Attacking Through the Wires: Cyber Terrorism, Hackers and Cyber Security

by Eric Green

In the wake of the September 11th attacks, the nation is working to bolster security on many fronts. One particularly vulnerable area is information technology (IT) security.

Computers are an integral part of the nation's infrastructure. They retain vast amounts of critical data and sustain the progress of e-commerce. With such heavy reliance on technology, any disruption can have disastrous effects. But cyber threats are very real and potentially very serious. How can the United States — and the world — protect itself from digital rogues?

The Threat Potential Is Huge

Cyber terrorism can take many forms. Computers regulate dams, power grids, phone services, fire control systems, gas pipelines, and even public transportation. If terrorists were able to gain control of any of these systems individually, they could flood a town, contaminate the water supply, take out
9-1-1 emergency phone service, or even prevent the effectiveness of emergency response teams. Combine this capability with a conventional terrorist attack, and the effects would be devastating. As tragic as the events of September 11th were, had rescue crews not had reliable water, power and communications systems, rescue and containment efforts would have been nearly impossible.

What Once Was Only Hollywood Is Now Life As We Know It

For years, the public viewed computer "hackers" as mischievous computer enthusiasts who played relatively harmless technological pranks on corporations or government offices, thus exposing vulnerabilities in their security networks or making political statements. Scenes from such movies as The Net, which portrayed hackers who could change someone's identification and criminal record with ease, seemed unsettling and yet improbable. Unfortunately, in real life, some of the more malicious hackers have evolved into professional extortionists and thieves, committing credit card fraud and wreaking havoc on major e-commerce websites, not to mention casual home users.

Hackers' Damage Costs Millions to 'Undo'

Hackers experimenting with "worms" and "viruses" have cost corporations billions in lost data, computer repair and virus protection. Computer Economics magazine estimated that the total economic impact of the "Code Red" worm in 2001 was $2.6 billion; "Sircam" cost another $1.3 billion. In comparison, the magazine estimates that the United States will spend some $15.8 billion to restore IT and communications capabilities damaged by the September 11th attacks.

Corporate America has been forced to wage an all-out war against would-be cyber intruders; they must continually plug the security holes that enable illegal and destructive activity. But will this prove to be enough?

Legislation May Help In the Long Run

Although no quick fix for IT vulnerability exists, Congress and industry have proposed a number of long-term solutions. In letters to Congress and in testimony before the Senate, IEEE-USA has supported the Cyber Security Research and Development Act, which passed in the House on 7 February by a vote of 400-12 and has since passed in the Senate Commerce Committee. The bill would appropriate funds to the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) for establishing security research and development programs.

Developing Expertise Is Critical

The United States is home to more technological experts than any other nation in the world. Even so, the country continues to lack expertise in cyber security. In an interview for the February 2002 issue of The Institute, IEEE Fellow Dr. Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security in West Lafayette, Ind., said, "There are probably fewer than 100 faculty in the United States who really have some experience in the [computer security research] arena." To help fill that void, the Cyber Security Research and Development Act would require that some programs be designated not only for the purpose of research, but also to train more cyber security specialists.

Ron Hira, IEEE-USA's Research & Development Policy Committee chair, testified in April before the Senate Subcommittee on Science, Technology and Space to support both the Cyber Security Research and Development Act and the Science and Technology Emergency Mobilization Act, which would establish an office to provide technological and scientific expertise in the event of a national emergency. IEEE-USA endorses the proposal of this latter bill, with the caveat that bringing in a team of experts may not be the best response, if the attacked system already has an expert in place.

Congress is also considering similar plans that would establish a cyber security task force. However, the exact role of such a group remains unclear. Would they be responsible for finding security holes? Would they protect government and infrastructure sites only? Would they track down the source of known terrorist hacks, or just prevent them? Would the group be part of the new Homeland Security Agency? And where would the group be located? Congress will try to answer these and other related questions in the coming months.

Diligence in the Short-Term — Plan for the Long-Term

Faced with elusive and cunning cyber terrorists, the importance of having a secure network has never been more obvious. Cyber security is critical to maintaining the strength of the nation's infrastructure. Antiquated systems that control utilities are barely secure and must be updated. In addition, the government must take proactive steps toward fighting digital terror. As National Academy of Engineering president William Wulf told The Institute (February 2002), "well-funded, long-term basic research on computer security is vital to our national security."

---

Eric Green, a junior electrical engineering student at Baylor University in Waco, Texas, was IEEE-USA's Intellectual Property Committee summer intern.