Copyright © 2002 Robert G. Ferrell

A lecture presented at DallasCon on May 4, 2002

It is 5:25 AM on a sultry May morning. The forecast calls for a good chance of thunderstorms, some possibly reaching severe proportions, by mid-morning as a vigorous late spring Pacific cold front collides with a deep layer of warm, moisture-laden Gulf air that has buried the city in a thick blanket of moist haze for the past 48 hours. Traffic is just beginning to liven up on the arteries leading into the industrial and financial districts from the sprawling suburbs. The National Weather Service office at the International Airport is fully staffed, despite the early hour, as the meteorologists prepare for the impending clash of weather systems. The Nexrad radar already shows that several mesoscale complexes have formed along the dry line, currently about 150 miles to the West of the city, and moving East at around 30 mph.

In the Traffic Engineering Control Center, located in the basement of City Hall, rows of monitors provide the technicians on duty a wealth of information about the state of traffic flow around the city. There are wireless cameras at most major intersections, as well as sensors that track the average speed of vehicles moving through traditional trouble spots. When this speed drops below a preset limit, alarms are activated to indicate a possible accident or other impediment to traffic flow, and the closest cameras are highlighted on a master tracking grid.

In addition to the video monitoring, every traffic light in the city is computer controlled from this room, by a fully mirrored cluster of Win 2K boxes. Signal units at most of the major intersections, especially those leading to the medical center area, are equipped with small antennas that pick up signals from transponders in emergency vehicles. The signals cause the computer to turn the lights red in all directions until the emergency vehicle has passed. These communications are also wireless, making use of the city's elaborate 802.11 network.

At the airport, Jetair flight 33 from Miami is on final approach. The aircrew are glad that they've gotten here before the outflow boundary from the thunderstorms developing to the West. The weather was a little shaky over the lower Mississippi valley, but nothing like the way things were going to be rocking and rolling here in a couple of hours. Another fifteen minutes and they'd be on the ground and headed for the motel.

In the North Central Power Plant, a packet filtering firewall detects an incoming TCP connection request. The header on the packet shows it's destined for port 22021. This is not one of the ports controlled by the firewall, so it passes the traffic on up the protocol stack unmolested. After an exchange of handshake information, the connection is established. Sitting at a rather primitive workstation half a world away, the initiator of this connection moves with practiced ease to a certain directory and deletes one of the files there, replacing it with one of his own. He looks up the parent ID of the relevant process and sends an interrupt signal to reload the configuration file. His work done, he runs a utility which erases any trace of his presence from various log files, and quietly exits.

Eight minutes later, a switching station under the control of the utility company's Supervisory Control and Data Acquisition system dumps 128,000 volts onto a grid already running near maximum capacity. Half a dozen breakers trip as the system struggles to redistribute the load. A quarter of the city, including the airport, plunges into darkness.

Of course, all critical systems at the airport are backed up by generators, with failover of less than half a second after a loss of power from the grid. This failover is optimized, however, by a computer system which brings generators on line according to the distribution of power and the pattern of failure. Unfortunately, a small hidden script has been triggered which brings the controlling computer to a halt with a systems crash. It will need a manual restart, which will require an automated page to a technician somewhere on airport property. As it tuns out, he's ten minutes away on the other side of the main terminal building dealing with a separate system crash triggered 15 minutes ago by a similar script.

Meanwhile, a third script planted in the database interface of the air traffic control system makes a very small change in the syntax of a common request generated whenever the radar console software needs to update the position of an aircraft.

The sequence of events to follow is roughly this:

As Jetair 33 lines up on final approach and crosses the outer boundary in the pre-dawn darkness, the runway lights go out. The pilot immediately aborts the landing, and prepares to go around again, while asking ATC for instructions. The air traffic controller is suddenly inundated with radio traffic from pilots who've lost sight of the airfield. His only means of seeing in the darkness is with radar–but now the symbols identifying aircraft flight levels have mysteriously vanished. He can see blips representing targets, but he has no information about the altitude of those targets. He immediately tells all aircraft to hold their current altitudes and bearings until he can work out a plan to keep them safely separated.

The lights still haven't come back on, although the technician is now heading for the stricken computer as quickly as he can under the circumstances.

