CRS Report for Congress
Order Code RL32114
Clay Wilson
Specialist in Technology and National Security
Foreign Affairs, Defense, and Trade Division
Congressional Research Service, The Library of Congress
Updated April 1, 2005

Summary

Many international terrorist groups now actively use computers and the Internet to communicate, and several may develop or acquire the necessary technical skills to direct a coordinated attack against computers in the United States. A cyberattack intended to harm the U.S. economy would likely target computers that operate the civilian critical infrastructure and government agencies. However, there is disagreement among some observers about whether a coordinated cyberattack against the U.S. critical infrastructure could be extremely harmful, or even whether computers operating the civilian critical infrastructure actually offer an effective target for furthering terrorists' goals.

While there is no published evidence that terrorist organizations are currently planning a coordinated attack against computers, computer system vulnerabilities persist worldwide, and initiators of the random cyberattacks that plague computers on the Internet remain largely unknown. Reports from security organizations show that random attacks are now increasingly implemented through use of automated tools, called "bots", that direct large numbers of compromised computers to launch attacks through the Internet as swarms. The growing trend toward the use of more automated attack tools has also overwhelmed some of the current methodologies used for tracking Internet cyberattacks.

This report provides background information for three types of attacks against computers (cyberattack, physical attack, and electromagnetic attack), and discusses related vulnerabilities for each type of attack. The report also describes the possible effects of a coordinated cyberattack, or computer network attack (CNA),
against U.S. infrastructure computers, along with possible technical capabilities of international terrorists.

Issues for Congress may include how could trends in cyberattacks be measured more effectively; what is appropriate guidance for DOD use of cyberweapons; should cybersecurity be combined with, or remain separate from, the physical security organization within DHS; how can commercial vendors be encouraged to improve the security of their products; and what are options to encourage U.S. citizens to follow better cybersecurity practices? Appendices to this report describe computer viruses, spyware, and "bot networks", and how malicious programs are used to enable cybercrime and cyberespionage. Also, similarities are drawn between planning tactics currently used by computer hackers and those used by terrorist groups for conventional attacks.

This report will be updated as events warrant.

Contents

Introduction
Background
Three Methods for Computer Attack
Characteristics of Physical Attack
Characteristics of Electronic Attack (EA)
Characteristics of Cyberattack (CNA)
Identifying Cyberterrorism
Expert Opinions Differ
Cyberterrorism Defined
Difficulty Identifying Attackers
Possible Effects of Cyberterrorism
Disagreement about Effects on the Critical Infrastructure
Unpredictable Interactions Between Infrastructures
SCADA Systems May Be Vulnerable
DOD Relies on Civilian Technology
Why Cyberattacks Are Successful
Hackers Search for Computer System Vulnerabilities
Automated Cyberattacks Spread Quickly
Persistence of Computer System Vulnerabilities
Errors in New Software Products
Inadequate Resources
Offshore Outsourcing
Terrorist Capabilities for Cyberattack
Attractiveness of Cyberterrorism
Lower Risk
Less Dramatic
Links with Terrorist-Sponsoring Nations
Links Between Terrorists and Hackers
Federal Efforts to Protect Computers
Issues for Congress
Growing Technical Capabilities of Terrorists
How Best to Measure Cyberattack Trends?
DOD and Cyberterrorism
Existing Guidance
Retaliation
Military Vulnerability and Reliance on Commercial Products
Privacy
Terrorism Information Awareness Program
Other Data Mining Search Technologies
National Director for Cybersecurity
Should Physical and Cybersecurity Issues Remain Combined?
National Strategy to Secure Cyberspace
Commercial Software Vulnerabilities
Awareness and Education
Coordination to Protect Against Cyberterrorism
Information Sharing
International Cooperation Against Cyberattack
Offshore Development of Software
Legislative Activity
Appendix A. Planning for a Cyberattack
Appendix B. Characteristics of Malicious Code
Appendix C. Similarities in Tactics Used for Cyberattacks and Conventional Terrorist Attacks

Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

Introduction

Many Pentagon officials reportedly believe that future adversaries may resort to strategies intended to offset U.S. military technological superiority. 1 Because the U.S. military is supported in significant ways by civilian high technology products and services (including communications systems, electronics, and computer software), future conflicts may involve a blurring of the distinction between civilian and military targets. 2 Therefore, civilian systems, including computers that operate the U.S. critical infrastructure, may increasingly be seen as viable targets that are vulnerable to attack by adversaries, including terrorist groups.

Some feel that past discussions about a coordinated attack against civilian computers may have over-inflated the perceived risk to the U.S. critical infrastructure, and several experts have stated that cyberterrorism does not pose the same type of threat as Nuclear, Biological, or Chemical (NBC) threats. 3 Many experts also believe that it would be difficult to use attacks against computers to inflict death on a large scale,
and have stated that conventional physical threats present a much more serious concern for U.S. national security. 4 However, other observers point out that terrorist groups now use the Internet to communicate via websites, chat rooms, and email, to raise funds, and to covertly gather intelligence on future targets. From these activities, it is evident that the knowledge that terrorist groups have of computer technology is increasing, and along with that, a better knowledge of related vulnerabilities. Should any terrorist groups initiate a coordinated attack against computer systems in the United States, most security experts agree that the likely scenario would be to try to disable U.S. computers or communications systems so as to amplify the effects of, or supplement, a conventional terrorist bombing or other major NBC attack.

Congress may wish to explore the possible effects on the U.S. economy and on the U.S. military that might result from a coordinated attack against civilian computers and communications systems. Congress may also wish to explore options for protecting civilian computer systems against a coordinated attack and the possible international consequences that might result from any U.S. military response to such an attack.

The Background section of this report describes three methods for attacking computers; however, the report focuses on the method most commonly known as cyberattack or computer network attack (CNA), which involves disruption caused by malicious computer code. It also describes the current disagreement over the possible effects of a coordinated cyberattack on the U.S. critical infrastructure, and why the random cyberattacks that plague the Internet continue to be successful. There is also a brief discussion about the possible capabilities of terrorist groups and terrorist-sponsoring nations to initiate a coordinated cyberattack.
Three appendices give a description of the tactics possibly used in planning and executing a computer network attack.

Background

The focus of this report is possible cyberterrorism using computer network attack, or cyberattack. However, when IT facilities and computer equipment are deliberately targeted by a terrorist group, it is possible that a physical attack, or an electronic attack (EA), may also fit within one or more of the expert definitions shown below for "cyberterrorism."

Three Methods for Computer Attack

A computer attack may be defined as actions directed against computer systems to disrupt equipment operations, change processing control, or corrupt stored data. Different attack methods target different vulnerabilities and involve different types of weapons, and several may be within the current capabilities of some terrorist groups. 5 Three different methods of attack are identified in this report, based on the effects of the weapons used. However, as technology evolves, distinctions between these methods may begin to blur.

A physical attack involves conventional weapons directed against a computer facility or its transmission lines;

An electronic attack (EA) involves the use [of] the power of electromagnetic energy as a weapon, more commonly as an electromagnetic pulse (EMP) to overload computer circuitry, but also in a less violent form, to insert a stream of malicious digital code directly into an enemy microwave radio transmission; and

A computer network attack (CNA) usually involves malicious code used as a weapon to infect enemy computers to exploit a weakness in software, in the system configuration, or in the computer security practices of an organization or computer user. Other forms of CNA are enabled when an attacker uses stolen information to enter restricted computer systems.

DOD officials have stated that while CNA and EA threats are "less likely" than physical attacks,
they could actually prove more damaging because they involve disruptive technologies that might generate unpredictable consequences or give an adversary unexpected advantages. 6

Characteristics of Physical Attack. A physical attack disrupts the reliability of computer equipment and availability of data. Physical attack is implemented either through use of conventional weapons, creating heat, blast, and fragmentation, or through direct manipulation of wiring or equipment, usually after gaining unauthorized physical access.

In 1991, during Operation Desert Storm, the U.S. military reportedly disrupted Iraqi communications and computer centers by sending cruise missiles to scatter carbon filaments that short circuited power supply lines. Also, the Al Qaeda attacks directed against the World Trade Center and the Pentagon on September 11, 2001, destroyed many important computer databases and disrupted civilian and military financial and communications systems that were linked globally. 7 The temporary loss of communications links and important data added to the effects of the physical attack by closing financial markets for up to a week. 8

Characteristics of Electronic Attack (EA). Electronic attack, most commonly referred to as an Electromagnetic Pulse (EMP), disrupts the reliability of electronic equipment through generating instantaneous high energy that overloads circuit boards, transistors, and other electronics. 9 EMP effects can penetrate computer facility walls where they can erase electronic memory, upset software, or permanently disable all electronic components. 10 Some assert that little has been done by the private sector to protect against the threat from electromagnetic pulse, and that commercial electronic systems in the United States could be severely damaged by limited range, small-scale, or portable electromagnetic pulse devices.
11 Some military experts have stated that the United States is perhaps the nation most vulnerable to electromagnetic pulse attack. 12

A Commission to Assess the Threat from High Altitude Electromagnetic Pulse was established by Congress in FY2001 after several experts expressed concern that the U.S. critical infrastructure and military were vulnerable to high altitude EMP attack. 13 At a July 22, 2004, hearing before the House Armed Services Committee, panel members from the Commission reportedly stated that as more U.S. military weapons and control systems become increasingly complex, they may also be more vulnerable to the effects of EMP. The consensus of the Commission is that a large-scale high altitude EMP attack could possibly hold our society seriously at risk and might result in defeat of our military forces. 14

However, the Department of Homeland Security (DHS) has stated that testing of the current generation of civilian core telecommunications switches now in use has shown that they are only minimally affected by EMP. DHS has also stated that most of the core communications assets for the United States are housed in large, very well constructed facilities which provide a measure of shielding against the effects of EMP. 15

Observers believe that mounting a coordinated attack against U.S. computer systems, using either larger-scale, smaller-scale, or even portable EMP weapons requires technical skills that are beyond the capabilities of most terrorist organizations. However, nations such as Russia, and possibly terrorist-sponsoring nations such as North Korea, now have the technical capability to construct and deploy a smaller chemically-driven, or battery-driven EMP device that could disrupt computers at a limited range. 16

For more on electromagnetic weapons, see CRS Report RL32544, High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments.

Characteristics of Cyberattack (CNA). A computer network attack (CNA),
or "cyberattack," disrupts the integrity or authenticity of data, usually through malicious code that alters program logic that controls data, leading to errors in output (for more detail, see Appendices A, B, and C). Computer hackers opportunistically scan the Internet looking for computer systems that are mis-configured or lacking necessary security software. Once infected with malicious code, a computer can be remotely controlled by a hacker who may, via the Internet, send commands to spy on the contents of that computer or attack and disrupt other computers.

Cyberattacks usually require that the targeted computer have some pre-existing system flaw, such as a software error, a lack of antivirus protection, or a faulty system configuration, for the malicious code to exploit. However, as technology evolves, this distinguishing requirement of CNA may begin to fade. For example, some forms of EA can now cause effects nearly identical to some forms of CNA. For example, at controlled power levels, the transmissions between targeted microwave radio towers can be hijacked and specially designed viruses, or altered code, can be inserted directly into the adversary's digital network. 17

Identifying Cyberterrorism

No single definition of the term "terrorism" has yet gained universal acceptance. Likewise, no single definition for the term "cyberterrorism" has been universally accepted. Labeling a computer attack as "cyberterrorism" is problematic because of the difficulty determining the identity, intent, or the political motivations of an attacker with certainty.

Under 22 USC, section 2656, "terrorism" is defined as premeditated, politically motivated violence perpetrated against noncombatant targets by sub-national groups or clandestine agents, usually intended to influence an audience. 18

Expert Opinions Differ. Some definitions for cyberterrorism focus on the intent of the attackers. For example,
the Federal Emergency Management Agency (FEMA) defines cyberterrorism as: "Unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives." 19

Security expert Dorothy Denning defines cyberterrorism as the "politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage." 20

Others assert that any deliberate use of information technology by terrorist groups and their agents to cause harm constitutes cyberterrorism. 21

Some security experts define cyberterrorism based on the effects of an attack. Included are activities where computers are targeted and the resulting effects are destructive or disruptive enough to generate fear potentially comparable to that from a traditional act of terrorism, even if initiated by criminals with no political motive. Under this "effects" view, even computer attacks that are limited in scope, but lead to death, injury, extended power outages, airplane crashes, water contamination, or major loss of confidence for portions of the economy, may also be labeled cyberterrorism. 22

Some observers state that cyberterrorism can take the form of a physical attack that destroys computerized nodes for critical infrastructures, such as the Internet, telecommunications, or the electric power grid, without ever touching a keyboard. 23 DHS officials have also asserted that cybersecurity cuts across all aspects of critical infrastructure protection and that cyberoperations cannot be separated from the physical aspects of businesses because they operate interdependently. 24 Thus, where computers or IT facilities and equipment are deliberately targeted by terrorist groups,
methods involving physical attack and EA may each fit within the above definitions for "cyberterrorism."

