What Happened to Cyber 9/11?

A recent article in the Atlantic asks why we haven't seen a "cyber 9/11" in the past fifteen or so years. (I, too, remember the increasingly frantic and fearful warnings of a "cyber Pearl Harbor," "cyber Katrina" -- when that was a thing -- or "cyber 9/11." I made fun of those warnings back then.) The author's answer:

Three main barriers are likely preventing this. For one, cyberattacks can lack the kind of drama and immediate physical carnage that terrorists seek. Identifying the specific perpetrator of a cyberattack can also be difficult, meaning terrorists might have trouble reaping the propaganda benefits of clear attribution. Finally, and most simply, it's possible that they just can't pull it off.

Commenting on the article, Rob Graham adds:

I think there are lots of warnings from so-called "experts" who aren't qualified to make such warnings, that the press errs on the side of giving such warnings credibility instead of challenging them.

I think mostly the reason why cyberterrorism doesn't happen is that which motivates violent people is different than that which motivates technical people, pulling apart the groups who would want to commit cyberterrorism from those who can.

These are all good reasons, but I think both authors missed the most important one: there simply aren't a lot of terrorists out there. Let's ask the question more generally: why hasn't there been another 9/11 since 2001? I also remember dire predictions that large-scale terrorism was the new normal, and that we would see 9/11-scale attacks regularly. But since then, nothing. We could credit the fantastic counterterrorism work of the US and other countries, but a more reasonable explanation is that there are very few terrorists and even fewer organized ones. Our fear of terrorism is far greater than the actual risk.

This isn't to say that cyberterrorism can never happen. Of course it will, sooner or later. But I don't foresee it becoming a preferred terrorism method anytime soon. Graham again:

In the end, if your goal is to cause major power blackouts, your best bet is to bomb power lines and distribution centers, rather than hack them.

Posted on November 19, 2018 at 6:50 AM • 36 Comments

Comments

jon • November 19, 2018 7:10 AM

One of the strangest things about society is that any one of us, at any point, can just punch someone in the face for no reason, any time we feel like it, but we don't.

Some people attribute this to the after effects of punching someone in the face, the court cases, the arrests, etc... but the reality is if you hit a stranger in the face hard enough, and keep moving, unless someone is there to stop you from walking away, you will probably be able to do just that, with few lingering consequences once your hand stops hurting...

The fact that this doesn't happen regularly suggests that most people have no desire to actually punch someone in the face. Though still people read into it as if laws and law enforcement are the key to stopping this, when in reality it's a lack of supply for law enforcement that should be astonishing us.

wiredog • November 19, 2018 8:16 AM

"why hasn't there been another 9/11 since 2001?"
That style of attack is unlikely because previous to that people were trained to co-operate with hijackers, and since then they have known not to. There have been several incidents where troublemakers on aircraft were taken down by other passengers. The only arguably useful preventative measure (in aircraft) since then has been hardening the cockpit doors. All else has been security theater.

As far as a "cyber 9/11" goes you often see people, even here, who think "networked" automatically means "publicly accessible" and "on the internet". Industrial systems may be networked, but not necessarily on the internet. And they may be "publicly accessible" but only if an attacker physically splices into a communication line. And for systems connected to the phone networks, the specific knowledge of the protocols may not be widely known and may require a fair amount of training to pull off.

I'd be more worried about state actors, as with Stuxnet, than terrorists.

Did the authorities ever figure out who shot up the electrical substation in California a few years back, and why?

Snarki, child of Loki • November 19, 2018 8:59 AM

"Making Windoze crash" just doesn't seem that exceptional.

Why, it would be as if AQ staged an attack on commercial airliners that contaminated all the airline food to make it awful and give you a mild stomach bug. Would anyone notice?

name.withheld.for.obvious.reasons • November 19, 2018 9:19 AM

I wholeheartedly concur with your observation here Bruce, I stated years ago that more people will die in their bathtubs this year than those killed by terrorists but no one has suggested that the TSA be the Toiletry Security Administration. One area that I have briefly touched on is related to the energy utility sector. As a former technician in the energy sector, a power generation facility in particular, it surprised me at the level and types of vulnerabilities and the inability of the industry to grasp the nature or types of risks.

In California as an example, the ISO is responsible for integrating generators, transmission operators, and others in order to service a more efficient market place for energy (of course regulatory capture plays an oversized role in setting the basis for decisions and the environment that results).

