Chapter 3
Cyber Al Qaeda Poses a Threat to Critical Infrastructure

It is very important to concentrate on hitting the U.S. economy through all means possible.

Osama bin Laden

Terrorists possess seven basic weapons. These include biological weapons, chemical weapons, nuclear explosive devices, radiological dispersion, small-arms attacks such as the one deployed in Kenya at Westgate Mall in September 2013, propaganda, and cyber attacks. They have demonstrated the capability to hijack airplanes, kidnap executives and members of the government, and bring terror to civilian populations. Cyber attacks are somewhat unique in that they are also a force multiplier, in addition to being a direct threat through the interruption of communications, command, and control.

Like other kinds of terrorist threats, a cyber attack can result in various levels of destruction, including death. Now or in the future, will terrorists have the capability to interfere with commercial and general aviation? Will they be able to disable large areas of the electrical grid? What would happen in the event that emergency and medical services were interrupted? While this may be unlikely to result in a worst-case scenario today, what about tomorrow?

Is the threat of the cyber terrorist overblown? Many believe that it is. Among them are influential people in government and industry. Not to believe in cyber terrorism is not popular. A lot of money, in government and industry, is being invested in defending against the threat of cyber terror. It's big business. Others believe that the threat is uncomfortably real, that critical infrastructure is very vulnerable to various types of cyber attack, and that such an attack is coming. To be fair, it would be dangerous not to prepare for a cyber terror attack. After all, Osama bin Laden was a laptop user, as are many members of Al Qaeda. Many of them now use smartphones and tablets. But the larger threat is that an entire generation of terrorists is cyber literate, is motivated to attack, and believes strongly that such attacks are not only justified but mandatory. Not to prepare for such an attack would be negligent.

Is there a real cyber threat from terrorists? The answer is yes, absolutely.

But here are a few considerations. Yes, there are serious vulnerabilities in critical infrastructure. This is addressed in Presidential Policy Directive (PPD) 21, signed in February 2013. PPD-21 defines critical infrastructure this way: “The Nation's critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure—including assets, networks, and systems—that are vital to public confidence and the Nation's safety, prosperity, and well-being.”1 This gets to the point of why it is important to protect it. “It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats,” according to the directive.

Al Qaeda and various affiliated groups influenced by it do pose a threat to critical infrastructure. But that threat is not necessarily an electronic Pearl Harbor planned and executed by terrorist groups. No one can say for sure what the actual plan is for attacking the United States, unless the intelligence agencies possess such information, in which case it would be classified. What is known is that attacks will occur, many of them, but there is an argument to be made that the Internet is a vital tool in the terrorist arsenal—a tool terrorists don't want to do without. Terrorists use the Internet much like any other group. They utilize it to recruit other terrorists to join their cause. They use the Internet to transfer money, to launder money, to raise operating capital, to plan strategy and attacks. They use the Internet to create confusion through the distribution of disinformation, to hack into other systems, and to both develop and deliver computer viruses. Sometimes they are allied with nation-states to commit a variety of crimes.

The Internet is a tool. Tools are not goals; tools are things that help build or destroy. Tools are valuable, and are not disposable. Before a terrorist group launches a massive, disabling cyber attack against critical infrastructure, it needs to consider the consequences of its actions. Will it cause its funding to dry up? Will it result in a drop in recruitment? Will it lose the ability to communicate with its cells operating throughout the range of critical infrastructure? Will it result in confusion for the terrorists?

There are lots of terrorist organizations with many agendas, many blending in with society, a generation of terrorists who are likely holding down professional jobs, balancing careers and jihad, unlike many, but not all, of those who came before them. But it does bring into question the wisdom, from the terrorist perspective, of the value in shutting down, or trying to shut down, the very intricately connected systems that in part fuel jihadist ambition.

A Disabled America

There have long been concerns about attacks upon the systems that run America, chief among them the electrical grid. A disabled America would be a prize that would cheer even the most dour of terrorists. But disabled how? Disabled to prevent critical infrastructure operations? Or disabled to inconvenience? For years, the country has been in cyber evolution—e-mail, the information superhighway, the World Wide Web, electronic commerce, and then portability, first in the form of laptop computers, followed by smartphones and tablets and innumerable applications, plus the explosion of social media. There are smart homes, featuring the ability to set the temperature of any room, lock any electronically activated door in the house from anywhere in the world. And then there are electronically activated industrial controls—access valves, gates, dams, various Internet-enabled switches that are part of the electrical grid. In an Internet-enabled world, there is always the chance for an Internet-disabled result.

