headed $y a SenateAconfir(ed pu$lic official.
1&<
&ational Strategy to Secure Cyberspace
"oes the National Strategy to Secure Cy$erspace present clear incenti#es for achie#ing security o$Cecti#es7
Suggestions to increase incenti#es (ay include re,uiring that all soft*are procured for federal agencies $e
certified under the 3Co((on Criteria3 testing progra(! *hich is no* the re,uire(ent for the procure(ent of
(ilitary soft*are. /o*e#er! industry o$ser#ers point out that the soft*are certification process is lengthy
and (ay interfere *ith inno#ation and co(petiti#eness in the glo$al soft*are (ar-et.
1&=
Should the National Strategy to Secure Cy$erspace rely on #oluntary action on the part of pri#ate fir(s!
ho(e users! uni#ersities! and go#ern(ent agencies to -eep their net*or-s secure! or is there a need for
possi$le regulation to ensure $est security practices7 /as pu$lic response to i(pro#e co(puter security
$een slo* partly $ecause there are no regulations currently i(posed7
1&>
Would regulation to i(pro#e
--3'--
co(puter security interfere *ith inno#ation and possi$ly har( %.S. co(petiti#eness in technology (ar-ets7
T*o of the for(er cy$ersecurity ad#isers to the president ha#e differing #ie*sI /o*ard Sch(idt has stated
that (ar-et forces! rather than the go#ern(ent! should deter(ine ho* product technology should e#ol#e for
$etter cy$ersecurity6 ho*e#er! Richard Clar-e has stated that the +T industry has done little on its o*n to
i(pro#e security of its o*n syste(s and products.
11&
Commercial Soft+are Vulnerabilities
Should soft*are product #endors $e re,uired to create higher ,uality soft*are products that are (ore
secure and that need fe*er patches7 Soft*are #endors (ay increase the le#el of security for their products
$y rethin-ing the design! or $y adding (ore test procedures during product de#elop(ent. /o*e#er! so(e
#endors reportedly ha#e said that their co((ercial custo(ers (ay not $e *illing to pay the increased costs
for additional security features.
111
A+areness and #ducation
Should co(puter security training $e (ade a#aila$le to all co(puter users to -eep the( a*are of constantly
changing co(puter security threats! and to encourage the( to follo* proper security procedures7 2&&4
sur#ey done $y the National Cy$er Security lliance and OL sho*ed that ho(e 9C users had a lo* le#el of
a*areness a$out $est practices for co(puter security. The sur#ey sho*ed that (ost ho(e users do not
ha#e ade,uate protection against hac-ers! do not ha#e updated anti#irus soft*are protection! and are
confused a$out the protections they are supposed to use and ho* to use the(.
112
--31--
Will incenti#es! education progra(s! or pu$lic a*areness (essages a$out co(puter security encourage
ho(e 9C users to follo* the $est security practices7 )any co(puters ta-en o#er $y +nternet hac-ers $elong
to s(all $usinesses or indi#idual ho(e users *ho ha#e not had training in $est co(puter security practices
and *ho (ay not feel (oti#ated to #oluntarily participate in a training progra(. ?ulnera$ilities that re,uire
go#ern(ent and corporate syste(s ad(inistrators to install soft*are patches also affect co(puters
$elonging to (illions of ho(e 9C users.
113
Coordination to Protect Against Cyberterrorism
What can $e done to i(pro#e sharing of infor(ation $et*een federal go#ern(ent! local go#ern(ents! and
the pri#ate sector to i(pro#e co(puter security7 :ffecti#e cy$ersecurity re,uires sharing of rele#ant
infor(ation a$out threats! #ulnera$ilities! and e0ploits. recent BO sur#ey of local go#ern(ent officials
reco((ended that "/S strengthen infor(ation sharing $y incorporating states and cities into its federal
3enterprise architecture3 planning process.
114
/o* can the pri#ate sector o$tain useful infor(ation fro( the
go#ern(ent on specific threats *hich the go#ern(ent considers classified! and ho* can the go#ern(ent
o$tain specific infor(ation fro( pri#ate industry a$out #ulnera$ilities and incidents *hich co(panies say
they *ant to protect to a#oid pu$licity and to guard trade secrets7
11'
Information Sharing" Should infor(ation #oluntarily shared *ith the federal go#ern(ent a$out security
#ulnera$ilities $e shielded fro( disclosure through Freedo( of +nfor(ation ct re,uests7 )any fir(s are
reluctant to share i(portant co(puter security infor(ation *ith go#ern(ent agencies $ecause of the
possi$ility of ha#ing co(petitors $eco(e a*are of a co(pany1s security #ulnera$ilities through FO+.
International Cooperation Against Cyberattack" /o* can the %nited States $etter coordinate security
policies and international la* to gain the cooperation of other nations to $etter protect against a co(puter
attac-7 9ursuit of hac-ers (ay in#ol#e a trace $ac- through net*or-s re,uiring the cooperation of (any
+nternet
--32--
Ser#ice 9ro#iders located in se#eral different nations.
11;
9ursuit is (ade increasingly co(ple0 if one or (ore
of the nations in#ol#ed has a legal policy or political ideology that conflicts *ith that of the %nited States.
11<
)ethods for i(pro#ing international cooperation in dealing *ith cy$ercri(e and terroris( *ere the su$Cect
of a conference sponsored $y the /oo#er +nstitution! the Consortiu( for Research on +nfor(ation Security
and 9olicy 4CR+S95 and the Center for +nternational Security and Cooperation 4C+SC5 at Stanford %ni#ersity
in 1>>>. )e($ers of go#ern(ent! industry! NBOs! and acade(ia fro( (any nations (et at Stanford to
discuss the gro*ing pro$le(! and a clear consensus e(erged that greater international cooperation is
re,uired.
11=
Currently! thirtyAeight countries! including the %nited States! ha#e signed the Council of :urope1s Con#ention
on Cy$ercri(e! pu$lished in No#e($er 2&&1. The Con#ention see-s to $etter co($at cy$ercri(e $y
har(oni2ing national la*s! i(pro#ing in#estigati#e a$ilities! and $oosting international cooperation.
Supporters argue that the Con#ention *ill enhance deterrence! *hile critics counter it *ill ha#e little effect
*ithout participation $y countries in *hich cy$ercri(inals operate freely. 4see CRS Report
RS212&=! (,6ercrime !he (ouncil o* Euro3e (onvention5.
(ffshore )evelopment of Soft+are" +s %.S. national security threatened $y using co((ercial soft*are
products de#eloped in foreign countries.
11>
recent study $y Bartner +nc.! a technology research
organi2ation! predicts that for 2&&4 and $eyond! (ore than =& percent of %.S. co(panies *ill consider
outsourcing critical +T ser#ices! including soft*are de#elop(ent. Terrorist net*or-s are -no*n to e0ist in
se#eral countries such as )alaysia and +ndonesia! *here +T contract *or- has $een outsourced. Other
possi$le recipients of outsourced proCects are +srael! +ndia!
--33--
9a-istan! Russia and China.
12&
Corporations Custify their actions $y e0plaining that glo$al econo(ic
co(petition (a-es offshore outsourcing a $usiness necessity. Other o$ser#ers point out that restricting
offshore de#elop(ent (ay not $e effecti#e for i(pro#ing national security $ecause (any foreign *or-ers
are also currently e(ployed $y do(estic fir(s to de#elop co(puter soft*are *ithin the %nited States.
0egislative Activity
The Cy$ersecurity Research and "e#elop(ent ct 49.L. 1&<A3&'5! authori2ed M>&3 (illion o#er fi#e years
for ne* research and training progra(s $y the National Science Foundation 4NSF5 and the National +nstitute
for Standards and Technology 4N+ST5 to pre#ent and respond to terrorist attac-s on pri#ate and go#ern(ent
co(puters.
Follo*ing the Septe($er 11! 2&&1 attac-s! the Federal +nfor(ation Security )anage(ent ct 4F+S)5 of
2&&2 *as enacted gi#ing responsi$ility for setting security standards for ci#ilian federal agency co(puter
syste(s to the Office of )anage(ent and 8udget 4O)85.
121
Responsi$ility for security standards for national
defense syste(s re(ains pri(arily *ith "O" and NS.
The follo*ing $ills identify recent legislati#e acti#ity that is related to pre#ention of cy$erterroris(! or
related to collection of infor(ation on possi$le terrorist acti#ities.
P"0" 56715;:I On "ece($er 1>! 2&&3! the "efense 9roduction ct of 2&&3 a(ended the "efense
9roduction ct of 1>'& to e0tend its e0piration date and authori2ation of appropriations through
FF2&&=. Sponsored $y Senator Shel$y Richard! this la* corrects industrial resource shortfalls for
radiationAhardened electronics! and defines 3critical infrastructure3 to include physical and
cy$er$ased assets.
S" 5<6I Hno*n as the "o(estic "efense Fund ct of 2&&'! this $ill proposes to authori2e "/S to
a*ard grants to states and local go#ern(ents to i(pro#e cy$er and infrastructure security.
+ntroduced $y Senator /illary Clinton on Ganuary 24! 2&&'! the $ill *as referred to the Senate
Co((ittee on /o(eland Security and Bo#ern(ental ffairs.
--34--
--.ote .o 3age 3"--
Appendi' A" Planning for a Cyberattack
cy$erattac- is so(eti(es also called a Co(puter Net*or- ttac- 4CN5! $ecause a net*or- connection
ena$les this type of attac-. Co(puter hac-ers traditionally use fi#e $asic steps to gain unauthori2ed access!
and su$se,uently ta-e o#er co(puter syste(s. These fi#e steps can also $e e(ployed $y terrorist groups.
The steps are fre,uently auto(ated through use of special hac-er tools freely a#aila$le to anyone #ia the
+nternet.