Surprisingly, without deliberately planning or defining any particular discovery process or an analysis related to operational integrity and resilience I discovered two significant generator (as defined by the industry as a provider of power prior to transmission/switching/phasing) vulnerabilities that provide dangerously successful means of shutting down individual generators (natural gas, liquid fuels, and most all turbine driven power plants--including hydro). As a systems engineer my perspective was far broader than the operational roles of many of my colleagues.

Plant supervisors or engineers seemingly compartmentalized the nature and practice of plant operations. Even though operations theory tends to develop or speak lightly of a systems management approach but rarely goes beyond conventional management theory that is over forty years old. Academic treatises on systems management matured in the mid to late 1970's but little has impacted systems and systems management practices that can be exemplified in the nuclear power industry. And not due to safety or integrity issues by-and-large, but by costs of operation and profitability.

Early in 2009 when exercising my own internal risk assessment (was for the most part responsible by title but not authorized to affect or analyze that very responsibility), the first e-mail came. The formatted X-header immediately informed me of the source and reason for the mail, it meant I would likely be too late to avoid the shutdown of a naval power generation site (100MW). My relief and my dismay were delivered shortly after preventing the inadvertent hard slam of the spinning turbines... Relief came when after scrambling to secure a terminal session to the analysis management system(s) the enter key was pressed in time (after pressing a lot of other keys first). The cascade of events that was certain to take all the generators out in an unpredictable manner (hard stop) had been averted. Did this event need to be reported? Not under authorities understood by many.

I'd spent some time instrumenting an internal monitoring system using layers of logical and physical control (mapped as expected availability, redundancy, and serviceability irrespective of event type (sans solar flares)). But, not unlike the complexity and lessons that brought about systems and science management theory (space programs) it was the hubris of certainty and the use of a sufficiently fast and accurate slide rule--the ride to the abyss finds its own way.

The second awakening was to come not long after this near miss. Unable to make important the first wakeup call such that senior management would allow themselves to act, consideration of a career move that might lead to a title of "journeyman whistleblower" was unthinkable. But, when another site, not a naval station though not very far away, slammed to the ground in an event that really had not been predicted or expected but I was present. The sound of the two spinning turbines, the pumps, valves, gates, and switches committing hara-kiri with the same sword at the same time had a reason. It was immediately obvious to whom guilt could be awarded. I instantly had a severe headache, my stomach tensed to a degree I'd never experienced, and realized that it was not going to be my day, week, year, or decade.

What I'd "accomplished" with my "fix/repair" informed no-one of the implications. From 80MW to less than 0W in milliseconds--no prize or bonus was offered me though my contribution had been singular in plant history. This event soon led me to believe that a title change could soon be in order.


JohnnyS • November 19, 2018 9:56 AM

@wiredog

as per your comment "Industrial systems may be networked, but not necessarily on the internet. And they may be "publicly accessible" but only if an attacker physically splices into a communication line."

You're whistling past the graveyard. A quick search on Shodan shows that many such systems are visible on the Internet, even if their operators *think* they are air-gapped and/or firewalled. All it takes is "Dave" to plug in a router he bought from the local TargeWalmar store and pretty soon, anyone with a browser can find them on Shodan.

https://imgur.com/gallery/OgWs3

I used to do "Kismet walkabout" looking for rogue APs at a large financial institution. We didn't do that because we were checking off a compliance requirement: We did it because we OFTEN found such rogue devices.

wumpus • November 19, 2018 10:29 AM

I'm guessing the Morris Worm was it. And that a presumable "Cyber 9/11" in the future would look a lot like it. Mostly the idea that it would try to take over critical parts of the net without crashing the whole thing (it did) while any attacker would be unlikely to be able to simulate it well enough to prevent obvious damage (which gave away the attack).

The thing about the Morris Worm is that the only reason we know about it is that it was a failure. Crashing the Internet not only put Morris in jail (and possibly disowned), it also exposed that he had nearly taken entire control of the internet. While Morris likely wanted control of the Internet as a personal toy, don't be so sure of attackers since.

Perhaps there are old hackers and flashy hackers, but there are no old, flashy hackers (out of prison).

