Cyberterrorism

Wed, May 20th 2015, 09:56 AM

It was reported in the daily news that there was a recent cyberattack on two of The Bahamas' government's websites - www.bahamas.com, and www.bahamas-film.com. These attacks were reportedly a defacement of the web pages with propaganda messages. The purpose of this article is to provide interested Bahamians with some technical background concerning cyberterrorism, which is the new frontier for nations in this new order of things.

The attack on the Bahamian websites was allegedly by a Tunisian group known as "Fallaga Team" - a known group of Islamic cyber-terrorists. The team has previously been involved in the hacking of French, Tunisian and Israeli websites, so the attack on The Bahamas' site is not unusual or isolated. According to publicly available information, allegedly posted on Facebook, Fallaga is seen as an Islamist group that opposes secularism and atheism. Fallaga is said not to be an extension of the Islamic State (ISIS); however, its Facebook page shares similar religious and political ideas.

The rapid growth of technology is clearly beneficial to humanity and yet at the same time, technology introduces the threat of new vulnerabilities - for example the menace of terrorism using information technology (IT) or cyberterrorism. One definition of cyberterrorism is the convergence of terrorism and cyberspace. This definition refers to unlawful attacks and threats of attack against computers, networks and the information stored, in an effort to intimidate or coerce a government or its people to achieve political and social objectives, or to publicize a cause.

Another definition is the premeditated, politically motivated attack on information, computer systems, and data that results in violence against non-combatant targets by sub-national groups and clandestine agents. The target group could reside in places including the home of the terrorist, or a foreign country that will get the attention of the target group.

In the year 2007, a coordinated cyber-attack occurred in Estonia. At that time, Estonia was one of the most highly wired countries in Europe. The attackers targeted government websites and news media targets, including media websites. These sites came under attack from electronic cudgels known as bot-nets, or remotely controlled computers programmed to participate in an attack. They can be business or home computers, and are known as zombie computers.

When bots were released on Estonia, roughly one million unwitting computers worldwide were employed. Investigating officials said they traced bots to countries as dissimilar as the United States, China, Vietnam, Egypt, and Peru.

The sites of universities and nongovernmental organizations were overwhelmed. Parliament's e-mail service was disabled for 12 hours because of the strain on servers. The example of Estonia shows the effect of a coordinated cyberattack on a country. The same principles demonstrate the possible effect on a business organization, albeit to a lesser extent.

The experience of Estonia showed the world that there is no animal called "a secured information site" as long as there is some connection to the Internet, or some corrupt employee willing to sacrifice integrity for 30 pieces of silver. There will never be 100 percent security for any computer system.

The definitions above indicate that cyberterrorism is an extension of traditional terrorism and a new approach adopted by terrorists to attack cyberspace. Two terms are important here - cyberspace, and terrorism. Cyberspace is the virtual world where computer programs function and data moves. Terrorism is a common term, with many definitions.

The United States Department of State defines terrorism as premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents. The distinction between the cyberterrorist and the simple hacker requires some clarification. Hackers are individuals who wish to access or modify data, files, and resources without having the necessary authorization to do so; or they wish to block services to authorized users.

Cyberterrorists, on the other hand, use computing and network technologies to terrorize. While cyberterrorists can be seen as a sub-group of hackers, an important distinction pertains when it comes to their motivation. Cyberterrorists are mostly motivated by politics or religion. Creating fear and panic among civilians, and disrupting or destroying public and private infrastructure, is the goal of the terrorist. Cyberterrorists wish to coerce a targeted government into negotiating with them; or want to prove their existence to a particular community; or want to demonstrate their technological capabilities to their political and financial supporters.

In contrast, a common hacker's motivation includes addiction to hacking, curiosity, intention to gain power, peer recognition, the sense of belonging to a group, and the hope of making money. As modern economies become more and more dependent on information technology for survival, the increased risk of cyberterrorism has become a clear and present danger. All organizations, especially those that comprise the critical infrastructure of the national economies of the world, need to be aware of the potential for a terrorist attack.

Critical infrastructure refers to the essential assets of a country which allow it to function - including energy, transportation, telecommunications, water supply, waste management, agriculture and food supply, finance, public health and essential government services.

Some of these organizations form a part of the private sector, for example, telecommunications, but they are nonetheless an essential part of the critical infrastructure. Indeed, 95 percent of U.S. military information transfers and 90 percent of major corporate information transfers take place or depend on civilian networks. Should a cyberterrorist aiming at military information attack these sites, the attack could spill over into civilian communications by virtue of the use of the same computer networks.

There are many forms of terrorism on the Internet. According to Saint-Claire (2011), there is a difference between the terrorist who makes use of available technology, and the pure cyberterrorist. Traditional terrorists may augment their arsenal of conservative methods - such as bombings, hijackings, and murders - with new methods such as computer viruses, radio frequency weapons, and denial-of-service attacks.