122
/ighlyAs-illed hac-ers use auto(ated tools that are also #ery sophisticated! and their effects are
initially (uch (ore difficult for co(puter security staff and security technology products to detect. These
sophisticated hac-er tools are usually shared only a(ong an e0clusi#e group of other highlyAs-illed hac-er
associates. The hac-er tactics descri$ed in this report are also e0plained in detail in (any sources that list
possi$le defenses against co(puter attac-.
123
Step 5" Reconnaissance and Pre1operative Surveillance
+n this first step! hac-ers e(ploy e0tensi#e preAoperati#e sur#eillance to find out detailed
infor(ation a$out an organi2ation that *ill help the( later gain unauthori2ed access to co(puter
syste(s. The (ost co((on (ethod is social engineering! or tric-ing an e(ployee into re#ealing
sensiti#e infor(ation 4such as a telephone nu($er or a pass*ord5. Other (ethods include du(pster
di#ing! or rifling through an organi2ation1s trash to find sensiti#e infor(ation 4such as floppy dis-s
or i(portant docu(ents that ha#e not $een shredded5. This step can $e auto(ated if the attac-er
installs on an office co(puter a #irus! *or(! or 3Spy*are3 progra( that perfor(s sur#eillance and
then trans(its useful infor(ation! such as pass*ords! $ac- to the attac-er. 3Spy*are3 is a for( of
(alicious code that is ,uietly installed on a co(puter *ithout user -no*ledge *hen a user #isits a
(alicious *e$site. +t (ay re(ain undetected $y fire*alls or current antiA#irus security products
*hile (onitoring -eystro-es to record *e$ acti#ity or collect snapshots of screen displays and other
restricted infor(ation for trans(ission $ac- to an un-no*n third party.
124
Step 9" Scanning
Once in possession of special restricted infor(ation! or a fe* critical phone nu($ers! an attac-er
perfor(s additional sur#eillance $y scanning an organi2ation1s co(puter soft*are and net*or-
--3#--
configuration to find possi$le entry points. This process goes slo*ly! so(eti(es lasting (onths! as
the attac-er loo-s for se#eral #ulnera$le openings into a syste(.
12'
Step =: 3aining Access
Once the attac-er has de#eloped an in#entory of soft*are and configuration #ulnera$ilities on a
target net*or-! he or she (ay ,uietly ta-e o#er a syste( and net*or- $y using a stolen pass*ord
to create a phony account! or $y e0ploiting a #ulnera$ility that allo*s the( to install a (alicious
TroCan /orse! or auto(atic 3$ot3 that *ill a*ait further co((ands sent through the +nternet.
Step <: !aintaining Access
Once an attac-er has gained unauthori2ed access! he or she (ay secretly install e0tra (alicious
progra(s that allo* the( to return as often as they *ish. These progra(s! -no*n as 3Root Hits3 or
38ac- "oors3! run unnoticed and can allo* an attac-er to secretly access a net*or- at *ill. +f the
attac-er can gain all the special pri#ileges of a syste( ad(inistrator! then the co(puter or net*or-
has $een co(pletely ta-en o#er! and is 3o*ned3 $y the attac-er. So(eti(es the attac-er *ill
reconfigure a co(puter syste(! or install soft*are patches to close the pre#ious security
#ulnera$ilities Cust to -eep other hac-ers out.
Step :: Covering racks
Sophisticated attac-ers desire ,uiet! uni(peded access to the co(puter syste(s and data they ta-e
o#er. They (ust stay hidden to (aintain control and gather (ore intelligence! or to refine
preparations to (a0i(i2e da(age. The 3Root Hit3 or 3TroCan /orse3 progra(s often allo* the
attac-er to (odify the log files of the co(puter syste(! or to create hidden files to help a#oid
detection $y the legiti(ate syste( ad(inistrator. Security syste(s (ay not detect the unauthori2ed
acti#ities of a careful intruder for a long period of ti(e.
12;
--3$--
s technology has e#ol#ed! (ore of the a$o#e tas-s are no* aided $y the use of auto(ated progra(s! or
3$ots!3 that are increasingly autono(ous! rapid! and difficult to detect. These 3$ots3 can $e re(otely
controlled $y co((ands sent through the +nternet and can $e acti#ated to operate in a coordinated (anner
on thousands of co(puters in different locations around the *orld. Thousands of such co(puters under
re(ote control (ay $e progra((ed $y a hac-er to si(ultaneously launch an attac- through the +nternet
that can $e descri$ed as a 3s*ar(.3
--3%--
Appendi' B" Characteristics of !alicious Code
Technology constantly e#ol#es! and ne* security #ulnera$ilities are disco#ered regularly $y soft*are
#endors! $y security organi2ations! $y indi#idual researchers! and often $y co(puter hac-er
groups.
12<
Security organi2ations! such as the Co(puter :(ergency Response Tea( 4C:RTJCC5 located at
Carnegie )ellon! pu$lish security ad#isories! including infor(ation a$out ne* soft*are patches! usually
$efore co(puter hac-er groups can ta-e ad#antage of ne*ly disco#ered co(puter security #ulnera$ilities for
purposes of cy$ercri(e or cy$erespionage. /o*e#er! the nu($er of reported unauthori2ed co(puter
intrusions has increased e#ery year! *ith a '; percent increase reported $et*een 2&&1 and 2&&2.
12=
Currently! (any cy$erattac-s are ena$led $y 3infecting3 a co(puter *ith a (alicious payload progra( that
corrupts data! perfor(s sur#eillance! or that recei#es co((ands through the +nternet to paraly2e or deny
ser#ice to a targeted co(puter. co(puter (ay $eco(e 3infected3 if a co(puter user (ista-enly
do*nloads and installs a (alicious progra(! or (ista-enly opens an infected e(ail attach(ent. Other
(alicious progra(s! -no*n as 3*or(s!3 (ay acti#ely and rapidly see- out other co(puters on the +nternet
ha#ing a specific nonApatched #ulnera$ility and auto(atically install the(sel#es *ithout any action re,uired
on the part of the #icti(.
12>
--3&--
#irus is one for( of (alicious progra( that often i((ediately corrupts data or causes a (alfunction.
TroCan /orse is another for( of (alicious progra( that ,uietly and secretly corrupts the functions of an
e0isting trusted progra( on the co(puter. n attac- progra(! once installed! (ay ,uietly 3listen3 for a
special co((and sent through the +nternet fro( a re(ote source! instructing it to $egin acti#ation of
(alicious progra( instructions. nother type of (alicious progra(! -no*n as 3spy*are!3 has a sur#eillance
or espionage capa$ility that ena$les it to secretly record and auto(atically trans(it -eystro-es and other
infor(ation 4including pass*ords5 $ac- to a re(ote attac-er.
13&
Other types of (alicious code (ay co($ine
so(e or all of the characteristics of #iruses! *or(s! TroCan /orses! or spy*are along *ith the a$ility to
rando(ly change the electronic appearance 4poly(orphis(5 of the resulting attac- code. This a$ility to
change (a-es (any of the ne*er #iruses! *or(s! and TroCan /orses #ery difficult for (ost antiA#irus
security products to detect.
131
)alicious progra(s attac- $y disrupting nor(al co(puter functions or $y opening a $ac- door for a re(ote
attac-er to ta-e control of the co(puter. So(eti(es an attac-er can ,uietly ta-e full control of a co(puter
*ith the o*ner re(aining una*are that his or her (achine is co(pro(ised. n attac- can either
i((ediately disa$le a co(puter or incorporate a ti(e delay! after *hich a re(ote co((and *ill direct the
infected co(puter to trans(it har(ful signals that disrupt other co(puters. n attac- can trigger the
auto(atic trans(ission of huge #olu(es of har(ful signals that can #ery rapidly disrupt or paraly2e (any
thousands of other co(puters throughout the +nternet or se#erely clog trans(ission lines *ith an a$undance
of $ogus (essages! causing portions of the +nternet to $eco(e slo* and unresponsi#e.
--4'--
9reparation for a cy$ercri(e or co(puter attac- (ay so(eti(es proceed slo*ly or in se#eral phases $efore
a final attac- is initiated. So(e co(pro(ised co(puters $eco(e part of an auto(atic 3$ot net*or-!3 ,uietly
perfor(ing espionage $y trans(itting data or inter(ediate preparatory instructions $ac- and forth $et*een
co(pro(ised co(puters *hile a*aiting a special final acti#ation signal originating fro( the attac-er. The
final acti#ation phase (ay direct all co(pro(ised co(puters to inundate a targeted co(puter *ith $ogus
(essages or insert phony data into critical co(puter syste(s! causing the( to (alfunction at a crucial point
or affect other co(puters do*nstrea(. So(e recent co(puter attac-s ha#e focused on only a single ne*
co(puter #ulnera$ility and ha#e $een seen to spread *orld*ide through the +nternet *ith astonishing
speed.
132
--41--
Appendi' C" Similarities in actics *sed for Cyberattacks and Conventional
errorist Attacks
Si(ilarities e0ist in characteristics of tactics used $y hac-ers to prepare for and e0ecute a cy$ercri(e or
cy$erespionage co(puter attac-! and the tactics used $y terrorists to prepare for and e0ecute so(e recent
physical terrorist operations. For e0a(ple! $oth sets of tactics in#ol#e 415 net*or- (eetings in cy$erspace!
425 e0tensi#e preAattac- sur#eillance! 435 e0ploits of soft and #ulnera$le targets! and 445 s*ar(ing (ethods.
Hno*ing that these si(ilarities e0ist (ay help in#estigators as they e0plore different (ethods to detect and
pre#ent a possi$le cy$erattac- $y terrorist groupsI
The organi2ational structures of (any terrorist groups are not *ell understood and are usually
intended to conceal the interconnections and relationships.
