Cyber Terrorism: Mass Destruction or
Mass Disruption?
by Vikki Spencer, © 2002 Business Information Group.
All rights reserved
Just days after the September 11 terrorist attacks the U.S. Federal Bureau
of Investigation began warning the public that the potential for future attacks
exists, and among the threats was that of cyber terrorism. The concept is not
a new one: such attacks have been taking place between Palestinian and Israeli
groups, and between U.S. and Chinese sources, in response to political conflicts.
And now, in light of new terrorism and cyber exclusions in insurance policies,
commercial insurance buyers are wondering how to protect themselves from the
potential threat of today's "hacktivists" becoming tomorrow's cyber terrorists,
and weapons of mass disruption turning into weapons of mass destruction.
February 2002 - Al-Qaida, the notorious terrorist group formed by
Osama bin Laden, has not engaged in computer-based attacks in the past. However,
in the wake of the World Trade Center (WTC) attacks, bin Laden has suggested
that Al-Qaida has the expertise to use computer technology as a weapon, reports
Canada's Office of Critical Infrastructure Protection and Emergency Preparedness
(OCIPEP).
In response to reports from the FBI about the potential threat of cyber
attacks in the wake of September 11, OCIPEP began issuing such advisories,
and notes that "retaliatory cyber attacks" against coalition countries, primarily
in the form of website defacements, had already begun. In late November, the
Canadian government helped draft the Council of Europe's Convention on Cybercrime,
an international effort to deal with issues of terrorist financing, money
laundering and cyber terrorism.
The September 11 terrorist attacks changed perceptions of the world's security
infrastructure, and the insurance industry's understanding of risk. What had
once been inconceivable was now reality and so began the process of imagining
the unimaginable in terms of catastrophic risks. Cyber terrorism, a heretofore
unconsidered threat, was suddenly put on the world stage amongst a host of
new potential threats.
Digital Pearl Harbor
When the U.S. government's new cyber terrorism expert, Richard Clarke, suggested
the possibility of a "digital Pearl Harbor", he was greeted with skepticism.
The concept of one, large-scale attack on the Internet seems far-reaching,
despite the claims of Al-Qaida and other Muslim extremist groups who claim
to, or are known to, use the Internet as a tool.
That said, there is ample evidence that politically motivated hack attacks
are on the rise, notes DK Matai, chairman and CEO of the mi2g intelligence
unit, which deals in cyber security.
Tensions between the U.S. and China following the accidental bombing of
the Chinese Embassy in Belgrade led to a cyber conflict. In the U.S., key
government sites, including the Energy Department, the Interior Department
and even the White House were targeted. The Chinese domain, ".cn", and that
of Taiwan, ".tw", became the two most defaced domains behind ".com" last year.
India (.in) and Pakistan (.pk) saw similar increases in the number of web
site defacements due to political tensions (see Charts 1 and 2).
Following NATO air attacks on Serbia in 1999, hackers began to tap into
U.S. defense computers and those of other defense related businesses. And,
since September 11, several high profile U.S. government sites have been defaced,
some bearing the Saudi flag and threatening messages aimed at the U.S. The
groups involved, sometimes called "cyber mujihadeens", have hit sites including
the U.S. Army Waterways Experiment Station and the National Institute of Health's
Human Genome Project.
Striking at .ca
Canada is not immune to the cyber threat, experts say.
Matai points out that the ".ca" domain experienced a similar increase in defacements
last year, with 215 hits, up from 59 in 2000 and 52 in 1999. He notes that
many Canadian sites bear the ".com" domain, as well as ".org" and ".net",
also popular targets. Hits are similarly not aimed solely at government sites,
he adds. "Admittedly there is some bias of attacks towards high profile sites
such as whitehouse.gov or fbi.gov, however more and more attacks are on commercial
web sites."
"The 11 September attack had an even deeper ripple effect: the temporary
disruption of the entire U.S. financial and transportation infrastructure,"
notes the OCIPEP report. "If the terrorists did not fully anticipate these
aftershocks, they can see them clearly now. This raises the possibility that
those responsible may shift their sights away from primarily symbolic targets,
such as heavily populated buildings or sports stadiums, toward critical infrastructures."
There are about 10,000 "serious grade crackers"
using original code attack systems, as opposed to what Matai calls "script-kiddies",
or hackers who rely on ready-made tools. "In terms of defacement attacks on
large corporations, attackers penetrate the systems as multi-level attacks
using subterfuge and social engineering," he explains. Criticisms
of lax electronic security are still being heard, despite the growing awareness
created by large-scale attacks such as the "I Love You" and "Melissa" viruses,
and worms like "Nimda" and "Code Red".
