by Rick Lawhorn
As a CISO, I faced a daily uphill battle getting buy-in for the most basic security controls and services - so the notion of worrying about the potential risk of terrorism against my organization seemed to be the lowest priority. Interestingly, terrorism today seems to be an emerging concern in the commercial world, and many are actively pursuing methods and technology to help combat the problem. As a result, I began to research this trend to determine its drivers and its potential implications to information security.
I have been able to identify two main factors to date that play a part in the increased concern for businesses. First, governments all around the globe are spending vast amounts of money trying to track and contain Internet terrorism, and as former government security professionals land executive roles as CSOs and CISOs in the private sector, awareness and education about terrorism is increasing. Second, the news media is making Internet terrorism and targeted attacks front-page news, which impacts a much larger audience. The combination of these factors propels companies and their leadership to ask the important questions in order to determine the risk it presents, especially in critical industries like utilities and supply chains.
The Definition Problem
Understanding this threat and its impact on organizations today requires some background on how terrorism is defined. This is no easy task. Each of us has a preconceived notion of what terrorism means. I am confident that your definition differs from mine, though there are undoubtedly some common characteristics, since our definitions are shaped by our personal environment and experience. In fact, it might be impossible to arrive at a definitive answer because definitions fluctuate according to historical and geographical contexts. Some forms of terrorism are indistinguishable from crime, revolution, and war.
Even the US government is struggling with a consistent definition, as evidenced by the following chart:
State Department definition, Title 22 of the U.S. Code, Chapter 38, Section 2656f(d): premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.
FBI definition: the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.
Defense Department definition: the calculated use, or threatened use, of force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives.
United Nations definition: any act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act. (Article 2(b) of the International Convention for the Suppression of the Financing of Terrorism, May 5, 2004)
Realistically, the lack of a solid, universally accepted definition, and having to rely on intent, is the first major strike against understanding the threat. The first rule in being able to track a threat is to understand what that threat is and the characteristics that make up its profile. If we do not have this understanding up front, it will spur a great amount of activity for the least possible value in targeting Internet terrorism. With so many different definitions, and with each of them relying to some extent on the intent of the perpetrator, you can start to understand the reason behind failures in the identification and, of course, the tracking and monitoring of actual Internet terrorist activities.
The Search for Action Items
So how do we identify the threat, and what can we do to protect ourselves? Internet terrorism is really about two separate uses of the Internet, each requiring its own defensive approach.
First is the direct threat: terrorists can utilize the Internet as a vehicle to cause outages and denial of service with an overarching message to instill fear and to threaten physical harm. From an information security point of view, we can readily understand this first point since we experience this noise today on our networks. But as we know, attacks conducted against our organizations can originate from many diverse groups for different reasons. Former employees, competitors, and fraudsters all have their own reasons to electronically cause pain or reputational harm to an organization. The challenge is to know when these seemingly “innocent” attacks actually become terror. Does the act require a certain number of members, a certain political/ideological principle, or a certain level of funding to be considered terrorism? Can one person, acting alone, be considered a terrorist? These are great questions that need clear answers. Again, since the activity and characteristics are not well defined, the message today will be a hard sell for information security professionals and will get lost in the shuffle of shifting priorities. Likewise, when terrorists begin to electronically target organizations and prevent services from working, companies today would see the threat as noise since there is nothing that distinguishes them from the rest of the attack pack. The challenge is determining how to distinguish the noise that is normally experienced from actual terrorist activity.
Second is the indirect threat: terrorists’ use of technologies to build and coordinate their activities, such as recruitment, fundraising and data mining. The Internet is the perfect tool for such activity since much of it is not regulated and it offers the cloak of anonymity. These qualities help terrorist groups build membership, raise funding to further their cause, and distribute their message to a wider audience. But can this activity equate to electronic violence, or transform into physical harm? Each one of us uses the Internet for these very same purposes, minus the terrorist intent, so tracking and monitoring are quite difficult to nail down without spilling over to affect our civil liberties as a whole. The perceived harm that can be identified is the ability to organize a group with the intent of personal or physical violence. In order for an organization to keep on top of this issue, it would require vast amounts of resources and capital to infiltrate each terrorist group and monitor their progress. Such steps go way beyond what any commercial organization would do, especially since many still require basic security controls and services. A CISO requesting budget to address unpredictable and poorly defined attacks would certainly invoke some strange looks.