133
net*or- organi2ation structure 4as
opposed to a hierarchical structure5 fa#ors s(aller units! gi#ing the group the a$ility to attac- and
,uic-ly o#er*hel( defenders! and then Cust as ,uic-ly disperse or disappear. Terrorist groups using
a net*or- structure to plan and e0ecute an attac- can place go#ern(ent hierarchies at a
disad#antage $ecause a terrorist attac- often $lurs the traditional lines of authority $et*een
agencies such as police! the (ilitary! and other responders. Si(ilarly! co(puter hac-ers are often
co(posed of s(all groups or indi#iduals *ho (eet anony(ously in net*or- chat roo(s to e0change
infor(ation a$out co(puter #ulnera$ilities! and plan *ays to e0ploit the( for cy$ercri(e or
cy$erespionage. 8y (eeting only in cy$erspace! hac-ers can ,uic-ly disappear *hene#er
go#ern(ent authorities try to locate the(.
Terrorists use preAattac- sur#eillance o#er e0tended periods to gather infor(ation on a target1s
current patterns. ccording to ne*s reports! l @aeda terrorists are no* operating through 3sleeper
cells3 scattered throughout the %nited States that are currently conducting preAattac- sur#eillance
and relaying (essages fro( terrorist leaders and planners.
134
Recent terrorist attac-s on Westerners
in Riyadh! Saudi ra$ia in 2&&4 *ere reported to ha#e in#ol#ed e0tensi#e planning and preparation
and *ere li-ely preceded $y preAattac- sur#eillance.
13'
ppendi0 of this report descri$es ho*
hac-ers engage in si(ilar preAoperati#e sur#eillance acti#ities $efore launching a cy$erattac-.
--42--
Terrorist groups are descri$ed $y "/S as opportunistic! choosing to e0ploit soft #ulnera$ilities that
are left e0posed. Si(ilarly! an increasingly popular trend for co(puter hac-ers engaged in co(puter
cri(e or co(puter espionage is to use a (alicious progra( called a *or(! that proAacti#ely spreads
copies of itself through the +nternet! rapidly finding as (any co(puters as possi$le *ith the sa(e
nonApatched #ulnera$ility! and then auto(atically installing itself to ,uietly a*ait further
instructions fro( the attac-er.
/ac-ers ha#e also designed recent co(puter e0ploits that launch anony(ously fro( thousands of
infected co(puters to produce *a#es of disruption that can ,uic-ly o#er*hel( a targeted
organi2ation! or (ultiple organi2ations such as a list of $an-ing institutions. +n a si(ilar (anner!
terrorist groups (ay also stri-e in *a#es fro( (ultiple dispersed directions against (ultiple targets!
in s*ar(ing ca(paigns. n e0a(ple of s*ar(ing (ay $e the )ay 11! 2&&3 attac- in Riyadh! *here
terrorists 4possi$ly l @aeda5! staged si(ultaneous assaults at three co(pounds in different
locations! *ith each assault in#ol#ing a rapid stri-e *ith (ultiple #ehicles! so(e carrying e0plosi#es
and others carrying gun(en. nother e0a(ple (ay $e the si(ultaneous attac-s of >J11 *hich *ere
directed against the to*ers of the World Trade Center! the 9entagon! and a possi$le third target.
--43--
2ootnotes:
1. For e0a(ple! ene(y fighters in +ra, ha#e reportedly e(ployed a strategy of directing a large portion of
their attac-s against %.S. rear guard and support units. Christopher Cooper! 38lac- Recruits Slide s Share
of r(y Forces!3 0all +treet 7ournal! Oct. <! 2&&4! p. 81.
2. "an Huehl! professor at the National "efense %ni#ersity School of +nfor(ation Warfare and Strategy! has
pointed out that a high percentage of %.S. (ilitary (essages flo* through co((ercial co((unications
channels! and this reliance creates a #ulnera$ility during conflict.
3. The critical infrastructure is #ie*ed $y so(e as (ore resilient than pre#iously thought to the effects of a
co(puter attac-. "re* Clar-! 3Co(puter Security Officials "iscount Chances of 1"igital 9earl /ar$or!13 Gune
3! 2&&3.
4. Goshua Breen! 3The )yth of Cy$erterroris(!3 0ashington Monthl,! No#. 2&&2.
'. ll (ethods of co(puter attac- are *ithin the current capa$ilities of se#eral nations. See CRS Report
RL31<=<! )n*ormation 0ar*are and (,6erwar (a3a6ilities and 8elated Polic, )ssues-
;. d#antages of : and CN (ight deri#e fro( %nited States reliance on a co(puterAcontrolled critical
infrastructure! along *ith unpredicta$le results depending on se#erity of the attac-. Gason Sher(an!
38racing for )odern 8rands of Warfare!3 Air 9orce !imes! Sept. 2<! 2&&4.
<. Ste#en )arlin and )artin Bar#ey! 3"isasterAReco#ery Spending on the Rise!3 )n*ormation 0ee/! ug. >!
2&&4! p.2;.
=. For (ore on con#entional! che(ical! nuclear! and $iological terroris(! see CRS Report RL3&1'3! (ritical
)n*rastructures 1ac/ground4 Polic,4 and )m3lementation6 CRS Report RL31;;>! !errorism 1ac/ground on
(hemical4 1iological4 and !o:in 0ea3ons and 23tions *or ;essening !heir )m3act6 CRS Report
RL32'>'! .uclear !errorism A 1rie* 8eview o* !hreats and 8es3onses6 and CRS +ssue 8rief
+81&11>! !errorism and .ational +ecurit, )ssues and !rends.
>. :lectrical syste(s connected to any *ire or line that can act as an antenna (ay $e disrupted.
DhttpIJJ***.physics.north*estern.eduJclassesJ2&&1FallJ9hy013'A2J1>Je(p.ht(E. 3)aintenance of
)echanical and :lectrical :,uip(ent at Co((and! Control! Co((unications! Co(puters! +ntelligence!
Sur#eillance! and Reconnaissance 4C4+SR5 Facilities!3HEMP Protection +,stems! Chapter 2<! Arm, !raining
Manual 'A;>2A2! pril 1'! 2&&1 DhttpIJJ***.usace.ar(y.(ilJpu$licationsJar(yt(Jt('A;>2A2Jchap2<?OLA
2.pdfE.
1&. Henneth R. Ti((er(an! 3%.S. Threatened *ith :)9 ttac-!3 )nsight on the .ews! )ay 2=! 2&&1.
11. /ouse r(ed Ser#ices Co((ittee! (ommittee Hearing on (ommission to Assess the !hreat to the
5nited +tates *rom Electromagnetic Pulse Attac/! Guly 22! 2&&4. 3:0perts Cite :lectro(agnetic 9ulse as
Terrorist Threat!3 ;as <egas 8eview-7ournal! Oct. 3! 2&&1.
12. Seth Schiesel! 3Ta-ing i( at n :ne(y1s Chips!3 .ew =or/ !imes! Fe$. 2&! 2&&3.
13. )ichael Sira-! 3%.S. ?ulnera$le to :)9 ttac-!3 7ane>s De*ence 0ee/l,! Guly 2;! 2&&4.
14. "r. Gohn Foster! Gr.! et al.! 8e3ort o* the (ommission to Assess the !hreat to the 5nited +tates *rom
Electromagnetic Pulse (EMP) Attac/ <olume 1 E:ecutive 8e3ort! report to Congress! 2&&4. nd! "aniel B.
"upont! 39anel Says Society t Breat Ris- Fro( :lecto(agnetic 9ulse ttac-!3 )nside the Pentagon! Guly 1'!
2&&4! p.1.
1'. State(ent of "r. 9eter ). Fonash! cting "eputy )anager! National Co((unications Syste(!
"epart(ent of /o(eland Security! $efore the %.S. Senate Gudiciary Co((ittee! Su$co((ittee on
Terroris(! Technology! and /o(eland Security! )arch '! 2&&'.
1;. While e0perts disagree a$out *hether any terrorist organi2ations are capa$le of $uilding an ine0pensi#e
electro(agnetic pulse de#ice! it (ay $e possi$le to ac,uire a de#ice fro( a terroristAsponsoring nation.
)ichael $ra(s! 3The "a*n of the :A8o($!3 )EEE +3ectrum 2nline! No#. 2&&3!
DhttpIJJ***.spectru(.ieee.orgJW:8ONLFJpu$licfeatureJno#&3J11&3e$o(.ht(lE.
1<. So(e for(s of : are intended to o#erpo*er a radio trans(ission signal to $loc- or 3Ca(3 it! *hile other
for(s of : are intended to o#erpo*er a radio signal and replace it *ith a su$stitute signal that disrupts
processing logic or stored data. "a#id Fulghu(! 3Net*or- Wars!3 Aviation 0ee/ ? +3ace !echnolog,! Oct.
2'! 2&&4! p.>1.
1=. The %nited States has e(ployed this definition of terroris( for statistical and analytical purposes since
1>=3. %.S. "epart(ent of State! 2&&2! Patterns o* @lo6al !errorism4 2''3!
DhttpIJJ***.state.go#JsJctJrlsJpgtrptJ2&&1Jht(lJ1&22&.ht(E.
1>. DhttpIJJ***.fe(a.go#JpdfJonpJtool-itOappOd.pdfE.
2&. "orothy "enning! 3cti#is(! /acti#is(! and Cy$erterroris(I The +nternet as a tool for +nfluencing
Foreign 9olicy!3 in Gohn r,uilla and "a#id Ronfeldt! ed.! .etwor/s and .etwars! 4Rand! 2&&15! p. 241.
21. Serge Hrasa#in! 0hat is (,6erterrorismA! Co(puter Cri(e Research Center! pr. 23! 2&&4!
DhttpIJJ***.cri(eAresearch.orgJanalyticsJHrasa#inJE.
22. "orothy "enning! )s (,6er 0ar .e:tA! Social Science Research Council! No#. 2&&1!
