14 May 2017

Cyber War’s Terror Trinity: Means, Motive, and Opportunity

By Ian Fairchild

In March of 2003, I commanded an EC-130 Compass Call, an aircraft configured to perform tactical command, control, and communications countermeasures, over the skies of Iraq. My crew’s mission was to jam enemy communications and help allied forces preserve Iraq’s oil infrastructure. During these missions, we positioned ourselves some distance from the intended target, while an electronic warfare officer controlled jamming functions using a keyboard located in the back of the aircraft.

While this mission demonstrates how developments in cyber technology can be used to further US security interests, a little more than a decade later a young man named Junaid “TriCk” Hussain aligned himself with the Islamic State of Iraq and al-Sham (ISIS), and undertook his own form of electronic warfare. Sitting comfortably away from his targets, like my orbiting EC-130, he used a keyboard to launch attacks through cyberspace. Specifically, Hussain built “kill lists” of US military personnel and published them online. He leveraged the increasing power and reach of social media to call for terror attacks against Western interests. These brash moves quickly attracted the attention of the US government. Ultimately, an airstrike from an unmanned aircraft killed TriCk in 2015.

The most alarming piece of Hussain’s terrorism journey is not hacking Gmail accounts, helping lead the CyberCaliphate, or even publishing a kill list. Rather, it is his willingness to undertake the actions in the first place, and the ease with which he could do so. Hackers like TriCk, and those under his tutelage, seek to combine means, motive, and opportunity to exact harm. They operate free from the legal tethering of a nation state, obfuscate their computer code to hide their origin, and have utter disregard for human life. Put simply, Hussain’s actions prove a single keystroke can turn the unfathomable into reality. While Hussain is gone, many others like him threaten US security through cyber terrorism.

The means to conduct such an attack used to reside solely inside the minds of especially talented computer scientists, elite hackers, and well-resourced intelligence agencies. Today, the means are downloadable and online, lowering the barrier to entry. Search engines like Shodan, a platform for seeking out Internet-connected devices, facilitate the process of finding vulnerable infrastructure, including those within hospitals and utility companies. Once found, an attacker need only couple his or her discoveries with software such as Metasploit to launch a successful attack with relatively little skill.

Motivations are shifting. too. Terrorists no longer seek to negotiate, as might have been assumed prior to the attacks on September 11, 2001, when passengers on hijacked aircraft would likely comply with demands, under the longstanding presumption hijackers’ motives were not to destroy the plane, but rather to land and conduct a ground negotiation. On that day, nineteen terrorists, motivated by the intent to kill civilians and terrorize the United States, shattered this long-held paradigm.

US medical and transportation sectors still do not approach security from the point of view which assumes malevolent actors intend to exploit vulnerabilities and cause harm. Technology and distance emboldens criminals like Hussain to engage in previously unimaginable conduct, such as live-streaming rape and broadcasting murder. Yet somehow the notion of a sustained attack, via cyberspace, against patients in a large US hospital remains all but inconceivable. In fact, despite citing unsecure medical devices as a serious threat, less than 25 percent of respondents in a recent Ponemon Institute study crafted a strategy to address the issue.

The reality is, means and motivation will eventually unite with opportunity. Opportunity for attack abounds within especially vulnerable US medical and transportation sectors. One dismaying statistic: nine out of ten hospitals still use Windows XP, an antiquated operating system that Microsoft no longer supports, and that contains well-documented vulnerabilities. Likewise, security researchers have demonstrated automobile flaws which allow remote access to acceleration and brakes. Hackers have locked medical professionals out of critical hospital systems and demanded ransom, and attacked San Francisco’s Muni transportation system using similar tactics. 

For those who still think terrorists will not try to kill citizens in hospitals and transportation systems via cyberspace, Hussain’s activity should dispel these falsehoods and prompt all relevant stakeholders to action. Several organizations have responded accordingly. Last year, the Food and Drug Administration //www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm482022.pdf">issued guidance for complying with post-market medical device regulations, the Presidential Commission on Enhancing National Cybersecurity met with a distinguished panel of advisers to discuss cybersecurity in healthcare and the protection of connected medical devices, and the Department of Health and Human Services formed a task force to address the same issue. Social media companies have also endeavored to temper hateful speech.

While laudable, these efforts are insufficient. They come to fruition in industries where incentives to secure infrastructure are misaligned or do not exist, and in settings lacking the resources to hire cybersecurity professionals. Overcoming these challenges and defending US citizens against the next Hussain will require collaborative partnerships between government and the private sector, a fundamental adjustment in existing healthcare and transportation structures, and a realization despicable tweets will likely give way to more motivated individuals conducting deliberate attacks.

Boundary-pushing ideas like software liability to hold manufacturers liable for software flaws and consumer device “nutrition labels” to help the public make informed choices on cybersecure products have the potential to propel stagnant industries towards addressing cybersecurity vulnerabilities. Still, it will take increased engagement between the private and public sectors to affect real change, in the same way such efforts to make seatbelts mandatory helped reduce fatalities on dangerous highways.

Hussain’s unbridled motivation completed the triumvirate required to take life via cyberspace. Undoubtedly, others will follow, almost certainly with more sinister goals. The means for attack are low-cost, easily obtainable, and will persist. The remaining task is to make the United States the land without opportunity.

Lt. Col. Ian Fairchild is the US Air Force senior fellow at the Atlantic Council’s Brent Scowcroft Center on International Security. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the US government. You can follow him on Twitter @ianmfairchild.

No comments: