Critical Infrastructure Protection Plan
Dave Carlson - February 9, 2007
Dave Carlson presented testimony before the House Committee on Cyber-Threats and Infrastructure Protection concerning cyber terrorism and cyber threats to infrastructure. He stated that the protection of the country’s critical infrastructure from cyber attack is one of the most important homeland defense issues facing us today. Cyber-terrorism is a scary prospect. Fortunately, there has never been a successful cyber attack against our infrastructure that caused significant harm or fear. Unfortunately, our infrastructure relies on complex information systems and automated control. Carlson began his testimony with a definition of cyber-terrorism, confirmed that our nation faces cyber risks, discussed protection concepts, shared some historical background, and concluded with two recommendations for the Committee’s consideration.
Critical Infrastructure Protection Plan
Madam Chairman and members of the House Committee on Cyber-Threats and Infrastructure Protection, thank you for the invitation to speak with you about cyber terrorism and cyber threats to infrastructure. When I was asked to address this distinguished group, I immediately accepted the invitation and cleared time on my schedule to prepare for our discussion.
I believe the protection of our critical infrastructure from cyber attack is one of the most important homeland defense issues facing us today, and applaud the House leadership’s decision to form this new committee for exploring protection possibilities. In a February 2007 interview with Domestic Preparedness Journal, Representative Steny Hoyer (D-MD), House majority leader, declared that your “highest duty is to protect the American people, defend our homeland, and strengthen our national security” (Hoyer, 2007, ¶ 23).
I do not envy your responsibility for charting the course this country will take toward protecting critical infrastructure from cyber threats. You have a Herculean task ahead of you. Fortunately, considerable work by others who have preceded you can help focus your efforts. I admire your willingness to invest your valuable time discovering the best course toward cyber safety. Thank you for your valuable service to our great nation.
Because of today’s time constraints, I will keep my comments brief and save time for your questions at the end of my testimony. My testimony during this session will be confined to open source information only, as it is not appropriate for us to discuss classified programs in this forum. I will open with a definition of cyber-terrorism, confirm that our nation faces cyber risks, discuss protection concepts, share a little historical background, and conclude with two recommendations for your consideration.
Definition of Cyber-Terrorism
Quoting Dorothy Denning, a professor of computer science who testified before the House Armed Services Committee in May 2004, Weimann (2004) shares an “unambiguous definition of cyberterrorism” (p. 4).
Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not. (Weimann, 2004, p.4)
Cyber-terrorism is a scary prospect. Fortunately, there has never been a successful cyber attack against our infrastructure that resulted in “violence against persons or property, or at least cause[d] enough harm to generate fear” (Weimann, 2004, p.4). Unfortunately, many of our nation’s critical infrastructure systems rely on complex information systems and automated control. “Information systems can be attacked electronically from anywhere in the world, posing a new kind of threat to both the nation’s critical infrastructure and the American homeland” (Cordesman, 2002, p. 2).
In the 1983 science fiction movie War Games, a teenage boy looking for new computer games cracks into a computer which he believes belongs to a game developer (Wikipedia, 2007). In reality, the computer is a highly classified control computer in the NORAD (North American Aerospace Defense Command) Cheyenne Mountain complex. The plot reveals that the boy, believing he is playing a game, initiates an actual alert which threatens to launch nuclear missiles on the Soviet Union.
I have been to Cheyenne Mountain when NORAD was still operating there. I have some knowledge about the computer systems used there in the 1980s and can assure you that our nuclear missiles were in no danger from external hackers or crackers. War Games is an interesting and entertaining story, but not a reflection of reality. However, the threat of cyber-terrorism is real.
A 2005 GAO study identified terrorists as a potential source of cyber attacks on critical infrastructures (GAO, 2005, p. 5). Terrorists can “threaten our national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence” (GAO, 2005, p. 5). Additionally, terrorists may use phishing schemes or spyware to gather sensitive data that can be used to get money to support their murderous activities (GAO, 2005, p. 5).
Last year the FBI completed a cybercrime study which revealed “90 percent of U.S. businesses were affected by cybercrime in one way or another, and the overall economic cost to the United States is now close to $70 billion annually” (Kellermann, 2006, ¶ 1). Kellermann (2006) warns us that today’s terrorists are “better educated than their forebears, but motivated by the same hatred of Western culture” (¶ 13). This “new generation of terrorists can move quickly and virtually through cyberspace to strike at the very heart of the Western economic infrastructure” (¶ 13).
Lewis (2006) identifies the vastness of the country as one of the most significant challenges to protecting national infrastructure. “Each sector in the United States is a vast network that is so large and complex that it is impractical to protect every component of each sector” (p. 49).
