IEEE DISTRIBUTED SYSTEMS ONLINE 1541-4922 2004 Published by the IEEE Computer Society Vol. 5, No.

. 10; October 2004 Editor: Marcin Paprzycki, http://www.cs.okstate.edu/%7Emarcin/.

The Emergence of Cyber-Terrorism

Juan M. Estevez-Tapiador

Black Ice: The Invisible Threat of Cyber-Terrorism By Dan Verton 304 pages US$24.99 McGraw-Hill Osborne Media, 2003 ISBN 0-07-222787-7

The idea of cyber-terrorism has been around for more than a decade. But to what extent are terrorist groups aware of the damage they could inflict using information and communication technology? Is cyber-terrorism a serious risk or a phantom menace? In Black Ice: The Invisible Threat of Cyber-Terrorism, Dan Verton, a journalist and former intelligence officer concerned with Internet security, investigates this form of terrorism's most relevant facets. His view is indeed frightening.

The many faces of cyber-terrorism

Beyond isolated and annoying attacks on official Web sites, potential targets for a hypothetical cyber-terrorist act in the US include most of the nation's critical infrastructure, including utilities such as electricity, water, and gas facilities and their supply systems; financial services such as banks, ATMs, and trading houses; and information and
IEEE Distributed Systems Online October 2004

communication systems. Our society's reliance on these services is obvious. Perhaps less evident are their interdependence and the cheap, unprotected systems that increasingly interconnect and manage them. This situation shapes a sort of battlefield in which IT plays a major role and could act as a force multiplier for traditional terrorist acts. Verton clearly defines cyber-terrorism, which sounds like a buzzword or the stuff of Hollywood movies. Over 11 chapters and four appendices, he discusses a plethora of detailed threats and serious vulnerabilities. Verton often resorts to fictional scenarios to illustrate the possible chain of events during an attack. Many of these scenarios, which are certainly nightmarish, are based on actual exercises carried out with the aim of evaluating the potential threat. The lessons learned don't seem very hopeful. The book commences with a scenario involving a carefully orchestrated terrorist attack. Among its strongest repercussions are power outages that "last for weeks, in some areas for months," businesses and banks that lose connectivity, and a government overwhelmed by the situation and unable to properly manage the attack's effects. This is clearly an exaggeration, an arrangement of events whose existence is possible but highly improbable. Like this scenario, most of Verton's examples concern the nation's critical infrastructure. For instance, the discussion relating to infrastructure control systems connected to the Internet is scary. A successful attack on unprotected Supervisory Control and Data Acquisition systems massively used in the electric grid and gas pipelines, among other systems could cause terror on a grand scale. The same is applicable to other essential components, such as computer networks in hospitals and banks, communication systems for emergency services, and airline information systems. Verton also discusses viruses and other forms of hostile code as weapons for a cyberterrorist attack. He doesn't mention, however, that the main responsibility for such vulnerabilities belongs to major operating systems vendors and their disregard of security as an integral component of the design process. In relation to this issue, he points out another serious problem: public companies own and operate most of the nation's critical infrastructure. He says "it has been estimated that 80 percent of this infrastructure lies not in the hands of the military or government, but in private institutions." Such critical systems' security, which is entrusted to people maybe more worried about marketplace tribulations than security, ought to be somehow enforced and supervised.

IEEE Distributed Systems Online October 2004

A digital Cassandra?
I consider cyber-terrorism a real threat, but many of Verton's fictional scenarios are highly speculative and border on sensationalism. Even if he just meant them as an awareness tool, I don't find the exaggeration necessary. Furthermore, there's a controversial debate concerning not only the term cyber-terrorism, but also whether it's viable to use the Internet to launch attacks against the critical infrastructure. A significant number of security experts hold more skeptical opinions than Verton and his sources. I would have liked to see counterarguments from their viewpoints.

Conclusion
The material in Black Ice: The Invisible Threat of Cyber-Terrorism is undoubtedly the result of good research. But in my opinion, it ends up being a one-sided discussion on the question of cyber-terror. This is in essence a nontechnical book, which is definitely fun to read and accessible to the masses as well as security experts. I recommend it to everyone who aims to form an opinion about what cyber-terrorism is and the potential threat it poses. Don't forget, however, to consult other sources before being persuaded.

Juan M. Estevez-Tapiador is a researcher at the University of Granada. He is currently a visiting professor at the University Carlos III of Madrid. Contact him at tapiador@ieee.org.

IEEE Distributed Systems Online October 2004