Cyberterrorism poses limited risk
Cyberwarfare is not as simple as Hollywood would have it. A good old secret agent can do more damage than a digital attack.
Matthew Broderick in his bedroom in War Games. Bruce Willis fighting cyber-terrorists in Die Hard 4.0.
For 30 years, Hollywood has produced movies where a single hacker sitting in front of a computer screen can bring the world to the brink of collapse.
The real world is quite different.
“It is very difficult (for a lone hacker) to inflict serious damage,” says researcher Sverre Diesen. “Even for a great power with a lot of resources, an online attack may well fail. An attack with traditional weapons is often more likely to succeed.”
The former Norwegian Chief of Defence is now a researcher at FFI, the Norwegian Defence Research Establishment.
Diesen plays down the risk of terrorists using the Internet to take control of the electric grid, telecommunications, banks or other key elements in Norwegian society.
“Obviously, nothing is impossible, but it is extremely unlikely,” he said.
Bombs are more efficient
The goal of any terrorist is not only to do harm, but to get attention.
“A spectacular attack using cyberterrorism would be very complicated. It would be a lot easier to simply fill a truck with explosives and drive it into a vulnerable spot, or produce nerve gas and release it on the subway,” Diesen points out.
The Web is important for terrorists, but for entirely different reasons.
Terrorists use the Web "for propaganda and recruitment and to assume responsibility for their actions.” says Diesen's colleague Torgeir Broen, who is also a researcher at FFI,
Studying cyber power
FFI has started to develop a study of the use of computers in warfare. The researchers say that there is a big difference between opportunistic crime and targeted terror and warfare.
The cyber domain
The cyber domain is defined as “a global domain realized through physical or logical interconnections of information.” This includes physical and virtual network devices, communication infrastructure, media and data.
It is divided into open and closed networks. Open networks are linked to the Internet, where it is normal to use publicly available software.
Closed networks are not connected to the Internet, and often involve the use of special software. Important military information infrastructure normally belongs to this category.
Broen points out that “online crime for financial gain is tremendously widespread. But these criminals do not have to take over one particular machine. That is much more difficult.”
Layer upon layer upon layer
Although it is possible to access the user area of a slightly sloppy operator who has used the name of his cat or the birthday of his wife as his password, you have to bypass quite a few security layers to even begin to guess the password.
“If you want to take control of an industrial control system, such as a nuclear power plant, you have to enter the computer system of the energy company,” Diesen explains. “So you have to get into a specific network. Then you have to get into a specific computer on the network, and then into a specific software component.”
“You have to know these systems well. For example, you have to know which version of the applications they use and how they are used. The difficulties quickly pile up,” he says.
All this means that if military hackers from another country want to be able to do some damage, they need information. A lot of information.
As Broen says, “these operations are so dependent on intelligence that the link between the people engaged in hacking operations and the intelligence service is very close. It has to be.”
Diesen admits that it is hard to get people to understand this.
“We are struggling with perceptions created by the entertainment industry. These things seem far easier than they are in reality,” he says. Hacker movies are good entertainment, but not more than that, he adds.
Attacks on Iran's nuclear centrifuges
Diesen distinguishes between open and closed networks. Closed networks are not connected to the Internet. This is the case for military networks and industrial control networks.
He also explains that there is a tendency for more and more networks to be connected to the Internet to be fully functional.
But “closed systems increasingly use the same software as open networks," Broen says. "Security mechanisms in commercial software are often better than those found in specialized software, in part because they are exposed to a lot of attacks.”
It is possible to do physical damage via digital attacks. But there are few examples of this. One example is Stuxnet – the worm that destroyed the centrifuges for Iran’s nuclear programme three-and-a-half years ago.
Fooling the adversary
The FFI researchers point out that a real world cyberattack would be quite different.
“It would probably be more of a supplement to the use of physical force. The attack would deny the adversary access to their own systems during a critical window of time,” Diesen says.
“This can be done by a completely open penetration, where the adversary is forced to turn off the system because he sees that it is compromised - or more subtly, by manipulating information covertly,” he explains.
An example of this would be a radar system failing to show incoming planes as they are closing in.
A cyberattack is both uncertain and unique. It is not possible to practice under completely realistic conditions, and you cannot know if it will succeed.
After an attack your adversaries will be able to protect themselves against the method that was used, and your enemies may even use it for a counter-attack.
The old way
It is easier to inflict damage ”the old way”, using physical intrusions or disloyal people.
“If the target is a computer system that is not connected to the Internet, you have to get physical access with a memory stick or something similar. It is easier to use blackmail or manipulation of unfaithful workers than it is to breach firewalls and security mechanisms,” says Diesen.
“It's like stealing a car: Stealing a modern car is very difficult, it's easier to steal the key,” he says. Thus, it is not possible to be completely safe, even in a closed network.
“Even military systems are used so widely that we must assume that their counterparts have access to them. Things can't just break down if the enemy breaches the system. Our goal has to be to be able to keep using the system, even if a system is breached,” Diesen says.
Computer experts under military command
The subject of FFI’s cyberpower study is the role of the military. One of the topics is the demarcation between the military and the National Security Authority.
“The emergency apparatus of civil society should monitor and protect vital computer systems. We have looked at how the military could reinforce this kind of work,” says Diesen.
“The military has a rather limited capability when it comes to strengthening civil society,” Broen adds. “Computer systems are tailored to the users' purposes. The military does not have the ability to defend the computer systems of civil institutions such as banks.”
However, it is possible to talk about a solution where a service provider is placed under military command. There were a number of these kinds contingency arrangements in place during the Cold War. However, there is a lot of “uncharted political territory” here, in Diesen's assessment.
“This is what we call a cyber reserve. Other countries are planning to introduce similar models. Estonia, the Netherlands and the UK have introduced it or are studying it,” Broen says.
The cyber power study from FFI will be completed next autumn. But - surprise! - you probably won’t get to read that much of it.
“But we will produce a simpler, unclassified report,” Broen says.
Translated by: Lars Nygaard