"My own opinion is that the potential is there [for cyber terrorists to
attack], everyone's networks are so poorly protected, but no one has taken
advantage of it," says Chuck Wilmink, director of the Canadian Center for
Information Technology Security (CCITS).
A study by the U.S.-based Computer Security Institute reports that 85% of
companies admit to having their networks breached in 2000, and 64% acknowledge
significant financial losses due to those breaches. A recent report by the
U.S. Congress gave two-thirds of America's federal agencies failing grades
in cyber security, including the departments of Defense, Justice, Energy and
Treasury.
Similarly, in Canada, a 1999 Senate report pointed to the potential for
a major cyber attack in Canada, and admitted that the FBI has characterized
Canada as a "hacker haven". Perhaps fortunately, Canada is more often a base
for hackers to attack other countries, rather than a target itself. "Canadian
hackers have traditionally tended to attack outside of Canada as opposed to
within," says Matai. He notes that Canada's quieter political demeanor means
that it is less often viewed as a target. ".ca Canadian sites are less vulnerable
than .com or .uk because Canada is not seen to be so aggressive on the world
stage."
"I really don't think we've ever considered Canada to be at the same threat
level (as the U.S.)," says Max London, manager of public affairs for OCIPEP.
However, OCIPEP has issued the FBI warnings post-September 11, giving companies
advance warning in the event of a cyber attack. Ultimately, London explains,
corporations are responsible for their own security systems.
He notes that OCIPEP is aware of "hacktivist" activity in Canada, specifically
"around some of the larger meetings", such as the G-8 Summit or World Trade
Organization meetings. However, these are a far cry from the threat by a foreign
government or terrorist organization that might harm Canada's critical infrastructure,
including systems that support communications, transportation and services
such as health care and finance. With the "increasing dependence and increasing
interconnectivity" of such systems comes a greater risk, however. In the past,
OCIPEP has been involved in public awareness campaigns around threats including
the "Code Red" worm, which was viewed as "a very real threat to the Internet",
and has worked with the U.S. National Infrastructure Protection Center (NIPC),
an FBI operation, to disseminate information. The NIPC issued warnings in
mid-October of a potential cyber threat aimed at the U.S. power grid, and
yet another aimed at online financial sites.
Insurer reaction
Canada's insurers have been jumping into the terrorism risk fray since September
11, trying to understand what exposures they might face in the future. Just
as no one predicted the events that represent the largest insurance loss in
history, there is fear of what other unforeseen risks may lie ahead.
As insurers met through the Insurance Bureau of Canada's (IBC) terrorism
task force to discuss the new risk horizon, cyber threats were one possibility
on the table, says Anne MacKenzie, assistant vice president, claims technical,
at the Dominion of Canada General Insurance Company and a member of the task
force. She adds, however, that they did not top the list of concerns for several
reasons, including the notion that terrorists generally tend towards visible,
high profile acts. "It's usually physical acts of terrorism," she says. "Terrorists
like to put the population at fear." OCIPEP also notes that terrorists have
traditionally relied on "bombs over bytes" as the weapon of choice.
Cyber terrorism has not dominated discussion of electronic risks, adds Jennifer
Soper, assistant vice president, technology, at St. Paul Canada. Most of the
talk seems centered around the major viruses that have plagued companies.
This is partly because many companies do not see themselves as targets for
such acts. "When you're not in the Fortune 500 or brand name companies, you
can get an 'it can't happen to me', almost false sense of security."
She adds that companies often do not discuss the nature of attacks, and
still have a "keep it in the closet" attitude about cyber security breaches.
The benefit is that this policy of silence denies attackers the desired result
of publicity. However, terrorists may soon find that cyber attacks will gain
them the same kind of notoriety as physical attacks, MacKenzie adds. "Nothing
would scare people more than to learn that terrorists had hacked into government
sites".
Exclusions, exclusions
Commercial insurance buyers are no doubt facing a tough market in the post-September
11 era, although the situation was already beginning to grow bleak prior to
the terrorist attacks. Reinsurers had already stated their intention to introduce
cyber exclusions into their treaties, leaving insurers to follow suit.
However, insurers assert that cyber or "data" coverage was never really
part of commercial general liability (CGL) policies. In light of the potential
for differing interpretations (such as the U.S. case of Ingram v. Micro, where
it was found that business interruption due to computer failure should be
included in CGL policies), more specific wording was added to most policies.
"The data exclusion was just a clarification to make sure consumers knew what
they were buying, there never was coverage for data," explains MacKenzie.