@wiredog: "As far as a "cyber 9/11" goes you often see people, even here, who think "networked" automatically means "publicly accessible" and "on the internet". Industrial systems may be networked, but not necessarily on the internet. And they may be "publicly accessible" but only if an attacker physically splices into a communication line. And for systems connected to the phone networks, the specific knowledge of the protocols may not be widely known and may require a fair amount of training to pull off. "

The larger a computer network, the sooner it is somebody connects a computer that also connects to the internet (possibly just charging their tetherable phone, or perhaps a Wifi dongle used for security updates that nobody knew was present in that printer). And for sufficiently juicy targets, there is almost always a theoretical attack between air-gapped computers (lots of work on using audio for covert channels). Stuxnet really proved that for a sufficiently desired target, you can jump an air gap.

I suppose less high-profile air-gapped networks may wind up with plenty of strange malware, but it would be unlikely to contain the elaborate malware needed to set up the covert channel (nobody wants to give away their best tricks by mass deployment). But when somebody charges a phone capable of tethering, expect nasty things to happen.

Impossibly Stupid • November 19, 2018 10:31 AM

Terrorists aren't all that different from anyone else when it comes to planning operations. The resource usage logistics are always going to favor actions that get the most bang for the buck. There is still a lot more lower hanging fruit out there than cyberattacks. Yeah, if there were some easy to exploit vulnerability that would make headlines and screw with millions of people for months or years, I'm sure they'd be all over it. But, absent that, it's best to plan actions around whatever conventional resources you have that can effectively target whatever infrastructure your enemy has left most vulnerable.

It's also probably a factor that the West is in decline. The damage done on 9/11 pales in comparison to the self-inflicted harm that US policies have caused since then. Any thinking terrorist is going to search for ways to similarly amplify the losses that are the result of any new attacks.

wiredog • November 19, 2018 10:34 AM

@JohnnyS
As I said "the specific knowledge of the protocols may not be widely known and may require a fair amount of training to pull off".

I worked in industrial automation a couple of decades ago when the primary security was to unplug the network cable connecting the machine to the network. Which is very effective against remote attackers. But even if the system were connected you still would have to know the various protocols needed to control things, and your average attacker won't have that knowledge. A State actor who is willing and able to make the effort to learn the protocols may be a threat, but a terrorist? Not likely.

It took at least one, probably two, and maybe 3, western intelligence agencies to pull off Stuxnet. Stuxnet was very successful, but required a major investment of time and effort.

Timothy • November 19, 2018 12:12 PM

The National Counterterrorism Center’s Acting Director shed some light on the terrorist landscape at a Senate hearing in October.

He identified the most significant threat groups being Homegrown Violent Extremists (HVEs), ISIS, Al-Qa’ida, plus Iran, Lebanese Hizballah, and other Shia Extremist Groups.

He says that the National Counterterrorism Center processes 10,000 terrorism-related messages every day, a five-fold increase since the Center’s early days. Their terrorist identities database (TIDE – Terrorist Identities Datamart Environment) has grown significantly since 9/11 and is quite resource intensive.

The CT community is grappling with the growth of social media, structured and non-structured data, and attempting to leverage technologies like AI and ML to process it. Additionally, he says, the information that is collected is not always accessible to every analyst based on legal, policy, privacy, etc. considerations.

Although the first response to terrorist attacks such as 9/11 were largely kinetic, he acknowledges that new approaches are being prioritized. From his written testimony:

As the new strategy highlights, this will require a wide range of partnerships, including working with like-minded countries, to fund micro initiatives at the community level to redirect those who join terrorist groups for economic reasons or to promote reconciliation among disputing factions. In doing so, we must be far more entrepreneurial in funding pilot programs to test what works. We also need to demonstrate more patience as we seek to resolve underlying conditions that are often slow to change.

I am glad to hear that efforts are largely being considered and addressed at a higher level of resource-organization and government. @Bruce it seems that you, and others, are also deeply involved in producing a lot of guides and resources for the community.

Dogen • November 19, 2018 12:20 PM

This seems too obvious, but no one else has mentioned it, so here goes.

Why should a cyber attack resemble physical attacks? I don’t think they do, in general.

Russia’s takeover of the US’s Commander-in-Chief position has to rank as the most successful cyber attack in history, and also one of the most successful accomplishments of all kinds of warfare in history.

I’d argue that cyber terrorism is happening basically all the time. We now know that a large number of Internet trolls are foreign provocateurs, and they seem to be quite effective. The nazis and their fellow-travelers who have committed essentially all mass murders in the last two years have been primed by the trolls.

Yes, physical infrastructure is often very vulnerable, and the IoT is a freaking disaster, BGP is wide open, etc etc. But I think y’all are paying too much attention to yesterday’s threats.

