By Meg King, Special to CNN
Editor's note: Meg King is the national security adviser to the president and CEO of the Woodrow Wilson International Center for Scholars.
People operate computer systems that monitor power grids, nuclear power plants and air traffic control systems and do it through e-mail, company networks and government networks. People write the code that tells one computer to speak with another and to carry out various tasks from financial exchanges to changing traffic lights.
Somewhere in the mass of 1s and 0s, there is bound to be a mistake. One that a terrorist is eager to abuse.
Many information technology experts suggest that terror groups aren’t now - and might never be - capable of carrying out an act of cyberterror. It’s true that terror groups won’t be likely to craft a damaging computer virus such as the ILOVEYOU Virus (2001), The Klez (2001), Code Red Worm (2002), Blaster Virus (2004) or Conficker Worm (2008).
But recent plots and propaganda suggest that the motive exists and the know-how is growing. Cyberterror is just around the corner: It could be a physical attack on the Internet’s infrastructure, as attempted in London in 2007, that could halt important financial traffic. Or it might be an attack on a system controlling critical infrastructure – from oil refineries and nuclear plants to transportation networks. And we aren’t prepared.
Just like Inspire magazine provides how-to-guides for building bombs, countless websites – most not even related to terrorism – provide the same step-by-step instructions for “hacking” into key networks. And what’s worse, the trail is easier to hide.
Your neighborhood lone wolf terrorist, radicalized in part by messages on the Internet, can too easily purchase a so-called “exploit” – a piece of software or a sequence of commands that takes advantage of a mistake or vulnerability in a system, which can then be infiltrated to harm computer software, hardware or other electronic equipment. Or he or she could at no cost send a spear phishing e-mail and break into an entire power company’s computer system. The directions are posted anywhere you turn in the digital universe; the only trouble is that there may be too many instructions from which to choose.
We know that terror groups are interested in these sorts of attacks. The first calls to action came in 2005. In late 2011, al Qaeda urged “electronic jihad” and called for cyberattacks against the networks of government and critical infrastructure.
With time, access to computer equipment and technological sophistication only grow. There is also concern that a nefarious, highly skilled hacker will team up with whatever terror group proves to be the highest bidder. Al Qaeda in the Arabian Peninsula is certainly one option.
It’s surprising, but many Americans – even the young “digital natives” – don’t realize critical U.S. infrastructure is connected to or “faces” the Internet. Any technology, database or communications device, even with protections such as firewalls, risks being attacked at some point. The question is how many times and to what extent. Some compare our increasing reliance on information technology and its uneven layers of security to our aviation system before 9/11.
According to the Department of Homeland Security’s figures, more than 200 attacks occurred against critical infrastructure in the United States in the first half of 2013, focusing mostly on the energy sector. That’s the same number of attacks on critical infrastructure for the entire year before.
Imagine what would happen if a savvy cyberterrorist decided to shut down the electric grid powering the East Coast until certain demands are met. Are we doing what’s needed now to prevent that terrorist from penetrating the grid’s network in the first place? We’re certainly not preparing our citizens adequately for the consequences.
We will never be able to protect every sensitive system, so managing the risk of attack must be our priority.
As Congress goes into election mode for 2014, those of us deeply concerned by the cyberthreat hope a law can be passed to set standards across the board for securing networks and that reporting can become more routine and transparent. In the absence of legislation, and in addition to the President’s executive order, there are four steps the U.S. government can take to reduce the risk of catastrophic and even lower-grade cyberterror attacks.
1. Prevent: The Department of Homeland Security runs a campaign called “Stop. Think. Connect.” Its goal is to increase public awareness of cyberthreats and to help the American public be safer and more secure online. Too few people know about this effort – certainly not the older generation that interacts less regularly and more dangerously online. The profile of this effort needs to be raised to the presidential level and broadcast in public service announcements in partnership with the private sector.
2. Detect: Though we consider the Internet to be “everywhere” – mostly because of wireless connections to our smartphones and laptops – there are key “nodes” and routers that direct Internet traffic. Many are in surprisingly unsecured office buildings. This means that a tech-sophisticated attacker isn’t the only one who can threaten the Internet or do damage to important critical infrastructure. DHS, in partnership with the Federal Bureau of Investigation, should map these facilities and monitor security efforts now.
3. Respond: The relationship between government and industry on cyberissues is improving, but it’s not good enough. Plus, we still don’t have full-scale reporting of cyberincidents. Part of the problem is the sheer number. But if our government can’t analyze the full scope of attacks, it is harder to help identify new ones.
4. Recover: A frank conversation with the American public is needed. President Barack Obama spoke about the threats to critical infrastructure when he announced his executive order in January, but he didn’t call for Americans to take on the effort themselves by learning when they might be the prey of a hacker, how to better secure their personal devices – especially those that connect to office networks – and when to report security concerns.
If Americans are involved in the prevention effort, they will be in a better position for recovery in the event of an attack.