Cyberterrorism Defined. By combining the above concepts of intent and effects, "cyberterrorism" may be defined as the use of computers as weapons, or as targets, by politically motivated international, or sub-national groups, or clandestine agents who threaten or cause violence and fear in order to influence an audience, or cause a government to change its policies. This definition, which combines several opinions about cyberterrorism, can encompass all three methods: physical, EA, and CNA, for attacks against computers.

Difficulty Identifying Attackers. Instructions for exploiting computer vulnerabilities are easily obtainable by anyone via the Internet. However, to date, there is no published evidence linking a sustained or widespread attack using CNA with international terrorist groups. 25 It remains difficult to determine the identity of the initiators of most cyberattacks, while at the same time security organizations continue to report that computer virus attacks are becoming more frequent, causing more economic losses, and affecting larger areas of the globe. For example, the Computer Emergency Response Team Coordination Center (CERT/CC) shows that 137,529 computer security incidents were reported to their office in 2003, up from 82,094 in 2002. 26

The challenge of identifying the source of attacks is complicated by the unwillingness of commercial enterprises to report attacks, owing to potential liability concerns. CERT/CC estimates that as much as 80% of all actual computer security incidents still remain unreported. 27

Possible Effects of Cyberterrorism

As yet, no coordinated or widespread cyberattack has had a crippling effect on the U.S. infrastructure. However, while the number of random Internet cyberattacks has been increasing, the data collected to measure the trends for cyberattacks cannot be used to accurately determine if a terrorist group,
or terrorist-sponsoring state, has initiated any of them.

A recent private study found that during the latter half of 2002, the highest rates for global cyberattack activity were directed against critical infrastructure industry companies. 28 A new report on industrial cybersecurity problems, produced by the British Columbia Institute of Technology, and the PA Consulting Group, using data from as far back as 1981, reportedly has found a 10-fold increase in the number of successful cyberattacks on infrastructure Supervisory Control And Data Acquisition systems since 2000. 29 DOD officials have also observed that the number of attempted intrusions into military networks has gradually increased, from 40,076 incidents in 2001, to 43,086 in 2002, 54,488 in 2003, and 24,745 as of June 2004. 30 The consequences of these attacks on military operations are not clear, however.

Disagreement about Effects on the Critical Infrastructure. While security experts agree that a coordinated cyberattack could be used to amplify the effects of a conventional physical terrorist attack, such as an NBC attack, many of these same experts disagree about the damaging effects that might result from an attack directed against computers that operate the U.S. critical infrastructure. Some observers have stated that because of U.S. dependency on computer technology, such attacks may have the potential to create economic damage on a large scale, while other observers have stated that U.S. infrastructure systems are resilient and would possibly recover easily, thus avoiding any severe or catastrophic effects.

Some of China's military journals speculate that cyberattacks could disable American financial markets. China, however, is as dependent on these markets as the United States, and could suffer even more from their disruption. As to other critical infrastructures, the amount of potential damage that could be inflicted may be relatively trivial compared to the costs of discovery,
if engaged in by a nation state. These constraints, however, do not apply to non-state actors like Al Qaeda, making cyberattacks a potentially useful tool for it and others who reject the global market economy. 31

In July 2002, the U.S. Naval War College hosted a war game called "Digital Pearl Harbor" to develop a scenario for a coordinated cyberterrorism event, where mock attacks by computer security experts against critical infrastructure systems simulated state-sponsored cyberwarfare. The simulated cyberattacks determined that the most vulnerable infrastructure computer systems were the Internet itself, and the computer systems that are part of the financial infrastructure. 32 It was also determined that attempts to cripple the U.S. telecommunications infrastructure would be unsuccessful because system redundancy would prevent damage from becoming too widespread. The conclusion of the exercise was that a "Digital Pearl Harbor" in the United States was only a slight possibility. 33

However, in 2002, a major vulnerability was discovered in switching equipment software that threatened the infrastructure for major portions of the Internet. A flaw in the Simple Network Management Protocol (SNMP) would have enabled attackers to take over Internet routers and cripple network telecommunications equipment globally. Network and equipment vendors worldwide raced quickly to fix their products before the problem could be exploited by hackers, with possible worldwide consequences. U.S. government officials also reportedly made efforts to keep information about this major vulnerability quiet until after the needed repairs were implemented on vulnerable Internet systems. 34 According to an assessment reportedly written by the FBI, the security flaw could have been exploited to cause many serious problems, such as bringing down widespread telephone networks and also halting control information exchanged between ground and aircraft flight control systems.
35

Unpredictable Interactions Between Infrastructures. An important area that is not fully understood concerns the unpredictable interactions between computer systems that operate the different U.S. infrastructures. The concern is that numerous interdependencies (where downstream systems may rely on receiving good data through stable links with upstream computers in a different infrastructure) could possibly build to a cascade of damaging effects that are unpredictable in how they might affect national security. 36 For example, in 2003 while the newly released "Blaster" worm was causing disruption of Internet computers over several days in August, it may also have added to the severity of the Eastern United States power blackout that occurred on August 14, by degrading the performance of several communications lines that linked the data centers used by utility companies to send warnings to other managers downstream on the power grid. 37

SCADA Systems May Be Vulnerable. Supervisory Control And Data Acquisition (SCADA) systems are computer systems relied upon by most critical infrastructure organizations (such as companies that manage the power grid) to automatically monitor and adjust switching, manufacturing, and other process control activities, based on digitized feedback data gathered by sensors. These control systems are frequently unmanned, operate in remote locations, and are accessed periodically by engineers or technical staff via telecommunications links. Some experts believe that these systems may be especially vulnerable, and that their importance for controlling the critical infrastructure may make them an attractive target for cyberterrorists. SCADA systems, once connected only to isolated networks using only proprietary computer software, now operate using more vulnerable Commercial-Off-The-Shelf (COTS) software, and are increasingly being linked directly into corporate office networks via the Internet. 38 Some observers believe that many, if not most,
SCADA systems are inadequately protected against a cyberattack, and remain persistently vulnerable because many organizations that operate them have not paid proper attention to their unique computer security needs. 39

The following example may serve to illustrate the vulnerability of control systems and highlight possible cybersecurity issues that could arise for infrastructure nodes when SCADA controls are interconnected with office networks. In August 2003, the "Slammer" Internet computer worm was able to corrupt for five hours the computer control systems at the Davis-Besse nuclear power plant located in Ohio (fortunately, the power plant was closed and off-line when the cyberattack occurred). The computer worm was able to successfully penetrate systems in the Davis-Besse power plant control room largely because the business network for its corporate offices was found to have multiple connections to the Internet that bypassed the control room firewall. 40

However, other observers suggest that SCADA systems and the critical infrastructure are more robust and resilient than early theorists of cyberterror have stated, and that the infrastructure would likely recover rapidly from a cyberterrorism attack. They cite, for example, that water system failures, power outages, air traffic disruptions, and other scenarios resembling possible cyberterrorism often occur as routine events, and rarely affect national security, even marginally. System failures due to storms routinely occur at the regional level, where service may often be denied to customers for hours or days. Technical experts who understand the systems would work to restore functions as quickly as possible. Cyberterrorists would need to attack multiple targets simultaneously for long periods of time to gradually create terror, achieve strategic goals, or to have any noticeable effects on national security. 41

For more information about SCADA systems, see CRS Report RL31534,
Critical Infrastructure: Control Systems and the Terrorist Threat.

DOD Relies on Civilian Technology. During Operation Iraqi Freedom, commercial satellites were used to supplement other military communications channels, which at times lacked sufficient capacity. 42
A cyberattack directed against civilian communications systems could possibly disrupt communications to some combat units, or could possibly lead to delayed shipment of military supplies, or a slowdown in the scheduling and deployment of troops before a crisis.

Several simulations have been conducted to determine what effects an attempted cyberattack on the critical infrastructure might have on U.S. defense systems. In 1997, DOD conducted a mock cyberattack to test the ability of DOD systems to respond to protect the national information infrastructure. That exercise, called operation "Eligible Receiver 1997," revealed dangerous vulnerabilities in U.S. military information systems. 43 In October 2002, a subsequent mock cyberattack against DOD systems, titled "Eligible Receiver 2003," indicated a need for greater coordination between military and non-military organizations to deploy a rapid military computer counter-attack. 44

DOD also uses Commercial-Off-The-Shelf (COTS) hardware and software products both in core information technology administrative functions, and also in the combat systems of all services, as for example, in the integrated warfare systems for nuclear aircraft carriers. 45 DOD favors the use of COTS products in order to take advantage of technological innovation, product flexibility and standardization and resulting cost-effectiveness. Nevertheless, DOD officials and others have stated that COTS products are lacking in security, and that strengthening the security of those products to meet military requirements may be too difficult and costly for most COTS vendors. To improve security, DOD Information Assurance practices require deploying several layers of additional protective measures around COTS military systems to make them more difficult for enemy cyberattackers to penetrate. 46

However, on two separate occasions in 2004, viruses reportedly infiltrated two top-secret computer systems at the Army Space and Missile Defense Command.
It is not clear how the viruses penetrated the military systems, or what the effects were. Also, contrary to security policy requirements, the computers reportedly lacked basic antivirus software protection. 47 Security experts have noted that for both military and civilian systems, no matter how much protection is given to computers, hackers are always creating new ways to defeat those protective measures, and whenever systems are connected on a network, it is possible to exploit even a relatively secure system by jumping from a non-secure system. 48

Why Cyberattacks Are Successful

Networked computers with exposed vulnerabilities may be disrupted or taken over by a hacker, or by automated malicious code. Should a terrorist group attempt to launch a coordinated cyberattack against computers that manage the U.S. critical infrastructure, they may find it useful to copy some of the tactics now commonly used by today's computer hacker groups to locate Internet-connected computers with vulnerabilities, and then systematically exploit those vulnerabilities (see Appendices A, B, and C).

Hackers Search for Computer System Vulnerabilities. Computer hackers opportunistically scan the Internet to find and infect computer systems that are mis-configured, or lack current software security patches. Compromised computers can become part of a "bot network" or "bot herd" (a "bot" is a remotely-controlled, or semi-autonomous computer program that can infect computers), sometimes comprised of hundreds or thousands of compromised computers that can all [be] controlled remotely by a single hacker. This "bot herd" hacker may instruct the computers through an encrypted communications channel to spy on the owner of each infected computer, and quietly transmit copies of any sensitive data that is found, or he may direct the "herd" to collectively attack as a swarm against other targeted computers.
Even computers with current software security patches installed may still be vulnerable to a type of CNA known as a "Zero-Day exploit". This may occur if a computer hacker discovers a new software vulnerability and launches a malicious attack program to infect the computer before a security patch can be created by the software vendor and distributed to protect users.

In results of a 2004 survey of security and law enforcement executives, conducted in part by the Secret Service, CSO (Chief Security Officer) magazine, and the Computer Emergency Response Team Coordination Center (CERT/CC), a major reporting center for statistics on Internet security problems, hackers are cited as the greatest cybersecurity threat. The survey also shows that while 43% of respondents reported an increase in cybercrimes over the previous year, at least 30% of those did not know whether insiders or outsiders were the cause. Of those respondents who did know, 71% of attacks reportedly came from outsiders while 29% came from insiders. 49

Automated Cyberattacks Spread Quickly. The "Slammer" computer worm attacked Microsoft's database software and spread through the Internet over the space of one weekend in January 2003. According to a preliminary study coordinated by the Cooperative Association for Internet Data Analysis (CAIDA), on January 25, 2003, the SQL Slammer worm (also known as "Sapphire") automatically spread to infect more than 90 percent of vulnerable computers worldwide within 10 minutes of its release on the Internet, making it the fastest computer worm in history. As the study reports, exploiting a known vulnerability for which a patch has been available since July 2002, Slammer doubled in size every 8.5 seconds and achieved its full scanning rate (55 million scans per second) after about 3 minutes. It caused considerable harm through network outages and such unforeseen consequences as canceled airline flights and automated teller machine (ATM) failures.
[50] Whenever a cyberattack against computers or networks is reported to CERT/CC, it is recorded as a statistic for security incidents. However, as of 2004, CERT/CC has abandoned this practice for keeping a record of cyberattacks. This is because the widespread use of automated cyberattack tools has escalated the number of network attacks to such a high level, that their organization has stated that a count of security incidents has become meaningless as a metric for assessing the scope and effects of attacks against Internet-connected systems.[51]

Persistence of Computer System Vulnerabilities. Vulnerabilities in software and computer system configurations provide the entry points for a cyberattack. Vulnerabilities persist largely as a result of poor security practices and procedures, inadequate training in computer security, or poor quality in software products.[52] Inadequate resources devoted to staffing the security function may also contribute to poor security practices. Home computer users often have little or no training in best practices for effectively securing home networks and equipment.