Jetair 33 is in no immediate danger. They have enough fuel to divert to another airport, if necessary, and their flight instruments are good enough that they could land without field lights if that becomes necessary. Other aircraft, however, are not so well-prepared. The pilot of a Beechcraft Bonanza that was lifting off a runway on the other side of the airfield has become disoriented and is frantically asking the tower for help. The controller tells him to maintain level flight and his assigned bearing, but the pilot, who has only recently been granted his multiengine certification, is confused and does not realize that his aircraft is in a slight bank to the left. Onboard Jetair 33, a collision alarm suddenly blares. The crew can see no other aircraft, but take standard evasive action, which unfortunately rolls them right into the path of the Beech,

One minute and 56 seconds after the lights go out, the Beechcraft clips Jetair 33's right wing, shearing off most of the engine nacelle and forcing the landing gear door inwards, damaging the wheel assembly. The Beech disintegrates in midair and leaves burning wreckage strewn across the main highway leading to the airport terminal. Fortunately, traffic is still fairly light.

Jetair 33 declares an emergency as the crew struggle to maintain control of the aircraft. The collision has taken place just as the commercial jet had been lining up for a possible landing attempt, so at least they don't need to make any turns. The runway is cleared and emergency crews, already on full alert from the freak power failure, are standing by. There's no time to foam the runway, so the crew just ease the plane on down onto the tarmac. Despite the damaged gear, the panel shows all wheels down and locked. Touchdown is surprisingly smooth. With the left engine disabled, however, the pilot can't rely on reversing thrust to slow the aircraft down. He stands on the brakes, but the stress is too much for the damaged landing gear and the lefthand carriage collapses, tipping the plane over on its left side. After about a hundred yards of scraping along the tarmac, the outer third of the left wing shears away. The rest of the aircraft careens along for another 500 feet, leaving a stream of burning aviation fuel as it slides.

Emergency vehicles arrive at the plane in less than a minute. The fuselage is largely intact, and people are streaming out of the emergency slides on the right side of the aircraft. The tarmac to the left of the plane and what remains of the left wing are engulfed in burning fuel, and there is a real danger of explosion of the ruptured left wing tank.

The rain has already started to fall in the hills west of the city. Soil still saturated from recent heavy downpours quickly begins to shed the additional water, swelling streams and seasonal creeks to their banks and beyond. A small river runs through the city proper, but its flow rate is strictly regulated by a dam 20 miles upstream, which creates a medium-sized reservoir behind it used primarily for agricultural purposes. The flood gates are controlled by a computer system newly tied into the city's sewage management network, which regulates the flow of waste and runoff water through a complex series of tunnels under the streets.

By 7:45 AM, the morning rush has reached its peak. It has started to rain throughout most of the city, although the precipitation rate at this point is still less than a quarter inch an hour–just enough to emulsify some of the hydrocarbons coating the more heavily traveled streets and make them slick. As the traffic builds, accidents begin to happen. The majority of them are just fender-benders–tailgaters who can't stop in time after a sudden hazard drastically slows the vehicle in front of them, or people who hit a slick spot and lose control just long enough to sideswipe another vehicle or a stationary object. An 18-wheeler swerving to avoid a car which has hit a slick patch and gone into a spin starts a chain reaction that eventually involves over a dozen vehicles, including a commercial passenger bus.

The resulting wreckage blocks the entire southbound side of the Interstate, while the inevitable rubbernecking slows traffic on the northbound side to little more than the speed of a brisk walk. A veritable fleet of fire, police, and EMS vehicles are dispatched to the scene, adding to an automotive mass that is now approaching critical.

About 10 minutes after the first emergency vehicle arrives on the scene, the leading edge of the initial wave of thunderstorms hits. Frequent lightning, torrential rains, and marble-sized hail hampers the rescue workers, who are struggling to pry open the twisted metal hulks that were once cars and trucks to extricate those trapped inside. It is slow and tedious work, made even more difficult by the threat of lightning strikes and the sometimes blinding precipitation.

In the Water District Operations Office, where the computers that control the discharge of water from the dam are located, another little time bomb is about to go off. 36 hours ago, an intruder planted a simple script that cranks the gates all the way open while reporting the requested level to the software designed to provide failsafe auditing and autocorrection of such errors. It is set to go off the next time the flood gates are opened past the 25% mark, which the attackers knew would probably coincide with the next major rainfall event. At 8:18 AM the gates are commanded to open to 50%, in order to keep the water level behind the dam below the spillway. As far as the operator can tell, the gates have opened to the halfway mark, as ordered. It isn't until the flood gauges downriver start to set off alarms about half an hour later that anyone realizes that something isn't right. The operator immediately orders the gates to close, and again, the software reports that action to be complete. The downstream gauges, however, show the river still rising at the same rate. There is a lot of confusion in the Water District office about what's going on, but they know they haven't got a lot of time to figure it out. They contact the City Emergency Operations Center.