The goal of the terrorist is to inspire fear. There's no doubt that crippling the electrical grid would go a long way toward creating fear. Electricity runs most everything; not having it generates fear.

Can we expect an Al Qaeda or other terrorist entity strike at U.S. critical infrastructure? That's a near certainty. They want to create confusion, disrupt the global supply chain, interfere with the strategy and operations of capitalism at work, and create uncertainty about financial services, food, water, health services, law and order, and the other elements necessary to sustain a functioning society. But their targets are more likely to be focused. Historically terrorists have not been known to be expert hackers. But they can buy that capability and, increasingly, recruit it. The historic status quo is changing. They may target the Internet-enabled controls for dams or a water supply, a power-generating station, even a hospital. It is unlikely they are under the delusion that they can cast the entire nation into darkness by launching a massive cyber attack against the electrical grid.

While the idea of a disabled Internet, death to America, and capitalism held hostage at the hands of terrorists no doubt gives rise to inspirational messaging, the cold reality is that the Internet is essential to Al Qaeda's recruitment and conversion programming. The Internet is an important component of Al Qaeda's revenue generation, which is linked to narcotics trafficking, which is in turn linked to organized crime and money laundering. This is one reason that what has become known as a potential digital Pearl Harbor is more likely a goal of North Korea or Iran, not Al Qaeda or a subordinate affiliate.

Inspire magazine is an online English-language magazine that is believed to be published by Al Qaeda and is used to promote the cause of global jihad. It is used to recruit terrorists, to raise capital for terrorist attacks, and for other purposes. Inspire without the Internet will have the reach of homing pigeons—not unimportant, but extremely limited. It is doubtful that Inspire would survive the absence of the Internet, probably an unacceptable proposition to the terrorist recruitment effort.

“It used to take an entire nation to wage war,” observes Winn Schwartau in his 2002 novel Pearl Harbor Dot Com. “Today it takes only one man.” Mr. Schwartau is best known for having coined the phrase “electronic Pearl Harbor” and is known as the civilian architect of information warfare.

More than 20 years ago he was asked to report to Congress on the state of cyber readiness in the private sector. In reporting to the Subcommittee on Technology and Competitiveness, he testified that “government and commercial computer systems are so poorly protected today they can essentially be considered defenseless—an Electronic Pearl Harbor waiting to happen.” He then, prophetically, addressed the issue of privacy: “As a result of inadequate security planning on the part of both the government and the private sector, the privacy of most Americans has virtually disappeared.”2 Move forward more than two decades and things certainly have not gotten any better. But the measure of the loss of privacy is only one metric. The rise of electronic terrorism is arguably even more dangerous.

In the months leading up to September 11, 2001, many in national security knew that something wasn't right. There were even a few within the FBI who knew that the nation was at risk for a major terrorist attack. The signs were there, at least if you looked in the right places. One of the right places to look was on the Internet. The level of Internet chatter by certain groups was escalating. “Chatter,” of course, is a form of signals intelligence, or SIGINT. It is measurable. Electronic chatter rises and falls. While it isn't a blueprint of what is going to happen, it is an indicator that something is up. So, yes, there were clues about an attack. Some even knew that the attacks on the United States were imminent. But these were indicators of attack, early warning symptoms.

Electronic chatter today is even more prevalent and an invaluable intelligence and investigative asset. This is likely attributable to several factors. First, even though the formal group known as Al Qaeda may have been downgraded because of the killing of many of its leaders, make no mistake that it is attracting many adherents from a number of emerging and developed countries. What the formal terrorist organization may lack in actual numbers of soldiers, it more than makes up for in its ability to inspire legions of others who will carry out its objectives around the world. Second, there is more or less unlimited and uninterrupted Internet access, a lot more social media sites for sharing information, and the continuously expanding use of mobile devices, including tablets and smartphones. Third, there is an unending flow of constantly changing information on the Web, a vast source of new intelligence, but also of disinformation. This combination of conditions has laid the foundation for a lot more electronic chatter than in the weeks and months leading up to 9/11. A terrorist group with flexible financial resources has a world stage upon which to act out its ambitions and advertise its agenda, and it seems to be learning how to use that platform in new and creative ways.

The Internet is a vital terrorist tool used in shaping public policy. In fact, it is safe to say that Al Qaeda loves the Internet. To Al Qaeda, which is often underfinanced (the attacks of 9/11 are said to have cost only half a million dollars), highly distributed in numerous countries around the world, the Internet is a tool of extreme usefulness. But the Internet is more than a useful tool. It has become the foundation of Al Qaeda's outreach program. It centers on Inspire magazine. Radical Islam has, ironically, embraced the Internet.