DhttpIJJ***.ssrc.orgJsept11JessaysJdenning.ht(E.
23. "an ?erton! A De*inition o* (,6er-terrorism! Co(puter*orld! ug. 11! 2&&3.
24. "/S press release! 3Ridge Creates Ne* "i#ision to Co($at Cy$er Threats!3 Gune ;! 2&&3!
DhttpIJJ***.dhs.go#Jdhspu$licJdisplay7contentP>1;E.
2'. Gohn r,uilla and "a#id Ronfeldt! 3The d#ent of Net*ar 4Re#isited5!3 .etwor/s and .etwars !he
9uture o* !error4 (rime and Militanc,! 4Santa )onicaI Rand! 2&&15! pp. 1A2=.
2;. n incident (ay in#ol#e one site or hundreds 4or e#en thousands5 of sites. lso! so(e incidents (ay
in#ol#e ongoing acti#ity for long periods of ti(e. !he (om3uter Emergenc, 8es3onse !eam (oordination
(enter ((E8!B(() +tatistics 1&%%-2''4! DhttpIJJ***.cert.orgJstatsJcertOstats.ht(lE.
2<. )any cy$erattac-s are unreported usually $ecause the organi2ation is una$le to recogni2e that it has
$een attac-ed! or $ecause the organi2ation is reluctant to re#eal pu$licly that it has e0perienced a co(puter
attac-! Bo#ern(ent ccounta$ility Office!)n*ormation +ecurit, 9urther E**orts .eeded to 9ull, )m3lement
+tatutor, 8eCuirements in D2D! BOA&3A 1&3<T! Guly 24! 2&&3! p. ;.
2=. Sy(antec! +,mantec )nternet +ecurit, !hreat 8e3ort! Fe$.2&&3! p. 4=.
2>. 3The )yths and Facts $ehind Cy$er Security Ris-s for +ndustrial Control Syste(s!3 Proceedings o* the
)+A E:3o 2''4! /ouston! Te0as! Oct. '! 2&&4.
3&. Fran- Ti$oni! 3"O" 9lans Net*or- Tas- Force!3 9(0-com! Sept. 2=! 2&&4.
31. Ga(es Le*is! 3ssessing the Ris-s of Cy$er Terroris(! Cy$er War and Other Cy$er Threats!3 "ec. 2&&2!
DhttpIJJ***.csis.orgJtechJ&211Ole*is.pdfE.
32. t the annual conference of the Center for Conflict Studies! 9hil Willia(s! "irector of the 9rogra( on
Terroris( and TransANational Cri(e and the %ni#ersity of 9itts$urgh! said an attac- on the glo$al financial
syste( *ould li-ely focus on -ey nodes in the %.S. financial infrastructureI Fed*ire and Fednet. Fed*ire is
the financial funds transfer syste( that e0changes (oney a(ong %.S. $an-s! *hile Fednet is the electronic
net*or- that handles the transactions. The syste( has one pri(ary installation and three $ac-ups. 3Fou can
find out on the +nternet *here the $ac-ups are. +f those could $e ta-en out $y a (i0 of cy$er and physical
acti#ities! the %.S. econo(y *ould $asically co(e to a halt!3 Willia(s said. 3+f the ta-edo*n *ere to include
the international funds transfer net*or-s C/+9S and SW+FT then the entire glo$al econo(y could $e thro*n
into chaos.3 Beorge 8utters! 3:0pect Terrorist ttac-s on Blo$al Financial Syste(!3 Oct. 1&! 2&&3!
DhttpIJJ***.theregister.co.u-JcontentJ''J332;>.ht(lE.
33. The si(ulation in#ol#ed (ore than 1&& participants. Bartner! +nc.! 3Cy$erattac-sI The Results of the
BartnerJ%.S. Na#al War College Si(ulation!3 Guly! 2&&2! War ga(e participants *ere di#ided into cells! and
de#ised attac-s against the electrical po*er grid! teleco((unications infrastructure! the +nternet and the
financial ser#ices sector. +t *as deter(ined that 3peerAtoApeer net*or-ing3! a special (ethod of
co((unicating *here e#ery 9C used co((only a#aila$le soft*are to act as $oth a ser#er and a client!
posed a potentially critical threat to the +nternet itself. Willia( Gac-son! 3War College Calls "igital 9earl
/ar$or "oa$le!3 @overnment (om3uter .ews! ug. 23! 2&&2.
34. The #ulnera$ility *as found in $stract Synta0 Notation One 4SN.15 encoding! and *as e0tre(ely
*idespread. :llen )ess(er! 39resident1s d#isor 9redicts Cy$erAcatastrophes %nless Security
+(pro#es!3 .etwor/ 0orld 9usion! Guly >! 2&&2.
3'. 8arton Bell(an! 3Cy$erAttac-s $y l @aeda Feared!3 0ashington Post! Gune 2<! 2&&2! p. &1.
3;. The (ost e0pensi#e natural disaster in %.S. history! /urricane ndre*! is reported to ha#e caused M2'
$illion dollars in da(age! *hile the Lo#e 8ug #irus is esti(ated to ha#e cost co(puter users around the
*orld so(e*here $et*een M3 $illion and M1' $illion. /o*e#er! the Lo#e 8ug #irus *as created and launched
$y a single uni#ersity student in the 9hilippines! relying on ine0pensi#e co(puter e,uip(ent. Christopher
)iller! @A2 8eview o* 0ea3on +,stems +o*tware! )ar. 3! 2&&3! :(ail co((unication! )illerCQgao.go#.
3<. Congestion caused $y the 8laster *or( delayed the e0change of critical po*er grid control data across
the pu$lic teleco((unications net*or-! *hich could ha#e ha(pered the operators1 a$ility to pre#ent the
cascading effect of the $lac-out. "an ?erton! 38laster Wor( Lin-ed to Se#erity of
8lac-out!3 (om3uterworld! ug. 2>! 2&&3.
3=. 9roprietary syste(s are uni,ue! custo( $uilt soft*are products intended for installation on a fe* 4or a
single5 co(puters! and their uni,ueness (a-es the( a less attracti#e target for hac-ers. They are less
attracti#e $ecause finding a security #ulnera$ility ta-es ti(e 4See ppendi0 5! and a hac-er (ay usually
not consider it *orth their *hile to in#est the preoperati#e sur#eillance and research needed to attac- a
proprietary syste( on a single co(puter. Widely used Co((ercialAOffATheAShelf 4COTS5 soft*are products!
on the other hand! are (ore attracti#e to hac-ers $ecause a single security #ulnera$ility! once disco#ered in
a COTS product! (ay $e e($edded in nu(erous co(puters that ha#e the sa(e COTS soft*are product
installed.
3>. +ndustrial co(puters so(eti(es ha#e operating re,uire(ents that differ fro( $usiness or office
co(puters. For e0a(ple! (onitoring a che(ical process! or a telephone (icro*a#e to*er (ay re,uire 24A
hour continuous a#aila$ility for a critical industrial co(puter. :#en though industrial syste(s (ay operate
using COTS soft*are 4see a$o#e5! it (ay $e econo(ically difficult to Custify suspending the operation of an
industrial SC" co(puter on a regular $asis to ta-e ti(e to install e#ery ne* security soft*are patch. See
inter#ie* *ith )ichael ?atis! director of the +nstitute for Security Technology Studies related to
counterterroris( and cy$ersecurity. Sharon Baudin! 3Security :0pterI %.S. Co(panies %nprepared for Cy$er
Terror!3 Datamation! Guly 1>! 2&&2. lso! Bo#ern(ent ccounta$ility Office! )n*ormation +ecurit, 9urther
E**orts .eeded to 9ull, )m3lement +tatutor, 8eCuirements in D2D! BOA&3A1&3<T! Guly 24! 2&&3! p. =.
4&. He#in 9oulsen! 3Sla((er Wor( Crashed Ohio Nu-e 9lant Net*or-!3 +ecurit, 9ocus! ug. 1>! 2&&3.
41. Scott Nance! 3"e$un-ing FearsI :0ercise Finds 1"igital 9earl /ar$or1 Ris- S(all!3 De*ense 0ee/! pr. <!
2&&3.
42. 8rigadier Ben. "ennis )oran! %.S. Central Co((andJ G;! in %.S. Congress! /ouse r(ed Ser#ices
Su$co((ittee on Terroris(! %ncon#entional Threats and Capa$ilities! Hearing on Militar, (4) +,stems! Oct.
21! 2&&3.
43. Christopher Casteilli!3"O" and Thailand Run Classified 1:ligi$le Recei#er1 +nfoAWar :0ercise!3 De*ense
)n*ormation and Electronics 8e3ort! 2&&2! #ol. <<! no. 44.
44. 8riefing on 3:ligi$le Recei#er 2&&33 $y "O" staff for the Congressional Research Ser#ice! Ganuary >!
2&&3.
4'. So(e ships of the %.S. Na#y use Windo*s soft*are. 8ill )urray! 3Na#y Carrier to Run Win
2&&&!3 @(.-com! Sept. 11! 2&&&. )aCor %.H. na#al syste(s defense contractor! 8: Syste(s! also too- the
decision to standardi2e future de#elop(ent on )icrosoft Windo*s. Gohn Lettice! 3OSS TorpedoedI Royal
Na#y Will Run on Windo*s for Warships!3 8egister! Sept. ;! 2&&4!
DhttpIJJ***.theregister.co.u-J2&&4J&>J&;Ja(sOgoesO*indo*sOforO*arshipsJE.
4;. 9atience Wait! 3"efense +T Security Can1t Rest on COTS!3 @(.-com! Sept. 2<! 2&&4.
4<. "a*n Onley! 3r(y %rged to Step %p +T Security Focus!3 @(.-com! Sept.2! 2&&4.
4=. 9atience Wait! 3"efense +T Security Can1t Rest on COTS!3 @(.-com! Sept.2<! 2&&4.