Killing people, or terrorizing them in other ways, are simply means to achieve various goals. Why would a state actor (or would-be state actor) bother with that messy stuff if they can find more effective approaches?

Reziac • November 19, 2018 1:08 PM

I can think of a dozen major power stations just in my old neighborhood where a drive-by, a decent throwing arm, and a hand grenade would do a LOT of damage, with zero risk of being seen or caught. Why bother with hacks to cause shutdowns or lockups that may only require a reboot to fix, when you can both knock out a big chunk of the system for days and maybe start a brushfire into the bargain?

JohnnyS • November 19, 2018 1:49 PM

@wiredog

Sorry, you don't need to know the exact protocol definitions to cause havoc. A buddy of mine once watched a security survey of a wireless network on a manufacturing floor where they had a large robot: There were carefully painted lines on the floor all around the robot to show workers where they were safe, keeping the workers outside of the arm's *normal* operating range.

The surveyor had connected to the open wireless network with no authentication, then figured out the robot's IP on the network and sent it a packet with random content. At that point, the robot simply extended its arm all the way and made a 360 degree horizontal sweep at full speed: The arm was well OUTSIDE the painted safety lines. Fortunately there was no-one near it at that moment, since they would have been killed. They rather quickly repainted the lines and started to redesign the network for security.

Thinking that "you have to know teh s3cr3ts" before you can attack an industrial network is "security by obscurity" and it simply doesn't work. It doesn't take a nation state to cause disruption and danger in an industrial setting.

Impossibly Stupid • November 19, 2018 4:12 PM

@Dogen

Why should a cyber attack resemble physical attacks?

I don't think anyone is saying they must, just like nobody is dismissive of terrorist attacks on scales smaller than that experienced on 9/11. It's just that script kiddies doing other, lesser cyber crimes isn't going to be big enough to capture headlines globally.

Killing people, or terrorizing them in other ways, are simply means to achieve various goals. Why would a state actor (or would-be state actor) bother with that messy stuff if they can find more effective approaches?

Yes, fine, but then it is by definition not terrorism, let alone terrorism on the scale of 9/11. Propaganda and other misinformation campaigns are nothing new. Involving modern technology does scale it up, but it still doesn't have the kind of control most would like (e.g., Trump isn't so much a Russian puppet as a bull in a china shop). The tools just aren't advanced enough yet to make it truly effective for machinations that unfold on a global stage.

AJWM • November 19, 2018 4:49 PM

Attacking power substations with bombs or hand-grenades is unnecessary and fraught with risk to the attacker.

It's amazing the damage to infrastructure someone who is a good shot with a .50 cal sniper rifle could do without the messiness of dealing with explosives. No, I'm not going to elaborate. But certain pieces of infrastructure equipment have long lead times to replace and don't work well with half-inch holes in them. (Although the situation has improved somewhat since the late 80s when this first came to my attention.)

F.J • November 19, 2018 5:06 PM

@Bruce:

"... why hasn't there been another 9/11 since 2001 ..."

From my point of view we haven't seen one since because USGOV hasn't found the need of another one to push terror on its own population to strip people's civil rights, have a pretext for invading other countries in search of chemical weapons and so on.

If people still think two airplanes can melt the steel structure of entire buildings to the point of collapse in free fall then I would advise studying some basic physics and doing some math. Ah...and don't forget the third building collapsing and the lack of airplane debris in the Pentagon.

Men in Black • November 19, 2018 6:02 PM

"What Happened to Cyber 9/11?"

To answer the question, it's a death by a thousand cuts rather than one massive catastrophic event.

The continual onslaught of adware, malware, spyware, worms, Trojans, viruses, and keyloggers which the Microsoft / Intel / Apple / Android / Facebook cartel adamantly refuses to allow us to secure ourselves against.

For every online security measure introduced, there is an entire industry of mandated insecurity.

echo • November 19, 2018 10:13 PM

https://www.theregister.co.uk/2018/11/19/uk_cni_report_parliament/

Though the National Cyber Security Centre arm of GCHQ was set up a couple of years ago to help counter this kind of threat, the report also warned that "there appears to be little beyond anecdotal evidence that the UK is at the forefront of international efforts on cybersecurity", suggesting that, despite its publicity, GCHQ may in fact not be able to cope with the scale of the threat if things got truly nasty.

Whoops!

Clive Robinson • November 20, 2018 2:08 AM

@ wiredog,

A State actor who is willing and able to make the effort to learn the protocols may be a threat, but a terrorist? Not likely.

