The attacks of Sept. 11, 2001 sparked a new urgency to predict future threats to the United States. And though the reviews of our physical security assets, geopolitical strategy, and intelligence gathering apparatus probably gathered the most headlines, the desire to better prepare the nation’s defenses didn’t stop there.
Security experts also drew attention to potential vulnerabilities in our digital infrastructure.
In an age of growing military and economic dependence on information technology connected by networked computers, there was a fear that we might someday experience a “digital 9/11” at the hands of terrorists, or worse, an even more devastating “digital Pearl Harbor” sneak attack by another country that might elude identification as the perpetrator thanks to the camouflage provided by cyberspace.
In the wake of the 9/11 attacks, academic papers, books, and Congressional reports were written on the topic of cyberterrorism. Prominent figures like Richard Clarke, the former White House “Terrorism Czar” and Special Advisor to the President on cybersecurity, voiced the opinion that the potential for massively disruptive cyber-attacks was real.
So with all that new attention being paid to computer security, and given the benefit of hindsight, how much did we get right in the days after 9/11 about the real cyber-threats that we face today? How much did we get wrong and what did we miss entirely? And perhaps most importantly, how well have we prepared ourselves for current and future attacks on our networked digital infrastructure in the decade since the attacks?
We asked some of the top minds in IT security to weigh in on those questions. Interestingly, what we found was that most of the experts agreed that one thing we got very wrong at the time was the conflation of threats to computer security with terrorism.
Identifying the Real Threats
“What we haven’t seen is an increase in ‘cyberterror’ on American shores since 9/11,” said Chris Clymer, manager of advisory services at SecureState. “While there is certainly potential for these types of attacks, the reality remains that terrorists interested in the United States have remained focused on doing physical and bodily damage to U.S. targets. Critical infrastructure is still a target, but more of a target for explosives than cyberterror.”
Clymer’s observation was shared by many of his colleagues. Dmitri Alperovitch, vice president of threat research at McAfee Labs, said that concerns we had about cyberterrorism a decade ago had all but evaporated.
“In those days, the sort of actors that we most worried about are basically the actors we least worry about today,” he said. “The lone hacker living in his parent’s basement and stealing missile codes and launching missiles is of course laughable these days. And the other threat was the terrorist threat, which I think is still a reasonable concern, but we’re a long way from terrorist groups gaining the capability to do any significant damage. And so far, they’ve shown very little interest in cyberwarfare.”
Joseph Steinberg, CEO of Green Armor Solution, noted that China has emerged as a far greater threat to U.S. cybersecurity than terrorist groups like al Qaeda. Graham Cluley, the noted security blogger and senior technology consultant for Sophos, had harsh words for the threat assessments being pushed in certain quarters in the years following the 9/11 attacks.
“I remember that there were lots of folks, some of them high up in the Bush administration, predicting a ‘digital Pearl Harbor,’” Cluley said. “I always found language like that distasteful, and couldn’t really see any evidence of a link between terrorism and cybercrime.
“Ten years on and there’s no reason to believe that terrorists have successfully mounted any kind of attack using the Internet that would be any more difficult to deflect than that produced by a student in his back bedroom.”
Some of the real threats that have emerged were impossible to predict at the time, Steinberg said.
“Smartphones and specialized tablets did not exist on Sept. 11, 2001, so obviously nobody prepared back then for the risks that were created when they emerged and grew into a major access platform,” he said. “The same is true for cloud computing. And, to be blunt, in both cases, most users and businesses are still ill-prepared for them.
“The proliferation of inexpensive flash drives—and the resulting risks—was also not clear a decade ago. And it was probably through a flash drive that the first true act of cyberwarfare occurred—the Stuxnet attack on Iran’s nuclear facilities.”
Some of the other emerging threats that the experts say we didn’t have a good read on include the rise of cybercrime over the past ten years and the less threatening but perhaps more sensational explosion of “hacktivist” attacks by the likes of Anonymous and LulzSec.
But those evaluating cybersecurity after 9/11 did get some things right, the security professionals said.
One of the most thorough assessments of our digital vulnerabilities at the time was a 2004 report authored by Charles Billo and Welton Chang of the Institute for Security Technologies Studies at Dartmouth College, titled “Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States.” Among other assessments, Billo and Chang identified nation-states as the threats to be feared most in the coming years—think the alleged connection between China and cyberattacks on Google—and pointed to attacks on critical infrastructure as a growing concern.
It took almost a decade after 9/11 for Stuxnet to emerge, but that powerful computer worm’s crippling of an Iranian nuclear facility in 2010 pointed towards a new and deeply troubling type of IT security threat.
Clymer said Richard Clarke’s assessments about threats to critical infrastructure and a lack of adequate security provisioning by both the public and private sectors “were fairly accurate.”
“Clarke focused on the protection of critical infrastructure during the end of his tenure in office, and noted with concern that most corporations spend more on coffee than on information security—and that we were likely to be hacked as a result,” Clymer said.
“In particular there have been increasing numbers of breaches of military contractors, and companies which provide security technology to these contractors. The compromise of servers at RSA Security which presumably contained seed records for RSA tokens is one notable, and recent, example of this.