As Al Qaeda evolves, it will rely increasingly on Inspire to bring in new recruits, to reach a new generation. The social and cultural adoption of tablets and smartphones and social media will significantly contribute to its sphere of influence. And there is another trend that dovetails comfortably with the propaganda and technology trends: that of the new terrorist profile.

Inspire, first published in July 2010, has become an important public relations vehicle, and not only in the Arabian Peninsula where it is believed to be based. It has become a very popular publication. A 2010 issue links the publication to the Boston Marathon bombing. That issue showed jihadists how to build a pressure cooker bomb, the type used in the bombing, and it provided a justification for lashing out at non-Muslims. It is also believed to have influenced the planned bombing of the London Stock Exchange in 2012. It has helped shape terrorist tactics, encouraging Al Qaeda adherents to engage infidels in a variety of ways. With many of Al Qaeda's leaders dead, Inspire was a unique opportunity not only to keep their ideals alive but also to reach budding terrorists around the world, in many countries and cultures.

It is too early to know the extent of the conspiracy involved in the bombing. No doubt some of the investigative findings will remain classified. But this much is clear: Two terrorists, who lived largely beneath the radar, were clearly extremist, and were clearly capable. They executed the plan with near precision. They were also unreservedly inspired. Thanks to Inspire, their deadly actions will be used to introduce a new age of terrorist engagement. Inspire will use the events associated with the bombings to further its extremist goals, that much is certain.

A New Age: Inspiring Terrorists and Terrorism

The goal of Inspire is to capitalize on the threat of terror by perpetuating it, aggrandizing it, and praising it as an act of faith above the faith of all others. The result is predictable. Whether before a terrorist attack occurs or in its bloody aftermath, the human and digital imprimatur of Inspire is present. Here's how it may unfold, although perhaps not with the bang of a digital Pearl Harbor.

On the heels of the 2013 Boston Marathon bombing, Chiheb Esseghaier, 30, and Raed Jaser, 35, have been accused in Canada of “conspiring to murder persons unknown…in association with a terrorist group” by plotting to attack a passenger train operating between Toronto and New York City. The terrorist group referenced is Al Qaeda. While it remains unclear what the investigation of the Boston bombing will ultimately reveal, the planned assault in Canada is quite clear.

Make no mistake, Al Qaeda may be dazed and in some ways diminished, and perhaps even underfinanced from time to time, but it is far from being dead. Whatever Al Qaeda may have reportedly lost in profound direct frontal assault capability, it has made up for in creativity, stealth, resiliency, and Internet enablement. It would be a mistake, and a misrepresentation, to interpret Al Qaeda's simmering low-intensity presence to be a sign of diminished capacity. In some corners, Al Qaeda's current profile seems to have imbued in the United States and elsewhere a dangerous false sense of security.

Al Qaeda's evolving profile may not be the reincarnation of its 9/11 body, but its spirit remains unchanged and unchecked. The organization that brought us the most infamous day in recent decades is as much a threat today as it ever was. It is just a different threat, as the conspiracy in Canada illustrates.

While the details of the Esseghaier and Jaser case continue to emerge, one thing is clear. Esseghaier led two lives. Pursuing his doctorate in Canada in the field of optical and electrochemical biosensors, he published work on methods of detecting prostate cancer and HIV, among other diseases. Science was the way he earned a paycheck. Jihad seems to be how he defined his life's mission. He isn't the only one.

If there is a new face of terrorism, it may look more like the Boston bombing or the terrorist plan in Canada. While deadly in design and execution, these types of attack lack the sophistication of a 9/11 event, yet such attacks have proven fatal, disruptive, and inspirational to other terrorists. The attackers are skilled computer users.

Such terrorists are said to have engaged in behaviors that showed their disdain for the Canadian government and the country's culture. Esseghaier, it is reported, ripped down a poster of a woman, which he considered to be an affront to Islam. He also chastised a Muslim coworker for paying taxes to the government. Such actions eventually came to the attention of law enforcement and intelligence authorities.

Perhaps the day of the full-time, dedicated jihadist is waning, but jihad is growing in another, perhaps even more dangerous way. Terrorists who lead seemingly double lives are often harder to detect and monitor. Terrorist organizations' financial accounts are monitored more carefully now than on September 10, 2001. Today's terrorists are more likely to have their own checking accounts and an income, making it more complicated to track terrorist financing. Consequently, they may not need as much formal financial support in planning and carrying out attacks. That they are dispersed to target nations and engaged in professional pursuits presents new challenges for the intelligence community, elevating the threat of cyber and physical attacks.

