CYBERTERRORISM AFTER STUXNET

  • 8/10/2019 CYBERTERRORISM AFTER STUXNET

    The United States Army War College

    The United States Army War College educates and develops leaders for service at the strategic level while advancing knowledge in the global application of Landpower.

    The purpose of the United States Army War College is to produce graduates who are skilled critical thinkers and complex problem solvers. Concurrently, it is our duty to the U.S. Army to also act as a think factory for commanders and civilian leaders at the strategic level worldwide and routinely engage in discourse and debate concerning the role of ground forces in achieving national security objectives.

    The Strategic Studies Institute publishes national security and strategic research and analysis to influence policy debate and bridge the gap between military and academia.

    The Center for Strategic Leadership and Development contributes to the education of world class senior leaders, develops expert knowledge, and provides solutions to strategic Army issues affecting the national security community.

    The Peacekeeping and Stability Operations Institute provides subject matter expertise, technical review, and writing expertise to agencies that develop stability operations concepts and doctrines.

    The Senior Leader Development and Resiliency program supports the United States Army War College's lines of effort to educate strategic leaders and provide well-being education and support by developing self-awareness through leader feedback and leader resiliency.

    The School of Strategic Landpower develops strategic leaders by providing a strong foundation of wisdom grounded in mastery of the profession of arms, and by serving as a crucible for educating future leaders in the analysis, evaluation, and refinement of professional expertise in war, strategy, operations, national security, resource management, and responsible command.

    The U.S. Army Heritage and Education Center acquires, conserves, and exhibits historical materials for use to support the U.S. Army, educate an international audience, and honor Soldiers, past and present.

    The Strategic Studies Institute (SSI) is part of the U.S. Army War College and is the strategic-level study agent for issues related to national security and military strategy with emphasis on geostrategic analysis.

    The mission of SSI is to use independent analysis to conduct strategic studies that develop policy recommendations on:

    • Strategy, planning, and policy for joint and combined employment of military forces;
    • Regional strategic appraisals;
    • The nature of land warfare;
    • Matters affecting the Army's future;
    • The concepts, philosophy, and theory of strategy; and,
    • Other issues of importance to the leadership of the Army.

    Studies produced by civilian and military analysts concern topics having strategic implications for the Army, the Department of Defense, and the larger national security community.

    In addition to its studies, SSI publishes special reports on topics of special or immediate interest. These include edited proceedings of conferences and topically oriented roundtables, expanded trip reports, and quick-reaction responses to senior Army leaders.

    The Institute provides a valuable analytical capability within the Army to address strategic and other issues in support of Army participation in national security policy formulation.

    Strategic Studies Institute and U.S. Army War College Press

    CYBERTERRORISM AFTER STUXNET

    Thomas M. Chen

    June 2014

    The views expressed in this report are those of the author and do not necessarily reflect the official policy or position of the Department of the Army, the Department of Defense, or the U.S. Government. Authors of Strategic Studies Institute (SSI) and U.S. Army War College (USAWC) Press publications enjoy full academic freedom, provided they do not disclose classified information, jeopardize operations security, or misrepresent official U.S. policy. Such academic freedom empowers them to offer new and sometimes controversial perspectives in the interest of furthering debate on key issues. This report is cleared for public release; distribution is unlimited.

    *****

    This publication is subject to Title 17, United States Code, Sections 101 and 105. It is in the public domain and may not be copyrighted.

    *****

    Comments pertaining to this report are invited and should be forwarded to: Director, Strategic Studies Institute and U.S. Army War College Press, U.S. Army War College, 47 Ashburn Drive, Carlisle, PA 17013-5010.

    *****

    This manuscript was funded by the U.S. Army War College External Research Associates Program. Information on this program is available on our website, www.StrategicStudiesInstitute.army.mil, at the Opportunities tab.

    *****

    All Strategic Studies Institute (SSI) and U.S. Army War College (USAWC) Press publications may be downloaded free of charge from the SSI website. Hard copies of this report may also be obtained free of charge while supplies last by placing an order on the SSI website. SSI publications may be quoted or reprinted in part or in full with permission and appropriate credit given to the U.S. Army Strategic Studies Institute and U.S. Army War College Press, U.S. Army War College, Carlisle, PA. Contact SSI by visiting our website at the following address: www.StrategicStudiesInstitute.army.mil.

    *****

    The Strategic Studies Institute and U.S. Army War College Press publishes a monthly email newsletter to update the national security community on the research of our analysts, recent and forthcoming publications, and upcoming conferences sponsored by the Institute. Each newsletter also provides a strategic commentary by one of our research analysts. If you are interested in receiving this newsletter, please subscribe on the SSI website at www.StrategicStudiesInstitute.army.mil/newsletter.

    ISBN 1-58487-627-1

    FOREWORD

    Public government statements have cited cyberattacks by terrorists as a major concern for national security. To date, no large-scale cyber-terrorist attack has been observed, but terrorists are known to be using the Internet for various routine purposes. The discovery of Stuxnet in 2010 was a milestone in the arena of cybersecurity because, although a malware attack on industrial control systems was long believed to be theoretically possible, it was different to see malware used in reality to cause real physical damage. Stuxnet demonstrated that a sufficiently determined adversary with sufficient resources might be able to damage U.S. critical infrastructure physically through a cyber attack. Did Stuxnet change the threat of cyberterrorism?

    This monograph examines cyberterrorism before and after Stuxnet by addressing three questions: 1) Motive: Are terrorists interested in launching cyberattacks against U.S. critical infrastructures? 2) Means: Are terrorists building capabilities and skills for cyberattacks? and, 3) Opportunity: How vulnerable are U.S. critical infrastructures? Answers to these questions give a characterization of the post-Stuxnet cyberterrorism threat. The next question is why a major cyber-terrorist attack has not happened yet; this is explained from a cost-benefit perspective. Although cyberterrorism may not be an imminent threat, there are reasons to be concerned about the long-term threat and inevitability of cyberattacks.

    It is important to assess frequently the threat landscape and current government policies for enhancing the protection of national infrastructures.

    Therefore, the Strategic Studies Institute commends this monograph to its readers.

    DOUGLAS C. LOVELACE, JR.
    Director
    Strategic Studies Institute and U.S. Army War College Press

    ABOUT THE AUTHOR

    THOMAS M. CHEN is a professor of cybersecurity in the School of Engineering and Mathematical Sciences at City University London, United Kingdom (UK). He was formerly a Professor in Networks in the College of Engineering at Swansea University, UK. Prior to joining Swansea University, he was an Associate Professor in electrical engineering at Southern Methodist University, Dallas, Texas, and a senior member of technical staff at GTE R&D Laboratories (now Verizon Labs), Waltham, Massachusetts. He has 22 years of research experience in academia and industry. Dr. Chen has published widely on issues related to Internet security. His work has been supported by government agencies, such as the National Science Foundation and Department of Homeland Security, and various companies including Nortel Networks, Alcatel, and Sprint. He regularly collaborates with researchers in major security companies. Recently he has been involved in an interdisciplinary research project in cyberterrorism with colleagues in Law and Political Science at Swansea University. Dr. Chen holds B.S. and M.S. degrees from Massachusetts Institute of Technology, and a Ph.D. in electrical engineering from University of California, Berkeley.

    SUMMARY

    Terrorists are known to use the Internet for communications, planning, recruitment, propaganda, and reconnaissance. They have shown interest in carrying out cyberattacks on U.S. critical infrastructures, although no such serious attacks are known publicly to have occurred. The discovery of the Stuxnet malware in July 2010, and its analysis over the next several months, was widely believed to have been a landmark event in cybersecurity, because it showed that cyberattacks against industrial control systems, hypothesized for a long time, are actually possible. After Stuxnet, there were public concerns that terrorists might be encouraged to acquire capabilities for similar cyberattacks.

    This monograph examines cyberterrorism before and after Stuxnet by addressing questions of:

    1. Motive: Are terrorists interested in launching cyberattacks against U.S. critical infrastructures?
    2. Means: Are terrorists building capabilities and skills for cyberattacks?
    3. Opportunity: How vulnerable are U.S. critical infrastructures?

    It is noted that no serious cyberterrorism attacks have occurred after Stuxnet. This can be explained from a cost-benefit perspective that has not changed since Stuxnet. It can be argued that U.S. policies can really address vulnerabilities only by strengthening defenses of critical infrastructures.

    CYBERTERRORISM AFTER STUXNET

    INTRODUCTION

    There have been widely publicized government concerns that terrorists might be turning to cyberattacks. For instance, Federal Bureau of Investigation (FBI) Director Robert Mueller testified to a Senate Appropriations Subcommittee in March 2012 that "while to date terrorists have not used the Internet to launch a full-scale cyber attack, we cannot underestimate their intent. . . . (terrorists are) using cyberspace to conduct operations."1 Cited examples of terrorist cybersavvy included al-Qaeda in the Arabian Peninsula, which publishes an online magazine entitled Inspire, and the use of Twitter by the Somali group Al-Shabaab.

    The prospect of cyberterrorism is understandably troubling, because of the wide range of possible targets and attack vectors, which would be challenging in terms of defense. In theory, terrorists of sufficient skills might be able to attack the power grid, air traffic, public transport, financial networks, communication networks, emergency response, utilities, manufacturing plants, or military networks. Possible cyberattacks could range from blatant distributed denial of service (DDoS) or sabotage, to more stealthy attacks for data theft or remote control.

    According to Gabriel Weimann, "psychological, political, and economic forces have combined to promote the fear of cyber terrorism."2 The concept combines two modern psychological fears: the fear of random violence and the fear of computer technology. Also, cyberterrorism has been caught up in the U.S. political aftermath of September 11, 2001 (9/11), when more terrorist attacks seemed to be a distinct possibility, and the United States felt vulnerable. The prospect of cyberattacks causing catastrophic damage from a remote computer seemed like the ultimate threat, perhaps hyped beyond the actual threat level. Weimann states that a threat is real but must be assessed realistically without overdue emotional influences.

    The first obstacle in assessing cyberterrorism is the various definitions that have been proposed. No single definition has been universally accepted (just as a common definition of terrorism has been elusive). The term might be traced back originally to Barry Collin,3 who noted that physical infrastructures increasingly are controlled by computers, and that dependence on computer networks increased our vulnerability to cyberattacks. Examples of potential targets for cyberattacks included: financial systems to disrupt stock exchanges; air-traffic control to crash aircraft; pressure valves in gas lines to cause explosions; and computer controls at pharmacies or food processing plants to poison the population. Like traditional terrorist acts, cyberterrorism exhibits scale (mass destruction) and publicity. Collin postulated that cyberattacks would appeal logically to terrorists for their relative ease and safety. At the same time, Collin predicted that cyberterrorism would create new challenges to counter terrorism because of the need to acquire cyber expertise and eliminate vulnerabilities in critical infrastructures.

    Professor Dorothy Denning offered a definition of cyberterrorism in testimony before the House Armed Services Committee in May 2000 that has been widely cited:

    Cyberterrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.4

    A more concise definition is "politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage."5 This definition consists of three parts: 1) politically driven intention; 2) serious effects; and, 3) computer networks as the means. This meaning shares commonalities with the U.S. Department of State definition of terrorism in Title 22 of the U.S. Code, Section 2656f(d): "Premeditated politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience."6

    Generally, Denning's definition of cyberterrorism is the one used here. Definitions are problematic, because complicated scenarios could be imagined. For example, a physical attack on computers controlling critical infrastructures could cause serious harm; in this case, computers are the target but not the means. Also, terrorists use computer networks for recruiting, planning, communications, and target reconnaissance. These are routine activities that most people use the Internet for, but might be argued to be cyberterrorism in the sense of cyber activities supporting terrorism.