Errors in New Software Products. Vendors for Commercial-Off-The-Shelf software (COTS) are often criticized for releasing new products with errors that create the computer system vulnerabilities.[53] Approximately 80 percent of successful intrusions into federal computer systems reportedly can be attributed to software errors, or poor software product quality.[54] Richard Clarke, former White House cyberspace advisor until 2003, has reportedly said that many commercial software products have poorly written, or poorly configured security features.[55] Richard D. Pethia, Director, CERT/CC, Software Engineering Institute, Carnegie Mellon University, in testimony before the House Select Committee on Homeland Security, Subcommittee on Cybersecurity, Science, and Research and Development, stated,
"There is little evidence of improvement in the security features of most products; developers are not devoting sufficient effort to apply lessons learned about the sources of vulnerabilities.... We continue to see the same types of vulnerabilities in newer versions of products that we saw in earlier versions. Technology evolves so rapidly that vendors concentrate on time to market, often minimizing that time by placing a low priority on security features. Until their customers demand products that are more secure, the situation is unlikely to change."[56]

In response to complaints, the software industry reportedly has made new efforts to design software with more secure code and with architectures that are more secure. For example, Microsoft has created a special Security Response Center and now works with DOD and with industry and government leaders to improve security features in its new products. However, many software industry representatives reportedly agree that no matter what investment is made to improve software security, there will continue to be vulnerabilities found in software because it is becoming increasingly more complex.[57]

Inadequate Resources. Although software vendors periodically release fixes or upgrades to solve newly discovered security problems, an important software security patch might not get scheduled for installation on an organization's computers until several weeks or months after the patch is available.[58] The job may be too time-consuming, too complex, or too low a priority for the system administration staff. With increased software complexity comes the introduction of more vulnerabilities, so system maintenance is never-ending. Sometimes the security patch itself may disrupt the computer when installed, forcing the system administrator to take additional time to adjust the computer to accept the new patch. To avoid such disruption,
a security patch may first require testing on a separate isolated network before it is distributed for installation on all other computers. Because of such delays, the computer security patches actually installed in many organizations may lag considerably behind the current cyberthreat situation. Whenever delays are allowed to persist in private organizations, in government agencies, or among PC users at home, computer vulnerabilities that are widely reported may remain unprotected, leaving networks open to possible attack for long periods of time. One way to improve this would be to encourage the software industry to create products that do not require system administrators to devote so much time to installing fixes. Many security experts also emphasize that if systems administrators received the necessary training for keeping their computer configurations secure, then computer security would greatly improve for the U.S. critical infrastructure.[59]

Offshore Outsourcing. Many major software companies now outsource code development to subcontractors who design and build large portions of COTS products outside the United States.[60] Offshore outsourcing may give a programmer in a foreign country the chance to secretly insert a Trojan Horse or other malicious code into a new commercial software product. GAO reportedly has begun a review of DOD reliance on foreign software development to determine the adequacy of measures intended to reduce these related security risks in commercial software products purchased for military systems. Software industry representatives have responded by saying that offshore outsourcing should not be cited as the only possible source for malicious code. Most core software components are designed and developed within the United States, and despite the emerging controversy about security and offshore outsourcing, many software developers working and residing here also have foreign backgrounds. Therefore,
to improve national security it may be more effective to focus not on the location where code is developed, but rather to focus on making certain that software vendors always have rigorous quality assurance techniques in place no matter where the code is produced. However, higher standards for quality assurance will also involve more costs and additional time for testing.[61] For more information about offshore outsourcing and national security, see CRS Report RL32411, Network Centric Warfare: Background and Oversight Issues for Congress, and CRS Report RL32179, Manufacturing Output, Productivity and Employment: Implications for U.S. Policy.

Terrorist Capabilities for Cyberattack

Extensive planning and pre-operational surveillance by hackers are important characteristics that precede a cyberattack directed at an organization.[62] Some experts estimate that advanced or structured cyberattacks against multiple systems and networks, including target surveillance and testing of sophisticated new hacker tools, might require from two to four years of preparation, while a complex coordinated cyberattack, causing mass disruption against integrated, heterogeneous systems may require 6 to 10 years of preparation.[63] This characteristic, where hackers devote much time to detailed and extensive planning before launching a cyberattack, has also been described as a "hallmark" of previous physical terrorist attacks and bombings launched by Al Qaeda (see Appendices A and C).

Attractiveness of Cyberterrorism. It is difficult to determine the level of interest, or the capabilities of international terrorist groups to launch an effective cyberattack. A 1999 report by The Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School concluded that it is likely that any severe cyberattacks experienced in the near future by industrialized nations will be used by terrorist groups simply to supplement the more traditional physical terrorist attacks.
[64] Some observers have stated that Al Qaeda does not see cyberterrorism as important for achieving its goals, preferring attacks which inflict human casualties.[65] Other observers believe that the groups most likely to consider and employ cyberattack and cyberterrorism are the terrorist groups operating in post-industrial societies (such as Europe and the United States), rather than international terrorist groups that operate in developing regions where there is limited access to high technology. However, other sources report that Al Qaeda has taken steps to improve organizational secrecy through more active and clever use of technology, and evidence suggests that Al Qaeda terrorists used the Internet extensively to plan their operations for September 11, 2001.[66] Al Qaeda cells reportedly used new Internet-based telephone services to communicate with other terrorist cells overseas. Khalid Shaikh Mohammed, one of the masterminds of the plot against the World Trade Center, reportedly used special Internet chat software to communicate with at least two airline hijackers. Ramzi Yousef, who was sentenced to life imprisonment for the previous bombing of the World Trade Center, had trained as an electrical engineer, and had planned to use sophisticated electronics to detonate bombs on 12 U.S. airliners departing from Asia for the United States. He also used sophisticated encryption to protect his data and to prevent law enforcement from reading his plans should he be captured.[67]

Lower Risk. Tighter physical security measures now widely in place throughout the United States may encourage terrorist groups in the future to explore cyberattack as [a] way to lower the risk of detection for their operations.[68] Also, linkages between networked computers could expand the effects of a cyberattack. Therefore, a cyberattack directed against only a few vulnerable computers could multiply its effects by corrupting important information that is transmitted to other downstream businesses.

Less Dramatic. However, other security observers believe that terrorist organizations might be reluctant to launch a cyberattack because it would result in less immediate drama and have a lower psychological impact than a more conventional act of destruction, such as a bombing. These observers believe that unless a cyberattack can be made to result in actual physical damage or bloodshed, it will never be considered as serious as a nuclear, biological, or chemical terrorist attack.[69]

Links with Terrorist-Sponsoring Nations. The U.S. Department of State, as of October 2004, lists seven designated state sponsors of terrorism: Cuba, Iran, Iraq, Libya, North Korea, Syria, and Sudan.[70] These countries are identified as sponsors for funding, providing weapons, and supplying other resources used for operations by terrorist groups. However, a study of trends in Internet attacks determined that countries that are state sponsors of terrorism generated less than one percent of all reported cyberattacks directed against selected businesses in 2002.[71] News sources have reported that, other than a few website defacements, there was no evidence that a computer attack was launched by Iraq or by terrorist organizations against United States military forces during Gulf War II.[72] The security research organization, C4I.org, reported that prior to the March 2003 deployment of U.S. troops, traffic increased from Web surfers in Iraq using search terms such as, "Computer warfare," "NASA computer network," and "airborne computer." Experts interpreted the increased Web traffic as an indication that Iraq's government was increasingly relying on the Internet for intelligence gathering.[73] Elements in Iran are believed by some observers to have links with Al Qaeda as well as other terrorist groups, and North Korea has continued to sell weapons and high-technology items to other countries designated as state sponsors of terrorism.
Other news sources have reported that North Korea may be building up their own capabilities for cyberoperations. Security experts reportedly believe that North Korea may have developed a considerable capability for cyberwarfare partly in response to South Korea's admitted build up of computer training centers and its expanding defense budget to prepare for information warfare.[74] Computer programmers from the Pyongyang Informatics Center in North Korea have done contract work to develop software for local governments and businesses in Japan and South Korea. And, recent statements made by South Korea's Defense Security Command claim that North Korea may currently be training more than 100 new computer hackers per year, for national defense.[75] However, Pentagon and State Department officials reportedly are unable to confirm the claims made by South Korea, and defense experts reportedly believe that North Korea is incapable of seriously disrupting U.S. military computer systems. Also, Department of State officials have reportedly said that North Korea is not known to have sponsored any terrorist acts since 1987.

Links Between Terrorists and Hackers. Links between computer hackers and terrorists, or terrorist-sponsoring nations may be difficult to confirm. Membership in the most highly-skilled computer hacker groups is sometimes very exclusive, limited to individuals who develop, demonstrate, and share only with each other their most closely-guarded set of sophisticated hacker tools. These exclusive hacker groups do not seek attention because maintaining secrecy allows them to operate more effectively. Some hacker groups may also have political interests that are supra-national, or based on religion or other socio-political ideologies, while other hacker groups may be motivated by profit, or linked to organized crime, and may be willing to sell their computer services, regardless of the political interests involved. For example,
it has been reported that the Indian separatist group, Harkat-ul-Ansar (an Islamic fundamentalist group in Pakistan that operates primarily in Kashmir, and is also now labeled a Foreign Terrorist Organization in 1997 for its links with bin Laden), attempted to purchase cyberattack software from hackers in late 1998. In March 2000, it was reported that the Aum Shinrikyo cult, a designated Foreign Terrorist Organization, had contracted to write software for 80 Japanese companies, and 10 government agencies, including Japan's Metropolitan Police Department; however, no cyberattacks that related to these contracts were reported.[76] However, information about computer vulnerabilities is now for sale online in a hackers' "black market". For example, a list of 5,000 addresses of computers that have already been infected with spyware and which are waiting to be remotely controlled as part of an automated "bot network" (see Appendix A) reportedly can be obtained for about $150 to $500. Prices for information about computer vulnerabilities for which no software patch yet exists reportedly range from $1,000 to $5,000. Purchasers of this information are often companies that deal in spam, organized crime groups, and various foreign governments.[77]

Federal Efforts to Protect Computers

The federal government has taken steps to improve its own computer security and to encourage the private sector to also adopt stronger computer security policies and practices to reduce infrastructure vulnerabilities. In 2002, the Federal Information Security Management Act (FISMA) was enacted, giving the Office of Management and Budget (OMB) responsibility for coordinating information security standards and guidelines developed by federal agencies.[78] In 2003, the National Strategy to Secure Cyberspace was published by the Administration to encourage the private sector to improve computer security for the U.S.
critical infrastructure through having federal agencies set an example for best security practices.[79] The National Cyber Security Division (NCSD), within the Information Analysis and Infrastructure Protection Directorate of the Department of Homeland Security (DHS) oversees a Cyber Security Tracking, Analysis and Response Center (CSTARC), tasked with conducting analysis of cyberspace threats and vulnerabilities, issuing alerts and warnings for cyberthreats, improving information sharing, responding to major cybersecurity incidents, and aiding in national-level recovery efforts.[80] In addition, a new Cyber Warning and Information Network (CWIN) has begun operation in 50 locations, and serves as an early warning system for cyberattacks.[81] The CWIN is engineered to be reliable and survivable, has no dependency on the Internet or the public switched network (PSN), and reportedly will not be affected if either the Internet or PSN suffer disruptions.[82] In January 2004, the NCSD also created the National Cyber Alert System (NCAS), a coordinated national cybersecurity system that distributes information to subscribers to help identify, analyze, and prioritize emerging vulnerabilities and cyberthreats. NCAS is managed by the United States Computer Emergency Readiness Team (US-CERT), a partnership between NCSD and the private sector, and subscribers can sign up to receive notices from this new service by visiting the US-CERT website.[83] However, despite growing concerns for national security, computer vulnerabilities persist, the number of computer attacks reported by industry and government has increased yearly, and federal agencies have, for the past three years, come under criticism for the poor effectiveness of their computer security programs.[84] For example, weaknesses in computer security at the Department of Energy reportedly allowed hackers to successfully penetrate systems 199 times in FY2004, affecting approximately 3,531 unclassified networked systems.
[85] A report by the DOE inspector general stated that the Department continues to have difficulty finding, tracking and fixing previously reported cybersecurity weaknesses quickly. The report identified a number of other security weaknesses, and recommended that all major applications and general support systems become certified and accredited, according to DOE computer security policy.[86]

Issues for Congress

Growing Technical Capabilities of Terrorists

Is it likely that the threat will increase in the future for a coordinated cyberattack, or other type of attack against computers that operate the U.S. infrastructure? As computer-literate youth increasingly join the ranks of terrorist groups, will cyberterrorism become increasingly more mainstream in the future? Will a computer-literate leader bring increased awareness of the advantages of an attack on information systems, or be more receptive to suggestions from other, newer computer-literate members? Once a new tactic has won widespread media attention, will it likely motivate other rival terrorist groups to follow along the new pathway?[87] Several experts have asserted that terrorist organizations may soon begin to use computer technology to more actively support terrorist objectives. For example, seized computers belonging to Al Qaeda indicate its members are now becoming familiar with hacker tools that are freely available over the Internet.[88] Potentially severe cyberattack tools may be first developed and then secretly tested by dispersed terrorist groups using small, isolated laboratory networks, thus avoiding detection of any preparation before launching a widespread attack on the Internet.[89]

How Best to Measure Cyberattack Trends?