Between the torrential rainfall from what was now the second wave of heavy thunderstorms and the sudden release of millions of gallons of water from the dam, the river which normally runs placidly through the downtown tourist district is now churning angrily, spilling over its banks in numerous spots and threatening to engulf countless streamside restaurants, nightclubs, and hotels. The EOC orders an evacuation of everyone in the flood zone adjacent to the river. This will mean a lot of people who just got to work will now have to turn around and leave again. Traffic downtown is snarled and the streets crowded to capacity at rush hour even under ideal weather conditions. As people begin to evacuate, the hopelessly inadequate thoroughfares simply clog up and all traffic comes to an effective halt.

To make matters far worse, however, yet another malicious script planted in a computer in the Traffic Engineering Control Center now overrides the normal complex processing path for signal controls and simply sets all signals under the control of the TECC to green. In the driving rain, with the roads jammed to capacity, this is bound to lead to disaster.

At 9:04 AM, it does. An ambulance heading to a downtown hospital with a patient from the Jetair incident, being transferred from the small facility where she was taken afer the crash to the better-equipped hospital downtown now that she was stabilized, broadsides a tanker full of liquified petroleum gas at 35 miles an hour, after the tanker driver proceeds through an intersection where he has a green light. The rain prevents the ambulance driver and the tanker driver from seeing one another until it is too late. The ruptured tanker explodes, sending nearby automobiles flying into buildings and blowing out windows in a three block radius. The intersection becomes a raging inferno of melted metal and ignited fuel, which being petroleum-based is not extinguished by the rain but merely spread ever more widely.

911 calls have increased dramatically since the lights all went green; most people still haven't realized that this is the case, and collisions are occurring at the rate of several a minute in the downtown area. Police, fire, and EMS are rapidly approaching the saturation point, and emergency services from all surrounding communities have been requested, at least those that aren't dealing with accidents of their own from the slick streets and poor visibility, not to mention fires from lightning strikes. Even when units are able to respond, traffic is at a total standstill in many places, and there is little or no room along the narrow downtown streets for emergency vehicles to skirt around the trapped cars. And the river is still rising, it's cold waters lapping at the doors of many vehicles after having swept through virtually all of the buildings along its banks. Some of these buildings now have four feet of water in their lobbies; those who failed to heed the evacuation order are now trapped. The lucky ones have upper floors to which to retreat.

For the coup de grace, the cyberterrorists have left one last script, which is triggered at 9:45 AM, in the very midst of the chaos. It changes the index page of the city's primary Web portal to read, in pulsing bloody letters on a coal black background:

Once we were content merely to hack your Web page.
Now we own you and your city.
Tomorrow we will own your entire country.
There is no escape.
DEATH TO AMERICA.


Cyberterrorism.

The word itself is an ungainly hybrid: the age-old menace of terrorism made sleek and modern by the addition of that ubiquitous indicator of our early twenty-first century obsession, the microprocessor. Want to try an experiment? Go to a popular information technology-related mailing list such as Bugtraq, and ask the subscribers what they think the term "Cyberterrorism" means. Chances are you'll get 30 or 40 replies (not to mention at least a dozen flames from people who don't think the question is on-topic, don't like the OS and/or mail program you're using, or just haven't flamed anyone in half an hour and are experiencing withdrawal) and in all probability none of them will have quite the same definition as any other. As with all relatively newly coined terms, the reasons for this center primarily on the fact that there hasn't been enough of it to create a definite template in the public perception. Consequently, while a lot of people have strong opinions on cyberterrorism, which they're willing to share with you at the drop of a hat, most of them are just extrapolating a definition based on the word itself, and on what they've seen reported in the mass media under that general heading.

The information security world is flooded on a regular basis with what has come to be known as FUD–Fear, Uncertainty, and Doubt. This affliction is usually the result of the announcement of a new vulnerability or some other perceived threat that seems to present a greater than average potential for malicious exploitation. FUD can be generated by almost anyone: government officials, infosec industry spokespersons, the news media, even outspoken members of the hacker/cracker community. I myself was indirectly accused of spreading FUD only last week. I don't think I was, but that's OK. I'd rather people crank up their FUD detection meters, even if it means a few false positives now and then.