    Aside from the problem of definition, there is the practical problem of determining whether a particular cyberattack qualifies as cyberterrorism.7 First, attribution of cyberattacks to the real attacker is difficult and often impossible. Attackers can compromise other computers to use as intermediaries, or channel through anonymizing proxies that hide their Internet protocol (IP) address. Second, the complete effects of an attack might be concealed, e.g., if stealthy malware has been installed without detection. Third, even if attribution is solved, there is another problem: determining the intent of the attacker. For instance, it would be difficult to determine if a hacking group is acting for its own gain or was hired by another party.

    Aside from definitions, the cyberterrorism literature has addressed mostly: 1) how terrorists use the Internet for propaganda, recruiting, fund raising, intelligence gathering, and planning; 2) vulnerabilities in critical infrastructures, providing opportunities for cyberattacks; and, 3) whether cyberterrorism is a real threat. Most of the literature understandably predates Stuxnet, since the discovery of Stuxnet was relatively recent. Stuxnet vividly demonstrated to the world that industrial systems can be sabotaged physically by malware, a threat long believed to be possible by the cybersecurity community but not actually observed. The literature has not really explored whether Stuxnet had any effect on cyberterrorism.

    This monograph examines cyberterrorism before and after Stuxnet by addressing these questions: 1) Motive: Are terrorists interested in launching cyberattacks against U.S. critical infrastructures? 2) Means: Are terrorists building capabilities and skills for cyberattacks? and, 3) Opportunity: How vulnerable are U.S. critical infrastructures? It is noted that no serious cyberterrorism attacks have occurred after Stuxnet; this can be explained from a cost-benefit perspective, which has not changed since Stuxnet. In that sense, cyberterrorist attacks do not seem to be imminent, although Stuxnet has implications for the cost-benefit weights of potential future attacks. It can be argued that U.S. policies can really address only the opportunities for terrorism (but not motive or means) by strengthening the defenses of critical infrastructures.

    STUXNET

    Stuxnet was a milestone in the field of cyber security. Although experts had long believed that a malware attack on industrial control systems was possible, it was different to see it used in reality as a surgical strike against an enemy's infrastructure. Stuxnet revealed the level of sophistication required for a weaponized malware.

    Because of the unusual size and sophistication of Stuxnet, discovered in June 2010, it took a team of antivirus companies several months to diagnose its functions fully. Today, Stuxnet is well understood8 and documented9 but still surprising in the level of effort invested by the terrorists and its technical sophistication. The description of Stuxnet here is summarized from the literature.

    Stuxnet stood out from typical malware due to its large size (around 500 kilobytes [kb]) and complexity. It was unusual in that it used two stolen digital certificates and multiple zero-day exploits. As zero-day exploits are valuable, typical malware usually contains at most one zero-day (or often none, as reused known exploits can still be effective against unpatched targets). The level of investment suggests that the target was considered very valuable, but it took months to analyze the payload and ascertain the probable target.

    Methods of Spreading.

    The initial infection vector was suspected to be a removable drive because the target network was not connected to the Internet. Once a personal computer (PC) has been infected, Stuxnet uses various means to spread through local networks to other PCs:

    • Stuxnet detects the presence of removable drives (probably a universal serial bus [USB] flash) and installs several files for infecting a Windows PC, exploiting a vulnerability in the processing of shortcuts and .lnk files (MS10-046). When the infected drive is opened in a PC, Stuxnet's binaries will be executed.
    • Stuxnet exploits a vulnerability in the Windows Print Spooler service to spread by sending a malicious print request to a target PC over a remote procedure call (RPC).
    • Stuxnet exploits an old vulnerability in Windows Server Service (MS08-067) which does not properly handle specially crafted RPC requests.
    • Stuxnet spreads to other PCs through network shares.
    • Stuxnet takes advantage of a hard-coded default password in Siemens Simatic WinCC software (CVE-2010-2772). The password allows privileged access to a back-end WinCC database. Once connected to the database, Stuxnet injects a copy of itself into the database, thereby infecting the PC running the WinCC database.

    Target.

    While Stuxnet is capable of spreading more aggressively, it is interested only in Windows PCs running Simatic Step 7 software, because the ultimate target was a Siemens Simatic S7 PLC (programmable logic controller). Stuxnet contains code to test that the target is correct. Also, the analysis of the payload pointed to a Siemens Simatic S7 PLC target. PLCs are specialized computers used widely to control various types of industrial equipment found in factories, assembly lines, manufacturing plants, and critical infrastructures.10 Like PCs, PLCs are programmable for flexibility but differ in a few important respects: they are for more rugged environments and for specific real-time applications; they are not connected to the Internet or wide-area networks; and, they are typically equipped with more elaborate input/output interfaces than PCs. PLCs are commonly connected to a programming device, usually a regular PC, and disconnected after a program is loaded.

    Stuxnet is interested only in Siemens Simatic S7 PLCs, which are programmed by Windows PCs running Simatic Step 7 software.11 After Stuxnet infects a PC running Simatic Step 7, Stuxnet will then load its own malicious blocks into a connected Simatic S7 PLC. The malicious blocks are capable of hiding their presence from the human operator. Stuxnet also checks the type of central processing unit (CPU) in the PLC, the presence of Profibus (a standard industrial network bus), and the presence of at least 33 frequency converter drives made by Fararo Paya (Iran) or Vacon (Finland). The reason is that the payload evidently is aimed at affecting these specific frequency converter drives. The creators of Stuxnet had knowledge that the intended target PLCs would have these frequency converter drives.

    Payload.

    Stuxnet chooses one of three infection sequences for delivering the payload, depending on the configuration of the Siemens Simatic S7 PLC. In actuality, the first two sequences are similar, while the third sequence is disabled; hence, there is essentially one infection sequence and one payload. The payload gives Stuxnet the capability to modify data to and from the connected frequency converter drives. By modifying the data, Stuxnet can alter the operating frequencies of the drives to make them fail over time. According to later reports, the target was Iran's Natanz uranium enrichment plant; the sabotage was deliberately subtle so that the human operators would be mystified about the cause.12

    According to the control systems security firm Langner Communications, the payload in Stuxnet also attempts to disrupt turbine control systems. If this theory is valid, it would suggest that Stuxnet could have been created for Iran's Bushehr nuclear power plant as well as the Natanz uranium-enrichment plant. The payload modules aimed at the turbine control systems at Bushehr appear to carry out a man-in-the-middle attack in order to pass fake input and output values to the genuine plant control code, presumably to disrupt the turbine control systems.