In a 2005 Report to Congressional Requesters, the GAO identified thirteen responsibilities of the Department of Homeland Security (DHS) related to cybersecurity. The first DHS responsibility is to “develop a national plan for critical infrastructure protection that includes cybersecurity” (GAO, 2005, p. 22). This responsibility includes “developing a comprehensive national plan for securing key resources and critical infrastructure of the United States” (GAO, 2005, p. 22).
The GAO (2005) concluded that the Department of Homeland Security has a long way to go toward meeting its final objective of security for critical infrastructure, but it applauded DHS for its efforts. The GAO acknowledged that DHS was heading in the right direction. Particularly noteworthy was the development of the Interim National Infrastructure Protection Plan (Interim NIPP), which addresses many requirements specified in federal law and policy (p. 29).
Additionally, “DHS has undertaken numerous initiatives to foster partnerships and enhance information sharing with other federal agencies, state and local governments, and the private sector about cyber attacks, threats, and vulnerabilities” (GAO, 2005, p. 30). As you are aware, most of our critical infrastructure is owned and maintained by private industry. You will not be able to protect our critical national infrastructure without their cooperation and assistance. “Neither the public nor private sectors will be able to recover from a major emergency or disaster alone” (Goldstein, 2007, p. 67). Appropriate partnerships are critical to developing effective protection and recovery measures.
Threats to automated systems have existed almost since their creation. The concept of self-replicating computer programs, now known as computer viruses, first emerged as early as 1949 (Fact Monster, 2005, ¶ 1). The theory that self-replicating computer programs were possible was proven in 1985, when Xerox Corporation produced the first functional self-replicating program (Colombell, 2002, ¶ 6). Since then, computer viruses have continued to mutate and spread faster than a virulent human virus. Today, networked systems without adequate anti-virus protection will succumb quickly to the onslaughts of the thousands of nasty computer virus variants.
Congress officially acknowledged that computer viruses could be a threat to critical national infrastructure in 1984. Initial attempts to protect computer systems were included in the Counterfeit Access Device and Computer Fraud and Abuse Act (Colombell, 2002, ¶ 20). This legislation was improved with the passage of the Computer Fraud and Abuse Act of 1986 (Colombell, 2002, ¶ 21). “The passing of this legislation marked the government’s first effective step in the fight against computer crime” (Colombell, 2002, ¶ 21).
The Computer Fraud and Abuse Act of 1986 was amended in 1996 by the National Information Infrastructure Protection Act, which closed several legal loopholes and addressed critical infrastructure concerns (Colombell, 2002, ¶ 29-30). The most recent attempts to allow for prosecution of individuals attacking computer systems are included in The Anti-Terrorism Act of 2001 (Colombell, 2002, ¶ 31).
In addition to legislation to help control computer crimes, such as spreading of computer viruses, the federal government has taken significant steps in the past several years to protect our physical infrastructure assets. A notable example of protection of critical infrastructure is the effort exerted by the Bureau of Reclamation to protect the Hoover Dam.
The Bureau of Reclamation cooperated with other government agencies to institute several measures to protect Hoover Dam. “Three of these security measures include, protection of navigable waterways by the U.S. Coast Guard, building of a by-pass bridge by the U.S. Department of Transportation, and internal physical security measures instituted by the Bureau of Reclamation” (Carlson, 2007, p. 5). This cooperation by different federal agencies helped pave the road ahead on the way toward a comprehensive critical national infrastructure protection plan.
I leave you with two recommendations: Increase our cooperation with other nations in the fight against cyber-terrorism and clarify internal responsibilities for cyber-protection.
Coordinate with other nations to allow for extradition of individuals suspected of cyber crimes. Gabrys (2002b) suggests that it would be good for countries to develop laws that create the ability to support extradition efforts of other countries, even if a specific cybercrime is not defined in their own country (p. 26). This cooperation would allow a country suffering from a cyber attack originating from another country to prosecute perpetrators of such attacks.
Gabrys (2002a) cites a specific instance where someone who caused billions of dollars worth of damage through the release of a computer worm could not be prosecuted for his offense (pp. 28-29). The ILOVEYOU computer worm released from the Philippines in May 2000 caused significant damage in the United States. However, U.S. officials were unable to extradite the guilty individual because his offense was not illegal under Philippine law and no extradition treaty existed between the Philippines and the United States to cover the offense.
Having a treaty which allows extradition for offenses not specifically covered in the originating country will provide an additional deterrent and a method for prosecuting cyber criminals. Of course, any extradition agreement must balance the need for each country to protect its citizens from laws and punishments that are excessive. Extradition treaties may not be a perfect solution, but they might be a step in the right direction.
