Thomas Homer-Dixon postulates a future scenario:[20] In different parts of a US state, half a dozen small groups of men and women gather. Each travels in a rented mini-van to its prearranged destination—for some, a location outside one of the hundreds of electrical substations throughout the state; for others, a point upwind from key, high-voltage transmission lines. The groups unload their equipment from the vans. Those outside the substations put together simple mortars made from materials bought at local hardware stores, while those near the transmission lines use helium to inflate weather balloons with long silvery tails. At a precisely coordinated moment, the homemade mortars are fired, sending showers of aluminium chaff over the substations. The balloons are released and drift into the transmission lines.
Simultaneously, other groups are doing the same thing along the eastern seaboard and in the south and southwest of the United States. A national electrical system already under heavy strain is short-circuited, causing a cascade of power failures across the country. Traffic lights shut off. Water and sewerage systems are disabled. Communications systems break down. The financial system and national economy come to a halt.
And if that is not of sufficient concern, Brad Ashley[21] of the US Air Force notes that:
Today’s battlefields transcend national borders. Cyberspace adds an entirely new dimension to military operations, and the ubiquitous dependence on information technology in both the government and commercial sectors increases exponentially the opportunities for adversaries as well as the potential ramification of attacks.[22]
Indeed, Ashley goes well beyond Homer-Dixon’s scenario and depicts a number of scenarios all rolled into one devastating attack.[23] Ashley postulates that military systems are under relentless electronic attack and the global media is reporting these attacks with great zeal, thereby adding to the problem. An unknown adversary has seized control of military logistics, transportation and administration systems associated with deployment of forces.
Commercial websites are inundated with requests for connection, which paralyses parts of the Internet. Worldwide computer virus attacks occur, affecting over 60 million computers, including military systems. An orchestrated campaign of individuals flooding Defence and security websites is carried out, a cyber Jihad is started, and national infrastructure computers are infiltrated, leading to raw sewage being released into rivers and coastal waters.
Worse still, Defence networks are penetrated, power grids are infiltrated and shut down, and computer problems close the stock market in several capitals. The competitive media helps spread the ensuing panic throughout the world.
If these incidents sound plausible, it is because they have occurred, in varying forms and to varying levels of success over a lengthy period of time. However, were they to be orchestrated over a very short time span as Ashley postulates, their results could be devastating.
To some, the scenarios postulated by Homer-Dixon and Ashley may have sounded far-fetched in 2000; however, the 11 September 2001 terrorist attacks on the United States changed all that. Many nations have since realised that their societies are susceptible to terrorist attacks. There are two trends that explain this: the growing technological capacity of small groups or even individuals to wreak havoc; and the increasing vulnerability of economic and technological systems to quite deliberate and specific attacks.
Adding to the vulnerabilities are the changing communications technologies that now encompass satellite phones and the Internet, which permit the coordination of resources and activities across the world. Criminal and terrorist organisations can use the Internet to share information on weapons and tactics, transfer funds, and plan criminal activities or attacks. The links between crime and terrorist organisations mean that any criminal cyber-attack could be financing a terrorist organisation. Identity theft is also a cause for concern for banks and financial institutions, as once again a criminal cyber-attack could be linked to a terrorist organisation.
There are several reasons why hackers will seek to gain illegal access to IT systems. These include: to gain financially, to commit sabotage, to steal identities, to commit fraud, to carry out espionage, or to cover up other physical theft. The level of sophistication needed to hack into sites has decreased while the availability of hacking tools has increased substantially. As Ashley notes, adversaries in cyber-space require minimal technology, little training or funding, no infrastructure support, and can launch attacks from anywhere at any time.[24] A report in 2004 by Trend Micro indicated that viruses affecting personal computers (PCs) cost businesses worldwide some US$13 billion in damages in 2001, US$20 billion in 2002, and US$55 billion in 2003.[25] Add to this the estimated annual loss due to computer crime of US$67.2 billion for US organisations alone.[26]
Information-processing technologies have also boosted the power of terrorists by allowing them to hide or encrypt their messages, with the power of a modern lap-top computer today exceeding anything that could have been imagined three to four decades ago. Not only can terrorists and criminals run readily available sophisticated encryption software, they can also use less advanced computer technologies to achieve similar effect. Steganography (hidden writing), which allows people to embed messages into digital photographs or music clips that can then be posted on the World Wide Web for subsequent downloading, was reportedly used by terrorists who planned an attack on the US embassy in Paris in 2004.[27]
The World Wide Web also provides ample access to information about critical infrastructure. For example, the floor plans and design of the World Trade Center in New York were readily available, as was information on how to collapse large buildings. Instructions for making bombs and other destructive materials are also readily available. Indeed, practically anything needed on kidnapping, bomb-making, and assassination is now available on-line.[28]
Australia’s economic and technological systems make the nation, the Government and the ADF all the more vulnerable because of the interconnectedness across modern society and the increasing geographic concentration of wealth, people, knowledge, and communication links such as highways, rail lines, electrical grids, and fibre-optic cables. As societies modernise, their networks become more interconnected, which means that the number of nodes increases, the links among the nodes increase, and the speed at which things move across these links increases. All of this adds to the rich array of potential targets.