Congress may wish to encourage security and technology experts to study ways to collect data that will enable more effective analysis of trends of ongoing cyberattacks on the Internet. Currently,
there is no published data to either support or deny terrorist involvement in the increasing number of cyberattacks that plague the Internet. Congress may wish to encourage researchers to find better ways to determine the initiators of cyberattacks. What effects are new cyberattack tools, such as automated "bot" systems, having on the stability of the Internet infrastructure, and the security of the U.S. critical infrastructure? Is there a need for a more statistically reliable analysis of trends in computer security vulnerabilities to more accurately show the costs and benefits for improving national cybersecurity? Currently, several annual studies are published by several security companies, analyzing what they have observed from customer monitoring or surveys. These reported statistics are relied upon for measuring financial losses to U.S. industry due to computer attacks. However, it is believed by some observers that some studies may be limited in scope and may possibly contain statistical bias.[90] As technology evolves, will new and more innovative self-directed high technology products change the nature of our vulnerability to cyberattack? Currently, the degree and immediacy of human oversight of infrastructure computers will likely help prevent the effects of a possible cyberattack from cascading unpredictably. However, as more high technology products are designed to communicate directly with each other without human involvement, will the immediate oversight of human experts diminish, and would this also reduce our protection against a potentially severe cyberattack in the future?

DOD and Cyberterrorism

In February 2003, the Administration published a report titled "National Strategy to Secure Cyberspace," making clear that the U.S. government reserves the right to respond "in an appropriate manner" if the United States comes under computer attack. The response could involve the use of U.S. cyberweapons,
or malicious code designed to attack and disrupt the targeted computer systems of an adversary. The Joint Information Operations Center (JIOC), which is under the U.S. Strategic Command (USSTRATCOM), has responsibility for managing information warfare and electronic warfare activities. Within the JIOC, the Joint Task Force-Global Network Operations (JTF-GNO), coordinates and directs the defense of DOD computer systems and networks, and, when directed, conducts computer network attack in support of combatant commanders' and national objectives.

Existing Guidance. The Bush Administration announced plans in February 2003 to develop national-level guidance for determining when and how the United States would launch computer network attacks against foreign adversary computer systems.[91] However, any U.S. response to a computer attack by an adversary must be carefully weighed to avoid mistakes in retaliation, or other possible unintended outcomes. Options for a cyberresponse from the United States may be limited because there will likely be difficulty in determining, with a high degree of certainty, if a terrorist group is actually responsible for an attack against computers in the United States. For example, a terrorist group might possibly subvert the computers of a third party, in an attempt to provoke a retaliatory strike by the United States against the wrong group or nation.

Retaliation. If it is determined that the United States has been the target of a successful coordinated cyberattack by a terrorist group, what is the appropriate response? There are many questions that can be raised regarding the military use of cyberweapons. For instance, should those decisions be made by the President, or by the Joint Chiefs of Staff,
or by other military commanders? What oversight role should Congress have? Would the resulting effects of offensive cyberweapons for information warfare operations be difficult to limit or control? If the United States should use DOD cyberweapons to retaliate against a terrorist group, would that possibly encourage others to start launching cyberattacks against the United States? Similarly, will any U.S. attempt to suddenly increase surveillance via use of cyberespionage programs be labeled as an unprovoked attack, even if directed against a terrorist group? If a terrorist group should subsequently copy, or reverse-engineer a destructive U.S. military computer attack program, would it be used against other countries that are U.S. allies, or even turned back to attack civilian computer systems in the United States?[92] Would the use of cyberweapons, if the effects are widespread and severe, exceed the customary rules of military conflict, or international laws?[93] In a meeting held in January 2003 at the Massachusetts Institute of Technology, White House officials sought input from experts outside government on guidelines for U.S. use of cyberweapons. Officials have stated they are proceeding cautiously, because a U.S. cyberattack against terrorist groups or other adversaries could have serious cascading effects, perhaps causing major disruption to civilian systems in addition to the intended computer targets.[94]

Military Vulnerability and Reliance on Commercial Products. Commercial electronics and communications equipment are now used extensively to support complex U.S. weapons systems, leaving operations for those systems possibly vulnerable to cyberattack, and this situation is known to our potential adversaries.[95] To what degree are military forces and national security threatened by vulnerabilities of commercial systems,
and how can the computer industry be encouraged to create new COTS products that are less vulnerable to cyberattack?

Privacy

What is the proper balance between the need to detect and remain aware of terrorism activities and the need to protect individual privacy? Cyberterrorists would likely use tactics that are similar to those used by computer hacker groups. Preoperative surveillance characterizes the early stages of many cyberattacks, and secret planning may be conducted in Internet chat areas, where hackers meet anonymously to exchange information about computer vulnerabilities, or new cyberattack tools. These covert communications could also be encrypted and difficult to detect or decode. A limiting factor for either preventing a cyberattack or identifying the attackers is a lack of data revealing evidence of pre-operative surveillance and on-line planning activity that is traceable back to terrorist groups. Should intelligence agencies monitor computer chat rooms frequented by terrorists and develop other ways to help uncover their communications and planning? Data Mining search technologies may offer ways to help the intelligence community uncover these linkages.

Terrorism Information Awareness Program. The Defense Advanced Research Projects Agency (DARPA) has conducted research and development for systems such as the former Terrorism Information Awareness Program (TIA)[96] that are intended to help investigators discover covert linkages among people, places, things, and events related to possible terrorist activity (see below for privacy issues). Funding ended for the TIA program in 2004 and the Information Awareness Office, a branch of DARPA, is now disbanded.[97] The TIA data mining program was intended to sift through vast quantities of citizens' personal data, such as credit card transactions and travel bookings,
to identify possible terrorist activity to provide better advance information about terrorist planning and preparation activities to prevent future international terrorist attacks against the United States at home or abroad. However, the TIA program and other similar proposals for domestic surveillance raised privacy concerns from lawmakers, advocacy groups, and the media. Some privacy advocates have objected to the possibility that information gathered through domestic surveillance may be viewed by unauthorized users, or even misused by authorized users. Congress has moved to restrict or eliminate funding for the TIA program under S. 1382 and H.R. 2658. P.L. 108-87, titled the Defense Appropriations Act of 2004, enacted on September 30, 2003, restricts funding and deployment of the TIA Program. Specifically, section 8131 part (a) limits use of funds for research and development of the TIA Program, except for "Processing, analysis, and collaboration tools for counterterrorism foreign intelligence" for military operations outside the United States.

Other Data Mining Search Technologies. Should more research be encouraged into newer database search technologies that provide more protection for individual privacy while helping to detect terrorist activities? The Department of Defense is currently reviewing the capabilities of other data mining products using technology that may reduce domestic privacy concerns raised by TIA. For example, Systems Research and Development, a technology firm based in Las Vegas, has been tasked by the CIA and other agencies to develop a new database search product called "Anonymous Entity Resolution." The technology used in this product can help investigators determine whether a terrorist suspect appears in two separate databases, without revealing any private individual information. The product uses encryption to ensure that even if the scrambled records are intercepted, no private information can be extracted. Thus,
terrorism watch lists and corporate databases could be securely compared online, without revealing private information.[98] Also, the Florida police department has, since 2001, operated a counter terrorism system called the Multistate Anti-Terrorism Information Exchange (MATRIX) that helps investigators find patterns among people and events by combining police records with commercially available information about most U.S. adults. MATRIX includes information that has always been available to investigators, but adds extraordinary processing speed. The Justice Department has provided $4 million to expand the MATRIX program nationally. DHS has pledged $8 million to assist with the national expansion, and has also announced plans to launch a pilot data-sharing network that will include Virginia, Maryland, Pennsylvania, and New York.[99] For more information about TIA, data mining technology, and other privacy issues, see related CRS Reports.[100]

National Director for Cybersecurity

Each of the three top officials involved in the government's cybersecurity effort has resigned since the beginning of 2003. In January 2003, Richard Clarke resigned from his position as cybersecurity adviser to the President, ending a 30-year government career. Clarke had been the cybersecurity adviser since October 2001. Three months later, in April 2003, Howard Schmidt, Clarke's successor as adviser, resigned, ending a 31-year government career. Before becoming the adviser in January 2003, Schmidt had served as Clarke's deputy. In September 2003, DHS formally announced the appointment of Amit Yoran as new director of its cybersecurity division.[101] However, the new director's position was placed three levels beneath DHS Secretary Tom Ridge, in contrast to Yoran's predecessors, Howard Schmidt and Richard Clarke, both of whom were positioned in the White House and had a direct line of contact with the President. In September 2004, Amit Yoran resigned,
citing the end of his one-year commitment to DHS. However, to some observers Yoran's resignation was unexpected. Potential questions for Congress arising out of these resignations include the following: Were any of their resignations motivated in part by job-related concerns? If the latter, are these concerns indicative of any problems in the government's cybersecurity effort that need to be addressed? Why is the executive branch having difficulty holding onto senior cybersecurity officials? What effect have these resignations had on the government's efforts in cybersecurity? Are the government's efforts in this area suffering due to insufficient continuity of leadership? The level of influence for the director of cybersecurity position has become a subject of recent debate, where several observers have proposed strengthening the director's position by moving it out of DHS and into the White House, possibly under the Office of Management and Budget. However, some security industry leaders have favored elevating the position to the assistant secretary level within DHS, and have objected to moving the position to another department, saying that relocating the office now would possibly be disruptive to the government-industry relationships that are newly formed at DHS.[102] DHS officials have reportedly resisted elevating the position, arguing that separating concerns for cybersecurity from physical security is inefficient and expensive because common problems threaten both.[103] P.L. 108-458, the Intelligence Reform and Terrorism Prevention Act, enacted on December 17, 2004, does not describe a new Assistant Secretary position for Cybersecurity. H.R. 285 was introduced on January 6, 2005 by Representative Mac Thornberry, with Representative Zoe Lofgren and Representative Bennie Thompson as co-sponsors.
This bill proposes to create a National Cybersecurity Office headed by an Assistant Secretary for Cybersecurity within the DHS Directorate for Information Analysis and Infrastructure Protection, with authority for all cybersecurity-related critical infrastructure protection programs. On February 18, 2005, the bill was referred to the House Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity.

Should Physical and Cybersecurity Issues Remain Combined?

According to news sources, in the 1980s during the Cold War, the United States CIA deliberately created faulty SCADA software and then planted it in locations where agents from the Soviet Union would steal it. Unknown to the Soviets, the SCADA software, which was supposedly designed to automate controls for gas pipelines, was also infected with a secret Trojan Horse programmed to reset pump speeds and valve settings that would create pressures far beyond what was acceptable to pipeline joints and welds. The result, in June 1982, was a monumental nonnuclear explosion on the trans-Siberian gas pipeline, equivalent to 3 kilotons of TNT. However, the event remained secret because the explosion took place in the Siberian wilderness, and there were no known casualties. [104]

DHS officials maintain that an attack against computers could possibly result in disastrous effects in physical facilities. Because of this, the new DHS National Cyber Security Division (NCSD) is tasked to protect cyberassets in order to also provide the best protection for U.S. critical infrastructure assets. DHS officials have asserted that cybersecurity cuts across all aspects of critical infrastructure protection, and that cyberoperations cannot be separated from the physical aspects of businesses because they operate interdependently. [105] Therefore, the NCSD employs a threat-independent strategy of protecting the Internet and critical infrastructures from all types of attacks. DHS officials have stated,
"If we attempt to 'stovepipe' our protection efforts to focus on the different types of attackers who may use the cyberinfrastructure, we risk the possibility of limiting our understanding of the entire threat environment." [106]

However, officials of five business groups - the Cyber Security Industry Alliance, the Business Software Alliance, TechNet, the IT Association of America, and the Financial Services Roundtable - have urged the administration to create separate physical and cybersecurity reporting structures within the DHS. The industry groups maintain that the challenges of protection in a globally networked cyberworld are sufficiently different from requirements for protection in the physical world that DHS needs a separate structure; one that is focused on cyberissues, and headed by a Senate-confirmed public official. [107]

National Strategy to Secure Cyberspace

Does the National Strategy to Secure Cyberspace present clear incentives for achieving security objectives? Suggestions to increase incentives may include requiring that all software procured for federal agencies be certified under the "Common Criteria" testing program, which is now the requirement for the procurement of military software. However, industry observers point out that the software certification process is lengthy and may interfere with innovation and competitiveness in the global software market. [108]

Should the National Strategy to Secure Cyberspace rely on voluntary action on the part of private firms, home users, universities, and government agencies to keep their networks secure, or is there a need for possible regulation to ensure best security practices? Has public response to improve computer security been slow partly because there are no regulations currently imposed? [109] Would regulation to improve computer security interfere with innovation and possibly harm U.S.
competitiveness in technology markets? Two of the former cybersecurity advisers to the president have differing views: Howard Schmidt has stated that market forces, rather than the government, should determine how product technology should evolve for better cybersecurity; however, Richard Clarke has stated that the IT industry has done little on its own to improve security of its own systems and products. [110]

Commercial Software Vulnerabilities

Should software product vendors be required to create higher quality software products that are more secure and that need fewer patches? Software vendors may increase the level of security for their products by rethinking the design, or by adding more test procedures during product development. However, some vendors reportedly have said that their commercial customers may not be willing to pay the increased costs for additional security features. [111]

Awareness and Education

Should computer security training be made available to all computer users to keep them aware of constantly changing computer security threats, and to encourage them to follow proper security procedures? A 2004 survey done by the National Cyber Security Alliance and AOL showed that home PC users had a low level of awareness about best practices for computer security. The survey showed that most home users do not have adequate protection against hackers, do not have updated antivirus software protection, and are confused about the protections they are supposed to use and how to use them. [112]

Will incentives, education programs, or public awareness messages about computer security encourage home PC users to follow the best security practices? Many computers taken over by Internet hackers belong to small businesses or individual home users who have not had training in best computer security practices and who may not feel motivated to voluntarily participate in a training program.
Vulnerabilities that require government and corporate systems administrators to install software patches also affect computers belonging to millions of home PC users. [113]

Coordination to Protect Against Cyberterrorism

What can be done to improve sharing of information between federal government, local governments, and the private sector to improve computer security? Effective cybersecurity requires sharing of relevant information about threats, vulnerabilities, and exploits. A recent GAO survey of local government officials recommended that DHS strengthen information sharing by incorporating states and cities into its federal "enterprise architecture" planning process. [114] How can the private sector obtain useful information from the government on specific threats which the government considers classified, and how can the government obtain specific information from private industry about vulnerabilities and incidents which companies say they want to protect to avoid publicity and to guard trade secrets? [115]

Information Sharing. Should information voluntarily shared with the federal government about security vulnerabilities be shielded from disclosure through Freedom of Information Act requests? Many firms are reluctant to share important computer security information with government agencies because of the possibility of having competitors become aware of a company's security vulnerabilities through FOIA.