4>. 3:Acri(e Watch Sur#ey Sho*s Significant +ncrease in :lectronic Cri(es!3 (+2online-com! )ay 2'! 2&&4.
'&. 3+nternet Wor( Heeps Stri-ing!3 Ganuary 2<! 2&&3! (1+.ews.
'1. 3C:RTJCC Statistics 1>==A2&&4!3 DhttpIJJ***.cert.orgJstatsJcertOstats.ht(lE.
'2. The SNS +nstitute! in cooperation *ith the National +nfrastructure 9rotection Center 4N+9C5! pu$lishes
an annual list of the 1& (ost co((only e0ploited #ulnera$ilities for Windo*s syste(s and for %ni0
syste(s. !he +A.+B91) !went, Most (ritical )nternet +ecurit, <ulnera6ilities4 2''3! SNS! pr. 1'! 2&&3
DhttpIJJ***.sans.orgJtop2&JE.
'3. +n Septe($er! 2&&3! )icrosoft Corporation announced three ne* critical fla*s in its latest Windo*s
operating syste(s soft*are. Security e0perts predicted that co(puter hac-ers (ay possi$ly e0ploit these
ne* #ulnera$ilities $y releasing (ore attac- progra(s! such as the 38laster *or(3 that recently targeted
other Windo*s #ulnera$ilities causing *idespread disruption on the +nternet. Gai-u(ar ?iCayan! 3ttac-s on
Ne* Windo*s Fla*s :0pected Soon!3 (om3uterworld! Sept. 1'! 2&&3! #ol. 3<! no. 3<! p. 1.
'4. Gonathan Hri(! 3Security Report 9uts 8la(e on )icrosoft!3 Washingtonpost.co(! Sept. 24! 2&&3. Goshua
Breen! 3The )yth of Cy$erterroris(!3 0ashington Monthl,! No#. 2&&2.
''. gencies operating national security syste(s (ust purchase soft*are products fro( a list of la$Atested
and e#aluated products in a progra( that re,uires #endors to su$(it soft*are for re#ie* in an accredited
la$! a process 4-no*n as certification and accreditation under the Co((on Criteria! a testing progra( run
$y the National +nfor(ation ssurance 9artnership5 that often ta-es a year and costs se#eral thousand
dollars. The re#ie* re,uire(ent pre#iously has $een li(ited to (ilitary national security soft*are! ho*e#er!
the ad(inistration has stated that the go#ern(ent *ill underta-e a re#ie* of the progra( in 2&&3 to
3possi$ly e0tend3 it as a ne* re,uire(ent for ci#ilian agencies. :llen )ess(er! White /ouse issue 3National
Strategy to Secure Cy$erspace!3 .etwor/ 0orld 9usion! Fe$ruary 14! 2&&3.
';. Richard ". 9ethia! "irector! C:RTJCC! Soft*are :ngineering +nstitute! Carnegie )ellon %ni#ersity!
Testi(ony $efore the /ouse Select Co((ittee on /o(eland Security! Su$co((ittee on Cy$ersecurity!
Science! and Research and "e#elop(ent! 2verview o* the (,6er Pro6lem--A .ation De3endent and Dealing
with 8is/! hearing! Gune 2'! 2&&3! DhttpIJJ***.cert.orgJcongressionalOtesti(onyJ9ethiaOtesti(onyO&;A2'A
&3.ht(lRfactorsE.
'<. Scott Charney! Chief Security Strategist! )icrosoft! State(ent $efore the /ouse Co((ittee on r(ed
Ser#ices! Terroris(! %ncon#entional Threats and Capa$ilities Su$co((ittee! )n*ormation !echnolog, in the
21st (entur, 1attles3ace! hearing! Guly 24! 2&&3! p.>.
'=. sur#ey of 2&&& 9C users found that 42K had not do*nloaded the #endor patch to *ard off the recent
8laster *or( attac-! 23K said they do not regularly do*nload soft*are updates! 21K do not update their
antiA#irus signatures! and <&K said they *ere not notified $y their co(panies a$out the urgent threat due
to the 8laster *or(. Gai-u(ar ?iCayan! 3+T )anagers Say They re 8eing Worn "o*n $y Wa#e of
ttac-s!3 (om3uterworld! ug. 2'! 2&&3! #ol. 3<! no. 34! 9.1.
'>. ccording to security group ttrition.org! failure to -eep soft*are patches up to date resulted in >>
percent of '!=23 *e$site deface(ents in 2&&3. Ro$ert Le(os! 3Soft*are 3Fi0es3 Routinely #aila$le $ut
Often +gnored!3 2&&3! and Richard ". 9ethia! "irector! C:RTJCC! Soft*are :ngineering +nstitute! Carnegie
)ellon %ni#ersity! Testi(ony $efore the /ouse Select Co((ittee on /o(eland Security! Su$co((ittee on
Cy$ersecurity! Science! and Research and "e#elop(ent! /earing on 2verview o* the (,6er Pro6lem - A
.ation De3endent and Dealing with 8is/! Gune 2'! 2&&3
DhttpIJJ***.cert.orgJcongressionalOtesti(onyJ9ethiaOtesti(onyO&;A2'A&3.ht(lRfactorsE.
;&. Bartner +nc.! a technology research organi2ation! has esti(ated that $y 2&&4! (ore than =&K of %.S.
co(panies *ill ha#e had highAle#el discussions a$out offshore outsourcing! and 4&K *ill ha#e co(pleted a
pilot progra(. 9atric- Thi$odeau! 3Offshore1s Rise +s Relentless!3 (om3uterworld! Gune 3&! 2&&3! #ol. 3<!
no. 2;! p.1.
;1. Scott Charney! Chief Security Strategist! )icrosoft! State(ent $efore the /ouse Co((ittee on r(ed
Ser#ices! Terroris(! %ncon#entional Threats and Capa$ilities Su$co((ittee! )n*ormation !echnolog, in the
21st (entur, 1attles3ace! hearing! Guly 24! 2&&3! p.11.
;2. The success of the ?ehicle 8orne +(pro#ised :0plosi#e "e#ices 4?8+:"s5 used in the )ay 11! 2&&3
terrorist attac-s in Riyadh! li-ely depended on e0tensi#e ad#ance sur#eillance of the (ultiple targets.
9rotecti#e (easures against such attac-s rely largely on *atching for signs of this preAoperational
sur#eillance. Bary /arter! 39otential +ndicators of Threats +n#ol#ing ?8+:"s!3 /o(eland Security 8ulletin!
Ris- ssess(ent "i#ision! +nfor(ation nalysis "irectorate! "/S! )ay 1'! 2&&3.
;3. "orothy "enning! 3Le#els of Cy$erterror Capa$ilityI Terrorists and the +nternet!3
DhttpIJJ***.cs.georgeto*n.eduJSdenningJinfosecJ"enningACy$erterrorASR+.pptE! presentation! and Lac-
9hillips! 3/o(eland Tech Shop Wants to Gu(pAStart Cy$ersecurity +deas!3 (DHomeland +ecurit,! Septe($er
14! 2&&4.
;4. Report *as pu$lished in 1>>>! a#aila$le at DhttpIJJ***.nps.na#y.(ilJcti*JreportsJE.
;'. The shland +nstitute for Strategic Studies has o$ser#ed that l @aeda is (ore fi0ated on physical
threats than electronic ones. Gohn S*art2! 3Cy$erterror +(pact! "efense %nder Scrutiny!3 5+A !oda,! ug.
3! 2&&4! p. 28.
;;. "a#id Haplan! 39laying OffenseI The +nside Story of /o* %.S. Terrorist /unters re Boing after l
@aeda!3 5-+- .ews ? 0orld 8e3ort! Gune 2! 2&&3! pp. 1>A2>.
;<. Ro$ert Windre(! 3>J11 "etaineeI ttac- Scaled 8ac-!3 Sept. 21! 2&&3.
;=. 3Terroris(I n +ntroduction!3 pril 4! 2&&3.
;>. Ga(es Le*is! 3ssessing the Ris-s of Cy$er Terroris(! Cy$er War and Other Cy$er Threats!3 "ec. 2&&2
DhttpIJJ***.csis.orgJtechJ&211Ole*is.pdfE.
<&. +n )ay 2&&3! the 9resident lifted all terroris( related sanctions that had $een i(posed on +ra,! ta-ing it
off the terroris( list! $ut only de facto. Li$ya is still on the list! although so(e sanctions ha#e $een eased.
%.S. "epart(ent of State! 2''3 Patterns o* @lo6al !errorism 8e3ort! pril 2>! 2&&4!
DhttpIJJ***.state.go#JsJctJrlsJpgtrptJ2&&3J31;44.ht(E.
<1. Riptech +nternet Security Threat Report! Attac/ !rends *or D1 and D2 2''2. 4Riptech *as purchased in
2&&2 $y Sy(antec! +nc.5
<2. Hi( Letter! 3Fau0 Cy$er*ar!3 (om3uter +ecurit,! )ay 2&&3! #ol.;! no.'! p. 22.
<3. 8rian )cWillia(s! 3+ra,1s Crash Course in Cy$er*ar!3 0ired .ews! )ay 22! 2&&3.
<4. 8rian )cWillia(s!! 3North Horea1s School for /ac-ers!3 0ired .ews-com! Gune 2! 2&&3.
<'. The ci#ilian population of North Horea is reported to ha#e a sparse nu($er of co(puters! *ith only a fe*
locations offering connections to the +nternet! *hile South Horea is one of the (ost denselyA*ired countries
in the *orld! *ith <& percent of all households ha#ing $road$and +nternet access. "uring the recent glo$al
attac- in#ol#ing the 3Sla((er3 co(puter *or(! (any +nternet ser#ice pro#iders in South Horea *ere
se#erely affected. 3North Horea )ay $e Training /ac-ers!3 Miami Herald 2nline! )ay 1;! 2&&3.