    Significance and Implication.

    Most malware is intended for computer systems (e.g., stealing data, establishing backdoors), but Stuxnet was clearly designed for real-world damage (sabotage) of industrial control systems. Moreover, it was crafted deliberately to deliver a payload to a specific high-value target. Stuxnet is too specific to worry about its reuse by terrorists. Even if terrorists acquired a copy of the source code, it would take an enormous amount of effort to re-engineer a different payload. Most likely different exploits would be needed because the exploits used by Stuxnet have mostly been patched since its discovery.

    More worrisome is that Stuxnet demonstrates that a sufficiently determined adversary with sufficient resources might be able to damage U.S. critical infrastructure physically through a cyberattack. The level of effort to create Stuxnet has been estimated to cost millions of dollars, so the required resources would be very substantial. However, that cost is not beyond the budget of large terrorist organizations. Terrorists do not have to invest in creating their own custom-built malware, but eventually will be able to buy attack tools from criminal organizations or friendly nations. Stuxnet has gotten the attention of the world by promoting an arms race to develop offensive (and defensive) cybercapabilities among nations and the underground.

    In summary, Stuxnet changed a theoretical hypothesis into reality; terrorists now know that cyberattacks are not limited to computers, and investment in cyberattacks can actually pay off in real-world breaking things and killing people. There is more likely to be a long-term effect than a short-term one. The following sections ask if Stuxnet has had an effect in terms of motive, means, and opportunity for terrorists.

    TERRORIST MOTIVES AND INTEREST IN CYBER ATTACKS

    There are many logical reasons to expect terrorists to be interested in cyberterrorism.13 First, consider their motivations. Their main aim is clearly to gain visibility and influence by creating fear through breaking things and killing people.14 Lesser goals are to maintain their operations and carry out their activities, e.g., fund raising, planning, recruitment, and intelligence gathering. The cyber domain offers several benefits to achieve those aims:

    • Anonymous communications with other terrorists;
    • Personal safety compared to physical attacks (e.g., bombs, suicide missions);
    • Easy access to online data about potential targets;
    • Low cost (PC or smart phone);
    • Availability of abundance of cyber attack tools;
    • Low skill entry: many attack tools are automated, needing little expertise;
    • Remote access to vulnerable targets;
    • Reachability to any network-connected target;
    • Connection to a worldwide audience for propaganda;
    • Asymmetry: small terrorist groups can carry out large-scale attacks.

    Terrorist Uses of the Internet.

    It has been well documented that terrorists are knowledgeable about computers and use the Internet regularly for various activities supporting terrorism, such as propaganda, recruiting, communications, planning, and intelligence gathering.15 A recent United Nations (UN) Office on Drugs and Crime report16 found that terrorists use the Internet to:

    • Spread propaganda related to instruction, explanations, justifications, or promotion of terrorist activities;
    • Incite violence;
    • Recruit and radicalize individuals;
    • Raise funds through direct solicitation, e-commerce, the exploitation of online payment tools, and through charitable organizations;
    • Train followers for combat tactics, the use of explosives and of weapons;
    • Plan and coordinate attacks, often involving covert communication among several parties.

    Internet usage has increased with changes in terrorist organizations. In the past, terrorist groups have been mostly hierarchical, which is a more effective structure for carrying out tasks and missions. More recently, terrorist groups such as al-Qaeda and Hamas have been organized as loosely interconnected, semi-independent cells without a single commanding hierarchy, for resilience against disruption or capture. The Internet is vital for facilitating communications and coordination among loosely interconnected groups.

    Denning pointed out that it is not simply that terrorists are using the Internet, but more significantly, that the Internet has transformed the current practice of terrorism.17 For instance, most terrorist groups now have a Web presence. Al-Qaeda has been using the Web since the late-1990s, initially through the website, alneda.com. Today al-Qaeda has thousands of websites. Jihadist websites are used to distribute a wide variety of materials such as the writings and recordings of Osama bin Laden, Ayman al-Zawahiri, and other al-Qaeda leaders; videos of bombings and other terrorist acts; fatwas (religious edicts); electronic magazines; training manuals and videos; news reports; calls to join the jihad; and software tools. Al-Qaeda's online training materials have evidently been useful for planning attacks. Reportedly, the principal architect of the 9/11 attacks, Khalid Shaikh Mohammed, trained high-level al-Qaeda operatives in the use of encryption (terrorists have been captured with encrypted files on their computers).

    Besides the Web, terrorists have established groups on social networking sites. Marc Sageman (author of Leaderless Jihad) has noted that websites are used primarily for distributing materials and propaganda, but it is through interactive forums and chat rooms that relationships are built and personal bonding takes place. Individuals are drawn online with little risk or cost, from anywhere in the world. They can support terrorism without necessarily having to acquire or handle explosives or anything directly harmful to people.

    In November 2003, the Saudi-owned London daily Al-Shrq al-Awsat reported that al-Qaeda had opened a virtual university on the Internet called al-Qaeda University for Jihad Sciences. It includes colleges for technologies related to explosive devices and to electronic and media jihad.

    Interest in Cyberattacks.

    Terrorists have been active online but not at a level of sophistication comparable to that of Stuxnet. Perhaps one of the first reported incidents was in 1997. A group called Internet Black Tigers, aligned with the Liberation Tigers of Tamil Eelam (LTTE), claimed responsibility for suicide email bombings against Sri Lankan embassies over a 2-week period. The cyberattacks consisted of disk-operating systems and Web defacements.

