By Mark Rasch
Last week, the White House announced the creation of a new Special Advisor
to the President for Cyber Security, and installed Richard Clarke in that
position. Fresh warnings were issued about the threats of new forms of
terrorism, including cyber terrorism. But what exactly is cyber
terrorism? What are the government's responses, from a technical and
legal perspective, and what are the costs of such response?
While there is no universally accepted definition of terrorism, and
therefore no universally accepted definition of cyber terrorism, there
are a few attributes of terrorism that hold true for its conventional as
well as electronic methodology. Keep in mind of course that whether an
attack is considered to be a terrorist attack or a legitimate use of
force may frequently depend upon the attacker.
It is somewhat tautological to point out that the essence of terrorism is
terror. In the wake of the September 11 attacks, we have seen a massive
disruption that, like ripples in a still lake, reverberates well beyond the
World Trade Center and the Pentagon. People are afraid to travel on
airplanes, work in large office buildings, open their mail, and use the
rails. Some people are stockpiling food, water and antibiotics in
anticipation of new and more virulent threats. Terrorism inflicts on its
victims a sense of fear and mistrust of previously accepted safe havens.
It also inspires governments and individuals to respond in a manner
disproportionate to the actual threat inflicted by the attacks themselves.
Thus, a half dozen anthrax cases in New York and Florida cause pharmacies
in Des Moines to sell out of the antibiotic Cipro. Fear that terrorists
may have used email to communicate causes the FBI and other government
agencies to demand, and Congress to acquiesce in granting, new powers to
Because the essence of terrorism is terror, the Internet is a relatively
poor vehicle for attack. If you blow up a shopping center, people across
the nation are afraid to shop and are terrorized. If you disrupt the
Internet, however, or other infrastructures, people are inconvenienced,
but generally not terrorized. Indeed, the Internet is a better tool for
terrorists or propagandists if it is running properly. It can be used to
spread information -- true or false -- rumor, panic and political
We also have to distinguish between cyber terrorism, cyber warfare, cyber
attacks, and information warfare. Cyber attacks, either by organized
groups of hackers, disgruntled employees, thieves, teenagers or even
governments have been endemic to the Internet, and will continue. They
may include viruses, worms, Trojans, as well as denial of service
attacks, and straight unauthorized access attacks.
CRITICAL INFRASTRUCTURES. Information warfare includes the use of rumor, propaganda, and the prevention of access to competing information to wage psychological war on an adversary. The Bin Laden videotape represents a form of information warfare, as does the White House's effort to prevent or limit its raw distribution. The distribution of leaflets over Afghanistan likewise represents a form of information warfare. It would be naïve to believe that the Internet is not and will not be a tool for both affirmative and negative information warfare.
Cyber war represents a different character. The United States government,
while bombing the critical infrastructures of the Taliban-controlled
portions of Afghanistan, could use electronic devices to disrupt the
infrastructure as well. Logic bombs could disrupt water, power and
telecommunications systems. Denial of Service attacks could affect
command and control systems.
The problems with protecting America from all of these attacks are
interrelated. The vast majority of the critical infrastructure of the
United States -- those networks that are essential for the running of the
economy and the nation -- are in the hands not of the government, but of
the private sector.
Telecommunications, water, electricity, nuclear power, gas distribution,
transportation systems, banking and financial sectors are all run by
corporate America, not by some agency or department.
It is these corporations that will be required to invest in new hardware,
software, training and policies to protect against cyber terrorism. But
there are many things the government can do to help.
ENCOURAGE INFORMATION SHARING. Information Sharing and Analysis Centers (ISACs) are voluntary groups within critical infrastructures that permit and facilitate the free sharing of information about threats, vulnerabilities and incidents that may be a prelude to an attack, or may give early warning of an attack.
The ability to share information free from regulation and without
attribution, and the competent and thorough analysis of this raw data, is
essential for these ISACs to work properly.
The government can facilitate these voluntary sharing mechanisms by
making the data in them immune from disclosure, removing liability for
companies for good faith reporting of such information, and by
voluntarily sharing unclassified intelligence data with the private
sector in a secure manner.
Key individuals within the private sector should also have access to
classified threat data so they can respond appropriately.
EDUCATE. A traditional governmental role has been to train the next generation of warriors -- both offensive and defensive. The government can help fund and endow university programs in cyber security, creating a new generation of security professionals with skills that will assist in protecting not only the national defense, but also the commercial infrastructure.
Government funded and supported training programs should be introduced to
raise awareness in the public and private sector about the genuine threats
to the electronic infrastructure.
Government agencies, such as the National Institute of Standards and
Technology (NIST), can perform basic research and testing on hardware,
software or implementations, and can make recommendations about new
security practices that will harden the infrastructure.
As a large-scale purchaser of hardware and software, the government can
also demand security and secure implementation as a condition precedent to
purchasing. This alone may skew the market in favor of more secure
OFFER TAX INCENTIVES. The commercial sector generally places security among the factors it considers in making purchasing and resource decisions. Using a
cost-benefit analysis, companies decide on the level of protection they deem reasonable, depending upon the criticality of the application and data, and the cost of securing it.
If the government believes that, for national security purposes, this
level is too low, it may provide direct grants to companies in the
critical infrastructure, direct support for security, or tax incentives
to companies to provide additional security.
Just as nobody would have expected the owners of the World Trade Center
towers to be responsible for providing F-18s to intercept incoming
airplanes, we must redefine the government private sector roles and
The United States is perhaps the most vulnerable to cyber attacks, being
among the most technologically advanced and dependent nations on the
planet. The asymmetric nature of the attack makes us even more
vulnerable. While panic is both unproductive and unwarranted, there is
much more that can and should be done to protect critical infrastructures
from attack. There is a business case for much of this, and most
security measures are not expensive. Only through effective cooperation
between the public and private sector, based upon trust and mutual
respect, can this be achieved.
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive
Systems Inc. in Reston, Virginia, a computer security and network design
consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the
head of the U.S. Department of Justice Computer Crime Unit and prosecuted
a series of high profile computer crime cases from 1984 to 1991.