Not only does vulnerability increase through greater numbers, but also the features of interconnected networks can make their behaviour unstable and unpredictable. One obvious example is that of a stock market crash, in which selling drives down prices, which, in turn, leads to more selling. The tight coupling of networks also makes it more likely that problems with one node can spread to others. The United States has experienced a number of cascading effects when electrical, telephone, and air traffic systems have suffered partial failure, which has spread across the country. In addition, the nature of these networks also sees a small shock producing a disproportionately large disruption.[29]
A special commission set up by President Bill Clinton in 1997 reported that ‘growing complexity and interdependence, especially in the energy and communications infrastructures, create an increased possibility that a rather minor and routine disturbance can cascade into a regional outage’. The commission continued: ‘We are convinced that our vulnerabilities are increasing steadily, that the means to exploit those weaknesses are readily available and that the costs [of launching an attack] continue to drop’.[30]
So much for physical networks: what about psychological networks? Australian citizens are nodes in this network, linked through the Internet, satellites, fibre-optic cables, radio, and television news. Immediately after a crisis, the media and others report the story across this network. Televisions stay on, telephone lines and e-mail messages are used constantly, to the extent that services, especially the Internet, become noticeably slower immediately after the event.
The Australian Government should expect terrorists of the future to target the critical networks that underpin society. This would include networks for producing and distributing energy, information, water, and food; the highways, railways, and airports that make up the nation’s transportation grid; and the health care system.[31] While an attack on the food system would be of greatest concern to people, the vulnerability of the energy and information networks attracts a lot of attention because they so clearly underpin the vitality of modern economies.[32]
The use of Supervisory Control and Data Acquisition (SCADA) systems that monitor and direct equipment at unmanned facilities from a central point poses a worrying potential vulnerability. In 1998, a 12-year-old hacker gained control of the SCADA systems that run the Roosevelt Dam in Arizona and, in 2001, a disgruntled worker, Vitek Boden,[33] released waste water in Maroochy Shire, Queensland. More than three million SCADA devices exist throughout the world.[34]
The real concern is that these SCADA networks sit ‘squarely at the intersection of the digital and physical worlds. They’re vulnerable, they’re unpatchable, and they’re connected to the Internet’.[35]
SCADA systems are used to digitise and automate tasks such as opening and closing valves in pipes and circuit breakers, monitoring temperatures and pressures, and managing machinery on the assembly line. As these systems connect to corporate networks and as those corporate networks connect to the Internet or adopt wireless technology, the vulnerabilities become more pronounced. The power grid could be taken down, emergency telephone systems could be rendered useless, floodgates to a dam could be disabled, and so on.
These control systems have been designed and developed with efficiency and reliability in mind, not security. Many of the legacy control systems cannot accommodate the newer security technologies such as encryption. Compounding these technical difficulties is a range of cultural and management issues, firmly rooted in the physical world, that pays scant attention to cyber-security concerns.
Initially, SCADA systems were developed with proprietary technology, with no connectivity to corporate networks. However, the impact of globalisation and the Information Age demanded greater efficiency, greater transparency and greater connectivity, which resulted in linking the control networks to corporate networks. This means that hackers who seek to insert worms and viruses in corporate networks can get an additional dividend in that any connectivity to control systems that are not turned off can be affected by the worm or virus.
It was in this way that the Sasser virus disabled several oil platforms in the Gulf of Mexico for two days in 2004, while the SoBig virus affected the rail signalling and dispatching systems of CSX Transportation in August 2003, stopping train services for up to six hours.[36]
Decades ago, Distributed Control Systems were the predominant form of control system: they existed within a small geographic area (say a single manufacturing plant), had all components (hardware, software, master controllers, workstations, etc) provided by the same vendor, and operated over a dedicated Local Area Network. That is no longer the case. The proliferation of SCADA systems across wide geographic areas, in the main to distribute oil and electricity, sees many master systems communicating with remote devices over the Internet, wireless radio, the public telephone system, or private microwave and fibre-optic networks. The remote units are not only controlled by their master, they also send real-time data back.