    Many forums have sprung up to distribute manuals and tools for hacking, and to promote and coordinate cyberattacks (sometimes called "electronic jihad"). Sites such as 7hj.7hj.com teach surfers the art of computer attacks and train individuals in hacking skills to serve Islam. A 2006 report by the Jamestown Foundation reported that most radical jihadi forums devote an entire section to hacking.18 For example, it reported that the al-Ghorabaa site published information about how to penetrate computer devices and intranet servers and steal passwords,19 including a 344-page book on hacking techniques.20

    Al-Qaeda has long supported electronic jihad, particularly as a means of disrupting the U.S. economy. While truck bombs could accomplish a great deal of physical damage, there would not be much damage to the U.S. economy. On the other hand, a cyberattack might have a chance to take down the entire financial services network. Muhammad bin Ahmad as-Salim, in a book entitled 39 Ways to Serve and Participate in Jihad, encourages the use of electronic jihad as one of the ways to support al-Qaeda. In another book entitled al-Zarqawi: al-Qaeda's Second Generation, journalist Fouad Hussein describes a seven-phase war by al-Qaeda in which the organization plans to take over the world and turn it into an Islamic state.21

    Phase 1 consisted of raising the consciousness of Muslims worldwide after the 9/11 attacks. Phase 4, spanning 2010 to 2013, included cyberterrorism to damage the U.S. economy.

    After 9/11, Osama bin Laden was quoted by the Pakistani newspaper Ausaf as saying:

    Hundreds of young men had pledged to him that they were ready to die and that hundreds of Muslim scientists were with him and who would use their knowledge in chemistry, biology and ranging from computers to electronics against the infidels.22

    This suggested that bin Laden had some capabilities of launching cyberattacks. Al-Qaeda prisoners have told interrogators about their intent to use cyberattack tools, and captured al-Qaeda computers have been found to contain schematics and software for simulating catastrophic scenarios of a dam.23 Al-Qaeda computers have also reportedly contained evidence of surveillance of nuclear power plants, dams, and other critical infrastructures.24 Lamar Smith, a Representative from Texas, reported that Congress has been briefed on al-Qaeda operatives probing the electronic infrastructure in search of ways to disrupt or disable power, phones, and water supplies. Smith claimed, "There is a 50 percent chance that the next time al Qaeda terrorists strike the United States, their attack will include a cyberattack."25

    Has Stuxnet increased terrorist interest in cyberattacks on U.S. critical infrastructure? In late 2010, the popular Al-Shamukh jihadist forum called for attacks on industrial control systems, noting the success of Stuxnet. The forum posted a broad overview of supervisory control and data acquisition (SCADA) systems, but not information on how to attack them. Congressional testimony after Stuxnet raised concerns about the damage caused by a potential Stuxnet-like attack, but no testimony warned of any imminent attack or change in the capabilities of terrorists.26 Thus, it seems that Stuxnet might have raised awareness but did not significantly change the intent or interest of terrorists.

    TERRORIST CAPABILITIES

    Having established that terrorists are interested in cyberattacks, the next question is whether terrorists are building up capabilities and skills for such cyberattacks. There seems little doubt about their intentions, although their skill levels currently are not nearly comparable to the level of Stuxnet. In March 2010 testimony, FBI Director Mueller stated:

    We in the FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real, and it is rapidly expanding. Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyber attacks.27

    It is true that a multitude of easy-to-use software attack tools are readily available at no or low cost. For a small investment, attacks such as DDoS can be waged with serious and costly impact. It is also true that Islamic fundamentalist organizations such as Hamas, al-Qaeda, Algeria's Armed Islamic Group, Hezbollah, and the Egyptian Islamic Group are known to be versed in information technology. However, the type of attacks that are possible with low-cost tools do not yet rise anywhere near the level of "breaking things and killing people." It is very unlikely that any terrorist organization such as al-Qaeda will be able to deploy a cyberattack with the sophistication of Stuxnet. Stuxnet was developed by military expert programmers with detailed knowledge about their targets. It would take enormous time and human resources to develop that level of sophisticated skills.

    Although terrorists might turn to the underground to hire hackers with sufficient skills, Giampiero Giacomello has argued that this approach is unlikely, because it would be far more costly than traditional physical attacks that terrorists have used more or less successfully in the past.28

    In addition to IT skills, an important element of major cyberattacks is zero-day exploits (as used in Stuxnet), because no patch is available to defend against them. There is a thriving market for zero-day exploits, and it might be assumed that terrorists might be able to buy them easily as needed. However, there is also competition. At the recent Black Hat conference, representatives from the U.S. military and intelligence community were among the thousands of attendees to learn about vulnerabilities and buy exploits and software tools, among other things. Many of the companies involved in discovering vulnerabilities and creating exploits are in Western countries unfriendly to terrorists, so terrorists may find it very difficult to acquire zero-day exploits.

    Denning described a model for assessing cyberterror capability that consisted of three levels:29

    1. Simple-unstructured: the capability to conduct basic hacks against individual systems using tools created by someone else. The organization has little target analysis, command and control, or learning capability.

    2. Advanced-structured: the capability to conduct more sophisticated attacks against multiple systems or networks and possibly to modify or create basic hacking tools. The organization possesses an elementary target analysis, command and control, and learning capability.

    around the world develop cyber weapons, it will become easier for terrorists over time to acquire attack tools from friendly nations.

    • New for-hire hacker groups (or cyber mercenaries) are emerging to profit from working for clients. For example, security firm Symantec reported on a for-hire group of 50-100 hackers called Hidden Lynx.30 The group is suspected of penetrating more than 100 organizations around the world since 2009, including U.S. defense contractors, investment banks, and security companies. It is suspected of compromising security firm Bit9 in 2012, a company that sells an application whitelisting service to other companies. By stealing the cryptographic keys for the Bit9 service, the hacker group was able to compromise other companies depending on that service, including military contracting firms. A smaller for-hire group called Icefog was reported by Kaspersky Labs.31 This group of 6-10 hackers seems to specialize in surgical hit-and-run attacks on the supply chain, using custom-made attack tools.

