ABC Radio in Australia ran an edited version of a public speaking engagement I did while I was there. The broadcast ran well after I had left the country, so I didn’t get a chance to hear it, but the transcript is available below.

Broadcast Monday 14 October 2002
with Richard Aedy

There’s no evidence yet of genuine cyber-terrorism. But that doesn’t mean it won’t happen. Terrorism expert Matthew Devost says cyber-terrorism is becoming likelier for two reasons: firstly, critical infrastructure is increasingly migrating to the internet and secondly the attack tools are becoming both more powerful and easier to use.

Details or Transcript:
Richard Aedy: After the tragic events on Saturday night in Bali it very much appears that hundred of people, many of them Australians, have been victims of a terrorist attack. Today we’re going to hear about something related but far less serious – cyber-terrorism. This is the use of computing resources to intimidate or coerce a government or civilian population to further a political or social objective.
That means it isn’t a hacker breaking into a credit union to steal money, or some 14 year old from Nowheresville, Idaho, launching a denial of service attack on say, Yahoo, because he can. Cyber-terrorism, properly speaking, is conducted by terrorist organisations or nation states. This is one of the key messages of Matthew Devost, President of the Terrorism Research Centre in the United States. He recently spoke on cyber-terrorism at the US Consulate in Sydney.
Matthew Devost: The interesting thing though is from a cyber-terrorism perspective this really is an emerging threat. We don’t have any evidence that someone can point to that says this was an act of cyber-terrorism – it just hasn’t happened yet. That doesn’t mean that the threat isn’t real, that doesn’t mean that the infrastructures aren’t vulnerable or that terrorist organisations aren’t seeking to acquire that capability. It just means that the variables haven’t perfectly aligned to ensure the success of the operation.
And that presents us, in our opinion, with a pretty unique opportunity. Given the fact that we have indicators that they are interested in this topic and we have the lead-time, we basically have a window of opportunity where we can start being proactive. The infrastructures are vulnerable, you run the risk of not only losing your ability to perform the functions infrastructure provides but with some of the infrastructures you have a very distinct advantage of being able to cause a lot of, what we call disruption of social integrity. Where you’re going to have public panic, fear and distrust in the infrastructures. It could have a destabilising impact on the society itself.
We like to pick on the financial infrastructure with that regard because we think it probably gives you the biggest bang for the buck. I come from a very rural area in upstate Vermont in the United States, population of 150 people, no one in that town including my parents fear that they will be a victim of conventional terrorism. They do fear though things that have an impact on them from a financial perspective, their stock portfolio going down. After September 11th we saw major impact on the economy, we saw the freezing of our markets for several days, those things impact them. They’re very distrusting of the fact that our infrastructures are now electronic to include banking and finance. And if they had any evidence to show that that money that was in electronic form was susceptible or vulnerable I think they would probably be one of millions of people that would run on the bank and try and withdraw their money and bring it back into that tangible format which can be very destabilising.
So we think about cyber-terrorism from those perspectives as well. Some trends that we’re seeing with regards to attack tools: increasingly automated and stealthy. As someone who works technically in the security profession as well, our job is becoming that much more difficult because these tools are becoming more difficult to counter. We’re seeing tools that have cross platform implications, that attack multiple operating systems at once, that have very sophisticated capability. We see tools out there that exploit emerging technologies. As a matter of convenience we’ve seen companies that literally invest millions of dollars in their perimeter security posture implement a technology that allows someone sitting across the street to gain access to their internal network. And we’re seeing just a whole slew of tools surrounding those new protocols, surrounding those new technologies from an attack perspective.
The fact that these tools are more sophisticated and automated gives someone who is less sophisticated the ability to inflict more harm. And this really is only true right now in IP network, if you think with regards to the internet. There are tools that exist out there where someone could go and obtain them and a pretty significant damage from a denial of service perspective against who they’re targeting. Fortunately from a critical infrastructure protection perspective we’re a little bit more protected, with regard to these infrastructures run on a lot of proprietary tools, they’re on segmented networks, there are things that make it more difficult for someone to just acquire a generic capability to attack.
Unfortunately, as we move forward over time, these proprietary networks are moving to common tools, to common platforms, they are being connected, really in what we call a negligent manner to public networks, to the internal networks of companies. They are being made available over wireless technologies so the trend or the ability to have an impact on the infrastructures is actually increasing over time.
What do we know about terrorist use, or conventional terrorist use of technology? Not a lot, we do know that they’re using it very effectively for communications. Not only from a propaganda perspective to obtain financial support but also to establish communications between individual entities in their cells. A good example of that is Richard Reid the shoe bomber – profiling works, he’s turned away from his first flight, goes out, sends an email asking whether he continues on with the operation, receives a response back. Obviously premeditated, he knew who to send the email to, knew that he’d receive a response, there’s somebody on the other end that’s looking for the email and making some sort of command decision.