What exactly is FUD? It's the spreading of alarmist or unnecessarily negative rhetoric concerning an event or development. While FUD generally isn't composed of downright falsehoods, it often exaggerates malicious potential or uses facts out of context to paint an unrealistic picture. The term "cyberterrorism" has been a prominent victim of this insidious process.

So, just what constitutes cyberterrorism? Is it defacing Web pages, as some pending legislation seems to suggest? Is it stealing credit card numbers or confidential patient records from Internet-accessible databases? Or is it something more chilling, along the lines of my fictitious little melodrama?

One of the main problems with the term cyberterrorism is that it contains within it the word terrorism. While some people may have been a little unclear on the exactly what terrorism was prior to 9/11, I doubt that there is anyone in the country today who doesn't have a pretty clear picture in their own mind of what terrorists do. So obviously, a cyberterrorist is a terrorist who uses a computer, right?

Well, yes and no. While the little worst-case scenario I just related outlines what I think most people would recognize as a series of cyberterroristic acts, there is still a fundamental difference between terrorism and cyberterrorism. Terrorists are quite often called upon to place themselves in great danger, or even to die in the service of their cause. Hardly a day goes by that some twenty-something zealot in one of the world's trouble spots doesn't strap some ordnance to himself and try to take as many people with him as he can.

Cyberterrorists, on the other hand, can do their dirty work from the comfort of their own homes. Own a few boxes in Korea via a proxy in a country that doesn't prosecute or just doesn't care, do some stealth scanning over a period of weeks or months, and hit your victim with an easy-to-use, publicly available exploit. If he's patched, hit him with one of the zero-days you've been creating and saving up. Piece o' cake. You can even get done in time to watch those old reruns of Rat Patrol.

Does that mean that cyberterrorists are less dangerous than just plain ol' terrorists? Well, they're less likely to blow themselves up in front of your favorite supermarket, so in the sense that you're probably not going to get hit by high velocity hacker fragments on your way to get bread and milk, yes. In a broader context, however, cyberterrorists can in their own way do a lot of damage, in that they have the potential to affect a greater number of geographically separated people in much more subtle ways. The real problem comes in trying to define just what constitutes cyberterrorism. To be considered terroristic, it's generally agreed that an act must incite terror in the victim and be performed in a context of coercion.

Compare these two terroristic threats:

Let our leader go or we'll blow up your courthouse.
Get your troops out of Saudi Arabia or we'll bring down online banking.

The former is an immediate threat of physical damage to a building, in conjunction with possible loss of life. But the event is over with quickly, once initiated, and the full extent of the damage is usually fairly evident and assessable.

The latter threat has no definite timetable or even a clear process attached to it. We all pretty much know what "blow up you courthouse" means. "Bring down online banking," on the other hand, is not precise. It could mean any of several things–physically destroy ATMs, launch a massive DDOS that effectively halts transaction communications, infiltrate viruses or worms into financial processing systems and subvert their functioning...It's just hard to tell what sort of form this attack might take. And yet, it's a very real and dangerous possibility, and a threat we could not afford to take lightly. And this segues neatly into my final topic: prevention.

The response of the US government to the events of 9/11 has been primarily to draft a host of new, rather draconian laws to curtail terrorism in its many forms. Politicians have tried to convince us that we must give up some of our hard-won civil liberties in order to weed out the terrorists in our midst. Whether or not this argument holds any water (and I personally think it doesn't), can we legislate terrorism out of existence? My answer is, no, we can't, because terrorists don't care about the law. Historically, tightening legislative control over an activity really only serves to make law-abiding citizens more miserable, while affecting the criminal element relatively little. Drafting a plethora of new laws to control cyberterrorism when we haven't even reached a consensus about what that is strikes me as silly at the very least and dangerously reactionary at the worst.

So, does this mean we're helpless to combat cyberterrorism? Not at all. The way to do it successfully involves not legislation, but education. If every computer connected to the Internet had a responsible systems administrator who kept it patched and took a bare minimum of common sense precautions, the potential for catastrophic cyberterroristic attacks would virtually disappear. Terrorists can take any number of avenues of attack, so guarding a physical structure can be very complex and labor-intensive. Cyberterrorists on the other hand, or at least cyberterrorists from an external source such as another country, have to come in through that wire or fiber optic cable going into the back of your computer. If you stand guard over that one little doorway, they're out of luck.

Back