Here is where the government steps in on the war on Internet terror. The government has the funding and resources to concentrate on infiltrating the terrorist groups to provide the community greater insight into the problem. We know that the government’s main concern is infrastructure and self-preservation, so terrorism targeting one specific entity or business becomes secondary by default. Disclosure of the intelligence from government to private-sector entities takes a considerable amount of time, since the information has to be interpreted and correlated against other data. I have not experienced a mechanism or process that would release intelligence in a timely manner to a commercial business unless it was a matter of national security. I have participated in existing information-sharing activities such as the ISACs and have found that the actionable information delivered from the government is not timely or is too vague. In addition, membership is very expensive and the overall base is extremely low relative to the number of companies that exist. So beyond the problem of definitions, strike two against Internet terrorism is the inability, either by design or accident, to make the intelligence gathering and disclosure transparent and timely. This seems to be the greatest gap in protecting our commercial industries from Internet terrorists today. The lack of communication and fear of retaliation, coupled with the sheer expense, prevent organizations from becoming the watchdogs for their respective industries. The terrorists seem to capitalize on this shortfall and use it to their benefit.
There are many journals and white papers that clearly confirm that the Internet terrorist community is becoming increasingly sophisticated and beginning to leverage technology to protect their interests. (I find this amazing considering the lack of a fundamental definition to understand what we are monitoring, but I digress.) Online session encryption and file encryption are being used to conceal information about activity and potential targets. They are building redundant systems that have the ability to withstand constant bombardment of noise by other terrorist groups or disgruntled citizens. They are beginning to build highly dynamic services that can disappear and re-emerge at new locations quickly and easily. The content on their sites is rich with multimedia such as training movies or propaganda audio files. They even implement their own security controls to track and prevent their version of threats to their presence. As their technological sophistication continues to grow, the less insight our governments will have about their activities and potential targets. The small amount of information we could potentially access today is drying up fast. We really need to open our eyes to this problem and build better methods to keep up, or offset this threat growing into something much larger. We need to convince our governments that our society can be radically impacted by the collapse of our commercial industries as well as our critical infrastructure. Monitoring and active communication of emerging threats can further assist our industries to prepare for or prevent the attacks, given the time to react. Sure, the downside is overreacting, but given that the majority of our businesses are online, I would enjoy the ability and time to manage my reaction.
Information security professionals are limited in what we can do to offer physical and logical protection. We always have to balance the security control with the convenience factor, and no one wants to complicate any process that is supposed to generate revenue or get the revenue generators to their desks. In the physical security space, we have a few more choices in protective services that push the terrorist out further into someone else’s yard, but we are still very limited in coordinated information sharing within our respective industries. In the electronic world, we can continue to insist on the basic levels of security controls to detect and potentially prevent attacks, but it will always be perceived as Internet noise vs. terrorism until we accurately define the risk.
So let’s return to how we identify the threat and what we can do to protect ourselves. We now know that there is no consistent method to define or track Internet terrorism. We understand that the issue is extremely complex since the characteristics can change based on our environment and experience. We can now understand the government’s role in being the watchdog for our critical national infrastructure and government services, but this takes considerable resources and funding. We also know that our communication in both our local community and our global industry vertical is limited since the intelligence is not readily available to share. The message we are left with is that there is very little we can do until we define with certainty the meaning and characteristics of Internet terrorism.
- A great place to start would be to have the government develop a single definition that can be communicated to its agencies so that the right profile can be understood.
- Another key development would be to rebuild certain structures that gather intelligence to facilitate a greater level of communication to impacted industries.
With a clear definition and greater communication, we can then begin to monitor and track certain behaviors that could be potential threats with greater accuracy. Accuracy equates to a reduction in cost and resources, which can then be reinvested into greater communication and intelligence gathering. Sounds simple, but my guess is that it will take a great amount of time to achieve, if we achieve it at all. In the meantime, we are left with vague definitions, variable characteristics and a method of attack that blends in with the normal noise we see on the Internet daily.
Rick Lawhorn, CISPP, CISA, is the director of information security and compliance at PlanIT Technology Group and previously was CISO for GE Financial Assurance and Genworth Financial. He has more than 17 years of experience in information technology and an extensive information security background. He serves on several advisory boards and has created a working group focused on developing meaningful metrics for CISOs. He can be reached at firstname.lastname@example.org or on the LinkedIn network.