    VULNERABILITIES IN U.S. CRITICAL INFRASTRUCTURES

    It is well known that about 90 percent of U.S. critical infrastructure is privately owned, consisting of a wide variety of custom-built equipment, though the sector is moving toward more common, off-the-shelf systems. Cybersecurity tends to be a low priority for system administrators, and systems are difficult to patch. Consequently, many vulnerabilities continue to exist. Often, a mixture of private and public networks is used. Although the risks of public networks are well-known, private networks can also be equally vulnerable to intrusions, though owners tend to believe they are safer because they are not connected to public networks.

    The number of vulnerabilities appears to be increasing rapidly. A recent vulnerability report by NSS Labs stated that SCADA/industrial control systems (ICS) vulnerability disclosures increased from 72 in 2011 to 124 in 2012; the count represents a 600 percent increase from 2010.32 The 124 vulnerabilities affect the products of 49 vendors.

    Another vulnerability is the complexity and high connectedness of systems, which increases the risk of cascade failures (seen in past incidents with the power grid). The government states:

    This vast and diverse aggregation of highly interconnected assets, systems, and networks may also present an attractive array of targets to domestic and international terrorists and magnify greatly the potential for cascading failure in the wake of catastrophic natural or manmade disasters.33

    Electric systems, as an example, are not designed to withstand or recover quickly from damage inflicted simultaneously on multiple components. A well-planned, coordinated attack could take down portions of the electric power system for a long time.

    Although vulnerabilities exist, intruders need expertise to be successful, and chances are that only a small number of people have the necessary expertise for a given control system, which is often proprietary or customized. Although not many attacks on critical infrastructures have been publicized, attacks have been known to happen. In August 2012, Saudi Arabia's state oil company, Saudi Aramco, saw more than 30,000 systems infected by a malware attack. Critical functions like oil production were unaffected, but basic oil operations were taken down. Shortly after, Qatar's liquified natural gas company, RasGas, suffered a malware attack that had the same modus operandi.

    Cyberattacks might become easier, given the recent invention of the SHODAN search engine by John Matherly. SHODAN is a search engine that finds specific types of computers (routers, servers, etc.) using a variety of filters on service banners. SHODAN crawls the Internet for publicly accessible devices, concentrating on SCADA systems. Cybersecurity researchers use SHODAN to search for vulnerable SCADA systems. A student, Eireann Leverett, has used SHODAN to demonstrate he could find 10,000 ICS connected to the public Internet. These included water and sewage plants, which were easy to compromise due to weak security.34

    WHY NOT A MAJOR CYBERATTACK

    Having established motive, means, and opportunity for terrorists, the natural question is why a major cyberattack has not happened yet. It seems that al-Qaeda and other terrorist groups still prefer bombs and physical attacks, even after Stuxnet.35 In the absence of an attack, a case could be argued that cyberterrorism is more of a hypothetical threat than a real one.36 However, there is debate about whether an actual cyberattack by terrorists has happened.37 Although no major attacks have occurred according to the public record, some observers have speculated that attacks have happened but have been kept confidential so as not to disclose weaknesses in the national infrastructure.

    In 2007, Denning postulated three indicators that could precede a successful cyberterrorism attack:38

    1. Failed cyberattacks against critical infrastructures, such as ICS. Unlike the case with the professionally developed Stuxnet, Denning expected that the first cyberterrorist attack would likely be unsuccessful, considering that even terrorist kinetic attacks frequently fail.

    2. Research and training labs, where terrorists simulate their cyberattacks against targets, test attack tools, and train people. Israel reportedly had centrifuges at its Dimona complex to test Stuxnet on.

    3. Extensive discussions and planning relating to attacks against critical infrastructures, not just websites.

    So far, none of these indicators has been observed, which would imply that terrorists are not trying hard to prepare for cyberattacks.

    Conway has argued against the likelihood of cyberterrorism in the near future.39 Her argument consists of these reasons:

    • Violent jihadis' IT knowledge is not superior.

    • Real-world attacks are difficult enough.

    • Hiring hackers would compromise operational security.

    • For a true terrorist event, spectacular moving images are crucial.

    • Terrorists will not favor a cyberattack with the potential to be hidden, portrayed as an accident, or otherwise remaining unknown.

    Perhaps the most straightforward explanation of the lack of observed cyberattacks is the cost-benefit argument put forth by Giacomello.40 He compared the costs of traditional physical terrorist attacks with cyberattacks of the "break things and kill people" type. Specifically, Giacomello estimated the costs of three cyberterrorism scenarios aimed at the power grid; a hydroelectric dam; and an air traffic control system. If the power grid was viewed as an unlikely target, fatalities will be indirect or accidental. For a hydroelectric dam, the cost is based on a historical incident of an insider sabotaging the controls at the dam. Somewhat arbitrarily, the estimate assumed two proficient hackers with supporting personnel, totaling up to $1.3 million. For an air traffic control system, a higher number of skilled hackers are needed to compromise the system, prevent the air controllers from detecting and responding to the intrusion, and defeat built-in safety mechanisms. Again, it is not explicitly stated, but a year of work seems to be assumed, since the total is based on a year's salary. The resulting estimated cost was up to $3 million.

    For comparison, Giacomello pointed out that the World Trade Center bomb cost only $400 to build, yet, it injured 1,000 people and caused $550 million of physical damages. The March 2004 attacks in Madrid, exploding 10 simultaneous bombs on four commuter trains using mining explosives and cellphones, cost about $10,000 to carry out. The 9/11 Commission Report stated that the 9/11 attacks cost between $400,000 and $500,000 to plan and execute.41

    An examination of these comparative costs makes it clear that bombs are a much cheaper approach than cyberattacks by orders of magnitude. Stuxnet, estimated to have cost millions of dollars, does not change the cost-benefit comparison. At the present time and in the near future, cyberattacks of the "break things and kill people" type require an enormous amount of effort by highly skilled experts. In contrast, bombs can be made cheaply and deployed without skilled effort. In addition, physical attacks are appealing because of the higher certainty of success.