The problem with that is, many states are waning in power and resources in comparison to the newer International Corporations,

1, Many Corps are above state level.
2, Many States will do what Corps ask even the USG.
3, Industrial espionage is not always passive.
4, Terrorists come in all flavours.
5, Terrorists do not care who they get into bed with to further their aims.
6, Most States have a "proxy" history of supporting terrorists.
7, Corps are replacing states in many things.

Terrorists come in a range of action, from indiscriminately terrorising anyone through to highly directed attacks. The IRA for instance attacked shops, cinemas, public events through to targeting specific members at the very top of society[1].

We know from numerous sources that those corps involved with getting and transporting raw resources out of the ground, that "rough shod" is a polite description of their business practices where others' contrary interests are involved (which leads to retaliation branded as "terrorism").

We also know that criminals of all manner of interests, view corporations as a way to legitimize much of what they do in various ways, not just money laundering.

Thus saying terrorists are not going to put in the time to learn things is kind of missing the point, others can and will do when objectives align. But terrorists will put in the time, as was seen with 9/11, they were willing to learn sufficient to fly the aircraft to achieve their objective. Likewise others were prepared to put in the effort to develop their own cryptographic applications. Like other "goal driven" individuals they will do what they need to do to reach their goals.

[1] Admiral of the Fleet Louis Francis Albert Victor Nicholas Mountbatten, 1st Earl Mountbatten of Burma, KG, GCB, OM, GCSI, GCIE, GCVO, DSO, PC, FRS was a British Royal Navy officer, war hero, diplomat and statesman. Also an uncle of Prince Philip, Duke of Edinburgh, and second cousin once removed of Queen Elizabeth II. Was sadly murdered in County Sligo, Ireland Aug 79 by the IRA.

Evan • November 20, 2018 5:27 AM

If a "Cyber 9/11" happens, dollars to doughnuts it'll happen in a place like China and we in the West might not even notice it. Muslim extremists are increasingly going after their own, or bigger threats to their worldview than US policy.

Petre Peter • November 20, 2018 6:16 AM

I am not sure of a cyber Perl Harbor but I am sure of attacks with a cyber component.

wiredog • November 20, 2018 6:32 AM

@Clive Robinson and others
Yes, individual cyber attacks against discrete targets with localized damage are a possibility, but the "Cyber 9/11" with thousands dead and millions inconvenienced are the subject here. The latter requiring more organization than a terrorist group is likely to pull off.

Clive, blowing up Lord Louis' fishing boat was a "We only have to be lucky once" attack. (Off-topic, I wonder if the Brexiteers have considered the effect of Brexit on the Troubles?)

Clive Robinson • November 20, 2018 7:52 AM

@ echo,

The bit that is perhaps more of note is,

    "Many CNI [Critical National Infrastructure] operators are utility providers whose funding streams are pre-agreed, often by regulators, and limited by price controls. Without a more flexible approach to price controls, the question often asked in relation to cyber security – 'how much is enough?' – can become particularly acute for these CNI operators," wrote the report's authors

Because it highlights a particular dynamic the report does not mention. Which is longterm management behaviour with regards infrastructure maintenance and investment...

When the utilities were in public ownership they were often the leaders in distributed data communications and command and control systems. They invested in the future to make improvements in infrastructure maintainability and robustness. When MilCom design companies were looking for how to do things on national scale it was these utilities they studied.

But that was soon to fall by the wayside. Because back then when Maggie Thatcher PM was planning on "selling all the family silver" the internet was something few in the UK had heard of (as it was called ARPANET back then) let alone knowingly used.

People justifiably feared the privatisation would lead to massively increased bills, thus we got given "regulators" to keep prices down... Well in that they failed, as they took way too much note of what the industry had to say rather than those who paid the bills, who they were supposed to protect...

Whilst Continental European countries found ways to stop other nations buying up their utilities, there was no such thing in the UK thus European utility companies such as France's EDF bought up energy companies and ran them to cross subsidize the home nations utilities (EDF have a lot of "dirty nuke reactors" that swallow cash faster than the same sized hole in the ground for instance). Other utilities such as some water companies dived into risky ventures that were not "regulator capped" but obtained low rate bank loans because the utility customers could be bilked in various ways to cover it, thus the banks saw little or no risk just profit from utility company customers.

As such hidden costs mounted, costs in other areas had to be cut to keep shareholders happy. So longterm maintenance and upgrades got the axe along with the staff involved. This was obviously not enough so other things got the chop in short order.