As described in my book Threat! Managing Risk in a Hostile World,3 Kafeel Ahmed, one of the terrorists behind the June 30, 2007, Glasgow International Airport attack, led a double life. He was pursuing a doctorate in fluid dynamics and worked below the radar as an aerospace engineer at an overseas company under contract with Boeing Aerospace and Airbus Industries. But Ahmed is best known for loading his Jeep Cherokee with extra tanks of gasoline and driving it, with accomplice Bilal Abdullah, an emergency-room physician, into the security bollards at the entrance of Glasgow International Airport. Traveling at 30 miles per hour, the Jeep detonated on impact. The security barriers prevented the vehicle's penetration into the interior of the airport, and Ahmed was killed in the attack. Abdullah was later found guilty of conspiracy to commit murder and received a prison sentence of 32 years.

Terrorists who do not attract attention to themselves are the bigger concern. The 9/11 hijackers raised suspicion by wanting to learn how to take off and pilot an aircraft but showing no interest in learning how to land. But these were subtle clues that ultimately did not change the outcome. More openly demonstrative behaviors may suggest less formalized training, and perhaps a looser affiliation: jihad by inspiration rather than conscription. This is consistent with an Al Qaeda reinventing itself, often below the intelligence and investigative radar, as its strategic influence and recruitment efforts quietly intensify.

The new breed of Islamic jihadist will likely possess profile characteristics that make it more difficult to identify their affiliations and intent, observe their behaviors, and monitor them on an ongoing basis. They will be young, but they will also be on track to establish themselves in careers. They will be upwardly mobile, many of them, and work in the professions. The use of computers, computer tablets, smartphones, and social media will be second nature to them. Given that terrorists operate in secretive, almost anonymous cellular structures, communication over the Internet is important. The ability to organize using the Internet and tools of social media is important. In a word, the new terrorists will be cyber-enabled, and they will blend into the fabric of any country they live in, as well as their workplace. They will therefore become the ultimate insider threat.

A Call Heard Vaguely

Throughout the course of the Internet age, the nation has failed to predict the extent of the cyber threat, its association with the physical terrorist threat and the overwhelming, massive vulnerability of the Internet, an integration of technologies that were developed purposely not to have any security. Hackers weren't always taken seriously by industry. The 1983 movie War Games was the story of a student hacker who accidentally broke into a military computer system. But that was Hollywood. Although a few early hackers gained notoriety, most were perceived as somewhere between a benign nuisance and a criminal. A few actually thought about a cataclysmic event such as an electronic Pearl Harbor. They were not necessarily ignored, but it is fair to say that they were marginalized.

A few books sounded the warning of a terrorist threat and an attack on U.S. critical infrastructure. One of those books was Black Ice: The Invisible Threat of Cyber-Terrorism, by Dan Verton and published in 2003. As has been said, to everything there is a season. That was not the season. The attacks of 9/11 clearly showed critical infrastructure vulnerability, particularly in communications technology. Afterward, companies began to look more carefully at disaster recovery and business continuity planning. Still, it wasn't time. Now is the time, after so many trade secrets have been stolen, so many personal records compromised. But is it too late? And what is the real threat?

Much is being said and written about the concept of a lone wolf. It's interesting. In nature, a wolf kills when it is hungry or is threatened. Terrorists are not entirely lone wolves. Terrorists are indoctrinated; they are inspired. They may not receive from Inspire or directly from Al Qaeda a complete bomb-making kit. But is there a difference between inspiring someone to kill someone else and in handing them the tools necessary to make the kill? The answer is that in a court of law there may be a difference. In the court of public opinion the answer may be divided. To those who lost a friend or loved one, to those who experienced the physical and mental anguish of the Boston Marathon bombing and its aftermath, the subtlety is irrelevant.

Terrorist action, while extreme and loathsome, even barbaric, is typically well planned. It is an integrated plan backed by lethal impact and painstaking strategic consideration. While whether the Boston bombing was directly or indirectly connected to Inspire is an important consideration in many ways, it is the impact of the action, in the eye of the terrorist, that matters. The Tsarnaev brothers, and whoever else may have been engaged in their strike against the peaceful gathering of athletes and supporters on April 15, 2013, launched an attack that was heard around the world. Inspire may or may not have been the hands-on creator and promoter of it, but it will no doubt be the beneficiary of it.