    This argument points to two fallacies in popular thinking. First, there is sometimes a misconception about the cost of cyberattacks. For example, Weimann stated that cyberterrorism would be attractive because cyberattacks require only a PC and Internet connection. This is true for simple attacks, but terrorists would aim for more sophisticated attacks requiring a high level of skill. Second, there was concern that Stuxnet could fall into the hands of terrorists, who would then use it against the United States. Clearly, by now, Stuxnet would no longer be effective after the world had seen its set of exploits. Although terrorists could modify Stuxnet for their own purposes, it is a high-precision weapon designed for a specific target. Terrorists would need to replace at least its payload and exploits, which would require a high level of expertise and time and still have an uncertain chance of success.

    However, the cost-benefit argument does not completely rule out the possibility of cyberattacks as a means to complement physical attacks. In that case, the cyberattacks could be much more modest, not necessarily of the "break things and kill people" type. For instance, a cyberattack that takes down a communication network or emergency system during a crisis caused by a physical attack could be very effective in amplifying the total impact.

    In addition, it is quite possible that development costs for Stuxnet-like malware could decrease in the future (as is usually the case with software and hardware). If that happens, the cost-benefit argument could predict a point in the future when cyberattacks become attractive for terrorists.

    CONCLUSIONS AND RECOMMENDATIONS

    Previous sections have examined motive, means, and opportunity for cyberterrorism. Our findings can be summarized as:

    • Terrorists are familiar with IT technologies and depend on the Internet for many common activities, similar to most people.

    • Terrorists are interested in cyberattacks but not at a high level of sophistication yet.

    • Terrorists have not built up a high level of cyber skills or capabilities (e.g., acquiring zero-day exploits) yet.

    • Instead of developing their own capabilities, terrorists might seek help from friendly nations or for-hire hackers.

    • Vulnerabilities existing in national infrastructures present opportunities for cyberattacks but require a high level of expertise to exploit.

    • The absence of cyberterrorist attacks might be explained most simply by a cost-benefit argument that physical attacks are orders of magnitude less costly than cyberattacks.

    • Stuxnet has not seemed to have changed significantly the motive, means, or opportunity. And, despite concerns by some, it has not changed the cost-benefit trade-off either.

    The last point implies that even after Stuxnet, terrorists still face a considerable cost barrier to carrying out large-scale cyberattacks. Therefore, such cyberattacks are probably unlikely in the near future. However, Stuxnet does have long-term implications, because the world has started on a cyberarms race. In the long term, there is likely to be a proliferation of major cyber weapons, which might fall into the hands of terrorists.

    There seems little that can be done to change motive for terrorists. Some have proposed the idea of deterrence, but it is questionable whether deterrence is possible in cyberwarfare in the same way that nuclear deterrence worked through fear of mutually assured destruction (MAD). Deterrence is predicated on the possibility of discouraging terrorists from attack by presenting a strong likelihood of retaliation. Unfortunately, the cyberenvironment is completely different from the nuclear environment, in which nuclear weapons can be traced and counted. In order to be effective, cyberdeterrence must overcome a few practical obstacles.

    The first and most obvious problem is attribution: the identification of the real source of a cyberattack. Attackers have the advantage of plausible deniability in cyberspace. Attribution is difficult because cyberattacks can be anonymized in many ways. In malware attacks, the creator is very difficult to discover from code disassembly. The second practical problem, even if attribution can be solved, is credible capacity for destructive retaliation. Probably no one doubts the offensive capability of the United States, but it has not been demonstrated yet.

    Also, there seems little that can be done to change means for terrorists. Although terrorists do not have a high level of cybercapabilities yet, it would be practically difficult to prevent them from acquiring skills or help from third parties. Cybersecurity knowledge is freely available, and the barrier is low for terrorists to acquire training in cybersecurity.

    The only factor that is feasible to address, then, is opportunity. Specifically, policies should enhance protection of national infrastructures to reduce the risk exposure to cyberattacks. Fortunately, the U.S. Government has already placed top priority on vulnerabilities in critical infrastructures, and a new Cyber Intelligence Sharing and Protection Act (CISPA) is under consideration, which is intended to facilitate security information sharing and enhance protection of critical infrastructures. However, it is not certain whether the Act will be sufficiently comprehensive and enforceable. For instance, some of the measures are voluntary rather than mandatory. Without mandatory measures to improve critical infrastructure security, it will be important to implement appropriate economic incentives to encourage desired actions.

    Also, the National Infrastructure Protection Plan (NIPP) provides a unifying framework that integrates a range of efforts designed to improve protection of critical infrastructures. NIPP aims to prevent, deter, neutralize, or mitigate the effects of a terrorist attack or natural disaster, and to strengthen national preparedness, response, and recovery in the event of an emergency. It takes a risk-management approach consisting of identifying assets and assessing threats and vulnerabilities.

    All measures to reduce the opportunity for cyberterrorists are recommended. However, the adaptiveness and resourcefulness of terrorists should not be underestimated. The NIPP says:

    As security measures around more predictable targets increase, terrorists are likely to shift their focus to less protected targets. Enhancing countermeasures to address any one terrorist tactic or target may increase the likelihood that terrorists will shift to another.42

    The openness of the security problem means that it will be practically impossible to fix every vulnerability and eliminate all opportunities for terrorists. Perhaps policies should recognize that cyberattacks are inevitable and instead address the cost-benefit proposition for terrorists. If systems can be designed to increase costs and reduce benefits to adversaries, attacks will become less appealing.

    ENDNOTES

    1. C. Cratty, "FBI on Guard against Terrorist Cyber Attacks," CNN, March 16, 2012, available from edition.cnn.com/2012/03/15/us/cyber-attacks.

    2. G. Weimann, Cyberterrorism: How Real is the Threat? Washington, DC: United States Institute of Peace, December 2004, available from www.usip.org.

    3. B. Collin, "The Future of Cyberterrorism," Crime and Justice International Journal, March 1997, p. 15.

    4. Dorothy Denning, "Cyberterrorism: Testimony before the Special Oversight Panel on Terrorism, Committee on Armed Services, U.S. House of Representatives," Washington, DC: U.S. House of Representatives, May 23, 2000, available from www.stealth-iss.com/documents/pdf/CYBERTERRORISM.pdf.