Secure communications networks can be eye wateringly expensive to operate as others want to make large profits from frequency allocation costs and equipment costs such as leased lines. As the Internet became available it was easy to change "work patterns" to shed more staff and whilst effectively reducing full pay working time, vastly increased low/no paid "on call time" by connecting the data networks to engineers homes over the rapidly price falling Internet, that was beginning to become popular.

Thus the Privatised utilities "investment" in networking was not what it had been when Public utilities. The old "innovation", "improvement", and "future proofing", gave way to a wholesale cost cutting race to the bottom. Where the only investment criteria was proving cost savings of a fifth or more per annum, nothing else...

Thus what the utilities sought was low quality at lowest cost and if possible no maintenance cost... Not exactly the way to go about keeping a secure distributed system... Oh and their suppliers got into the game as well, by not just quoting low, but of supplying fragile or incomplete systems, then making big profits on well overpriced "upgrades" and "upgrade maintenance contracts" etc...

Which is why we have so many ills in our utility infrastructure. That now the utility management have dug themselves a big hole into, they are now reliant on the politically biased regulators to pull them out yet again. And as always by some deal which obliges the customers to "pick up the tab" in probably "the worst possible way". As Private Eye would say "Cherching... Trebles all round", with a few honours thrown in at the new year.

Whilst the poor old customers find out yet again what the current political incumbents really think of them, compared to those who give them "political donations" or hugely over remunerated sinecure employment if the voters wise up and kick them out of tax paid employment...

Clive Robinson • November 20, 2018 10:08 AM

@ wiredog,

Yes, individual cyber attacks against discrete targets with localized damage are a possibility, but the "Cyber 9/11" with thousands dead and millions inconvenienced are the subject here.

Yes it is, and actually they are not that difficult to achieve with cascade failures to infrastructure under significant stress, and that is a significant issue that people are avoiding.

For instance in some countries a failure in a small part of the electricity infrastructure will lead in a three to seven days period, to hundreds of cases of hyperthermia. Which will cause some significant percentage of elderly and vulnerable people to die.

Causing the disruption with a cyber attack is fairly easy when compared to maintaining it for a week. Thus you would be looking for a more specialised form of cyber attack that actually causes infrastructure damage to insufficiently protected critical difficult to replace components. Such attacks have already happened.

And as you have pointed out this generally requires specialised knowledge both technically and specifically.

What I am disagreeing with is your assumption of,

The latter requiring more organization than a terrorist group is likely to pull off.

Because the information needed can be given to them by others with a common or allied interest or objective, not all of whom are states.

In the past that "common interest" was "Super Powers" both the US and Russia were up to their eyes in funding terrorist groups. So much so that they actively created and trained terrorist groups Osama Bin Laden and AQ being the product of such conflict with Russia having invaded Afghanistan.

Over time "funding terrorism" has slipped down the level of State ranking to countries with GDP so small the whole place could be bought by any one of a number of large International Corporations, and be smaller than an ordinary corporate "merger and acquisition".

It's quite reasonable to suppose that corporations are into "funding terrorism" we know that "arms dealers" who front up certain military equipment suppliers and manufacturers do actively "stir it up" as part of the business process. The fact the US were easily able to arrange such via Israel in the Iran-Contra deal back in the 80's should be a bit of a red flag. Likewise the behaviour of some US Security firms getting fat contracts in Iraq...

If you have something that needs doing "paying off" terrorists in various ways would not be any more of a problem than laundering a bribe to government officials as a part of obtaining a military supply contract with that country.

The "pay off" does not have to be money, it can be weapons delivered into other places or just high value information.

The hard part of doing a Cyber 9/11 is getting the right information to the terrorists in a way they can use. And as has been seen it's well known by engineers working in the utility companies just where the really bad/useful attack points are. Thus the hard part is not getting the information but avoiding raising suspicion should an attack using the information happen.

To be blunt "accidents and suicides" happen to all sorts of people sometimes conveniently so. Thus suspicion can die with them.

My point is that whilst Bruce is correct the number of terrorists is apparently reduced, that may be because they have gone off to fight in the Middle East. Where until recently they would have found their outlet in the likes of ISIS or one of the groups fighting them.

Now however the M.E. conflicts are dying down, thus the question arises as to where will such people go and what will they do...

We know for certain that some will end up in places like the Molenbeek-Saint-Jean area of Belgium, firing up the local disaffected to become yet more terrorists. They will need resources, thus the question as to where they will get them from?

