London, UK - 14 December 2004, 00:30 GMT - More than three OECD member countries outside the US are embarking on cyber terrorism exercises in December this year and the first quarter of 2005 to test key components of their critical economic infrastructure. These imminent exercises enable those countries to prepare against potential sabotage of critical components and allow the nation states to evaluate their readiness against threats in a controlled environment. The information gathered through those drills sheds new light on the potential impact of cyber-attacks on critical facilities and also allows those countries to enhance their nation-wide emergency operations. Specific techniques used for the drill involve computer and communications hacking, physical attack simulation and media manipulation.

In the last ten days, two former CIA directors, Robert Gates and George Tenet, have warned that a cyber attack could cripple the US economy and stated that foreign intelligence services are far ahead of their US counterparts when it comes to understanding the threat posed by cyber terrorism. "The internet," Tenet claimed at a recent security conference in Washington DC, "represents a potential Achilles heel for our financial stability and physical security if the networks we are creating are not protected." "Efforts at physical security will not be enough," he argued, "because the thinking enemy that we confront is going to school on our network vulnerabilities." He said that there were "known adversaries conducting research on information attacks," including "intelligence services, military organisations and non-state actors."

Mr Tenet, who left the CIA in July after serving as director for seven years, warned that Al-Qaeda - although its primary leadership had been largely destroyed - remained "a sophisticated, intelligent organization with enormous capability." The secondary leadership that was emerging, he added, envisioned "a global, decentralised movement" whose ability to multiply depended crucially on the internet, which enabled them to share information from explosives' recipes to the best ways to get into Iraq undetected. The group, he said, was "undoubtedly mapping vulnerabilities and weaknesses in our telecommunications networks."

Following the earlier drills in 2004, the second set of cyber-terror exercises involve the execution of impact analysis studies on unnamed facilities, co-coordinating planning and logistics as well as assessing current emergency response capability. Through the cyber warfare drills that specific countries are conducting, those nations aim to reach a new level of preparedness against potential attacks. By applying the knowledge gathered through those exercises, they aim to reduce vulnerabilities and improve response time to cyber-attacks. The exercises are essentially benchmarking events that the business and government communities seek to learn from.

Cyber terrorism could be the most devastating weapon of mass destruction yet and could cripple the US economy according to the former CIA Director, Robert Gates who was speaking at the cyber terrorism conference held at Rice University. He said that when a teenage hacker in the Philippines wreaks $10 billion in damage to the US economy in one night by implanting a virus, imagine what a sophisticated, well-funded effort to attack the computer base of the US economy could accomplish.

The CIA and National Security Agency (NSA) had conducted an exercise six years ago, assigning 50 computer specialists to see how hard it would be to shut down the nation's electric grid. It took only two days for the group to put itself in a position to do so, Mr Gates said. He also referred to the blackout that affected cities from Detroit to New York in August 2003, to illustrate what he meant in terms of the potential scale of a future cyber attack which could bring the US economy to its knees. Terrorism is a global challenge that may take many forms and many years to defeat or contain. He was certain that terrorists would hit America again. Terrorism continued to evolve in the years since he had served as CIA director during the early 1990s.

In the 1970s and 1980s, most terrorist groups were directed or sponsored by governments such as Iran, Iraq, Libya or Syria, making it easier to gather intelligence. Since they were trying to bring attention to a cause and to win support, they tended to limit the scale of their violence and the number of innocent lives they were prepared to take according to Mr Gates. This is no longer the case. Now terrorists are motivated by religion and are profoundly revolutionary, he said.

The cyber terrorism exercises are based on the fundamental tenet that the cyber-terrorist is a very real threat to modern information systems according to the US Defense Advanced Research Projects Agency (DARPA). This tenet is based on the following assertions:

1. Sophisticated terrorist threats still exist against economically powerful countries and their interests abroad;
2. Information systems that manage those nations' defences and critical infrastructures are vulnerable to cyber attack;
3. Terrorists can forward their agenda by attacking the nations' critical infrastructures;
4. Cyber attack costs - especially in proportion to their perceived relative effectiveness - are asymmetric and favour the cyber-terrorist; and
5. The ability for the cyber-terrorist to conduct attacks against nation state assets from foreign shores with little risk of consequence appears to be reality.

In the exercises, the cyber-terrorist is believed to have a level of sophistication somewhere between that of a sophisticated hacker and a foreign intelligence organisation. The cyber-terrorist might even employ sophisticated or professional hackers in their operations. However, this adversary would not have access to any of the very sophisticated attacks that are available to members of the nation state sponsored intelligence community. This cyber-terrorist is believed to have access to all commercial resources that are generally available. These include, according to DARPA:

1. All publicly available information, which includes tools, attack techniques and specific intelligence on a particular target, consultants and other commercially available expertise;
2. Any commercially available technology such as workstations,software, hardware, and diagnostic tools;
3. Software developers, network developers, and other expertise required for developing their own attacks against a particular target;
4. The adversary is assumed to have limited funding. However, he is assumed to be able to raise funds on the order of hundreds of thousands to a few million dollars, and he is willing to spend those funds to accomplish his mission;
5. The adversary is assumed to be able to acquire all design information on a system of interest. The assumption is based on the following assertions: Much of the information is publicly available; information that is not generally available is loosely controlled; information that is controlled can be obtained by bribing a trusted insider or through extortion.

"As loathsome as bin Laden and his henchmen are, there is a method to their madness," Mr Gates said. "The primary reason bin Laden attacked the United States three years ago is that dislike and even hatred of the United States is the only point of agreement that cuts across religious, secular and national divisions throughout the Arab Middle East."

[ENDS]


mi2g is at the leading edge of building secure on-line banking, broking and trading architectures. The principal applications of our technology are:

1. D2-Banking;
2. Digital Risk Management; and
3. Bespoke Security Architecture.

mi2g pioneers enterprise-wide security practices and technology to save time and cut cost. We enhance comparative advantage within financial services and government agencies. Our real time intelligence is deployed worldwide for contingency capability, executive decision making and strategic threat assessment.

mi2g Research Methodology: The Frequently Asked Questions (FAQ) List is available from here in pdf. Please note terms and conditions of use listed on www.mi2g.net

Full details of the November 2004 report are available as of 1st December 2004 and can be ordered from here. (To view contents sample please click here).