    5. Dorothy Denning, "Activism, Hacktivism, and Cyberterrorism: the Internet as a Tool for Influencing Foreign Policy," J. Arquilla and D. Ronfeldt, eds., Networks and Netwars, Santa Monica, CA: Rand, 2001.

    6. Patterns of Global Terrorism 2003, Washington, DC: U.S. Department of State, April 2004, available from www.state.gov/documents/organization/31912.pdf.

    7. C. Wilson, "Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress," Congressional Research Service (CRS) Report for Congress RL32114, Washington, DC: CRS, April 2005.

    8. "Stuxnet under the Microscope 1.3," Eset, 2010, available from go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf.

    9. "W32.Stuxnet Dossier Version 1.3," Symantec, November 2010, available from www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.

    10. F. Petruzella, Programmable Logic Controllers, Boston, MA: McGraw Hill Higher Education, 2005.

    11. H. Berger, Automating with SIMATIC, Erlangen, Germany: Publicis Corporate Publishing, 2003.

    12. D. Sanger, "Obama Order Sped up Wave of Cyberattacks against Iran," The New York Times, June 1, 2012, available from www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html.

    13. P. Brunst, "Terrorism and the Internet: New Threats Posed by Cyberterrorism and Terrorist Use of the Internet," M. Wade and A. Maljevic, eds., A War on Terror: The European Stance on a New Threat, Changing Laws and Human Rights Implications, New York: Springer, 2010.

    14. G. Giacomello, "Bangs for the Buck: A Cost Benefit Analysis of Cyberterrorism," Studies in Conflict and Terrorism, Vol. 27, 2004, pp. 387-408.

    15. Brunst.

    16. Office on Drugs and Crime, "The Use of the Internet for Terrorist Purposes," New York: United Nations, September 2013, available from www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf.

    17. Dorothy Denning, "Terror's Web: How the Internet is Transforming Terrorism," Y. Jewkes and M. Yar, eds., Handbook on Internet Crime, Abingdon, Oxon, United Kingdom (UK): Willan Publishing, 2009.

    18. Stephen Ulph, "Internet Mujahideen Refine Electronic Warfare Tactics," Washington, DC: The Jamestown Foundation, February 7, 2006, available from www.mafhoum.com/press9/268T44.htm.

    19. Ibid.

    20. Ibid.

    21. A. Hall, "Al-Qaeda Chiefs Reveal World Domination Design," The Age, August 24, 2005, available from www.theage.com.au/news/war-on-terror/alqaeda-chiefs-reveal-world-domination-design/2005/08/23/1124562861654.html.

    22. "Al-Qaeda Cyber Capability," Office of Critical Infrastructure Protection and Emergency Preparedness, Threat Analysis TAV01-001, Ottawa, Ontario, Canada: Government of Canada, November 2, 2001.

    23. P. Brush, "Use of Web in Terror Attack Feared," CBS News, February 11, 2009, available from www.cbsnews.com/stories/2002/06/27/attack/main513582.shtml.

    24. B. Gellman, "Cyber-attacks by Al Qaeda Feared," The Washington Post, June 27, 2002, available from www.washingtonpost.com/wp-dyn/content/article/2006/06/12/AR2006061200711.html.

    25. W. Matthews, "Al Qaeda Cyber Alarm Sounded," July 25, 2002, available from fcw.com/articles/2002/07/25/al-qaeda-cyber-alarm-sounded.aspx.

    26. S. Ackerman, "Pentagon Deputy: What if al-Qaeda Got Stuxnet?" February 15, 2011, available from www.wired.com/2011/02/pentagon-deputy-what-if-al-qaeda-got-stuxnet/.

    27. R. Mueller, "Speeches: RSA Cyber Security Conference," San Francisco, CA, March 04, 2010, available from www.fbi.gov/news/speeches/tackling-the-cyber-threat.

    28. Giacomello, pp. 387-408.

    29. Denning, "Cyberterrorism."

    30. D. Goodin, "Meet Hidden Lynx: The Most Elite Hacker Crew You've Never Heard Of," September 17, 2013, available from arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/.

    31. Kaspersky Lab, "The Icefog APT: A Tale of Cloak and Three Daggers," September 25, 2013, available from www.securelist.com/en/blog/208214064/The_Icefog_APT_A_Tale_of_Cloak_and_Three_Daggers.

    32. S. Frei, "Vulnerability Threat Trends," 2013, available from www.nsslabs.com/reports/vulnerability-threat-trends.

    33. National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliency, Washington, DC: U.S. Department of Homeland Security, 2009, available from www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.

    34. K. Zetter, "10k Reasons to Worry about Critical Infrastructure," January 24, 2012, available from www.wired.com/threatlevel/2012/01/10000-control-systems-online/.

    35. Dorothy Denning, "Stuxnet: What Has Changed," Future Internet, Vol. 4, 2012, pp. 672-687.

    36. Weimann.

    37. Brunst.

    38. Dorothy Denning, "A View of Cyberterrorism Five Years Later," K. Himma, ed., Readings in Internet Security: Hacking, Counterhacking, and Society, Boston, MA: Jones and Bartlett, 2007.

    39. M. Conway, "Against Cyberterrorism," Communications of ACM, Vol. 54, No. 2, February 2011, pp. 26-28.

    40. Giacomello, pp. 387-408.

    41. The 9/11 Commission Report, Washington, DC: National Commission on Terrorist Attacks Upon the United States, available from govinfo.library.unt.edu/911/report/index.htm.

    42. National Infrastructure Protection Plan.

    U.S. ARMY WAR COLLEGE

    Major General Anthony A. Cucolo III
    Commandant

    *****

    STRATEGIC STUDIES INSTITUTE and U.S. ARMY WAR COLLEGE PRESS

    Director
    Professor Douglas C. Lovelace, Jr.

    Director of Research
    Dr. Steven K. Metz

    Author
    Dr. Thomas M. Chen

    Editor for Production
    Dr. James G. Pierce

    Publications Assistant
    Ms. Rita A. Rummel

    *****

    Composition
    Mrs. Jennifer E. Nevil