Maybe an attack against the power grid or other target will not be made by Islamic fundamentalists, Al Qaeda finding such disruption disadvantageous. Maybe it will be a rogue government, such as Iran or North Korea, maybe Syria and its Syrian Electronic Army. It is well known that Iran has been digitally attacking banks, certainly targets of critical infrastructure. From the point of defense, it doesn't really matter whether the attack comes at the hands of the terrorist or the rogue nation-state or its military. Therefore the justification for investing in a strong cyber defense is that the threat is real, even profound. It should also be noted that critical infrastructure, given its broad definition, is almost certainly on the cyber target list.

In October 2009, the Department of Homeland Security opened the National Cybersecurity and Communications Integration Center. This 24-hour watch and warning center serves as the nation's principal hub for organizing cyber response efforts and maintaining the national cyber and communications common operational picture. DHS also works with the private sector, other government agencies, and the international community to mitigate risks by leveraging the tools, tradecraft, and techniques malicious actors use and converting them into actionable information for all 18 critical infrastructure sectors to use against cyber threats.

At the front lines vital partnerships have been forged with antivirus companies to take proactive measures to stop possible threats from reaching public- and private-sector partners by developing and sharing standardized threat indication, prevention, mitigation, and response information products with its .gov partners and constituents. This was accomplished by the U.S. Computer Emergency Readiness Team (US-CERT). In 2011, US-CERT responded to more than 106,000 incident reports and released more than 5,000 actionable cyber security alerts and information products to public- and private-sector partners.

In 2011, the DHS Industrial Control Systems Computer Emergency Response Team (ICS-CERT) conducted 78 assessments of control system entities, which helps the business community to identify security gaps and prioritize mitigation measures. DHS also empowers owners and operators by providing a cyber self-evaluation tool, which was utilized by over 1,000 companies in 2011, as well as in-person and online training sessions.

“The aggregation of large amounts of data that can potentially be accessed under one attack could cause both security liabilities and privacy liabilities for hundreds of insured policyholders simultaneously,”4 says John B. Graham, a security and privacy subject matter expert at Zurich North America. “This same scenario could also mean direct harm to insured companies by causing interruptions to their operations, which could diminish their flow of income. For example, many insureds could end up using the same industry-leading cloud provider to store and manage the sensitive data of their customers. If that provider suffered a significant breach, are there adequate safeguards in place to prevent a large-scale impact to many insureds at the same time?” he wonders.

“Similarly, large-scale attacks against any of the 16 critical infrastructure sectors that can affect multiple insureds at once could cause interruptions to their operations,” says Graham. “Can there really be a digital Pearl Harbor? Many experts don't think that's possible. If it's not feasible today, could it be feasible in two years or five years?”

A cyber attack by terrorists is not always easily identifiable. Cyber attack is pretty much a continuous experience, and the identity of the attacker isn't always obvious. The constant probe attacks, in the form of cyber probes against critical infrastructure, could come from cyber criminals, nation-states intent on stealing information, or from hostile military forces. Such attacks may come from independent, unaffiliated hacker groups. Unless an attack originates with a known cyber terrorist group, or unless a terrorist group takes credit for an attack, reliable identification is complex and not always possible.

Attack Upon Attack, No Peace in Sight

In part the issue is the sheer number of cyber attacks taking place at any given time. These attacks are against critical infrastructure, government offices, and private-sector companies outside the defense contractor network and critical infrastructure.

According to Nextgov (www.nextgov.com), the United Kingdom receives 120,000 attacks daily. The state of Utah sustains about 20 million attack attempts a day, up from 1 million a day several years ago. But no one really knows how many are directly attributable to cyber terrorist attacks. Then again, all could be considered terrorist attacks.

One thing is certain: The current state of preparedness against a dizzying array of critical infrastructure targets is not what it needs to be. That is not only disappointing, it is dangerous.

In many ways, it seems astounding how fast technology has evolved and how fully it has been embraced, for purposes good and bad. We have figured out how to make most any activity subject to some type of Internet application. Yet the ability to secure that activity has fallen far short of where it needs to be. Undeniably, more security exists today than two decades ago, when Mr. Schwartau addressed Congress. But that's not the point. A number of security and privacy regulations have been introduced into the marketplace. More standards and guidelines exist. But what has been lost is advantage. It doesn't matter that the United States was behind the development of the Internet. It doesn't matter that the many products and services associated with the Internet were created from U.S. capital and ingenuity. None of this matters. What does matter is the vulnerability of virtually every industry built upon an Internet-enabled foundation. That means that it is accessible by anyone with the will and the talent to break into it. That's the bad news. The worse news is that the number of those with the will and the skills to break into it is growing exponentially.

Notes