<;. "orothy "enning! 3Cy$er Terroris(!3 ugust 24! 2&&&!
DhttpIJJ***.cs.georgeto*n.eduJSdenningJinfosecJcy$erterrorAB".docE.
<<. /ac-ers sell their infor(ation anony(ously through secreti#e *e$sites. 8o$ Francis! 3Hno* Thy
/ac-er!3 )n*oworld ! Ganuary 2=! 2&&'.
<=. BO has noted that (any federal agencies ha#e not i(ple(ented security re,uire(ents for (ost of
their syste(s! and (ust (eet ne* re,uire(ents under F+S). See BO Report BOA&3A='2T! )n*ormation
+ecurit, (ontinued E**orts .eeded to 9ull, )m3lement +tatutor, 8eCuirements! Gune 24! 2&&3.
<>. Tina$eth 8urton! )!AA 9inds Much to Praise in .ational (,6ersecurit, Plan! )ay <! 2&&3.
=&. "/S is co(prised of fi#e (aCor di#isions or directoratesI 8order T Transportation Security6 :(ergency
9reparedness T Response6 Science T Technology6 +nfor(ation nalysis T +nfrastructure 9rotection6 and
)anage(ent. See DhttpIJJ***.dhs.go#Jdhspu$licJdisplay7the(eP'2E.
=1. 8ara ?aida! 3Warning Center for Cy$er ttac-s is Online! Official Says!3 Dail, 1rie*ing! Bo#:0ec.co(!
Gune 2'! 2&&3.
=2. The Cy$er Warning +nfor(ation Net*or- 4CW+N5 pro#ides #oice and data connecti#ity to go#ern(ent
and industry participants in support of critical infrastructure protection!
DhttpIJJ***.pu$licsectorinstitute.netJ:LettersJ/o(elandSecurityStrategiesJ?olu(e1No1JCy$erWarningNetL
aunch.lspE .
=3. DhttpIJJ***.usAcert.go#JcasJE.
=4. 8ased on 2&&2 data su$(itted $y federal agencies to the White /ouse Office of )anage(ent and
8udget! BO noted! in testi(ony $efore the /ouse Co((ittee on Bo#ern(ent Refor( 4BOA&3A';4T! pril
=! 2&&35! that all 24 agencies continue to ha#e 3significant infor(ation security *ea-nesses that place a
$road array of federal operations and assets at ris- of fraud! (isuse! and disruption.3! Christopher Lee!
3gencies Fail Cy$er TestI Report Notes 1Significant Wea-nesses1 in Co(puter Security!3 No#e($er 2&!
2&&2.
='. Wilson "i2ard! 3"O: /ac-ed 1>> Ti(es Last Fear!3 @(.-com! Septe($er 3&! 2&&4! and %.S.
"epart(ent of :nergy Office of +nspector Beneral! 2**ice o* Audit 23erations Evaluation 8e3ort! "O:J+BA
&;;2! Septe($er! 2&&4! DhttpIJJ***.ig.doe.go#JpdfJigA&;;2.pdfE.
=;. Evaluation 8e3ort !he De3artment>s 5nclassi*ied (,6er +ecurit, Program - 2''4! "O:J+BA&;;2!
Septe($er 2&&4! DhttpIJJ***.ig.doe.go#JpdfJigA&;;2.pdfE.
=<. Gerrold ). 9ost! He#in B. Ru$y! and :ric ". Sha*! 3Fro( Car 8o($s to Logic 8o($sI The Bro*ing
Threat Fro( +nfor(ation Terroris(!3 !errorism and Political <iolence! Su((er 2&&&! #ol.12! no.2! pp. ><A
122.
==. Richard Clar-e! 3?ulnera$ilityI What re l @aeda1s Capa$ilities73 P1+ 9rontline (,6erwar! pril 2&&3!
DhttpIJJ***.p$s.orgE.
=>. Net*or-ing technologies! such as the +nternet! are ad#antageous for attac-ers *ho are geographically
dispersed. Net*or-ing supports redundancy *ithin an organi2ation! and it suggests the use of s*ar(ing
tactics! ne* *eapons! and other ne* strategies for conducting conflict that sho* ad#antages o#er traditional
go#ern(ent hierarchies. +nfle0i$ility is a (aCor disad#antage *hen a hierarchy confronts a net*or-ed
organi2ation. Net*or-s $lend offensi#e and defensi#e functions! *hile hierarchies struggle *ith allocating
responsi$ility for either. Gohn r,uilla! "a#id Ronfeldt! 2&&1! .etwor/s and .etwars! 4Santa )onicaI Rand!
2&&15! p. 2='.
>&. *ell -no*n source of infor(ation a$out the costs of cy$erattac-s is the annual co(puter security
sur#ey pu$lished $y the Co(puter Security +nstitute 4CS+5! *hich utili2es data collected $y the F8+.
/o*e#er! respondents to the CS+JF8+ sur#ey of co(puter security issues are generally li(ited only to CS+
(e($ers! *hich (ay create statistical $ias that affects the sur#ey findings. Recently! CS+ has also conceded
*ea-nesses in its analytical approach and has suggested that its sur#ey of co(puter security #ulnera$ilities
and incidents (ay $e (ore illustrati#e than syste(atic. /o*e#er! the CS+JF8+ sur#ey re(ains useful despite
its i(perfect (ethodology. 8ruce 8er-o*it2 and Ro$ert W. /ahn! 3Cy$ersecurityI Who1s Watching the
Store7!3 )ssues in +cience and !echnolog,! Spring 2&&3.
>1. The guidance! -no*n as National Security 9residential "irecti#e 1;! *as signed in Guly 2&&2 and is
intended to clarify circu(stances under *hich an infor(ation *arfare attac- $y "O" *ould $e Custified! and
*ho has authority to launch a co(puter attac-.
>2. See CRS Report RL31<=<! )n*ormation 0ar*are and (,6erwar (a3a6ilities and 8elated Polic, )ssues! $y
Clay Wilson.
>3. The la*s of *ar are international rules that ha#e e#ol#ed to resol#e practical pro$le(s relating to
(ilitary conflict! such as restraints to pre#ent (is$eha#ior or atrocities! and ha#e not $een legislated $y an
o#erarching central authority. The %nited States is party to #arious li(iting treaties. For e0a(ple! innocent
ci#ilians are protected during *ar under the Con#ention on 9rohi$itions or Restrictions on the %se of Certain
Con#entional Weapons Which )ay 8e "ee(ed to $e :0cessi#ely +nCurious or to ha#e +ndiscri(inate :ffects.
So(eti(es the introduction of ne* technology tends to force changes in the understanding of the la*s of
*ar. Bary nderson and da( Bifford! 3Order Out of narchyI The +nternational La* of War!3 !he (ato
7ournal! #ol. 1'! no. 1! p. 2'A3;.
>4. 8radley Braha(! 38ush Orders Buidelines for Cy$erAWarfare!3 0ashington Post! Fe$. <! 2&&3! p. 1.
>'. Stanley Ga-u$ia- and Lo*ell Wood! 3"O" %ses Co((ercial Soft*are and :,uip(ent in Tactical Weapons
!3 State(ents $efore the /ouse )ilitary Research and "e#elop(ent Su$co((ittee! /earing on :)9 Threats
to the %.S. )ilitary and Ci#ilian +nfrastructure! Octo$er <! 1>>>. /ouse r(ed Ser#ices
Co((ittee! (ommission to Assess the !hreat to the 5nited +tates *rom Electromagnetic Pulse Attac/!
hearing! Guly 22! 2&&4.
>;. Funding for the contro#ersial Terroris( +nfor(ation *areness progra( ended in 2&&4. The prototype
syste( *as for(erly housed *ithin the "R9 +nfor(ation *areness Office. Se#eral related data (ining
research and de#elop(ent progra(s! no* (anaged $y different agencies! are designed to pro#ide $etter
ad#ance infor(ation a$out terrorist planning and preparation acti#ities to pre#ent future international
terrorist attac-s against the %nited States at ho(e or a$road. goal of data (ining is to treat *orld*ide
distri$uted data$ase infor(ation as if it *ere housed *ithin one centrali2ed data$ase. 8e3ort to (ongress
8egarding the !errorism )n*ormation Awareness Program! :0ecuti#e Su((ary! )ay 2& 2&&3! p. 1.
><. /ouse and Senate conferees #oted on Septe($er 24 to end funding for T+ through 2&&4. Ste#en ).
Cherry! 3Contro#ersial 9entagon 9rogra( Scuttled! 8ut +ts Wor- Will Li#e On!3 )EEE +3ectrum 2nline! Sept.
2>! 2&&3! DhttpIJJ***.spectru(.ieee.orgE.
>=. 9entagon sources fa(iliar *ith the 3nony(ous :ntity Resolution3 technology ha#e indicated that it (ay
alle#iate so(e of the issues associated *ith pri#acy protection. The product uses 3entityAresolution
techni,ues3 to scra($le data for security reasons. The soft*are sifts through data such as na(es! phone
nu($ers! addresses and infor(ation fro( e(ployers to identify indi#iduals listed under different na(es in
separate data$ases. The soft*are can find infor(ation $y co(paring records in (ultiple data$ases! ho*e#er
the infor(ation is scra($led using a 3oneA*ay hash function!3 *hich con#erts a record to a character string
that ser#es as a uni,ue identifier li-e a fingerprint. 9ersons $eing in#estigated re(ain anony(ous! and
agents can isolate particular records *ithout e0a(ining any other personal infor(ation. record that has
$een oneA*ay hashed cannot $e 3unhashed3 to re#eal infor(ation contained in the original record. Ste#e
)oll(an! 38etting on 9ri#ate "ata Search!3 0ired-com! )ar. 11! 2&&3.