The SCADA networks themselves are also vulnerable because of their dependency on the telecommunications that support them. Transmissions could be intercepted and altered, redirected or even destroyed, so the transport medium introduces another area of vulnerability. The use of dial-up modems, where little or no authentication is required, introduces yet another form of vulnerability. Not many companies would operate today without firewalls and Intrusion Detection Systems (IDS) on their IT networks, yet very few have such security mechanisms on their control networks. Even if firewall filters were fitted to the control networks, most firewalls have been designed to filter Internet Protocols (IPs) but not control system protocols.
It is not just about improving SCADA systems, however. More can be done to improve the information security on the corporate networks. Improved router configuration, antivirus software, IDS, and more diligent software patching would all help reduce the vulnerability. There are also non-technology actions that can be taken, such as improved configuration management, better documentation of network architectures, and better contingency planning.[37]
Returning to the broader issue of cyber-terrorism, it is worth noting the consideration of ‘Cyber Terrorism: The New Asymmetric Threat’[38] by the US House Armed Services Committee’s Sub-committee on Terrorism, Unconventional Threats and Capabilities on 24 July 2003. The Committee chairman, Jim Saxton, argued that the rapid flow of information was becoming increasingly important on the battlefield. He said that in the nineteenth century three words per minute could be transferred whilst 38 830 soldiers were needed to provide information over 10 square kilometres. In the 1990–91 Gulf War, the transmission rate was increased to 192 000 words per minute whilst only 24 soldiers were needed to cover 10 square kilometres. It is expected that by 2010 the data transfer rate will be further increased to one trillion words per minute whilst only three soldiers will be needed to cover 10 square kilometres.[39]
At the same hearing, Dr Eugene Spafford[40] said that threats from malicious software (malware) had grown steadily for 15 years and threatened military, government, industry, academic and general public information systems. The interconnections across these segments of the community meant that a threat to one could readily spread to the others. His concern is exacerbated by the malware’s use of victim computers to carry out the attack, which presents an asymmetric threat to computer systems.
Spafford went on to say that the malware threat to US systems, and the military in particular, is significant because software is at the heart of most advanced systems, spanning weapons, command and control, communications, mission planning, and platform guidance. Furthermore, intelligence, surveillance, and logistics all depend on massive computational resources.[41]
There is also the threat from simple failure that must be factored in. Systems are becoming more complex and much of the software is commercial off-the-shelf (COTS) and not developed to contend with active attacks and degraded environments. Moreover, software vendors have tended to concentrate more on time-to-market as the most important criterion for success, rather than well-designed and well-tested code.[42] Increased connectivity, whereby systems are configured so that every machine has network access, which is needed to provide for remote backups, access to patches, and user access to World Wide Web browsing and e-mail, adds to the threat.[43] Spafford went on to offer a number of recommendations:[44]
Explicitly seek to create heterogeneous environments so that common avenues of attack are not present.
Develop different architectures.
Rethink the use of COTS software in mission-critical circumstances.
Rethink the need to have all systems connected to the network.
Require greater efforts to educate personnel on the dangers of using unauthorised code, or of changing the settings on the computers they use.
Revisit laws that criminalise technology instead of behaviour.
Provide increased support to law enforcement for tools to track malware, and to support the investigation and prosecution of those who write malware and attack systems.
Do not be fooled by the ‘open source is more secure’ advocates. The reliability of software does not depend on whether the source is open or proprietary.
Initiate research into the development of metrics for security and risk.
Establish research into methods of better, more affordable software engineering, and how to build reliable systems from components that are not trusted.
Emphasise the need for a systems-level view of information security. Assuring individual components does little to assure overall implementation and use.
Establish better incentives for security.
Increase the priority and funding for basic scientific research into issues of security and protection of software. Too much money is being spent on upgrading patches and not enough is being spent on fundamental research by qualified personnel.
Most importantly, re-examine the issue of the insider threat to mission critical systems.