International Cooperation Against Cyberattack. How can the United States better coordinate security policies and international law to gain the cooperation of other nations to better protect against a computer attack? Pursuit of hackers may involve a trace back through networks requiring the cooperation of many Internet Service Providers located in several different nations. [116] Pursuit is made increasingly complex if one or more of the nations involved has a legal policy or political ideology that conflicts with that of the United States. [117]

Methods for improving international cooperation in dealing with cybercrime and terrorism were the subject of a conference sponsored by the Hoover Institution, the Consortium for Research on Information Security and Policy (CRISP) and the Center for International Security and Cooperation (CISAC) at Stanford University in 1999. Members of government, industry, NGOs, and academia from many nations met at Stanford to discuss the growing problem, and a clear consensus emerged that greater international cooperation is required. [118]

Currently, thirty-eight countries, including the United States, have signed the Council of Europe's Convention on Cybercrime, published in November 2001. The Convention seeks to better combat cybercrime by harmonizing national laws, improving investigative abilities, and boosting international cooperation. Supporters argue that the Convention will enhance deterrence, while critics counter it will have little effect without participation by countries in which cybercriminals operate freely. (See CRS Report RS21208, Cybercrime: The Council of Europe Convention.)

Offshore Development of Software. Is U.S. national security threatened by using commercial software products developed in foreign countries? [119] A recent study by Gartner Inc., a technology research organization, predicts that for 2004 and beyond, more than 80 percent of U.S. companies will consider outsourcing critical IT services, including software development. Terrorist networks are known to exist in several countries such as Malaysia and Indonesia, where IT contract work has been outsourced. Other possible recipients of outsourced projects are Israel, India, Pakistan, Russia and China. [120] Corporations justify their actions by explaining that global economic competition makes offshore outsourcing a business necessity.
Other observers point out that restricting offshore development may not be effective for improving national security because many foreign workers are also currently employed by domestic firms to develop computer software within the United States.

Legislative Activity

The Cybersecurity Research and Development Act (P.L. 107-305) authorized $903 million over five years for new research and training programs by the National Science Foundation (NSF) and the National Institute for Standards and Technology (NIST) to prevent and respond to terrorist attacks on private and government computers.

Following the September 11, 2001 attacks, the Federal Information Security Management Act (FISMA) of 2002 was enacted giving responsibility for setting security standards for civilian federal agency computer systems to the Office of Management and Budget (OMB). [121] Responsibility for security standards for national defense systems remains primarily with DOD and NSA.

The following bills identify recent legislative activity that is related to prevention of cyberterrorism, or related to collection of information on possible terrorist activities.

P.L. 108-195: On December 19, 2003, the Defense Production Act of 2003 amended the Defense Production Act of 1950 to extend its expiration date and authorization of appropriations through FY2008. Sponsored by Senator Shelby Richard, this law corrects industrial resource shortfalls for radiation-hardened electronics, and defines "critical infrastructure" to include physical and cyberbased assets.

S. 140: Known as the Domestic Defense Fund Act of 2005, this bill proposes to authorize DHS to award grants to states and local governments to improve cyber and infrastructure security. Introduced by Senator Hillary Clinton on January 24, 2005, the bill was referred to the Senate Committee on Homeland Security and Governmental Affairs.

Appendix A. Planning for a Cyberattack

A cyberattack is sometimes also called a Computer Network Attack (CNA), because a network connection enables this type of attack. Computer hackers traditionally use five basic steps to gain unauthorized access, and subsequently take over computer systems. These five steps can also be employed by terrorist groups. The steps are frequently automated through use of special hacker tools freely available to anyone via the Internet. [122] Highly-skilled hackers use automated tools that are also very sophisticated, and their effects are initially much more difficult for computer security staff and security technology products to detect. These sophisticated hacker tools are usually shared only among an exclusive group of other highly-skilled hacker associates. The hacker tactics described in this report are also explained in detail in many sources that list possible defenses against computer attack. [123]

Step 1: Reconnaissance and Pre-operative Surveillance

In this first step, hackers employ extensive pre-operative surveillance to find out detailed information about an organization that will help them later gain unauthorized access to computer systems. The most common method is social engineering, or tricking an employee into revealing sensitive information (such as a telephone number or a password). Other methods include dumpster diving, or rifling through an organization's trash to find sensitive information (such as floppy disks or important documents that have not been shredded). This step can be automated if the attacker installs on an office computer a virus, worm, or "Spyware" program that performs surveillance and then transmits useful information, such as passwords, back to the attacker. "Spyware" is a form of malicious code that is quietly installed on a computer without user knowledge when a user visits a malicious website.
It may remain undetected by firewalls or current anti-virus security products while monitoring keystrokes to record web activity or collect snapshots of screen displays and other restricted information for transmission back to an unknown third party. [124]

Step 2: Scanning

Once in possession of special restricted information, or a few critical phone numbers, an attacker performs additional surveillance by scanning an organization's computer software and network configuration to find possible entry points. This process goes slowly, sometimes lasting months, as the attacker looks for several vulnerable openings into a system. [125]

Step 3: Gaining Access

Once the attacker has developed an inventory of software and configuration vulnerabilities on a target network, he or she may quietly take over a system and network by using a stolen password to create a phony account, or by exploiting a vulnerability that allows them to install a malicious Trojan Horse, or automatic "bot" that will await further commands sent through the Internet.

Step 4: Maintaining Access

Once an attacker has gained unauthorized access, he or she may secretly install extra malicious programs that allow them to return as often as they wish. These programs, known as "Root Kits" or "Back Doors", run unnoticed and can allow an attacker to secretly access a network at will. If the attacker can gain all the special privileges of a system administrator, then the computer or network has been completely taken over, and is "owned" by the attacker. Sometimes the attacker will reconfigure a computer system, or install software patches to close the previous security vulnerabilities just to keep other hackers out.

Step 5: Covering Tracks

Sophisticated attackers desire quiet, unimpeded access to the computer systems and data they take over. They must stay hidden to maintain control and gather more intelligence, or to refine preparations to maximize damage.
The "Root Kit" or "Trojan Horse" programs often allow the attacker to modify the log files of the computer system, or to create hidden files to help avoid detection by the legitimate system administrator. Security systems may not detect the unauthorized activities of a careful intruder for a long period of time. [126]

As technology has evolved, more of the above tasks are now aided by the use of automated programs, or "bots," that are increasingly autonomous, rapid, and difficult to detect. These "bots" can be remotely controlled by commands sent through the Internet and can be activated to operate in a coordinated manner on thousands of computers in different locations around the world. Thousands of such computers under remote control may be programmed by a hacker to simultaneously launch an attack through the Internet that can be described as a "swarm."

Appendix B. Characteristics of Malicious Code

Technology constantly evolves, and new security vulnerabilities are discovered regularly by software vendors, by security organizations, by individual researchers, and often by computer hacker groups. [127] Security organizations, such as the Computer Emergency Response Team (CERT/CC) located at Carnegie Mellon, publish security advisories, including information about new software patches, usually before computer hacker groups can take advantage of newly discovered computer security vulnerabilities for purposes of cybercrime or cyberespionage. However, the number of reported unauthorized computer intrusions has increased every year, with a 56 percent increase reported between 2001 and 2002. [128]

Currently, many cyberattacks are enabled by "infecting" a computer with a malicious payload program that corrupts data, performs surveillance, or that receives commands through the Internet to paralyze or deny service to a targeted computer. A computer may become "infected" if a computer user mistakenly downloads and installs a malicious program,
or mistakenly opens an infected email attachment. Other malicious programs, known as "worms," may actively and rapidly seek out other computers on the Internet having a specific non-patched vulnerability and automatically install themselves without any action required on the part of the victim. [129]

A virus is one form of malicious program that often immediately corrupts data or causes a malfunction. A Trojan Horse is another form of malicious program that quietly and secretly corrupts the functions of an existing trusted program on the computer. An attack program, once installed, may quietly "listen" for a special command sent through the Internet from a remote source, instructing it to begin activation of malicious program instructions.

Another type of malicious program, known as "spyware," has a surveillance or espionage capability that enables it to secretly record and automatically transmit keystrokes and other information (including passwords) back to a remote attacker. [130] Other types of malicious code may combine some or all of the characteristics of viruses, worms, Trojan Horses, or spyware along with the ability to randomly change the electronic appearance (polymorphism) of the resulting attack code. This ability to change makes many of the newer viruses, worms, and Trojan Horses very difficult for most anti-virus security products to detect. [131]

Malicious programs attack by disrupting normal computer functions or by opening a back door for a remote attacker to take control of the computer. Sometimes an attacker can quietly take full control of a computer with the owner remaining unaware that his or her machine is compromised. An attack can either immediately disable a computer or incorporate a time delay, after which a remote command will direct the infected computer to transmit harmful signals that disrupt other computers.
An attack can trigger the automatic transmission of huge volumes of harmful signals that can very rapidly disrupt or paralyze many thousands of other computers throughout the Internet or severely clog transmission lines with an abundance of bogus messages, causing portions of the Internet to become slow and unresponsive.

Preparation for a cybercrime or computer attack may sometimes proceed slowly or in several phases before a final attack is initiated. Some compromised computers become part of an automatic "bot network," quietly performing espionage by transmitting data or intermediate preparatory instructions back and forth between compromised computers while awaiting a special final activation signal originating from the attacker. The final activation phase may direct all compromised computers to inundate a targeted computer with bogus messages or insert phony data into critical computer systems, causing them to malfunction at a crucial point or affect other computers downstream. Some recent computer attacks have focused on only a single new computer vulnerability and have been seen to spread worldwide through the Internet with astonishing speed. [132]

Appendix C. Similarities in Tactics Used for Cyberattacks and Conventional Terrorist Attacks

Similarities exist in characteristics of tactics used by hackers to prepare for and execute a cybercrime or cyberespionage computer attack, and the tactics used by terrorists to prepare for and execute some recent physical terrorist operations. For example, both sets of tactics involve (1) network meetings in cyberspace, (2) extensive pre-attack surveillance, (3) exploits of soft and vulnerable targets, and (4) swarming methods.
Knowing that these similarities exist may help investigators as they explore different methods to detect and prevent a possible cyberattack by terrorist groups:

The organizational structures of many terrorist groups are not well understood and are usually intended to conceal the interconnections and relationships. [133] A network organization structure (as opposed to a hierarchical structure) favors smaller units, giving the group the ability to attack and quickly overwhelm defenders, and then just as quickly disperse or disappear. Terrorist groups using a network structure to plan and execute an attack can place government hierarchies at a disadvantage because a terrorist attack often blurs the traditional lines of authority between agencies such as police, the military, and other responders. Similarly, computer hackers are often composed of small groups or individuals who meet anonymously in network chat rooms to exchange information about computer vulnerabilities, and plan ways to exploit them for cybercrime or cyberespionage. By meeting only in cyberspace, hackers can quickly disappear whenever government authorities try to locate them.

Terrorists use pre-attack surveillance over extended periods to gather information on a target's current patterns. According to news reports, Al Qaeda terrorists are now operating through "sleeper cells" scattered throughout the United States that are currently conducting pre-attack surveillance and relaying messages from terrorist leaders and planners. [134] Recent terrorist attacks on Westerners in Riyadh, Saudi Arabia in 2004 were reported to have involved extensive planning and preparation and were likely preceded by pre-attack surveillance. [135] Appendix A of this report describes how hackers engage in similar pre-operative surveillance activities before launching a cyberattack.

Terrorist groups are described by DHS as opportunistic, choosing to exploit soft vulnerabilities that are left exposed. Similarly,
an increasingly popular trend for computer hackers engaged in computer crime or computer espionage is to use a malicious program called a worm, that pro-actively spreads copies of itself through the Internet, rapidly finding as many computers as possible with the same non-patched vulnerability, and then automatically installing itself to quietly await further instructions from the attacker.