>>. Ro$ert O1/arro*! 3%.S. 8ac-s Florida1s Ne* Counterterroris( "ata$ase!3 0ashington Post! ug. ;!
2&&3! p. &1.
1&&. CRS Report RL31<=;! !otal )n*ormation Awareness Programs 9unding4 (om3osition4 and 2versight
)ssues6 CRS Report RL31<3&! Privac, !otal )n*ormation Awareness Programs and 8elated )n*ormation
Access4 (ollection4 and Protection ;aws6 CRS Report RL31<>=! Data Mining An 2verview6 and CRS Report
RL31=4;! +cience and !echnolog, Polic, )ssues *or the 1'%th (ongress! 2nd Session.
1&1. The deputy director of the cy$ersecurity di#ision! ndre* 9urdy! has since $een appointed interi(
director of %.S. cy$ersecurity.
1&2. "an ?erton! 3%pdateI Cy$ersecurity O#erhaul Legislation "O in Congress!3 (om3uter0orld! Sept. 23!
2&&4.
1&3. The "/S cy$ersecurity center has fi#e pri(ary rolesI conducting cy$ersecurity research6 de#eloping
perfor(ance standards6 fostering pu$licApri#ate sector co((unication6 supporting the "/S infor(ation
analysis and infrastructure protection directorate6 and *or-ing *ith the National Science Foundation on
educational progra(s! (ongress Dail, )! )ay 1'! 2&&3.
1&4. NOR" (onitors first suspected that the e0plosion *as a nuclear e0plosion! $ut satellites did not pic-
up an electro(agnetic pulse that *ould ha#e acco(panied a nuclear detonation. Willia( Safire! 3The
Fare*ell "ossier!3 .ew =or/ !imes! Fe$. 4! 2&&4.
1&'. "/S press release! 3Ridge Creates Ne* "i#ision to Co($at Cy$er Threats!3 Gune ;! 2&&3!
DhttpIJJ***.dhs.go#Jdhspu$licJdisplay7contentP>1;E.
1&;. State(ent $y (it Foran! "irector National Cy$er Security "i#ision "epart(ent of /o(eland Security
$efore the %.S. Senate Co((ittee on the Gudiciary Su$co((ittee on Terroris(! Technology! and /o(eland
Security! Fe$ruary 24! 2&&4! DhttpIJJ***.usAcert.go#JpolicyJtesti(onyOyoranOfe$24&4.ht(lRnatureE.
1&<. 9atience Wait! 3+ndustry as-s Congress for help on "/S cy$ersecurity role3! 0ashington !echnolog,!
Octo$er 1'! 2&&4.
1&=. gencies operating national security syste(s are re,uired to purchase soft*are products fro( a list of
la$Atested and e#aluated products in a progra( run $y the National +nfor(ation ssurance 9artnership
4N+95! a Coint partnership $et*een the National Security gency and the National +nstitute of Standards
and Technology. The N+9 is the %.S. go#ern(ent progra( that *or-s *ith organi2ations in a do2en other
countries around the *orld *hich ha#e endorsed the international securityAe#aluation regi(en -no*n as the
3Co((on Criteria.3 The progra( re,uires #endors to su$(it soft*are for re#ie* in an accredited la$! a
process that often ta-es a year and costs se#eral thousand dollars. The re#ie* pre#iously *as li(ited to
(ilitary national security soft*are and e,uip(ent! ho*e#er! the d(inistration has stated that the
go#ern(ent *ill underta-e a re#ie* of the progra( to 3possi$ly e0tend3 this soft*are certification
re,uire(ent to ci#ilian agencies. :llen )ess(er!! White /ouse issue 3National Strategy to Secure
Cy$erspace!3 .etwor/ 0orld Fusion! Fe$ruary 14! 2&&3.
1&>. 8usiness e0ecuti#es (ay $e cautious a$out spending for large ne* technology proCects! such as placing
ne* e(phasis on co(puter security. Results fro( a Fe$ruary 2&&3 sur#ey of $usiness e0ecuti#es indicated
that 4' percent of respondents $elie#ed that (any large +nfor(ation Technology 4+T5 proCects are often too
e0pensi#e to Custify. )anagers in the sur#ey pointed to the esti(ated M12'.> $illion dollars spent on +T
proCects $et*een 1><< and 2&&& in preparation for the year 2&&& 4F2H5 changeo#er! no* #ie*ed $y so(e
as a none#ent. Sources reported that so(e $oardAle#el e0ecuti#es stated that the F2H pro$le( *as
o#er$lo*n and o#er funded then! and as a result! they are no* (uch (ore cautious a$out future spending
for any ne*! (assi#e +T initiati#es. Bary /. nthes and Tho(as /off(an! 3Tarnished
+(age!3 (om3uterworld! )ay 12! 2&&3! #ol. 3<! no. 1>! p. 3<.
11&. /o*ard Sch(idt points out that (aCor technology fir(s no* pro(ote antiA#irus soft*are and
encourage $etter cy$ersecurity practices. /e stresses that (ar-et forces are causing pri#ate industry to
i(pro#e security of products. )artin Hady! 3Cy$ersecurity a Wea- Lin- in /o(eland1s r(or!3 (D 0ee/l,!
Fe$. 14! 2&&'. )ean*hile! Richard Clar-e! *ho initially opposed regulation during his tenure in the Clinton
and 8ush ad(inistrations! no* states that the +T industry only reponds to i(pro#e security of its products
*hen regulation is threatened. Willia( Gac-son! 3To Regulate or Not to Regulate7 That +s the
@uestion!3 @overnment (om3uter .ews! Fe$. 2;! 2&&'.
111. 8uilding in (ore security adds to the cost of a soft*are product. No* that soft*are features are si(ilar
across $rands! soft*are #endors ha#e indicated that their custo(ers! including federal go#ern(ent
agencies! often (a-e purchases $ased largely on product price. (on*erence on +o*tware Product +ecurit,
9eatures! +nfor(ation ssurance Technical +nfor(ation Fra(e*or- Foru(! Laurel! )aryland! NS! 2&&1.
112. 2&&4 sur#ey of 32> 9C users re#ealed that (ost co(puter users thin- they are safe $ut lac- $asic
protections against #iruses! spy*are! hac-ers! and other online threats. +n addition! large (aCorities of
ho(e co(puter users ha#e $een infected *ith #iruses and spy*are and re(ain highly #ulnera$le to future
infections. OL and the National Cy$er Security lliance! 3Largest +nAho(e Study of /o(e Co(puter %sers
Sho*s )aCor Online Threats! 9erception Bap!3 Oct. 2&&4! DhttpIJJ***.staysafeonline.infoJne*sJNCSA
OL+nA/o(eStudyRelease.pdfE.
113. spo-esperson for the Co(puter :(ergency Response Tea( at Carnegie )ellon has reportedly stated
that (ost people (ay not yet reali2e that antiA#irus soft*are and a fire*all are no longer enough to protect
co(puters any(ore. Charles "uhigg! 3Fight gainst ?iruses )ay )o#e to Ser#ers!3 0ashington Post! ug.
2=! 2&&3! p. :&1.
114. Bo#ern(ent ccounta$ility Office! Homeland +ecurit, E**orts !o )m3rove )n*ormation +haring .eed to
1e +trengthened! BOA&3A<;&! ugust 2&&3.
11'. CRS Report RL3&1'3! (ritical )n*rastructures 1ac/ground4 Polic, and )m3lementation! $y Gohn )oteff.
11;. Trace $ac- to identify a cy$erattac-er at the granular le#el re(ains pro$le(atic. "orothy
"enning! )n*ormation 0ar*are and +ecurit,! 4ddisonAWesley! 1>>>5! p. 21<.
11<. +n rgentina! a group calling the(sel#es the NATea(! hac-ed into the *e$site of that country1s
Supre(e Court in pril 2&&2. The trial Cudge stated that the la* in his country co#ers cri(e against people!
things! and ani(als $ut not *e$sites. The group on trial *as declared not guilty of $rea-ing into the
*e$site. 9aul /ill$ec-! 3rgentine Gudge Rules in Fa#or of Co(puter /ac-ers! Fe$. '! 2&&2.
11=. $raha( ". Sofaer! et.al.! The /oo#er +nstitution! The Consortiu( for Research on +nfor(ation
Security and 9olicy 4CR+S95! and The Center for +nternational Security and Cooperation 4C+SC5 Stanford
%ni#ersity! 3 9roposal for an +nternational Con#ention on Cy$er Cri(e and Terroris(!3 ugust 2&&&!
DhttpIJJ***.i*ar.org.u-Jla*JresourcesJcy$ercri(eJstanfordJcisacAdraft.ht(E.
11>. +n 2&&&! ne*s sources reported that the "efense gency of Gapan halted the introduction of a ne*
co(puter syste( after disco#ering that so(e of the soft*are had $een de#eloped $y (e($ers of the u(
Shinri-yo cult! *hich *as responsi$le for the fatal 1>>' To-yo su$*ay gas attac-. The "efense gency *as
one of >& go#ern(ent agencies and industry fir(s that had ordered soft*are produced $y the cult. Richard
9o*er! (urrent ? 9uture Danger A (+) Primer on (om3uter (rime and )n*ormation 0ar*are! Co(puter
Security +nstitute! 2&&&.
12&. "an ?erton! 3Offshore Coding Wor- Raises Security Concerns!3 (om3uterworld! )ay '! 2&&3! #ol. 3<!
no. 1=! p. 1.
121. %nder F+S)! the "irector of O)8I o#ersees the i(ple(entation of infor(ation security policies for
ci#ilian federal agencies! re,uires agencies to identify and pro#ide infor(ation security protection
appropriate for the le#el of ris- and (agnitude of har( resulting fro( possi$le destruction of infor(ation or
syste(s! and coordinates the de#elop(ent of security standards and guidelines de#eloped $et*een N+ST!