Currently the money for terrorism comes from the citizens of US and other Western Nations[1] as "Petro-Dollars" to the House of Saud in Saudi Arabia, and similar in other Arab Principality countries. Where old men with faded views of the world pass the money on to maintain a war between various sects of the Muslim faiths that has existed for centuries but did not have the funding previously to become an issue outside of restricted areas of the Middle East. In their twisted minds they blame the US and West for their failures, thus attacking "The Great Satan" to bring them into the war is seen as a just and right thing to do...

Well the current sources of income are drying up and likewise the various conflicts in the Middle East are not producing the wanted results. We have seen a cyber-terrorist attack on a Saudi Oil Company[2] that was planned to be sold off to raise funding for Saudi. Potentially to fund their war against Muslims in other parts of the M.E. Though not killing people --which it was designed to do-- the cyber attack potentially has saved many thousands of lives by the massive financial impact it has caused to Saudi.

The question is who resourced that cyber-terrorist attack? The one thing you can bet on is the House of Saud got the message loud and clear. Whilst the knowledge may not have affected ordinary people it would have had a very substantial effect on the House of Saud. Technically the attack was against safety systems, thus the knowledge would have had to have come from inside the company or other entities close to it...

Those most likely to have understood which information to use almost certainly would have been engineers with both technical and specific information on the company attacked. According to one source[3] it was only a single coding error that stopped the explosion because it inadvertently shut down the plant first. The equipment targeted (Triconex) as a "lock and key" system was believed until the attack to be secure against remote hacking...

Whilst the state of Iran would have benefited from such an explosion and the even worse financial turmoil Saudi would have suffered, it's not difficult to find others that would have greatly benefited. Not least several major International Corporations, who have objected to Saudi's current "oil policy". Likewise the USG and China would also benefit as the Saudi oil policy is keeping oil prices higher than many would like.

Thus my point is cyber terrorism is happening and has been planned to do 9/11 type results, and although it has not happened, the message it will is getting through to certain people, loud and clear.

The fact that international corporations have been involved with terrorists in the past indicates that they might well not just carry on, but get more deeply involved. Because "proxy war" provides not just "plausible deniability" but effectively low cost high return benefits, those corporates who care not a jot about bribery legislation will not blink twice at using terrorists. In fact we have good reason to believe some already do.

Thus terrorists getting information is not really any different from them getting other resources that they get. Likewise they care not a jot where the information comes from as long as it helps them accomplish their aims and objectives...

I can see a growing form of symbiosis between international corporates, and the increasing glut of homecoming terrorists from the Middle East battlefields.

I could be wrong, but as they say "time will tell"... So keep an eye out for the trends.

[1] Due to economic expansion China has likewise been taking money from the US and Western nations and funneling it into buying oil etc through Turkey and other places where the likes of ISIS were selling it very cheaply.

[2] https://foreignpolicy.com/2017/12/21/cyber-attack-targets-safety-system-at-saudi-aramco/

[3] https://www.independent.co.uk/news/long_reads/cyber-warfare-saudi-arabia-petrochemical-security-america-a8258636.html

Grauhut • November 20, 2018 12:14 PM

@jon: "The fact that this doesn't happen regularly suggests that most people have no desire to actually punch some one in the face."

And that's why I think there can not be too many terrorists around us.

"if your goal is to cause major power blackouts, your best bet is to bomb power lines and distribution centers"

If there were more terrorist idiots we would see power line poles fall daily.

How many of them have to fall to shut down a major city or some type of power plants...?

Otter • November 20, 2018 12:37 PM

"Technically the attack was against safety systems, thus the knowledge would have had to have come from inside the company or other entities close to it..." like...

The faceless bureaucrat, who actually wrote the RFP, and informed the Prince which bids met it, and negotiated compliance with the supplier he preferred.

The German gig-engineer, hired by the fourth level sub-contractor, who designed the design and drew the drawings. Or maybe his night janitor, whose second cousin knew where to get good money for anything he copied.

The third level sub-contractor's copy room clerk, who did a favour for a sweet guy, who was so anxious to see some real engineering drawings that could relate to the courses he was taking to improve himself.

The factory girl in Malaysia, who smuggled a box to the local market, for a few pennies to buy her mother some medicine.

The Japanese factory supervisor, who wasn't paid nearly enough to support his preferred life style. Maybe his boss in Tokyo, whose generous friend, some kind of nearly important manager in another company, was curious.