Hackers have also designed recent computer exploits that launch anonymously from thousands of infected computers to produce waves of disruption that can quickly overwhelm a targeted organization, or multiple organizations such as a list of banking institutions. In a similar manner, terrorist groups may also strike in waves from multiple dispersed directions against multiple targets, in swarming campaigns. An example of swarming may be the May 11, 2003 attack in Riyadh, where terrorists (possibly Al Qaeda), staged simultaneous assaults at three compounds in different locations, with each assault involving a rapid strike with multiple vehicles, some carrying explosives and others carrying gunmen. Another example may be the simultaneous attacks of 9/11 which were directed against the towers of the World Trade Center, the Pentagon, and a possible third target.

Footnotes:

1. For example, enemy fighters in Iraq have reportedly employed a strategy of directing a large portion of their attacks against U.S. rear guard and support units. Christopher Cooper, "Black Recruits Slide As Share of Army Forces," Wall Street Journal, Oct. 7, 2004, p. B1.
2. Dan Kuehl, professor at the National Defense University School of Information Warfare and Strategy, has pointed out that a high percentage of U.S. military messages flow through commercial communications channels, and this reliance creates a vulnerability during conflict.
3. The critical infrastructure is viewed by some as more resilient than previously thought to the effects of a computer attack. Drew Clark,
"Computer Security Officials Discount Chances of 'Digital Pearl Harbor,'" June 3, 2003.
4. Joshua Green, "The Myth of Cyberterrorism," Washington Monthly, Nov. 2002.
5. All methods of computer attack are within the current capabilities of several nations. See CRS Report RL31787, Information Warfare and Cyberwar: Capabilities and Related Policy Issues.
6. Advantages of EA and CNA might derive from United States reliance on a computer-controlled critical infrastructure, along with unpredictable results depending on severity of the attack. Jason Sherman, "Bracing for Modern Brands of Warfare," Air Force Times, Sept. 27, 2004.
7. Steven Marlin and Martin Garvey, "Disaster-Recovery Spending on the Rise," Information Week, Aug. 9, 2004, p.26.
8. For more on conventional, chemical, nuclear, and biological terrorism, see CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation; CRS Report RL31669, Terrorism: Background on Chemical, Biological, and Toxin Weapons and Options for Lessening Their Impact; CRS Report RL32595, Nuclear Terrorism: A Brief Review of Threats and Responses; and CRS Issue Brief IB10119, Terrorism and National Security: Issues and Trends.
9. Electrical systems connected to any wire or line that can act as an antenna may be disrupted. <http://www.physics.northwestern.edu/classes/2001Fall/Phyx135-2/19/emp.htm>. "Maintenance of Mechanical and Electrical Equipment at Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) Facilities," HEMP Protection Systems, Chapter 27, Army Training Manual 5-692-2, April 15, 2001 <http://www.usace.army.mil/publications/armytm/tm5-692-2/chap27VOL-2.pdf>.
10. Kenneth R. Timmerman, "U.S. Threatened with EMP Attack," Insight on the News, May 28, 2001.
11. House Armed Services Committee, Committee Hearing on Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack, July 22, 2004.
"Experts Cite Electromagnetic Pulse as Terrorist Threat," Las Vegas Review-Journal, Oct. 3, 2001.
12. Seth Schiesel, "Taking Aim at An Enemy's Chips," New York Times, Feb. 20, 2003.
13. Michael Sirak, "U.S. Vulnerable to EMP Attack," Jane's Defence Weekly, July 26, 2004.
14. Dr. John Foster, Jr., et al., Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, Volume 1: Executive Report, report to Congress, 2004. And, Daniel G. Dupont, "Panel Says Society At Great Risk From Electromagnetic Pulse Attack," Inside the Pentagon, July 15, 2004, p.1.
15. Statement of Dr. Peter M. Fonash, Acting Deputy Manager, National Communications System, Department of Homeland Security, before the U.S. Senate Judiciary Committee, Subcommittee on Terrorism, Technology, and Homeland Security, March 5, 2005.
16. While experts disagree about whether any terrorist organizations are capable of building an inexpensive electromagnetic pulse device, it may be possible to acquire a device from a terrorist-sponsoring nation. Michael Abrams, "The Dawn of the E-Bomb," IEEE Spectrum Online, Nov. 2003, <http://www.spectrum.ieee.org/WEBONLY/publicfeature/nov03/1103ebom.html>.
17. Some forms of EA are intended to overpower a radio transmission signal to block or "jam" it, while other forms of EA are intended to overpower a radio signal and replace it with a substitute signal that disrupts processing logic or stored data. David Fulghum, "Network Wars," Aviation Week & Space Technology, Oct. 25, 2004, p.91.
18. The United States has employed this definition of terrorism for statistical and analytical purposes since 1983. U.S. Department of State, 2002, Patterns of Global Terrorism, 2003, <http://www.state.gov/s/ct/rls/pgtrpt/2001/html/10220.htm>.
19. <http://www.fema.gov/pdf/onp/toolkit_app_d.pdf>.
20. Dorothy Denning, "Activism, Hactivism, and Cyberterrorism: The Internet as a tool for Influencing Foreign Policy," in John Arquilla and David Ronfeldt, ed.,
Networks and Netwars, (Rand, 2001), p. 241.
21. Serge Krasavin, What is Cyberterrorism?, Computer Crime Research Center, Apr. 23, 2004, <http://www.crime-research.org/analytics/Krasavin/>.
22. Dorothy Denning, Is Cyber War Next?, Social Science Research Council, Nov. 2001, <http://www.ssrc.org/sept11/essays/denning.htm>.
23. Dan Verton, A Definition of Cyber-terrorism, Computerworld, Aug. 11, 2003.
24. DHS press release, "Ridge Creates New Division to Combat Cyber Threats," June 6, 2003, <http://www.dhs.gov/dhspublic/display?content=916>.
25. John Arquilla and David Ronfeldt, "The Advent of Netwar (Revisited)," Networks and Netwars: The Future of Terror, Crime and Militancy, (Santa Monica: Rand, 2001), pp. 1-28.
26. An incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time. The Computer Emergency Response Team Coordination Center (CERT/CC) Statistics 1988-2004, <http://www.cert.org/stats/cert_stats.html>.
27. Many cyberattacks are unreported usually because the organization is unable to recognize that it has been attacked, or because the organization is reluctant to reveal publicly that it has experienced a computer attack. Government Accountability Office, Information Security: Further Efforts Needed to Fully Implement Statutory Requirements in DOD, GAO-03-1037T, July 24, 2003, p. 6.
28. Symantec, Symantec Internet Security Threat Report, Feb. 2003, p. 48.
29. "The Myths and Facts behind Cyber Security Risks for Industrial Control Systems," Proceedings of the ISA Expo 2004, Houston, Texas, Oct. 5, 2004.
30. Frank Tiboni, "DOD Plans Network Task Force," FCW.com, Sept. 28, 2004.
31. James Lewis, "Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats," Dec. 2002, <http://www.csis.org/tech/0211_lewis.pdf>.
32. At the annual conference of the Center for Conflict Studies, Phil Williams, Director of the Program on Terrorism and Trans-National Crime and the University of Pittsburgh, said an attack on the global financial system would likely focus on key nodes in the U.S. financial infrastructure: Fedwire and Fednet. Fedwire is the financial funds transfer system that exchanges money among U.S. banks, while Fednet is the electronic network that handles the transactions. The system has one primary installation and three backups. "You can find out on the Internet where the backups are. If those could be taken out by a mix of cyber and physical activities, the U.S. economy would basically come to a halt," Williams said. "If the takedown were to include the international funds transfer networks CHIPS and SWIFT then the entire global economy could be thrown into chaos." George Butters, "Expect Terrorist Attacks on Global Financial System," Oct. 10, 2003, <http://www.theregister.co.uk/content/55/33269.html>.
33. The simulation involved more than 100 participants. Gartner, Inc., "Cyberattacks: The Results of the Gartner/U.S. Naval War College Simulation," July 2002. War game participants were divided into cells, and devised attacks against the electrical power grid, telecommunications infrastructure, the Internet and the financial services sector. It was determined that "peer-to-peer networking", a special method of communicating where every PC used commonly available software to act as both a server and a client, posed a potentially critical threat to the Internet itself. William Jackson, "War College Calls Digital Pearl Harbor Doable," Government Computer News, Aug. 23, 2002.
34. The vulnerability was found in Abstract Syntax Notation One (ASN.1) encoding, and was extremely widespread. Ellen Messmer, "President's Advisor Predicts Cyber-catastrophes Unless Security Improves," Network World Fusion, July 9, 2002.
35. Barton Gellman, "Cyber-Attacks by Al Qaeda Feared," Washington Post, June 27, 2002, p. A01.
36. The most expensive natural disaster in U.S. history,
Hurricane Andrew, is reported to have caused $25 billion dollars in damage, while the Love Bug virus is estimated to have cost computer users around the world somewhere between $3 billion and $15 billion. However, the Love Bug virus was created and launched by a single university student in the Philippines, relying on inexpensive computer equipment. Christopher Miller, GAO Review of Weapon Systems Software, Mar. 3, 2003, Email communication, MillerC@gao.gov.
37. Congestion caused by the Blaster worm delayed the exchange of critical power grid control data across the public telecommunications network, which could have hampered the operators' ability to prevent the cascading effect of the blackout. Dan Verton, "Blaster Worm Linked to Severity of Blackout," Computerworld, Aug. 29, 2003.
38. Proprietary systems are unique, custom built software products intended for installation on a few (or a single) computers, and their uniqueness makes them a less attractive target for hackers. They are less attractive because finding a security vulnerability takes time (See Appendix A), and a hacker may usually not consider it worth their while to invest the preoperative surveillance and research needed to attack a proprietary system on a single computer. Widely used Commercial-Off-The-Shelf (COTS) software products, on the other hand, are more attractive to hackers because a single security vulnerability, once discovered in a COTS product, may be embedded in numerous computers that have the same COTS software product installed.
39. Industrial computers sometimes have operating requirements that differ from business or office computers. For example, monitoring a chemical process, or a telephone microwave tower may require 24-hour continuous availability for a critical industrial computer. Even though industrial systems may operate using COTS software (see above),
it may be economically difficult to justify suspending the operation of an industrial SCADA computer on a regular basis to take time to install every new security software patch. See interview with Michael Vatis, director of the Institute for Security Technology Studies related to counterterrorism and cybersecurity. Sharon Gaudin, "Security Expert: U.S. Companies Unprepared for Cyber Terror," Datamation, July 19, 2002. Also, Government Accountability Office, Information Security: Further Efforts Needed to Fully Implement Statutory Requirements in DOD, GAO-03-1037T, July 24, 2003, p. 8.
40. Kevin Poulsen, "Slammer Worm Crashed Ohio Nuke Plant Network," Security Focus, Aug. 19, 2003.
41. Scott Nance, "Debunking Fears: Exercise Finds 'Digital Pearl Harbor' Risk Small," Defense Week, Apr. 7, 2003.
42. Brigadier Gen. Dennis Moran, U.S. Central Command/J6, in U.S. Congress, House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities, Hearing on Military C4I Systems, Oct. 21, 2003.
43. Christopher Casteilli, "DOD and Thailand Run Classified 'Eligible Receiver' Info-War Exercise," Defense Information and Electronics Report, 2002, vol. 77, no. 44.
44. Briefing on "Eligible Receiver 2003" by DOD staff for the Congressional Research Service, January 9, 2003.
45. Some ships of the U.S. Navy use Windows software. Bill Murray, "Navy Carrier to Run Win 2000," GCN.com, Sept. 11, 2000. Major U.K. naval systems defense contractor, BAE Systems, also took the decision to standardize future development on Microsoft Windows. John Lettice, "OSS Torpedoed: Royal Navy Will Run on Windows for Warships," Register, Sept. 6, 2004, [http://www.theregister.co.uk/2004/09/06/ams_goes_windows_for_warships/].
46. Patience Wait, "Defense IT Security Can't Rest on COTS," GCN.com, Sept. 27, 2004.
47. Dawn Onley, "Army Urged to Step Up IT Security Focus," GCN.com, Sept. 2, 2004.
48. Patience Wait, "Defense IT Security Can't Rest on COTS," GCN.com, Sept. 27, 2004.
49.
"E-crime Watch Survey Shows Significant Increase in Electronic Crimes," CSOonline.com, May 25, 2004.
50. "Internet Worm Keeps Striking," January 27, 2003, CBSNews.
51. "CERT/CC Statistics 1988-2004," [http://www.cert.org/stats/cert_stats.html].
52. The SANS Institute, in cooperation with the National Infrastructure Protection Center (NIPC), publishes an annual list of the 10 most commonly exploited vulnerabilities for Windows systems and for Unix systems. The SANS/FBI Twenty Most Critical Internet Security Vulnerabilities, 2003, SANS, Apr. 15, 2003 [http://www.sans.org/top20/].
53. In September, 2003, Microsoft Corporation announced three new critical flaws in its latest Windows operating systems software. Security experts predicted that computer hackers may possibly exploit these new vulnerabilities by releasing more attack programs, such as the "Blaster worm" that recently targeted other Windows vulnerabilities causing widespread disruption on the Internet. Jaikumar Vijayan, "Attacks on New Windows Flaws Expected Soon," Computerworld, Sept. 15, 2003, vol. 37, no. 37, p. 1.
54. Jonathan Krim, "Security Report Puts Blame on Microsoft," Washingtonpost.com, Sept. 24, 2003. Joshua Green, "The Myth of Cyberterrorism," Washington Monthly, Nov. 2002.