There are clearly deficiencies in US and Australian cyber-defences. Malicious and incorrect software pose particular threats because of their asymmetric potential—small operators can initiate large and devastating attacks. The situation cannot be remedied simply by continuing to spend more on newer models of the same systems that are currently deficient. It will require vision and willingness to make hard choices to equip the military and other national security agencies with the defensible IT systems they deserve.[45]
Mr Robert Lentz, Director, Information Assurance, Department of Defense, also gave testimony at the hearing,[46] where he argued that a new era of warfare had emerged, through the greater power, agility, and speed afforded by connectivity. Thus, a smaller force can mass combat effects virtually anywhere, anytime through these multiple connections. However, this increasing dependence on information networks creates new vulnerabilities, as adversaries develop new ways of attacking and disrupting friendly forces.
Lentz also described the goals that then Defense Secretary Rumsfeld established for networks, namely to[47]
develop a ubiquitous network environment;
richly populate the network environment with information of value, as determined by the consumer; and
ensure the network is highly available, secure and reliable.
Through these goals, Secretary Rumsfeld was seeking to establish the Department’s IA Program—the strategy, policy and resources required to create a trusted, reliable network. While the challenges for IA are substantial because of the size and diversity of the Defence and national security IA community and because IA is both pervasive and interdependent upon many other policies and processes, there are clear opportunities. In the first instance, the policy formulation process could be more open, more visible, more collaborative, and, as a consequence, faster.[48]
Lentz also made the telling comment that the US Administration did not expect to achieve guaranteed protection of its information, systems and networks. However, it had put in place ‘a robust Computer Network Defence capability within the Department, a capability that continues to evolve and transform itself in pace with the evolving and transforming threat’.[49]
Finally, Lentz offered a telling reason for factoring legacy systems into strategic planning, by saying that all systems are legacy systems as soon as they go on-line. The demand for greater bandwidth, functionality, connectivity and other features is constantly expanding. Lentz argued that the demand would be met, but that the greater task was to ensure it was met securely. To that end, development of protective technologies for space-based laser, advanced fibre-optic, and wireless transport networks was being pursued, as was the development of end-to-end IA architectures and technologies.[50]
The rate of adoption of Internet-based technology, including dependence on the Internet for voice communications and data distribution, means that nations today have the ability to conduct cyber-warfare.[51] Thus, organisations need to have a strategy for keeping their businesses running, if information systems and facilities that depend on those information systems are unable to operate.
The increasing use of IP networking technology to connect critical infrastructure and the movement to packet-switched voice communications (away from a circuit-based architecture) has increased the vulnerability. Additionally, Voice over Internet Protocol (VOIP) equipment is susceptible to traditional Internet threats like worms, viruses and break-ins from hackers. Denial of Service (DS) attacks, which have been experienced in recent times and taken down websites, could be used to disrupt the flow of voice-carrying packets on an IP network, thereby causing a major breakdown in communications. At the infrastructure level, interfaces that allow maintenance and control of equipment have traditionally been accessed through dial-up modems, and are increasingly being converted to IP network connections.
The Gartner Report[52] identified potential targets as the network interfaces found in equipment used by dams, railroads, electrical grids and power generation facilities, and the interface points between the public switched telephone network and IP networks. Connecting computer systems in banking and finance, law enforcement, rail transportation, and in industries such as chemical, oil and gas, and electrical to IP networking adds to the increasing vulnerability of critical infrastructure.
Most security technology, when used in conjunction with ‘best practices’, is appropriate to the proportional risk presented by the threat of cyberwarfare. … The proportional-risk assumption does not mean that a cyberwarfare attack would be unsuccessful if undertaken by a determined foe, but that risk is low.[53]
The phrase ‘digital Pearl Harbor’ has been around since 1995, according to Jim Lewis in 2003, then with the Center for Strategic and International Studies and a former Clinton Administration technology policy official.[54] Lewis considered the threat from cyber-terrorists to have been over-stated. Indeed, work carried out by Gartner in 2003 highlighted that disgruntled insiders, not foreign terrorists, posed the greatest cyber-security threat to companies.[55]
Even the most comprehensive IT security technology cannot stop the careless, uninformed, or disgruntled person with access to the network from wreaking havoc. ‘The fact is that some of the most devastating threats to computer security have come from individuals who were deemed trusted insiders’.[56]
Costs associated with security policies and software are significant enough, without having their effect decreased by insiders who may not fully appreciate their role in maintaining a secure enterprise. The main reasons behind internal security breaches are noted as ignorance, carelessness, disregard for security policies, and maliciousness.[57] Hence, the best way to address the potential for such breaches is through an awareness and education program, aimed at reducing the effect of ‘social engineering’.
