In the days following 9/11 we heard alarmist warnings of a coming wave of cyberterrorism. In the early days of the war in Afghanistan when an Al Qaeda computer was found, it was treated as evidence that terrorists knew how to use computers so therefore they would soon be sending worms to shut down or blow up our power plants. During that time I was interviewed on a CNN talk show describing what a terrorist might be doing with a computer that was found to have computer aided design (CAD) software on it. I said it might be used to figure out the best place to plant a bomb to cause the most damage to a structure. This wasn’t cyberterrorism. It was using the computer as an engineering tool. Somehow this got lost by the host of the show who kept on plugging away that cyberterror from Al Qaeda was coming soon. That never materialized and in the last 10 years I don’t think there has been any documented cases of cyberterrorism.
Could there have been or still be cyberterror? I don’t really think so because while it is easy to shut off computers or steal the information stored on them, it takes a relatively sophisticated group of experts to cause the type of kinetic damage that would be terrorizing. If people don’t die it isn’t really terrorism and while there is a great example in the Stuxnet worm of causing kinetic damage I don’t think this is something terrorists would replicate. There are much more cost effective and easier ways to reach their goals.
We shouldn’t rest easy that since we haven’t seen the extreme case of cyberterror that everything is safe and sound in cyberspace. There are still many vulnerabilities in the computer systems of government and corporate computers that are exploited daily. Vulnerabilities have always been there over the last 10 years and don’t seem to be abating. New technology with brand new vulnerabilities is constantly being deployed and along with each new technology comes new vulnerabilities. Some of the technology waves that have brought us new types of vulnerabilities are web applications, instant messaging, social networking, WiFi, mobile devices, and installing software over the web. Most of these technologies are still causing us security headaches years after introduction while older technologies introduced in the 90’s such as firewalls and Internet servers such as email and web servers have finally been tamed.
The number of vulnerabilities hasn’t changed dramatically in the last 10 years, just what technologies the vulnerabilities are in. Attackers have always been able to leverage this pool of changing yet ever available vulnerabilities to reach their goals. What has changed over the last 10 years is the attacker landscape. Cyberterrorism never reared its ugly head. Cyberwar is still theoretical. The big new attacker growth over the past 10 years is the cyber criminal. Techniques to monetize vulnerabilities have steadily improved and become more sophisticated against simple defenses. The other big new attacker growth area is the cyber spy. We see reports of APT and the organizations that have had their secrets compromised on a daily basis. Most recently there has been a dramatic rise in hacktivism.
So as I look back over the last 10 years I don’t see much of a change in the vulnerability-scape, if you will, but in the threat landscape. New classes of attackers have gone mainstream and global. They are sophisticated and effective. But our defenses have barely gotten better. There has been an incremental approach to defenses: deeper packet inspections, more heuristic anti-malware, more auto-update patching, but it hasn’t been able to keep up. I hope over the next 10 years there are some radical changes in how we perform security or the problem will get dramatically worse. The criminals, spies, and hacktivists are here to stay unless we stop them.
Chris Wysopal is the CTO of Veracode and one of the founders of the L0pht hacking collective. He has been involved in computer security for more than 15 years.