55. Agencies operating national security systems must purchase software products from a list of lab-tested and evaluated products in a program that requires vendors to submit software for review in an accredited lab, a process (known as certification and accreditation under the Common Criteria, a testing program run by the National Information Assurance Partnership) that often takes a year and costs several thousand dollars. The review requirement previously has been limited to military national security software, however, the administration has stated that the government will undertake a review of the program in 2003 to "possibly extend" it as a new requirement for civilian agencies. Ellen Messmer,
White House issue "National Strategy to Secure Cyberspace," Network World Fusion, February 14, 2003.
56. Richard D. Pethia, Director, CERT/CC, Software Engineering Institute, Carnegie Mellon University, Testimony before the House Select Committee on Homeland Security, Subcommittee on Cybersecurity, Science, and Research and Development, Overview of the Cyber Problem--A Nation Dependent and Dealing with Risk, hearing, June 25, 2003, [http://www.cert.org/congressional_testimony/Pethia_testimony_06-25-03.html#factors].
57. Scott Charney, Chief Security Strategist, Microsoft, Statement before the House Committee on Armed Services, Terrorism, Unconventional Threats and Capabilities Subcommittee, Information Technology in the 21st Century Battlespace, hearing, July 24, 2003, p. 9.
58. A survey of 2000 PC users found that 42% had not downloaded the vendor patch to ward off the recent Blaster worm attack, 23% said they do not regularly download software updates, 21% do not update their anti-virus signatures, and 70% said they were not notified by their companies about the urgent threat due to the Blaster worm. Jaikumar Vijayan, "IT Managers Say They Are Being Worn Down by Wave of Attacks," Computerworld, Aug. 25, 2003, vol. 37, no. 34, p. 1.
59. According to security group Attrition.org, failure to keep software patches up to date resulted in 99 percent of 5,823 website defacements in 2003. Robert Lemos, "Software "Fixes" Routinely Available but Often Ignored," 2003, and Richard D. Pethia, Director, CERT/CC, Software Engineering Institute, Carnegie Mellon University, Testimony before the House Select Committee on Homeland Security, Subcommittee on Cybersecurity, Science, and Research and Development, Hearing on Overview of the Cyber Problem - A Nation Dependent and Dealing with Risk, June 25, 2003 [http://www.cert.org/congressional_testimony/Pethia_testimony_06-25-03.html#factors].
60. Gartner Inc., a technology research organization, has estimated that by 2004,
more than 80% of U.S. companies will have had high-level discussions about offshore outsourcing, and 40% will have completed a pilot program. Patrick Thibodeau, "Offshore's Rise Is Relentless," Computerworld, June 30, 2003, vol. 37, no. 26, p. 1.
61. Scott Charney, Chief Security Strategist, Microsoft, Statement before the House Committee on Armed Services, Terrorism, Unconventional Threats and Capabilities Subcommittee, Information Technology in the 21st Century Battlespace, hearing, July 24, 2003, p. 11.
62. The success of the Vehicle Borne Improvised Explosive Devices (VBIEDs) used in the May 11, 2003 terrorist attacks in Riyadh, likely depended on extensive advance surveillance of the multiple targets. Protective measures against such attacks rely largely on watching for signs of this pre-operational surveillance. Gary Harter, "Potential Indicators of Threats Involving VBIEDs," Homeland Security Bulletin, Risk Assessment Division, Information Analysis Directorate, DHS, May 15, 2003.
63. Dorothy Denning, "Levels of Cyberterror Capability: Terrorists and the Internet," [http://www.cs.georgetown.edu/~denning/infosec/Denning-Cyberterror-SRI.ppt], presentation, and Zack Phillips, "Homeland Tech Shop Wants to Jump-Start Cybersecurity Ideas," CQ Homeland Security, September 14, 2004.
64. Report was published in 1999, available at [http://www.nps.navy.mil/ctiw/reports/].
65. The Ashland Institute for Strategic Studies has observed that Al Qaeda is more fixated on physical threats than electronic ones. John Swartz, "Cyberterror Impact, Defense Under Scrutiny," USA Today, Aug. 3, 2004, p. 2B.
66. David Kaplan, "Playing Offense: The Inside Story of How U.S. Terrorist Hunters Are Going after Al Qaeda," U.S. News & World Report, June 2, 2003, pp. 19-29.
67. Robert Windrem, "9/11 Detainee: Attack Scaled Back," Sept. 21, 2003.
68. "Terrorism: An Introduction," April 4, 2003.
69. James Lewis, "Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats," Dec. 2002 [http://www.csis.org/tech/0211_lewis.pdf].
70. In May 2003, the President lifted all terrorism related sanctions that had been imposed on Iraq, taking it off the terrorism list, but only de facto. Libya is still on the list, although some sanctions have been eased. U.S. Department of State, 2003 Patterns of Global Terrorism Report, April 29, 2004, [http://www.state.gov/s/ct/rls/pgtrpt/2003/31644.htm].
71. Riptech Internet Security Threat Report, Attack Trends for Q1 and Q2 2002. (Riptech was purchased in 2002 by Symantec, Inc.)
72. Kim Zetter, "Faux Cyberwar," Computer Security, May 2003, vol. 6, no. 5, p. 22.
73. Brian McWilliams, "Iraq's Crash Course in Cyberwar," Wired News, May 22, 2003.
74. Brian McWilliams, "North Korea's School for Hackers," Wired News.com, June 2, 2003.
75. The civilian population of North Korea is reported to have a sparse number of computers, with only a few locations offering connections to the Internet, while South Korea is one of the most densely-wired countries in the world, with 70 percent of all households having broadband Internet access. During the recent global attack involving the "Slammer" computer worm, many Internet service providers in South Korea were severely affected. "North Korea May be Training Hackers," Miami Herald Online, May 16, 2003.
76. Dorothy Denning, "Cyber Terrorism," August 24, 2000, [http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc].
77. Hackers sell their information anonymously through secretive websites. Bob Francis, "Know Thy Hacker," Infoworld, January 28, 2005.
78. GAO has noted that many federal agencies have not implemented security requirements for most of their systems, and must meet new requirements under FISMA. See GAO Report GAO-03-852T, Information Security: Continued Efforts Needed to Fully Implement Statutory Requirements, June 24, 2003.
79. Tinabeth Burton, ITAA Finds Much to Praise in National Cybersecurity Plan, May 7, 2003.
80. DHS is comprised of five major divisions or directorates: Border & Transportation Security; Emergency Preparedness & Response; Science & Technology; Information Analysis & Infrastructure Protection; and Management. See [http://www.dhs.gov/dhspublic/display?theme=52].
81. Bara Vaida, "Warning Center for Cyber Attacks is Online, Official Says," Daily Briefing, GovExec.com, June 25, 2003.
82. The Cyber Warning Information Network (CWIN) provides voice and data connectivity to government and industry participants in support of critical infrastructure protection, [http://www.publicsectorinstitute.net/ELetters/HomelandSecurityStrategies/Volume1No1/CyberWarningNetLaunch.lsp].
83. [http://www.us-cert.gov/cas/].
84. Based on 2002 data submitted by federal agencies to the White House Office of Management and Budget, GAO noted, in testimony before the House Committee on Government Reform (GAO-03-564T, April 8, 2003), that all 24 agencies continue to have "significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse, and disruption." Christopher Lee, "Agencies Fail Cyber Test: Report Notes 'Significant Weaknesses' in Computer Security," November 20, 2002.
85. Wilson Dizard, "DOE Hacked 199 Times Last Year," GCN.com, September 30, 2004, and U.S. Department of Energy Office of Inspector General, Office of Audit Operations Evaluation Report, DOE/IG-0662, September, 2004, [http://www.ig.doe.gov/pdf/ig-0662.pdf].
86. Evaluation Report: The Department's Unclassified Cyber Security Program - 2004, DOE/IG-0662, September 2004, [http://www.ig.doe.gov/pdf/ig-0662.pdf].
87. Jerrold M. Post, Kevin G. Ruby, and Eric D. Shaw, "From Car Bombs to Logic Bombs: The Growing Threat From Information Terrorism," Terrorism and Political Violence, Summer 2000, vol. 12, no. 2, pp. 97-122.
88. Richard Clarke, "Vulnerability: What Are Al Qaeda's Capabilities?" PBS Frontline: Cyberwar, April 2003, [http://www.pbs.org].
89. Networking technologies,
such as the Internet, are advantageous for attackers who are geographically dispersed. Networking supports redundancy within an organization, and it suggests the use of swarming tactics, new weapons, and other new strategies for conducting conflict that show advantages over traditional government hierarchies. Inflexibility is a major disadvantage when a hierarchy confronts a networked organization. Networks blend offensive and defensive functions, while hierarchies struggle with allocating responsibility for either. John Arquilla, David Ronfeldt, 2001, Networks and Netwars, (Santa Monica: Rand, 2001), p. 285.
90. A well known source of information about the costs of cyberattacks is the annual computer security survey published by the Computer Security Institute (CSI), which utilizes data collected by the FBI. However, respondents to the CSI/FBI survey of computer security issues are generally limited only to CSI members, which may create statistical bias that affects the survey findings. Recently, CSI has also conceded weaknesses in its analytical approach and has suggested that its survey of computer security vulnerabilities and incidents may be more illustrative than systematic. However, the CSI/FBI survey remains useful despite its imperfect methodology. Bruce Berkowitz and Robert W. Hahn, "Cybersecurity: Who's Watching the Store?," Issues in Science and Technology, Spring 2003.
91. The guidance, known as National Security Presidential Directive 16, was signed in July 2002 and is intended to clarify circumstances under which an information warfare attack by DOD would be justified, and who has authority to launch a computer attack.
92. See CRS Report RL31787, Information Warfare and Cyberwar: Capabilities and Related Policy Issues, by Clay Wilson.
93. The laws of war are international rules that have evolved to resolve practical problems relating to military conflict, such as restraints to prevent misbehavior or atrocities,
and have not been legislated by an overarching central authority. The United States is party to various limiting treaties. For example, innocent civilians are protected during war under the Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May Be Deemed to be Excessively Injurious or to have Indiscriminate Effects. Sometimes the introduction of new technology tends to force changes in the understanding of the laws of war. Gary Anderson and Adam Gifford, "Order Out of Anarchy: The International Law of War," The Cato Journal, vol. 15, no. 1, p. 25-36.
94. Bradley Graham, "Bush Orders Guidelines for Cyber-Warfare," Washington Post, Feb. 7, 2003, p. 1.
95. Stanley Jakubiak and Lowell Wood, "DOD Uses Commercial Software and Equipment in Tactical Weapons," Statements before the House Military Research and Development Subcommittee, Hearing on EMP Threats to the U.S. Military and Civilian Infrastructure, October 7, 1999. House Armed Services Committee, Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack, hearing, July 22, 2004.
96. Funding for the controversial Terrorism Information Awareness program ended in 2004. The prototype system was formerly housed within the DARPA Information Awareness Office. Several related data mining research and development programs, now managed by different agencies, are designed to provide better advance information about terrorist planning and preparation activities to prevent future international terrorist attacks against the United States at home or abroad. A goal of data mining is to treat worldwide distributed database information as if it were housed within one centralized database. Report to Congress Regarding the Terrorism Information Awareness Program, Executive Summary, May 20 2003, p. 1.
97. House and Senate conferees voted on September 24 to end funding for TIA through 2004. Steven M. Cherry, "Controversial Pentagon Program Scuttled,
But Its Work Will Live On," IEEE Spectrum Online, Sept. 29, 2003, [http://www.spectrum.ieee.org].
98. Pentagon sources familiar with the "Anonymous Entity Resolution" technology have indicated that it may alleviate some of the issues associated with privacy protection. The product uses "entity-resolution techniques" to scramble data for security reasons. The software sifts through data such as names, phone numbers, addresses and information from employers to identify individuals listed under different names in separate databases. The software can find information by comparing records in multiple databases, however the information is scrambled using a "one-way hash function," which converts a record to a character string that serves as a unique identifier like a fingerprint. Persons being investigated remain anonymous, and agents can isolate particular records without examining any other personal information. A record that has been one-way hashed cannot be "unhashed" to reveal information contained in the original record. Steve Mollman, "Betting on Private Data Search," Wired.com, Mar. 11, 2003.
99. Robert O'Harrow, "U.S. Backs Florida's New Counterterrorism Database," Washington Post, Aug. 6, 2003, p. A01.
100. CRS Report RL31786, Total Information Awareness Programs: Funding, Composition, and Oversight Issues; CRS Report RL31730, Privacy: Total Information Awareness Programs and Related Information Access, Collection, and Protection Laws; CRS Report RL31798, Data Mining: An Overview; and CRS Report RL31846, Science and Technology Policy: Issues for the 108th Congress, 2nd Session.
101. The deputy director of the cybersecurity division, Andrew Purdy, has since been appointed interim director of U.S. cybersecurity.
102. Dan Verton, "Update: Cybersecurity Overhaul Legislation DOA in Congress," ComputerWorld, Sept. 23, 2004.
103.
The DHS cybersecurity center has five primary roles: conducting cybersecurity research; developing performance standards; fostering public-private sector communication; supporting the DHS information analysis and infrastructure protection directorate; and working with the National Science Foundation on educational programs, Congress Daily AM, May 15, 2003.
104. NORAD monitors first suspected that the explosion was a nuclear explosion, but satellites did not pick up an electromagnetic pulse that would have accompanied a nuclear detonation. William Safire, "The Farewell Dossier," New York Times, Feb. 4, 2004.
