“It’s an important trial because it will shed light on whether what happens in closed chat groups on the Internet falls under freedom of expression or whether you can penalize it if there’s proof of planned attacks,” said Carstensen.[press spokesman for Germany's criminal investigators' union (BdK) ]

Police credited Internet surveillance with playing a key role in the recent arrests while simultaneously claiming that the technical sophistication of terrorists requires better technology and less restrictions on wiretaps. In conjunction with electronic eavesdropping, Canadian authorities have been moving away from collecting evidence to use in criminal cases and have been engaging in the “disrupting” suspected groups.

However, the RCMP admit that they have never “sought greater authority to conduct monitoring and surveillance” because in Canada, law enforcement only needs Ministerial approval to engage in wholesale surveillance — not specific calls or emails but broad wholesale monitoring.

The arrests come at a time when Canad’s “Anti-Terrorism Act” is set to be renewed by Parliament. Despite the fact that many of the new powers granted law enforcement were never used law enforcement and major news media in Canada want the Act renewed.

As Gwynne Dyer points out in one of the few dissenting articles in this country the rationale behind the need for these increased powers is fundamentally flawed. The case for increased surveillance powers to protect Canadians is based on the presumption of an international terrorist network when in fact the threat is from small, isolated nodes:

Any terrorist attack on Canada is bound to be homegrown, because there is no shadowy but powerful network of international Islamist terrorists waging a war against the West. There are isolated small groups of extremists who blow things up once in a while. There are Web sites and other media through which they can exchange ideas and techniques, but there is no headquarters, no chain of command, no organization that can be defeated, dismantled, and destroyed…

The contrast between the received wisdom—that the world, or at least the West, is engaged in a titanic, unending struggle against a terrorist organisation of global reach—and the not very impressive reality is so great that most people in the West believe the official narrative rather than the evidence of their own eyes. There must be a major terrorist threat; otherwise, the government is wrong or lying, the intelligence agencies are wrong or self-serving, the media are fools or cowards, and the invasion of Iraq had nothing to do with fighting terrorism.

The expansion of increased surveillance technology and powers while decreasing the amount of oversight is a threat to the civil liberties and privacy of Canadians. The fact that fear is exploited to push these powers through is deplorable.

The government concluded its “Cyber Storm” wargame Friday, its biggest-ever exercise to test how it would respond to devastating attacks over the Internet from anti-globalization activists, underground hackers and bloggers.

mock cyberterrorism = “no impact on the real Internet”. :)

Oh, and the Internet “survived”.

TIME Magazine (pdf , local archive) then picks up the story and focuses on Shawn Carpenter, a mid-level analyst at Sandia National Laboratories, who claims to have counter-cracked the attackers and pinpointed their location to three routers in China’s Guangdong province. TIME then states the following:

TIME has obtained documents showing that since 2003, the hackers, eager to access American knowhow, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank. In one case, the hackers stole flight-planning software from the Army.

It is unclear if “the hackers” are the same alleged Chinese hackers or if this is just a summary of the many attacks on DoD and US Government systems that Lt. Col. Mike VanPutte, vice director of operations of the Joint Task Force for Global Network Operations under the U.S. Strategic Command, attributes to the increased used of downloadable attack tools, which presumably, there are security patches for. In effect, there are increased attacks (i.e. scans or attempts to use known exploits) against Internet-connected, low risk, computers.

This story is eerily familiar.

Moonlight Maze is a continuing story that surfaced in July 1999 about a secret cyber-war aimed at the Pentagon and possibly conducted by the Russians or Chinese. It first appeared in the London Sunday Times in an article by James Adams. The story relied on unnamed sources and claimed that “some of the nation’s most sensitive military secrets, including weapons guidance systems and naval intelligence codes” had been stolen. However, a story in Federal Computer Week refuted these claims by citing yet more unnamed DOD and pentagon officials as calling recent media coverage of Moonlight Maze “a combination of outright fabrications, distortions and incorrect quotations,” and that military secrets had not been compromised.

The Moonlight Maze story re-surfaced after the Sept 11 attacks. USA Today ran a story about Moonlight Maze but in this version the theft of secret data “may be the work of terrorists” or someone working with terrorists.

Titan Rain and Moonlight Maze are amazingly similar ghost stories. In effect, the same story had been told and re-told, with substituted attackers, since at least 1999. I call FUD.

(1) Websites? Hmm… thats some badass HTML :)

Cyber terrorism is a diverse set of technologies that ranges from viruses and denial-of-service attacks to posting messages, pictures and videos on websites whose purpose is to scare people.

Unfortunately, this is a description of the actions of script kiddies and pranksters not necessarily terrorists.

Experts such as Mark Pollitt and Dorothy Denning offer definitions that are similar to the FBI’s National Infrastructure Protection Center (NIPC)
proposed definition:

Cyberterrorism is a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

In general, experts agree that the scope and intensity of an attack should be significant. To qualify as cyberterrorism, an attack should not only be politically motivated but should cause extensive destruction, serious injury, death, and/or massive disruptions of essential services while generating a significant amount of fear.

If a website or virus reaches enough people and incites enough chaos, it’s a cheap, easy way to scare people on a level similar to a “real world” terrorist attack.