The supply chain, an eleven dimensional rats nest. Papers everywhere. Customs agents everywhere. Guards everywhere. Truck drivers everywhere.

The Bangladeshi slave labourers, who finally pulled the wires and screwed the screws. Or the guy who showed up on the worksite one day, with a clipboard and silver pencil, sketching sketches and copying numbers. Nobody dared accost or report him: somebody said he dressed like a Saud.

Not to mention the Prince Himself, and his brothers, and servants, not above inflating his importance, or accepting a small favour to show off a few impressive secrets.

And the corporations, rivals, suppliers, customers. All the three, four, and five letter organizations.

Don't forget the guy with the excellent suit and a pied a terre (mail box) in The City, attending trade fairs, combing the internet, writing letters on fancy paper, signed with a real goldplated fountainpen.

Yeah, and the insiders.

wumpus • November 20, 2018 2:31 PM

@reziak "I can think of a dozen major power stations just in my old neighborhood where a drive-by, a decent throwing arm, and a hand grenade ... when you can both knock out a big chunk of the system for days and maybe start a brushfire into the bargain?"

This type of thinking makes more sense from a state-driven strategic campaign (such as a war) and doesn't really fit into modern terrorism. The goal of terrorism is more morale based, and presumably more in increasing home morale and being seen doing impressive damage. Actually doing effective damage isn't probably even an afterthought (this certainly applies to US counterattacks as well. All those cruise missiles at camps didn't appear to be about maximizing damage but instead being seen "doing something").

supersaurus • November 20, 2018 3:43 PM

repeat of original 9/11 attack: putting locks on the cockpit doors made 9/11 revisited much more difficult. as I recall the airlines fought this for years because of the weight penalty, but I can't point to a source for this. obviously there is no such simple and practical counter available to prevent cyber terrorism.

Clive Robinson • November 21, 2018 4:56 AM

@ supersaurus,

[O]bviously there is no such simple and practical counter available to prevent cyber terrorism.

Yes there is, and it's been around since before even me and @Bruce, and it works just the same way.

It's "Segregation/separation" with a "Mandated&Enumerated choke point interface".

As segregation was once described to me by a "box bashing type" who liked silver plate, "If you put the screws down tight, nothing is going to get in or out"...

Which like a locked cockpit door is going to keep "untrusted" passengers/crew from "trusted" crew.

Ollie Jones • November 21, 2018 7:36 AM

Dr. Schneier, you wrote:

I also remember dire predictions that large-scale terrorism was the new normal, and that we would see 9/11-scale attacks regularly. But since then, nothing.

With respect, you should amend this to "nothing in the US." Or maybe even "nothing except domestic terrorism in the US."

France, England, and Spain have all suffered nasty attacks since 9/11.

Steve • November 21, 2018 1:05 PM

How about the election of 2016?

The results are as devastating as any attack with automatic weapons or bombs.

Clive Robinson • November 22, 2018 1:20 AM

@ Sancho_P,

May I refer to:

Yes, "insider attacks" are perhaps the oldest attacks recorded in history. The solution chosen is probably as old.

But the solution too has problems, which brings us around to Juvenal's question,

    Quis custodiet ipsos custodes?

Which after a little thought brings us to the partial thought Jonathan Swift gave in "Rhapsody",

    The vermin only teaze and pinch, their foes superior by an inch. So, naturalists observe, a flea Has smaller fleas that on him prey; and these have smaller still to bite 'em, and so proceed ad infinitum. Thus every poet, in his kind, Is bit by him that comes behind.

Which true to the word, the mathematician Augustus De Morgan in part stole and added the observation in "Siphonaptera" of what goes down must also, in like kind, go up...

    And the great fleas, themselves, in turn, have greater fleas to go on. While these again have greater still, and greater still, and so on.

It is a fundamental problem of hierarchical structures, and one which causes certain "Super AI" types the thought that we will be cast out from "Man's domain under heaven upon earth" by our own creations surpassing us, which as "The master should train the neophyte to be as his master, to pay his debt" is kind of the natural order of things, and has been long prior to the written word.

We have to hope we raise our betters, though sometimes we fail, and others pay the price. The alternative though is stagnation, atrophy and cessation...

baud • December 17, 2018 3:52 AM

There simply aren't a lot of terrorists out there

I'm pretty sure the people in the Bataclan, the Hypercacher, Nice and the Charlie Hebdo offices would disagree with this idea.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.