105. DHS press release, "Ridge Creates New Division to Combat Cyber Threats," June 6, 2003, [http://www.dhs.gov/dhspublic/display?content=916].
106. Statement by Amit Yoran, Director National Cyber Security Division Department of Homeland Security before the U.S. Senate Committee on the Judiciary Subcommittee on Terrorism, Technology, and Homeland Security, February 24, 2004, [http://www.us-cert.gov/policy/testimony_yoran_feb2404.html#nature].
107. Patience Wait, "Industry asks Congress for help on DHS cybersecurity role", Washington Technology, October 15, 2004.
108. Agencies operating national security systems are required to purchase software products from a list of lab-tested and evaluated products in a program run by the National Information Assurance Partnership (NIAP), a joint partnership between the National Security Agency and the National Institute of Standards and Technology. The NIAP is the U.S. government program that works with organizations in a dozen other countries around the world which have endorsed the international security-evaluation regimen known as the "Common Criteria." The program requires vendors to submit software for review in an accredited lab, a process that often takes a year and costs several thousand dollars. The review previously was limited to military national security software and equipment, however,
the Administration has stated that the government will undertake a review of the program to "possibly extend" this software certification requirement to civilian agencies. Ellen Messmer, White House issue "National Strategy to Secure Cyberspace," Network World Fusion, February 14, 2003.
109. Business executives may be cautious about spending for large new technology projects, such as placing new emphasis on computer security. Results from a February 2003 survey of business executives indicated that 45 percent of respondents believed that many large Information Technology (IT) projects are often too expensive to justify. Managers in the survey pointed to the estimated $125.9 billion dollars spent on IT projects between 1977 and 2000 in preparation for the year 2000 (Y2K) changeover, now viewed by some as a nonevent. Sources reported that some board-level executives stated that the Y2K problem was overblown and over funded then, and as a result, they are now much more cautious about future spending for any new, massive IT initiatives. Gary H. Anthes and Thomas Hoffman, "Tarnished Image," Computerworld, May 12, 2003, vol. 37, no. 19, p. 37.
110. Howard Schmidt points out that major technology firms now promote anti-virus software and encourage better cybersecurity practices. He stresses that market forces are causing private industry to improve security of products. Martin Kady, "Cybersecurity a Weak Link in Homeland's Armor," CQ Weekly, Feb. 14, 2005. Meanwhile, Richard Clarke, who initially opposed regulation during his tenure in the Clinton and Bush administrations, now states that the IT industry only responds to improve security of its products when regulation is threatened. William Jackson, "To Regulate or Not to Regulate? That Is the Question," Government Computer News, Feb. 26, 2005.
111. Building in more security adds to the cost of a software product. Now that software features are similar across brands, software vendors have indicated that their customers,
including federal government agencies, often make purchases based largely on product price. Conference on Software Product Security Features, Information Assurance Technical Information Framework Forum, Laurel, Maryland, NSA, 2001.
112. A 2004 survey of 329 PC users revealed that most computer users think they are safe but lack basic protections against viruses, spyware, hackers, and other online threats. In addition, large majorities of home computer users have been infected with viruses and spyware and remain highly vulnerable to future infections. AOL and the National Cyber Security Alliance, "Largest In-home Study of Home Computer Users Shows Major Online Threats, Perception Gap," Oct. 2004, [http://www.staysafeonline.info/news/NCSA-AOLIn-HomeStudyRelease.pdf].
113. A spokesperson for the Computer Emergency Response Team at Carnegie Mellon has reportedly stated that most people may not yet realize that anti-virus software and a firewall are no longer enough to protect computers anymore. Charles Duhigg, "Fight Against Viruses May Move to Servers," Washington Post, Aug. 28, 2003, p. E01.
114. Government Accountability Office, Homeland Security: Efforts To Improve Information Sharing Need to Be Strengthened, GAO-03-760, August 2003.
115. CRS Report RL30153, Critical Infrastructures: Background, Policy and Implementation, by John Moteff.
116. Trace back to identify a cyberattacker at the granular level remains problematic. Dorothy Denning, Information Warfare and Security, (Addison-Wesley, 1999), p. 217.
117. In Argentina, a group calling themselves the X-Team, hacked into the website of that country's Supreme Court in April 2002. The trial judge stated that the law in his country covers crime against people, things, and animals but not websites. The group on trial was declared not guilty of breaking into the website. Paul Hillbeck, "Argentine Judge Rules in Favor of Computer Hackers," Feb. 5, 2002.
118. Abraham D. Sofaer, et.al., The Hoover Institution,
The Consortium for Research on Information Security and Policy (CRISP), and The Center for International Security and Cooperation (CISAC) Stanford University, "A Proposal for an International Convention on Cyber Crime and Terrorism," August 2000, [http://www.iwar.org.uk/law/resources/cybercrime/stanford/cisac-draft.htm].
119. In 2000, news sources reported that the Defense Agency of Japan halted the introduction of a new computer system after discovering that some of the software had been developed by members of the Aum Shinrikyo cult, which was responsible for the fatal 1995 Tokyo subway gas attack. The Defense Agency was one of 90 government agencies and industry firms that had ordered software produced by the cult. Richard Power, Current & Future Danger: A CSI Primer on Computer Crime and Information Warfare, Computer Security Institute, 2000.
120. Dan Verton, "Offshore Coding Work Raises Security Concerns," Computerworld, May 5, 2003, vol. 37, no. 18, p. 1.
121. Under FISMA, the Director of OMB: oversees the implementation of information security policies for civilian federal agencies, requires agencies to identify and provide information security protection appropriate for the level of risk and magnitude of harm resulting from possible destruction of information or systems, and coordinates the development of security standards and guidelines developed between NIST, NSA, and other agencies to assure they are complementary with standards and guidelines developed for national security systems. See 44 U.S.C., Section 3543 (a).
122. Using these five basic steps, often supplemented with automated intrusion tools, attackers have successfully taken over computer systems and remained undetected for long periods of time. Ed Skoudis, Counter Hack, (New Jersey: Prentice Hall, 2002).
123. These include Ed Skoudis, Counter Hack: A Step-By-Step Guide to Computer Attacks and Effective Defenses, (New Jersey: Prentice Hall, 2002); Winn Schwartau,
Information Warfare: Cyberterrorism: Protecting Your Personal Security in the Electronic Age, (Publishers Group West, 1996); and Jeff Crume, Inside Internet Security: What Hackers Don't Want You To Know, (Pearson Education Limited, 2000).
124. For more about Spyware, see Spywareinfo at [http://www.spywareinfo.com/].
125. An attacker may use an automatic "War Dialing" tool that dials thousands of telephone numbers, looking for modems connected to a computer. If a computer modem answers when the War Dialer calls, the attacker may have located a way to enter an organization's network and bypass firewall security. A newer way of scanning for vulnerabilities is called "War Driving", where hackers drive randomly through a neighborhood trying to detect signals from business or home wireless networks. Once a network is detected, the hacker may park nearby and attempt to log on to gain free, unauthorized access. Kevin Poulsen, "War Driving by the Bay," Securityfocus.com, April 12, 2001.
126. New "antiforensics tools" are now available on the Internet that allow hackers to more effectively hide their actions, and thus defeat more investigators who search for technical evidence of computer intrusions. Anne Saita, "Antiforensics: The Looming Arms Race," Information Security, May 2003, vol. 6, no. 5, p. 13.
127. In September 2003, DHS warned U.S. industry and the federal government to expect potentially significant attacks to emerge against Internet operations, similar to the recent Blaster worm exploit, because of newly discovered critical flaws in Windows software that were announced by Microsoft Corporation. Jaikumar Vijayan, "Attacks on New Windows Flaws Expected Soon," Computerworld, Sept. 15, 2003, vol. 37, no. 37, p. 1.
128. A single reported computer security incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.
CERT estimates that as much as 80 percent of actual security incidents goes unreported, in most cases because the organization was unable to recognize that its systems had been penetrated or there were no indications of penetration or attack; or the organization was reluctant to publicly admit to being a victim of a computer security breach. CERT, 2003, "CERT/CC Statistics 1988-2002," April 15, 2003, [http://www.cert.org/stats/cert_stats.html#incidents]. "CERT/CC Statistics, 2003," [http://www.cert.org/stats/cert_stats.html].
129. MARC Commuter and CSX freight rail service experienced cancellations and delays on August 21, 2003, because of a virus that disabled the computer systems at the CSX railway Jacksonville, Florida headquarters. The "Blaster" computer worm attacked more than 500,000 computers worldwide within one week. The "Blaster" attack was quickly followed the next week by another worm that spread worldwide, called "Welchia," which installed itself on computers by taking advantage of the same vulnerability used by Blaster. Brian Krebs, "'Good' Worm Fixes Infected Computers," Washingtonpost.com, Aug. 18, 2003. The "Welchia" worm also disrupted the highly secure Navy Marine Corps Intranet (NMCI) during the week of August 11, by flooding it with unwanted traffic. This was the first time that military network was disrupted by an outside cyberattack. Diane Frank, "Attack of the Worms: Feds Get Wake-Up Call," Federal Computer Week, Aug. 25, 2003, vol. 17, no. 29, p. 8.
130. The FBI is investigating what private security experts believe to be the first Internet attack aimed primarily at a single economic sector. The malicious code, discovered in June 2003, contains a list of roughly 1,200 Web addresses for many of the world's largest financial institutions, including J.P. Morgan Chase & Co., American Express Co., Wachovia Corp., Bank of America Corp. and Citibank N.A. "Bugbear" is a polymorphic worm/virus that has keystroke-logging and mass-mailing capabilities,
and attempts to terminate various antivirus and firewall programs. Though most major banks do not put sensitive information on the Internet, the worm will attempt to use information captured from a desktop PC to break into restricted computers that do contain financial data. For example, experts found that the Bugbear software is programmed to determine whether a victim used an e-mail address that belonged to any of the 1,300 financial institutions listed in its blueprints. If a match is made, it tries to steal passwords and other information that would make it easier for hackers to break into a bank's networks. The software then transmits stolen passwords to 10 e-mail addresses, which also are included in the blueprints. But experts said that on the Internet anyone can easily open a free e-mail account using a false name, and so knowing those addresses might not lead detectives to the culprit. A.P., "Feds Warn Banks About Internet Attack," CNN.Com, June 10, 2003.
131. The Naval Postgraduate School is developing a new network security tool called "Therminator" that is designed to detect possible computer attacks by carefully monitoring network traffic. Jason Ma, "NPS Touts Therminator As Early-Warning Tool for Computer Attacks," Inside the Navy, Navy-16-40-12, Oct. 6, 2003.
132. The "Slammer" worm attacked Microsoft's database software and spread through the Internet over one weekend in January 2003. According to a preliminary study coordinated by the Cooperative Association for Internet Data Analysis (CAIDA), on January 25, 2003, the SQL Slammer worm (also known as "Sapphire") infected more than 90 percent of vulnerable computers worldwide within 10 minutes of its release on the Internet, making it the fastest computer worm in history. As the study reports, exploiting a known vulnerability for which a patch has been available since July 2002, Slammer doubled in size every 8.5 seconds and achieved its full scanning rate (55 million scans per second) after about 3 minutes.
It caused considerable harm through network outages and such unforeseen consequences as canceled airline flights and automated teller machine (ATM) failures. Further, the study emphasizes that the effects would likely have been more severe had Slammer carried a malicious payload, attacked a more widespread vulnerability, or targeted a more popular service. The malicious code disrupted more than 13,000 Bank of America automated teller machines, causing some machines to stop issuing money, and took most of South Korea Internet users offline. As many as five of the 13 Internet root name servers were also slowed or disabled, according to Anti-virus firm F-Secure. Robert F. Dacey, "INFORMATION SECURITY: Progress Made, But Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructures," 2003; Matt Loney, "Slammer attacks may become way of life for Net," Cnet.News.com, Feb. 6, 2003; Robert Lemos, "Worm exposes apathy, Microsoft flaws," Cnet.News.com, Jan. 26, 2003.
133. "Report to Congress Regarding the Terrorism Information Awareness Program," Executive Summary, May 20, 2003, p. 3.
134. Jerry Seper, "'Sleeper Cells' of Al Qaeda Active in U.S. Despite War," Washington Times, Feb. 11, 2004.
135. U.S. Citizen Services, "Travel Warnings and Warden Messages," June 16, 2004, [http://riyadh.usembassy.gov/saudi-arabia/w1504.html].