Cordesman (2002) acknowledges that there is no question about which U.S. organization has the responsibility for response to cyber attacks from a military opponent—it is the U.S. Military. However, there is no clear delineation of responsibility for offensive action against cyber attacks by an unknown entity (p. 173). The Department of Homeland Security has the lead for developing protection from cyber threats to critical infrastructure. It would be appropriate for this Committee to work with DHS to identify and plug gaps in our nation’s coverage for protection from all forms of cyber terrorism.
Additionally, Cordesman (2002) proposes that the United States should develop “a deterrent capability for massive retaliation that could convincingly devastate the information and communication systems of any opponent, cripple its economy, and produce direct and indirect casualties far higher than any opponent can inflict upon the US” (p. 173). Much of our strategic defense doctrine is focused on preemptive strikes. It is appropriate to evaluate the possibility of stopping cyber terrorism before it has a chance to wield its nefarious virtual weaponry.
A major roadblock toward a rapid response to or preemption of cyber attacks is the lack of a centralized chain of command to direct an appropriate response or timely preemptive strike. “Response times are incredibly important in this area, and multiple layers of approval will fatally compromise any action by adding excessive latency” (Cordesman, 2002, p. 173). Because of the speed with which cyber weapons can be employed, sometimes an appropriate response decision cycle is only a matter of minutes. The current system response time is measured in days or weeks, and sometimes not at all.
The Department of Homeland Security is taking appropriate steps in the right direction with their formation of the National Cyber Response Coordination Group “to coordinate the federal response to cyber incidents of national significance” (GAO, 2005, p. 55). Even so, there still remains much to be done.
During today’s brief testimony, I have presented a definition of cyber-terrorism, confirmed that our nation faces cyber risks, discussed protection concepts, shared some historical background, and offered you two recommendations to consider. If needed, I can be available to assist the Committee with research to help you develop a Critical Infrastructure Protection Plan. If you desire, we also can schedule a closed committee session to discuss classified infrastructure protection programs.
I will close with the words of Ron Fauset, a well-known Certified Business Continuity Professional: “If I do my job well, nothing happens” (Fauset, 2007, p. 68). I encourage you to think that way about your job. If you develop and implement appropriate critical infrastructure protection plans, the highest compliment future generations can pay you for your hard work is, “Why did that House Committee make such a fuss over cyber-terrorism? Nothing happened.”
Ironic, isn’t it? What are your questions?
Carlson, D. W. (2007). Evaluation of U.S. Infrastructure Protection Programs. Unpublished paper submitted to Northcentral University.
Colombell, M. R. (2002, Spring). The legislative response to the evolution of computer viruses. The Richmond Journal of Law and Technology, 8(3), [Electronic version]. Retrieved February 8, 2007 from http://law.richmond.edu/jolt/v8i3/article18.html
Cordesman, A. H. (2002). Cyber-Threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.
Fact Monster. (2005). Computer Virus Timeline. Retrieved February 6, 2007 from http://www.factmonster.com/ipka/A0872842.html
Fauset, R. (2007, Winter). Nothing ever happens. Disaster Recovery Journal
Gabrys, E. (2002a, September/October). The international dimensions of cyber-crime, part 1. [Electronic version]. Information Systems Security, 11(4), 21-32.
Gabrys, E. (2002b, November/December). The international dimensions of cyber-crime, part 2. [Electronic version]. Information Systems Security, 11(5), 24-32.
GAO. (2005, May). Critical infrastructure protection: Department of Homeland Security faces challenges in fulfilling cybersecurity responsibilities
Goldstein, L. (2007, Winter). Forming public private partnerships. Disaster Recovery Journal, 20(1), 67.
Hoyer, S. (2007, February 7). Homeland security begins at home. Domestic Preparedness Journal. Retrieved February 8, 2007 from http://www.domprep.com/Commentary/Viewpoint/Homeland_Security_Begins_at_Home/
Kellermann, T. (2006, June 14). Terrorism: The cyberspace battleground. Domestic Preparedness Journal. Retrieved February 8, 2007 from http://www.domprep.com/Funding_and_Regulations/Cyber_Security/Terrorism%3a_The_Cyberspace_Battleground/
Lewis, T. G. (2006). Critical infrastructure protection in homeland security: Defending a networked nation. Hoboken, NJ: Wiley.
Wikipedia. (2007). WarGames. Retrieved February 8, 2007 from http://en.wikipedia.org/wiki/WarGames
Weimann, G. (2004). Cyberterrorism: How real is the Threat? Special Report 119. [Electronic version]. Washington, DC: United States Institute of Peace.