We’ve one case that’s been documented in a public record of individuals associated with terrorist organisations actually soliciting just unstructured hackers. We had a media article regarding what some hacker had done and then was later approached by an individual that was associated with a terrorist organisation, to the extent that they actually sent him money in the mail as a gesture of goodwill. He reported it to law enforcement so we don’t know exactly what their intentions were. I am working with a couple of hackers in the UK who did jobs on basically a mercenary basis, not knowing who the client was, and now fear that they might have been acting on behalf of terrorist organisations.
Richard Aedy: You’re listening to The Buzz on ABC Radio National and this is an edited version of a speech given at the US Consulate by cyber terrorism expert Mathew Devost – back to the speech.
Matthew Devost: …And to speak to what we think some of the likely aspects (of) cyber-terrorism are. There’s no evidence to show that a group like Al Quaeda is ever going to just give up what they know and migrate their tactics to cyber-terrorism. We just don’t see that happening. There are other groups that are more single issue that might have used political violence in the past that may seek to divert themselves to cyber-terrorism but not a global threat like Al Quaeda. How do we think that they might use it? The primary one is where they can use it to augment the impact of a physical attack.
So maybe you launch a cyber-terrorism attack in parallel with the physical attack with the sole implication being that you can augment or increase the impact of the physical attack by going in and eliminating, or taking down the emergency communications system prior to launching a physical attack and thereby having a greater impact. To decrease confidence in an infrastructure; maybe they won’t be able to kill anybody with the attack but they can have that course of impact. You can take down, temporarily, telecommunications, or electric power and it’s fully recoverable and the overall national strategic impact is minimal but still, from a psychological perspective, people are going to be afraid, it’s going to cause fears with regards to what could happen next. So that becomes attractive as well.
And then in those rare instances where we have infrastructures that allow for physical damage or physical consequence through solely an IT based attack. Those obviously become very attractive because you have the best of both worlds. You can be geographically dislocated from your target, go in and still have some sort of physical consequence. Fortunately there are enough safeguards and measures in place on some of those infrastructures that have the human safety component that that attack is very difficult to perpetrate. But where those opportunities present themselves they are likely to be exploited. Aviation is an obvious area that needs additional consideration because of the potential for that mass casualty.
Our current assessment of the threat – we do think that it’s an emerging threat but from a national strategic or sustainable impact perspective there’s a line we like to use that those with the intent, lack the capability. Does a terrorist organisation have the intent to use cyber-terrorism? Absolutely, it’s attractive for a whole plethora of reasons. Do they have the ability right now to have some sort of sustainable infrastructure impact? Our belief is, at this point in time, probably not. The risks in saying something like that though is that we don’t have adequate insight into their planning cycle. We know that it’s on the radar screen, we’ve no evidence to show that it’s been on the radar screen for more than a year, but we could be wrong. And then the other thing that makes that a dangerous statement is the fact that some of these infrastructures are becoming easier to attack, it’s becoming easier to acquire the capability to attack them as they migrate to publicly available technologies, as they make themselves available on public networks.
And those with the capability lack the intent is the other side of the coin that we always put on that slide. There are entities out there that have the capability for sustainable infrastructure attacks: nation states, people that have a decade of experience in assessing issues like this. But there are all sorts of classical deterrent factors that come into play. The economic impact of the nation state that’s involved in the global economy and launching some sort of attack can come back and have negative implications. The fact that they would fear some sort of response or conventional response, that they would have global condemnation.
But we also like to acknowledge that that variable’s changing slightly as well. And the reason why we say that is there is doctrine out there with regards to fourth generational warfare, unrestricted warfare, I don’t know if anyone’s read any of the documents surround that. And their theory was that hegemonic war is a thing of the past unless you could predetermine the outcome. So if you have two nations that could potentially be involved in conflict and it’s pretty clear that one’s going to win over the other, those nations are still going to engage in conflict. If you can’t predetermine the outcome their thesis was that they’re going to start resorting to what they called unrestricted wars. And unrestricted wars were strategic attacks to destabilise economies, currencies, information warfare, attacks against infrastructures and conventional terrorism.
So if we put ourselves in that mindset and think that there are nations out there that might have some reason to do some sort of limited strategic attack in that model, our feeling is you could probably get away doing so anonymously right now because we exist in an environment where everything would be blamed on Al Quaeda. What we call the blame Ben Ladin variable. So if I’m a nation state and I’m following that sort of doctrine and I’ve determined that it might make sense to try and attack the financial system, right now is the most attractive time to do that because it would likely blamed on a terrorist organisation and that’s something we need to be cognisant of.
Richard Aedy: Matthew Devost is President of the Terrorism Research Centre Incorporated, an institute with a rather arresting web address He’s also Executive Director of the consultancy, Technical Defence.