Social engineering plays upon the inherent trust that people have in one another and their basic desire to help others. Social engineering tactics will not work if people are informed and aware. Thus, employees should not open unsolicited email attachments and they should scan attached documents for a virus before opening them. They should be aware that attackers will seek to take advantage of a natural trust in sharing files. Employees who use Internet Relay Chat and Instant Messaging services should know about ploys that might be used to lure them into downloading and executing malware that would allow an intruder to use the systems as attack platforms for launching distributed DS attacks. Employees should treat with extreme caution any requests for passwords or any other sensitive information.[58]
Richard Hunter of Gartner has cautioned companies to alert their employees against social engineering. Hunter’s view is that the most successful ways for foreigners to steal US secrets are to use such practices or to buy US companies in possession of secrets. After all, computer hacking constitutes only 6 per cent of theft attempts.[59]
At a conference in 2004, concern was expressed over US federal agencies not securing their computer networks and failing to factor technology security into long-term planning. House Government Reform Committee Chairman, Tom Davis, called for increased investment in IT security infrastructure, but acknowledged that the appropriations process ‘is always about the here and now’.[60] The problem is, of course, that information network defence requires long-term investment and top-level attention, which is not a natural by-product of the annual budgetary cycle.
The Internet continues to hold so much promise, but, according to the Economist, it has to become more trustworthy if it is to realise its full potential.[61] Detracting from trust in the Internet are the continuing worm and virus attacks such as the Blaster worm and SoBig virus that attacked in 2003, causing estimated losses of US$35 billion.[62] As the uptake of broadband increases and as more PCs and other devices are connected, the potential fall-out from further virus, or the more insidious worm, attacks can only increase.
The speed with which these attacks can be launched is also increasing (i.e. attacks are happening faster). The time from initial disclosure of a flaw to the attack by the Slammer worm in January 2003 was six months, which halved the time taken in the previous year. For the Blaster worm in August 2003, the time had fallen drastically to three weeks.[63] Over 500 000 computers were infected and CSX Corporation had to stop its train services as its rail signalling system was brought down, and check-in services of a number of major airlines were disrupted.[64]
Worse still, the intensity of attacks has increased, with the Slammer worm infecting 90 per cent of vulnerable computers within 10 minutes.[65] The network-security monitoring firm, Qualys, has argued that most organisations take on average one month to patch their known vulnerabilities, whereas future attacks could inflict their intended damage within a couple of minutes.[66]
On 27 January 2004, the world experienced the MyDoom virus (also known as Norvarg or Shimgapi). It was immediately rated as a high-level security threat, geared as it was around mounting DS attacks on the website of SCO (a US software company). Attacks such as this, which aim to bring down a company’s systems by flooding them with traffic, could very well be precursors to cyber-attacks by nations or terrorist organisations.
Indeed, research by John Donovan (Managing Director of Symantec, an Internet security company) indicated that politically motivated attacks were likely to increase.[67] The attack on SCO was even more insidious as MyDoom left a communications port open on the infected computer, which could have been remotely accessed by a hacker.
Furthermore, as Robert Lemos (a staff writer for CNET News.com) argued, such a virus allowed hackers to hide their real locations, thus making it very difficult to trace any on-line attack. The Code Red virus infected many computers in July 2001, with tens of thousands still infected in 2004 (according to Lemos).[68]
The Sobig.F virus of August 2003 accounted for one out of every 17 email messages and infected over 570 000 computers, while MyDoom accounted for one in 12. Message Labs (a company that filters email for corporate customers) had detected and quarantined more than 1.5 million infected emails within 27 hours.[69] The Sobig virus could have launched an Internet-wide attack had its programming been so designed.[70]
The dramatic increase in cyber-incidents can be seen from the following statistics—between 1995 and 2005, the reports to Carnegie Mellon’s Computer Emergency Response Team increased from 171 incidents to 5990.[71]
Trust in the Internet is also undermined through fraud and spam. Indeed, the statistics quoted by the Economist are alarming—citing that some 10 per cent of all emails were scams of one sort or another.[72] The degree of cunning in much of this fraud is worrying; for example, brand spoofs that claim to come from trusted companies, fake web pages, fake press releases, and ‘phishing’—tricking recipients into giving out sensitive information, such as credit-card numbers, pin numbers and passwords.
Most companies, government agencies and indeed a number of private individuals are now using firewalls to keep malicious code out of their internal networks, and IDS that analyse what gets past the firewalls. Anti-virus software has become commonplace, although there remains a concern over how up-to-date that software is.[73]
While many argue that greater government intervention is needed, that is likely to simply drive up the cost of being connected. Others argue that software vendors should be liable for the security of their software—in other words, vendors should be writing simpler, safer software. So, perhaps, the solution is a combination of both, whereby government legislates that vendors are liable. This would then compel software companies to carry product-liability insurance. Insurance companies would respond by pricing the risk, whereby software companies that write safer code would have an economic advantage.[74]
Another option might be to eliminate Internet anonymity, such that every user could be traced.[75] One way of doing this might be to authenticate each email before it can be sent, by referring to a driving licence, passport, tax file number, social-security number, or some other trusted form of identification.[76]
As Ed Waltz observes, by using a basic risk management approach we can aim to prevent access to 80 per cent of possible attacks.[77] We can detect the presence of the remaining 20 per cent, noting that we would seek to contain 19 per cent of those attacks, and aim to have in place the recovery mechanisms for the 1 per cent that are not prevented, detected or contained.[78] Even with this methodology in place, we must acknowledge that there may be attacks from which we cannot recover and, therefore, we also need to cater for that residual of less than 1 per cent.[79]
Functions that are needed to support protection include monitoring the information infrastructure; generating alerts if an attack is detected or anticipated; controlling the response to modify protection levels or restore service if an attack has been carried out; conducting forensic analysis (including attack patterns, attacker behaviour, damage, and so forth); and reporting to higher authority.[80]
The potential for individuals, organisations or nation-states to mount an information attack with the intent of exploiting, disrupting, or manipulating Australian Government or ADF operations is increasing, to the extent that some analysts have coined the term ‘weapons of mass effect’, because they can threaten national interests.[81] Hence, it would be prudent for the Australian Government and the ADF to develop the capabilities for discerning, deterring and defending against such threats.
The Australian Government recognises the country’s increased vulnerability to acts of cyber-terrorism and other e-security threats because of the nation’s growing dependence on the information economy. Accordingly, the Government has designed an e-security policy framework to[82]
enhance e-security awareness and practices amongst home users and the business community;
promote the security of Australia’s national information infrastructure through information sharing and collaboration with the private sector;
ensure the government’s electronic systems are appropriately secure; and
promote the security of the global information economy through international engagement.
The Australian Government has also enacted the Cybercrime Act 2001 to ‘prosecute groups who use the Internet to plan and launch cyber-attacks that could seriously interfere with the functioning of the government, financial sector and industry’.[83] The Government’s definition of cyber-attacks includes activities such as hacking, computer virus propagation and DoS attacks.
Computer Emergency Response Teams (CERTs) have been set up internationally to improve computer systems’ security. Australia has set up a team, AusCERT. This is a not-for-profit body operated by the University of Queensland. The Attorney-General’s Department also has the Australian Government Computer Emergency Readiness Team (GovCERT.au) that
develops and coordinates government policy for computer emergency preparation, preparedness, response, readiness and recovery for major national information infrastructure incidents. It also acts as a point of contact within the Australian Government for foreign governments on CERT issues, and coordinates any foreign government requests.[84]
Australia is also leading an Asia-Pacific Economic Cooperation (APEC) initiative to build CERT capacities in developing economies.
The Australian Federal Police (AFP) hosts the Australian High Tech Crime Centre, which investigates e-security incidents in public and private sector organisations. The Centre ‘performs a national coordination role for the law enforcement effort in combating serious, multi-jurisdictional crime involving complex technology’.[85]
While the Australian Government and the Australian business sector have established solid risk management guidelines and adhere to sound international risk management standards, Heinrich de Nysschen argues that:
in future a concerted effort will have to be maintained, building on current efforts, involving all stakeholders, to develop proactive and reactive IT risk management strategies. Only then could we ensure that Australian IT systems, infrastructure and assets are secure, and able to effectively mitigate the impact of potential future security incidents.[86]
Heinrich de Nysschen’s view tends to be echoed by comments in 2006 from the US Cyber Security Industry Alliance, which argued for a short list of high priorities on communications and cyber-security to be addressed very quickly.[87] First, a more aggressive research and development program to build secure information systems is needed to mitigate the risk. Of the US$1 billion science and technology budget for the US Department of Homeland Security (DHS) in 2007, only US$20 million is earmarked for cyber-security.[88] The second priority is an early-warning system, while the third is the ability to assure communications bandwidth in an emergency. The fourth priority is a plan to recover the Internet after a disaster and to cope with the interim.
[20] Thomas Homer-Dixon, ‘The Rise of Complex Terrorism’, Foreign Policy, Issue No. 128, January/February 2002, pp. 52–62.
