For years people have been talking about the threat of a Cyber Pearl Harbor or Digital September 11th event. There is a perception that this event would be an isolated incident that cripples society as we know it – heck, there is even a TV show about it. But what are the possibilities for such an occurrence in reality? Let’s take a look at three realistic categories where cyber terrorism is either already upon us or having its comeuppance.
Let’s look at four attack profiles which would reasonably either lead to loss of life or have the potential to leave the victim inevitably stricken with fear:
PUBLIC SCENARIO ONE: Large Scale Communications or Power Outage especially during a Terrorist or Natural Crisis Event
We’ve known for quite some time that cutting off communications during crisis periods will impede first responders’ situational awareness, exacerbate suffering and pain and might increase the loss of life. This means that the Pearl Harbor event of our time could consist of multiple components, including a physical attack, with a corresponding cyberattack component that targets the communications systems first responders use to contain and minimize damage.
These days it seems like not a day goes by without a widely reported terrorist attack of some sort, but can the day be far away where efforts such as these are magnified by an effective outage on communications or first responders? Think this is crazy? Look at this bulletin issued in 2013 by public safety organizations asking for assistance in cracking a Telephony Denial-of-Service (TDOS) attack against 911 systems.
PUBLIC SCENARIO TWO: Cyber Attacks against Public Transportation Systems
We all inherently understand that from trains, planes, buses to automobiles, our entire public transportation system is becoming more automated. Ironically, this automation is meant to provide us with increased safety, more reliable service and efficiencies. But is it really providing those things? If you have been following the public transportation system cyber security threats as close as I have, you’d realize that there have already been many attacks, some of which have distinguished themselves as harbingers of future attacks categories. In case you missed it, I have pointed out four real world examples in a recent blog of mine which help punctuate through example the problem.
Not only are the basic forms of transportation under more and more threats, so is the perilous aviation industry, which was so highly correlated to September 11th. Aviation terror threats, like water, tend to take the path of least resistance. We now know through numerous external analysis and documented evidence that the aviation sector is vulnerable to cyber-attacks. How long will it be before the terror strikes will evolve in the aviation industry, like they did around the world, to the cyber front? Should you have responsibility for any aspect of these areas, please don’t be a bystander. Be proactive about onboarding controls and saving peoples’ lives.
PERSONAL SCENARIO ONE: Cyber-Ransoming a Critical Healthcare Device or System (IoT Attacks)
Imagine if you will that one day you must wear an implantable healthcare device like a defibrillator to maintain your life. Now imagine that this device is hacked and being held for ransom? Believe it is science fiction? Well, the idea of hacking defibrillators is not, and cyber-ransom is the fastest growing motive and technique in cyber-attacks, so can the marriage of these two issues be far off? For those of you unfamiliar with these risks and U.S. Government-issued warnings in this category, please refer to the FDA’s Advice to Medical Device Manufacturers, a summary of FBI & DHS alerts on Internet of things, and these warnings on Cyber-Ransoming.
PERSONAL SCENARIO Two: Financial or personalized record loss, record changes or deletions.
If we are really honest with ourselves, we live two lives (or more). One life is our flesh and blood and represents the ‘real’ you, and the other lives are our various avatars online, which are required for highly functioning citizenry. These avatars represent our financial, health, education, and more often than not, even our love interests (and many more categories).
The question resides, who is the definitive source of who we are?
Now before you answer this question, let me ask you this – – if you are on a job interview and your answer to a question says one thing about your education history and a report back from your institution says another, who rules the day? I think we can take this analogy quite far, but the reality is that your online avatar has actually transcended to represent and require high security and fidelity in order for you to function properly in society.
Given this, the fact remains that one of the single most personalized terrorized acts which can occur is for a wide-scale record loss, alteration or deletion to occur with no reconstitution capability. This should strike fear in us all.
Conclusion: Yes, of course Cyberattacks can be terrorizing!
The main questions to be asked as we move forward are as follows:
- If physical terror has played such a major role today’s strife, why can’t cybersecurity sabotage be far behind?
- Given the above current threat landscape, what controls/testing are done to ensure that the public risk is abated through proactive measures, and the private scenarios are regulated so that we can trust our internet avatar system like we trust our financial system?
Given the threat landscape evolution and importance of the sanctity and trustworthiness of online systems, I believe this is an area where the government needs to step in and provide something like a Federal Bureau of Cyber Security, separate from the charter of all others, and whose role would be equivalent to the Physical Secret Service in numerous ways. However, its operating space and domain would be one with ghostly characteristics of computer-warfare. The charter of this group would be similar, to defend the citizenry of the land, however the belief is that the execution would need to cover the freedom of press and speech overall.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.