The pure cyberterrorist may do without the conventional approach of terrorism, instead exploiting computer technology to put into effect demands, gain ransoms, or cause destruction upon the world population, without exposing themselves to actual harm. Cyberterrorism relies on the development of new technologies that grant its soldiers new weapons. To aid in the distribution of technical data related to the new technologies, cyberterrorists frequently use the Internet.

Another form of cyber-terrorism is unauthorized intrusions into computer systems. Unauthorized entries and the loss of sensitive data are of concern to governments and businesses alike. Intrusions are no longer limited to hackers, and organized crime and other well-funded groups now realize the possible profits in collecting poorly protected electronic information for financial and other gains.

Distributed Denial of Service (DDoS) has also evolved over time. DDoS attackers use armies of zombie machines (machines that are not usually staffed and whose users are unaware of the presence of malware) taken over and controlled by a person or group to overpower the resources of victims with a flood of packets.

The cyber criminals carrying out DDoS attacks prey on the careless security of the average home computer user, and they have found ways to plant malicious programs to give themselves remote control of home computers usually without the knowledge or participation of the machine users. Hue and Bapna (2013) claim that cyberterrorists breach organization systems for civilian audiences to create chaos and influence, but not for monetary gain.

Common hackers work for money. Most cyber-terrorism targets are of little value to common hackers, and common hackers will not pursue these targets over a long period. To summarize, cyberterrorists will exert more effort than common hackers who may not have the network support and financial resources to launch a highly sophisticated attack against highly protected systems.

Organizations can change their breach function sensitivity, and national governments can influence their deterrence level to some extent. They cannot influence the attacker's preference because the value of an organization's role in national security and information determines its adversaries and their preferences.

Breach function sensitivity reflects the quality of an organization's security administration and configuration. Compared with the deterrence level, breach function sensitivity is almost entirely under the control of the organization itself. In other words, a small investment can result in a significant decrease in breach probability, and is more efficient than an increase in the deterrence level. It is submitted that organizations should improve their breach function sensitivity and leave the job of increasing the deterrence level to legal frameworks.

The role of the deterrence function is to reduce the attacker's rewards by penalizing the attacker. All attacks require effort and may result in negative consequences. The suggested deterrence function incorporates the attacker's costs and the potential punishment.

Terrorists have previously shown a willingness to sacrifice their lives to inflict damage to the target. Hue and Bapna (2013) argue that deterring cyberterrorists deserves more attention than hackers.

Cyberterrorism is a complex issue that is vital to governments and modern companies, information security specialists, academia, and to some extent, the society at large. In order to deter cyberterrorists, stronger access controls (admittedly a trade-off - convenience or privacy) are necessary for the future.

A multilayered system will involve some minor sacrifices and inconvenience in order to access data or systems. It will require sacrifices that are far more significant in terms of personal privacy. Some of the authentication information, which requires verification, may include the location and habits of the user, patterns of speech, DNA or other biometric data.

As time passes, the computer industry and modern companies depending on the use of IT for the running of their businesses and governance will require significant investments in stronger access controls. It will inevitably involve inconveniences, but eventually, the public will ignore the inconveniences as it is now common to go through various checkpoints at most airports. The alternative is more exposure to cyberterrorists and a possible loss of confidence in the critical infrastructure, including the financial industry.

Technological progress has changed our way of life. So far, the reliance on traditional passwords and other forms of basic access control is too heavy. The first step is to recognize the inadequacy of the current system. The next step is to be willing to endure the inconvenience and the end of privacy to fix it.

For governments to reduce the risk of cybercrimes, what is needed is strong collaboration with international bodies, including those directly involved with cyber-crimes; the use of international treaties to hunt and punish the attackers; and the use of military methods to seek and destroy attackers, while keeping in mind that the remote cyber-attacker is inherently difficult to locate and identify.

One of the first steps is the passing of strong local anti-cybercrime legislation. Governments can also use the previous knowledge gained from nuclear proliferation, the uses of outer space by countries, and the treaties governing the laws of the sea. The wide-ranging freedom and common usage of the Internet by persons who would never have access to space, the oceans or nuclear technology modifies this knowledge.

The Bahamas must strengthen its laws and teamwork amongst themselves to minimize the effect of the cybercriminal, especially the cyberterrorist. This should proceed in conjunction with non-governmental organizations, because private groups control the Internet.

While governments are never going to have 100 per cent security against a myriad of cyberattacks, what they can do is enforce security best practices and enforce security protocols where citizens, employees, and businesses are aware of the risks, and know how to address them.

Click here to read more at The Nassau Guardian