[21] Colonel Ashley was the Chief of Plans, Policy and Resources Division in the Communications and Information Directorate of Headquarters Pacific Air Forces, Hickam Air Force Base, Hawaii.
[22] Colonel Bradley K. Ashley, US Air Force, ‘The United States is Vulnerable to Cyberterrorism’, SIGNAL, March 2004, p. 61.
[23] Ashley, ‘The United States is Vulnerable to Cyberterrorism’, SIGNAL, p. 61.
[24] Ashley, ‘The United States is Vulnerable to Cyberterrorism’, SIGNAL, pp. 62–63.
[25] Heinrich de Nysschen, ‘Homeland Security’, Image & Data Manager, May/June 2005, p. 36.
[26] US Government Accountability Office (GAO), CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705, Report to Congressional Requesters, Washington, DC, June 2007, available at <http://www.gao.gov/new.items/d07705.pdf>, accessed 4 March 2008.
[27] Homer-Dixon, ‘The Rise of Complex Terrorism’, p. 2.
[28] Homer-Dixon, ‘The Rise of Complex Terrorism’, p. 3.
[29] Homer-Dixon, ‘The Rise of Complex Terrorism’, pp. 3–4.
[30] Homer-Dixon, ‘The Rise of Complex Terrorism’, p. 4.
[31] Homer-Dixon, ‘The Rise of Complex Terrorism’, pp. 5–6.
[32] Homer-Dixon, ‘The Rise of Complex Terrorism’, p. 6.
[33] ‘Fighting the worms of mass destruction’, Economist, 27 November 2003, available at <http://www.economist.com/science/displayStory.cfm?story_id=2246018> and on the Computer Crime Center website at <http://www.crime-research.org/library/Analitic_nov1.html>, 28 November 2003, accessed 3 March 2008.
[34] Ashley, ‘The United States is Vulnerable to Cyberterrorism’, SIGNAL, p. 64.
[35] Todd Datz, ‘Out of Control’, CSO, vol. 2, no. 1, 2005, p. 28.
[36] Datz, ‘Out of Control’, CSO, p. 30.
[37] Datz, ‘Out of Control’, CSO, p. 32.
[38] Jim Saxton, opening statement before the House Armed Services Committee on Terrorism, Unconventional Threats and Capabilities; hearing on ‘Cyber Terrorism: The New Asymmetric Threat’, 24 July 2003, available at <http://www.iwar.org.uk/cip/resources/status-of-dod-ia/03-07-24saxton.htm>, accessed 3 March 2008.
[39] Saxton, opening statement at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[40] Eugene H. Spafford, testimony before the House Armed Services Committee on Terrorism, Unconventional Threats and Capabilities; hearing on ‘Cyber Terrorism: The New Asymmetric Threat’, 24 July 2003, available at <http://www.iwar.org.uk/cip/resources/status-of-dod-ia/03-07-24spafford.pdf>, accessed 3 March 2008.
[41] Spafford, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[42] This is referred to as competing ‘in Internet time’.
[43] Spafford, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[44] Spafford, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[45] Spafford, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[46] Robert F. Lentz, testimony before the House Armed Services Committee on Terrorism, Unconventional Threats and Capabilities; hearing on ‘Cyber Terrorism: The New Asymmetric Threat’, 24 July 2003, available at <http://www.iwar.org.uk/cip/resources/status-of-dod-ia/03-07-24lentz.htm>, accessed 3 March 2008.
[47] Lentz, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[48] Lentz, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[49] Lentz, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[50] Lentz, testimony at hearing on ‘Cyber Terrorism: The New Asymmetric Threat’.
[51] See Antone Gonsalves, ‘Gartner: Dependence On Internet Boosts Risks of Cyberwar’, InformationWeek, 15 January 2004, wherein he cites a report from David Fraley of Gartner which noted that nations would be able to carry out cyber-warfare by 2005, available at <http://www.informationweek.com/story/showArticle.jhtml?articleID=17301666>, accessed 3 March 2008.
[52] Antone Gonsalves, ‘Gartner: Dependence On Internet Boosts Risks of Cyberwar’, InformationWeek.
[53] Antone Gonsalves, ‘Gartner: Dependence On Internet Boosts Risks of Cyberwar’, InformationWeek.
[54] Drew Clark, ‘Computer security officials discount chances of “digital Pearl Harbor”’, National Journal’s Technology Daily, 3 June 2003, available at <http://www.govexec.com/dailyfed/0603/060303td2.htm>, accessed 3 March 2008.