�Cyberterror: Prospects and Implications�, a report that focused on the capacity and capability of terrorist groups to acquire the necessary tools and expertise to launch a cyber-terrorist attack, published by the Naval Postgraduate School in Monterey California, concluded that it would take a terrorist organization 2-4 years to move beyond a basic attack constituting a �minor annoyance� and 6-10 years to develop the �ability to launch coordinated attacks against multiple systems that have sophisticated defenses in place causing serious disruptions or damage using sophisticated self-created and developed tools and techniques.�

In Gartner�s Digital Pearl Harbor simulation �[i]t was assumed that the operators would be bankrolled with at least $200 million, would have access to state-level intelligence, and take five years to plan their attacks.� (The Reg) That�s hardly cheap and easy.

The most obvious example of cyber terrorism so far has been websites devoted to westerners held hostage by terrorists in the aftermath of the war in Iraq.

The use of the Internet and computer technology by traditional terrorist organizations for organizational and logistical purposes, data collection, communications and propaganda is not cyberterrorism. Cyberterrorism is limited to instances �when the destructive nature of the �act� itself is carried out via computers�. Furthermore, �[d]elivery of the terrorist’s message via the Internet does not constitute a cyberterrorism event.� (Emphasis in orginal). Terrorists� use of the Internet does not necessarily constitute cyberterrorism.

Here’s a potential scenario. Let’s say a major city in the U.S. or Canada is hit with a terrorist attack similar to the attacks on the World Trade Center� But what if, at the same time as the physical attacks were occurring, an army of viruses with instructions to crash communication networks � emergency radio frequencies and cellphone radio towers � was deployed from elsewhere?

This exact scenario was suggested in Gartner�s DPH. For telecommunications disruption the Gartner study suggested that requirements for a successful attack include working knowledge of telecommunications systems, PHD level education, specific product knowledge of targets and insider assistance. They suggested that it would have large resource requirements and be fairly expensive. The terrorism experts present felt that the operation could not be kept quiet for the period of time necessary to plan and implement, given that they assumed up to 100 lower level operatives. Basically, the same disruption could be caused by �a satchel charge in a manhole�.

The Internet disruption team developed a 6 month scenario that would cost 50 million dollars and required experts in computer security, programming and networking. It assumed the use of insiders at various corporate/government targets and creation of a covert virtual private network through exploits in p2p apps to use for denial of service attacks. They suggested that using multiple worms/trojans/exploits they could disrupt backbone routing, disrupt DNS and cause PC�s to �blue screen�.

Given the expensive budget, high level of expertise, insider cooperation and access to state-level intelligence data disruption was possible. However, even with such resources the consensus was that �while local attacks are possible, it’s virtually impossible to bring off any lasting, nationwide horror.� (The Reg) In the end, cyberterrorism appears to be a dud.

These events will no doubt make their way into “security” literature with the addition of “what if” scenarios in which the disruption was cause by hackers or cyberterrorists rather than the unappealing reality of bugs, glitches and upgrades.

The disruption of air traffic control has been one of the long standing and often repeated attack scenarios envisioned by cyberterrorism experts who craft extravagant and fanciful scenarios in which cyberterrorists break into air traffic control computers and crash planes into one another. In Feb. 2002 former White House cyber security czar Richard Clarke suggested that air traffic control systems were vulnerable to cyber attack because they relied on the Internet. (He was, however, corrected by the Federal Aviation Administration�s chief information officer, Daniel J. Mehan, who pointed out that Air traffic control does not use the Internet.)

There is also the celebrity case of the hacker (sic) who disabled telephone service to the Federal Aviation Administration Tower at the Worcester Airport in 1997 so often used as an example of what cyberterrorists could do.

But this is not the first time the system in the UK has had problems, including an incident in which a jumbo jet and a Boeing were put on a collision course. However, “a crash was only averted when the pilots and the air traffic controller realised data on the two planes had been transposed.”

However, as proven in this case, and argued by Mark Pollitt, there is sufficient human involvement in the air traffic control process to avoid such a catastrophe. First, the computers do “do not control anything” but simply “provide an aid to the human controller”. Secondly, Pollitt states that pilots, the second human buffer in the system, are trained in “situational awareness” and routinely correct errors made by air traffic controllers. Finally, pilots and air traffic controllers are trained for bad weather and other conditions in which the air traffic control system may not be operating at all.

Now, I�m not at all suggestion that critical infrastructure systems should be lax about security. On the contrary, I�m arguing that they should be realistic about it. They should actively secure their systems against real life threats both technologically and through maintaining, what Trapped in the Net author Gene Rochlin calls, human buffering capacity. In terms of air traffic control, this means maintaining flight progress strips (FPSs), manually marked up pieces of paper with air craft information, that air traffic controllers insist on maintaining even while computerized systems are operational.

The mantra of efficiency, and threat of the “insider” have led to the rush to automate; to replace humans with technology, which in turn makes us vulnerable, which leads to the rush to electronically secure it. Critical infrastructure security requires a holistic approach that takes into account technological; security and human buffering capacity. It must also place proportionate emphasis on the true sources of insecurity and not fall victim to the tall tales of snake oil salesmen.