NS! and other agencies to assure they are co(ple(entary *ith standards and guidelines de#eloped for
national security syste(s. See 44 %.S.C.! Section 3'43 4a5.
122. %sing these fi#e $asic steps! often supple(ented *ith auto(ated intrusion tools! attac-ers ha#e
successfully ta-en o#er co(puter syste(s and re(ained undetected for long periods of ti(e. :d
S-oudis! (ounter Hac/! 4Ne* GerseyI 9rentice /all! 2&&25.
123. These include :d S-oudis! (ounter Hac/ A +te3-1,-+te3 @uide to (om3uter Attac/s and E**ective
De*enses! 4Ne* GerseyI 9rentice /all! 2&&256 Winn Sch*artau! )n*ormation 0ar*are (,6erterrorism
Protecting =our Personal +ecurit, in the Electronic Age! 49u$lishers Broup West! 1>>;56 and Geff
Cru(e! )nside )nternet +ecurit, 0hat Hac/ers Don>t 0ant =ou !o Enow! 49earson :ducation Li(ited!
2&&&5.
124. For (ore a$out Spy*are! see Spy*areinfo at DhttpIJJ***.spy*areinfo.co(JE.
12'. n attac-er (ay use an auto(atic 3War "ialing3 tool that dials thousands of telephone nu($ers!
loo-ing for (ode(s connected to a co(puter. +f a co(puter (ode( ans*ers *hen the War "ialer calls! the
attac-er (ay ha#e located a *ay to enter an organi2ation1s net*or- and $ypass fire*all security. ne*er
*ay of scanning for #ulnera$ilities is called 3War "ri#ing3! *here hac-ers dri#e rando(ly through a
neigh$orhood trying to detect signals fro( $usiness or ho(e *ireless net*or-s. Once a net*or- is detected!
the hac-er (ay par- near$y and atte(pt to log on to gain free! unauthori2ed access. He#in 9oulsen! 3War
"ri#ing $y the 8ay!3 Securityfocus.co(! pril 12! 2&&1.
12;. Ne* 3antiforensics tools3 are no* a#aila$le on the +nternet that allo* hac-ers to (ore effecti#ely hide
their actions! and thus defeat (ore in#estigators *ho search for technical e#idence of co(puter intrusions.
nne Saita! 3ntiforensicsI The Loo(ing r(s Race!3 )n*ormation +ecurit,! )ay 2&&3! #ol. ;! no. '! p.13.
12<. +n Septe($er 2&&3! "/S *arned %.S. industry and the federal go#ern(ent to e0pect potentially
significant attac-s to e(erge against +nternet operations! si(ilar to the recent 8laster *or( e0ploit!
$ecause of ne*ly disco#ered critical fla*s in Windo*s soft*are that *ere announced $y )icrosoft
Corporation. Gai-u(ar ?iCayan! 3ttac-s on Ne* Windo*s Fla*s :0pected Soon!3 (om3uterworld! Sept. 1'!
2&&3! #ol. 3<! no. 3<! p. 1.
12=. single reported co(puter security incident (ay in#ol#e one site or hundreds 4or e#en thousands5 of
sites. lso! so(e incidents (ay in#ol#e ongoing acti#ity for long periods of ti(e. C:RT esti(ates that as
(uch as =& percent of actual security incidents goes unreported! in (ost cases $ecause the organi2ation
*as una$le to recogni2e that its syste(s had $een penetrated or there *ere no indications of penetration or
attac-6 or the organi2ation *as reluctant to pu$licly ad(it to $eing a #icti( of a co(puter security $reach.
C:RT! 2&&3! 3C:RTJCC Statistics 1>==A2&&2!3 pril 1'! 2&&3!
DhttpIJJ***.cert.orgJstatsJcertOstats.ht(lRincidents.E 3C:RTJCC Statistics! 2&&3!3
DhttpIJJ***.cert.orgJstatsJcertOstats.ht(lE.
12>. )RC Co((uter and CSN freight rail ser#ice e0perienced cancellations and delays on ugust 21! 2&&3!
$ecause of a #irus that disa$led the co(puter syste(s at the CSN rail*ay Gac-son#ille! Florida head,uarters.
The 38laster3 co(puter *or( attac-ed (ore than '&&!&&& co(puters *orld*ide *ithin one *ee-. The
38laster3 attac- *as ,uic-ly follo*ed the ne0t *ee- $y another *or( that spread *orld*ide! called
3Welchia!3 *hich installed itself on co(puters $y ta-ing ad#antage of the sa(e #ulnera$ility used $y 8laster.
8rian Hre$s! 31Bood1 Wor( Fi0es +nfected Co(puters!3 Washingtonpost.co(! ug. 1=! 2&&3. The 3Welchia3
*or( also disrupted the highly secure Na#y )arine Corps +ntranet 4N)C+5 during the *ee- of ugust 11! $y
flooding it *ith un*anted traffic. This *as the first ti(e that (ilitary net*or- *as disrupted $y an outside
cy$erattac-. "iane Fran-! 3ttac- of the Wor(sI Feds Bet Wa-eA%p Call!39ederal (om3uter 0ee/! ug. 2'!
2&&3! #ol. 1<! no. 2>! p. =.
13&. The F8+ is in#estigating *hat pri#ate security e0perts $elie#e to $e the first +nternet attac- ai(ed
pri(arily at a single econo(ic sector. The (alicious code! disco#ered in Gune 2&&3! contains a list of roughly
1!2&& We$ addresses for (any of the *orld1s largest financial institutions! including G.9. )organ Chase T
Co.! (erican :0press Co.! Wacho#ia Corp.! 8an- of (erica Corp. and Citi$an- N.. 38ug$ear3 is a
poly(orphic *or(J#irus that has -eystro-eAlogging and (assA(ailing capa$ilities! and atte(pts to
ter(inate #arious anti#irus and fire*all progra(s. Though (ost (aCor $an-s do not put sensiti#e
infor(ation on the +nternet! the *or( *ill atte(pt to use infor(ation captured fro( a des-top 9C to $rea-
into restricted co(puters that do contain financial data. For e0a(ple! e0perts found that the 8ug$ear
soft*are is progra((ed to deter(ine *hether a #icti( used an eA(ail address that $elonged to any of the
1!3&& financial institutions listed in its $lueprints. +f a (atch is (ade! it tries to steal pass*ords and other
infor(ation that *ould (a-e it easier for hac-ers to $rea- into a $an-1s net*or-s. The soft*are then
trans(its stolen pass*ords to 1& eA(ail addresses! *hich also are included in the $lueprints. 8ut e0perts
said that on the +nternet anyone can easily open a free eA(ail account using a false na(e! and so -no*ing
those addresses (ight not lead detecti#es to the culprit. .9.! 3Feds Warn 8an-s $out +nternet ttac-!3
CNN.Co(! Gune 1&! 2&&3.
131. The Na#al 9ostgraduate School is de#eloping a ne* net*or- security tool called 3Ther(inator3 that is
designed to detect possi$le co(puter attac-s $y carefully (onitoring net*or- traffic. Gason )a! 3N9S Touts
Ther(inator s :arlyAWarning Tool for Co(puter ttac-s!3 )nside the .av,! Na#yA1;A4&A12! Oct. ;! 2&&3.
132. The 3Sla((er3 *or( attac-ed )icrosoft1s data$ase soft*are and spread through the +nternet o#er one
*ee-end in Ganuary 2&&3. ccording to a preli(inary study coordinated $y the Cooperati#e ssociation for
+nternet "ata nalysis 4C+"5! on Ganuary 2'! 2&&3! the S@L Sla((er *or( 4also -no*n as 3Sapphire35
infected (ore than >& percent of #ulnera$le co(puters *orld*ide *ithin 1& (inutes of its release on the
+nternet! (a-ing it the fastest co(puter *or( in history. s the study reports! e0ploiting a -no*n
#ulnera$ility for *hich a patch has $een a#aila$le since Guly 2&&2! Sla((er dou$led in si2e e#ery =.'
seconds and achie#ed its full scanning rate 4'' (illion scans per second5 after a$out 3 (inutes. +t caused
considera$le har( through net*or- outages and such unforeseen conse,uences as canceled airline flights
and auto(ated teller (achine 4T)5 failures. Further! the study e(phasi2es that the effects *ould li-ely
ha#e $een (ore se#ere had Sla((er carried a (alicious payload! attac-ed a (ore *idespread #ulnera$ility!
or targeted a (ore popular ser#ice. The (alicious code disrupted (ore than 13!&&& 8an- of (erica
auto(ated teller (achines! causing so(e (achines to stop issuing (oney! and too- (ost of South Horea
+nternet users offline. s (any as fi#e of the 13 +nternet root na(e ser#ers *ere also slo*ed or disa$led!
according to ntiA#irus fir( FASecure. Ro$ert F. "acey! 3+NFOR)T+ON S:C%R+TFI 9rogress )ade! 8ut
Challenges Re(ain to 9rotect Federal Syste(s and the Nation1s Critical +nfrastructures!3 2&&36 )att Loney!
3Sla((er attac-s (ay $eco(e *ay of life for Net !3 (net-.ews-com! Fe$. ;! 2&&36 Ro$ert Le(os! 3Wor(
e0poses apathy! )icrosoft fla*s!3 Cnet.Ne*s.co(! Gan. 2;! 2&&3.
133. 3Report to Congress Regarding the Terroris( +nfor(ation *areness 9rogra(!3 E:ecutive +ummar,!
)ay 2&! 2&&3! p.3.
134. Gerry Seper! 31Sleeper Cells1 of l @aeda cti#e in %.S. "espite War!3 0ashington !imes! Fe$. 11! 2&&4.
13'. %.S. Citi2en Ser#ices! 3Tra#el Warnings and Warden )essages!3 Gune 1;! 2&&4!
DhttpIJJriyadh.use($assy.go#JsaudiAara$iaJ*1'&4.ht(lE.