This clarification is apparent in most policies as of yearend 2001, adds Dominion
president George Cooke. "Our view is that the wordings don't do anything the
old wordings didn't do, they're just clearer."
However, the wordings have left many companies scrambling for coverage,
Soper says. "What is available is not widely available." Companies will either
have to negotiate coverage as a limited buy-back option in existing policies,
or hunt it down as a separate policy from another carrier. "In terms of coverage,
if there is anything going on it is on a customer-by-customer level. It has
to be." Given the difficulty in quantifying cyber risks, there is no "one
size fits all" policy.
Cooke says he is concerned with the lack of cyber coverage available, but
acknowledges that insurers simply are not in a position to offer it. "It's
a situation that troubles me. But we can't buy coverage [in the reinsurance
market], so it's impossible for us to offer it."
September 11 did not help the situation either. He predicts that notwithstanding
the terrorist attacks, cyber coverage would have been a top issue for insurers,
but given the shift in priorities, insurers were unable to come up with private
market capital solutions in advance of yearend commercial policy renewals.
"September 11 kind of eclipsed concerns over whether we should be developing
new products to deal with cyber risks," says MacKenzie. However, she adds,
"we will want to revisit it" in the future.
Overriding concern
Regardless of new cyber covers, with the current terrorism exclusions being
written, any act deemed as "cyber terrorism" would not be covered, as the
terrorism exclusion would be overriding. In the wake of September 11, with
reinsurers refusing to cover terrorism in their treaties, insurers were forced
to either introduce similar exclusions in their policies or to negotiate a
deal with the government, which would act as excess of loss reinsurer through
a "terrorism pool" arrangement.
By yearend, no such pool had been devised, despite lengthy discussions between
IBC representatives and the government. "The nature of the discussions evolved
as the market evolved," says Cooke, who is also chair of the IBC. "The decision
was taken to wait. It was probably a smart decision."
The U.S. government's inability to come to a solution prior to breaking
at the end of the year was among the contributing factors. Cooke recognizes
that it was "politically difficult" for the Canadian government to come forward
with a solution before the U.S., given the fact that the situation was not
of the same scale here. This situation may change as the U.S. House reconvenes
in late January. "People have said that the government wasn't prepared to
act, but I don't buy that," he adds. "Minister Peterson and the staff in Finance
were seriously engaged in discussions and are prepared to act if the need
arises."
The need for a solution may not be quite as pressing as originally thought,
with renewals moving along despite the lack of a solution, and the fact that
many commercial policies on target risks have not yet reached renewal.
However, Cooke still feels a solution is needed. The government has consulted
with other associations, most notably the Canadian Bankers Association (CBA),
who claim that there is no need for the coverage. "I think they're wrong,"
Cooke says, but their resistance makes it difficult for insurers to press
for a solution. He is most displeased with the view that insurers are looking
for a "bail out". "We are not doing an 'Air Canada' here. We're more than
prepared to take our pains for our past sins." But without reinsurance coverage
in place, it is not economically feasible for insurers to offer the coverage.
The terrorism task force was "driven by the sudden recognition that there
was now infinite risk and infinite exposure and that wasn't economically sustainable,"
says MacKenzie. "It [terrorism coverage] isn't anything we could write even
if we wanted to."
With no cap on the exposure, insurers would be leaving themselves open to
unquantifiable risks, a situation that extends into the domain of cyber terrorism.
"Putting a box around the exposure" or quantifying the risk is especially
difficult with cyber risks, says Soper. "The 'net is worldwide. It is difficult
to know where it (an attack) is going to come from, and how it's going to
come."
She adds, "It's hard when you're an industry that likes to put dollars and
cents to things. There's just no history. You can't go into the archives and
pluck out something and say 'this is going to work for me today'." September
11 was a "humbling" experience for the industry, says MacKenzie, and as the
industry learns more about that event, "we realize we don't know about all
the risks". Prior to September 11 "there was a sense that we could talk about
100-year events and worst case scenarios...everyone's trying to come up with
scenarios, however, the end of the conversation always comes to the same conclusion,
we just can't imagine."
Web Site Defacements, 2001 (increase over 2000)
Source: mi2g

Location | Domain | Number of Incidents | Percentage Increase
Canada | .ca | 215 | 265
China | .cn | 1298 | 1326
Taiwan | .tw | 1355 | 1178
Israel | .il | 413 | 220
India | .in | 250 | 205
Pakistan | .pk | 72 | 300
UK government | .gov.uk | 43 | 378
UK organisations | .org.uk | 25 | 400
UK companies | .co.uk | 385 | 181
US government | .gov.com | 248 | 37
US military | .mil.com | n/a | 128