Experts Expect a Major Cyberattack

A terrorist-sponsored cyberattack against major U.S. networks and businesses is no longer a question of if, but when and to what extent, according to former senior intelligence and security officials.

Although the laundry list of warnings surrounding possible attacks has left people confused about what to prepare for, many experts with firsthand experience in counterterrorism say plans should be put in place to respond to a conventional bombing or chemical attack against a prominent private U.S. company, which would be followed closely by a cyber- or physical attack against regional communications and power systems to hamper rescue and recovery efforts.

A former senior intelligence official says companies considered American icons, such as General Electric, General Motors, or IBM, could find themselves under siege.

The ex-official, who requested anonymity, says it's urgent that secure communications channels be established between CEOs of large multinational companies and government agencies such as local FBI offices.

Despite reports that Osama bin Laden has ordered the direct targeting of U.S. economic symbols, there has been no evidence to suggest that traditional terrorist groups have abandoned bombs and guns for computers, says Eric Shaw, a former CIA profiler who now works at Stroz Associates, a cybercrime consulting firm in New York.

Specific Plots

Global corporations, especially ones with ties to India or Israel, are big targets, Shaw says. In fact, he adds, shortly after Indian authorities apprehended an al-Qaeda operative who warned of the December 2001 attack against the Indian Parliament, the suspect reportedly confessed to having knowledge of an infiltration operation against Microsoft.

Microsoft spokesperson Matt Pilla says the company hasn't been contacted by Indian authorities. But based on an internal security review and the various claims made by the suspect, the company doesn't consider the threat to be credible. However, Pilla says, Microsoft has beefed up both network and physical security around its corporate offices in the wake of September 11.

Microsoft likely wouldn't be the only company targeted by so-called hackers for hire, experts say.

There are thousands of hackers capable of causing significant regional disruptions of the telecommunications and power grids as a way to amplify the effects of a physical attack, according to Stuart McClure, president and chief technology officer of Mission Viejo, California-based Foundstone.

"It's also safe to say that they have the blueprints for the networks," he says.

Documented Threats

Jim Williams, director of security solutions at Omaha-based security services company Solutionary and a former member of the FBI's San Francisco computer-intrusion squad, says the cyberthreats to the nation's telecommunications, power, and emergency services systems are well documented.

"These are not hypothetical vulnerabilities," Williams says.

In fact, there have already been compromises that have risen to the level of an "immediate national security concern and response," he says.

A former director of one of the nation's major intelligence agencies, who requested anonymity, says a "red team" exercise in 1997 employing world-class hackers carrying out attacks aimed at degrading banking services showed that a real attack "could have done strategic damage to the money supply." The results of that study remain classified.

Two Fronts

But the former intelligence chief says a cyberattack conducted in conjunction with a major physical attack could "probably shake the foundation of the country" and lead to damages "in the trillions of dollars".

Although he doesn't expect a cyberincident that security professionals haven't seen before, King Nelson, a CIO with Pittsburgh-based Tatum CIO Partners, which provides companies with permanent, interim, or project CIOs, says it's incumbent upon executives at large companies to plan ahead.

"Until now, my job was to provide an infrastructure and protect my company," says Nelson. "Now, I have to protect the country and the economy."

Exposing Vulnerabilities

Understanding the threats posed by cyberattacks against the nation's critical telecommunications, energy, and emergency infrastructures has given way to learning about how failures in one industry segment can affect other sectors.

That was the conclusion of the Blue Cascades critical-infrastructure protection exercise that was held June 12 in Portland, Oregon. A detailed action plan based on the results of Blue Cascades is scheduled to be completed this week.

The exercise was the second such regional critical-infrastructure protection exercise sponsored by the Pacific Northwest Economic Region, a public/private partnership created by five U.S. states and three Canadian provinces. The first exercise, code-named Black Ice and held in Salt Lake City in November 2000, demonstrated how the effects of a major terrorist attack or natural disaster could be made significantly worse by a simultaneous cyberattack.

"Blue Cascades and Black Ice centered on prolonged power outages that were accompanied by natural gas infrastructure and telecommunications failures stemming from unknown causes," says Paula Scalingi, former director of the U.S. Department of Energy's Critical Infrastructure Protection Office and now a private consultant. Scalingi, who took part in both exercises, says response and reconstitution of services was hampered by infrastructure interdependencies during both exercises.

The Pacific Northwest's infrastructure systems are highly integrated with Canada's. For example, more than 80 percent of the region's natural gas supply flows south from Canada through pipelines that are dependent on IT-based control systems, prompting a need for what state and local officials characterized as a multiyear effort to develop "a disaster-resistant region."

"September 11 demonstrated that U.S. intelligence cannot provide the necessary alert and warning to prevent terrorists from striking," says Scalingi. Instead, it's up to regional officials to prepare "to deal with the unthinkable," she says.