[55] Clark, ‘Computer security officials discount chances of “digital Pearl Harbor”’.
[56] ‘Behind the Firewall—The Insider Threat’, 15 April 2003, ARTICLE ID: 2122. See <http://enterprisesecurity.symantec.com/article.cfm?articleid=2122&PID=14615847&EID=389>.
[57] ‘Behind the Firewall—The Insider Threat’.
[58] ‘Behind the Firewall—The Insider Threat’.
[59] Clark, ‘Computer security officials discount chances of “digital Pearl Harbor”’. I must also thank Richard Hunter for including me in the Gartner Research work of 2003.
[60] David McGlinchey, ‘Agencies, Congress urged to upgrade computer security planning’, GovExec.com, Washington DC, 17 March 2004, available at <http://www.govexec.com/dailyfed/0304/031704d1.htm>, accessed 3 March 2008.
[61] ‘Fighting the worms of mass destruction’.
[62] ‘Fighting the worms of mass destruction’.
[63] ‘Fighting the worms of mass destruction’.
[64] International Institute for Strategic Studies, International Institute for Strategic Studies (IISS) Strategic Survey 2003/4, Oxford University Press, Oxford, May 2004, p. 51.
[65] ‘Fighting the worms of mass destruction’.
[66] ‘Fighting the worms of mass destruction’. Gerhard Eschelbeck of Qualys is cited in the article.
[67] See Chris Jenkins, ‘Internet Terrorism Fears as Virus Hits’, Australian, 28 January 2004, p. 3.
[68] Jenkins, ‘Internet Terrorism Fears as Virus Hits’, Australian, 28 January 2004, p. 3.
[69] Jenkins, ‘Internet Terrorism Fears as Virus Hits’, Australian, 28 January 2004, p. 3.
[70] International Institute for Strategic Studies, IISS Strategic Survey 2003/4, p. 62.
[71] ‘Cert/CC Statistics 1998-2005’, Carnegie Mellon Software Engineering Institute, undated.
[72] ‘Fighting the worms of mass destruction’, citing Brightmail, the world’s market leader in filtering e-mails.
[73] ‘Fighting the worms of mass destruction’, citing Brightmail.
[74] ‘Fighting the worms of mass destruction’, citing Brightmail.
[75] ‘Fighting the worms of mass destruction’. Alan Nugent, the chief technologist at the software company Novell, is cited in the article.
[76] ‘Fighting the worms of mass destruction’, citing Alan Nugent.
[77] Edward Waltz, Information Warfare: Principles and Operations, Artech House Publications, Boston and London, 1998, p. 157.
[78] Waltz, Information Warfare: Principles and Operations, p. 157.
[79] Waltz, Information Warfare: Principles and Operations, p. 157.
[80] Waltz, Information Warfare: Principles and Operations, p. 160.
[81] Frank J. Cilluffo and J. Paul Nicholas, ‘Cyberstrategy 2.0’, Journal of International Security Affairs, No. 10, Spring 2006, available at <http://www.securityaffairs.org/issues/2006/10/cilluffo_nicholas.php>, accessed 3 March 2008.
[82] Department of the Prime Minister and Cabinet, Protecting Australia Against Terrorism 2006: Australia’s National Counter-Terrorism Policy and Arrangements, Department of the Prime Minister and Cabinet, Canberra, 2006, p. 60, available at <http://cipp.gmu.edu/archive/Australia_ProtectAU Terrorism_2006.pdf>, accessed 3 March 2008.
[83] Department of the Prime Minister and Cabinet, Protecting Australia Against Terrorism 2006, p. 61.
[84] Department of the Prime Minister and Cabinet, Protecting Australia Against Terrorism 2006, p. 61.
[85] Department of the Prime Minister and Cabinet, Protecting Australia Against Terrorism 2006, p. 62.
[86] Heinrich de Nysschen, ‘Homeland Security’, p. 37.
[87] Paul Kurtz, the executive director of the Cyber Security Industry Alliance, was quoted in Heather Greenfield, ‘Industry Officials Sketch Priorities for DHS Cyber Czar’, National Journal’s Technology Daily, 2 October 2006, available at <http://www.govexec.com/dailyfed/1006/100206tdpm1.htm>, accessed 3 March 2008.
[88] Heather Greenfield, ‘Industry Officials Sketch Priorities for DHS Cyber Czar’. The article cites Paul Kurtz as quoting this figure.