This document discusses the growing threat of cybercrime and cyberterrorism as American society becomes increasingly interconnected through digital technology and the internet. It notes that critical infrastructure systems like transportation, energy, water, healthcare and financial services all rely on internet-connected digital systems, making them vulnerable to cyber attacks that could disrupt services or endanger lives. The document advocates for improved cybersecurity measures to protect personal information, businesses, governments and critical infrastructure from online threats.
ECEM 722: COMMUNITY PREPAREDNESS
Digital Dilemma
How the Cyber Crime Threat Grows as America Becomes Interconnected
Guy DeMarco
5/6/2014
On April 3, 2014, the news organization Reuters reported a massive security breach of a
subsidiary of Experian Plc. The breach, according to the Reuters report, “exposed the Social
Security numbers of some 200 million people to criminal activity” (Freifeld, 2014). A
Vietnamese man confessed to orchestrating the breach, which enabled him to “run an
underground website that offered clients access to personal data of Americans” (Freifeld, 2014).
Ironically, millions of Americans use Experian (and its counterparts Equifax and Trans Union) to
monitor their credit history in the event of identity theft or a data breach similar to the one that
struck Experian. Many people probably requested credit reports from these companies after
another major data breach that made headlines: the Target attack in November 2013. That
breach, which occurred during one of Target’s busiest shopping seasons of the year, affected
“approximately 40 million credit and debit card accounts” (Target Corporation, 2013). In the
time between the Target attack in 2013 and the Experian attack in March 2014, cybercrimes have
been reported at a number of companies, including (but not limited to): Yahoo, Affinity Gaming,
Neiman Marcus, Comcast and Las Vegas Sands Corporation. Online invasions like these are
becoming increasingly frequent and more difficult to stop. Yet, a growing number of
Americans, public agencies and private companies continue to willingly submit personal
information on the Internet. While the Internet has greatly improved communication, education
and commerce, it also makes people, companies and systems vulnerable to cybercrime and cyber
terrorism. Emergency managers must be ready to mitigate the potential effects of cyber attacks.
They must be ready to respond to and recover from these attacks, even as they become
increasingly sophisticated, and as more people, governments and businesses raise their online
profiles and the likelihood that cyber terrorism will occur.
Today, Americans live almost their entire lives online. A hacker or computer specialist
can gain access to a massive amount of information about a person’s life. Birth records, death
records, criminal histories, bankruptcies and housing information can all be found on the Internet.
Some of these records can be accessed at zero cost. Other information is available for the right
price. Government records aren’t the only data available online. People shop online. They
conduct banking transactions online. They pay their bills online. Each of these actions increases
a person’s vulnerability to identity theft and/or a cyber attack. Additionally, people willingly
contribute personal information such as pictures, stories, favorite movies, favorite books, etc. on
social media sites such as Facebook, Twitter or Instagram. In the continuing effort to lure
customers, companies are adding online features to vehicles, homes and household appliances.
Even some medical devices contain “computer systems that can be vulnerable to cybersecurity
breaches” (U.S. Food and Drug Administration, 2013). Governments and utilities are placing
their operations online, exposing power grids, water operations, transportation infrastructures
and more to cyber-attacks. As more information is placed online, the risk grows, and it affects
both individuals and entire communities.
One area in which cyber terrorism could affect millions of Americans is in the
transportation industry. In 2013, 823,657,070 people traveled via airplanes on both domestic and
international flights (Research and Innovative Technology Administration Bureau of
Transportation Statistics). Amtrak, one of the leading rail companies in the United States,
reached record ridership in 2012, carrying 31.2 million passengers (Amtrak, 2012). These
transportation systems have long been targets for traditional terrorist methods (as evidenced by
9/11 and the 2005 London train bombings). Yet, in an effort to increase efficiency, these
systems are turning to online technologies, making transportation systems vulnerable targets for
cyber terrorism. According to Michael Dinning with the Department of Transportation’s Volpe
Center, “The FAA and the aviation industry (are) moving quickly to a next-generation or the
NextGen system of air traffic control. In NextGen, we’ll be dependent on digital
communications and satellite-based systems instead of our current analog and radar-based
systems” (Research and Innovative Technology Administration, 2011). Planes and terminals are
also increasingly relying on web-based technology. The purpose of utilizing digital systems in
the airline industry is to increase efficiency, reduce wait-times and enable travelers to reach their
destinations safely. While these are noble goals, relying on digital systems makes air travel
vulnerable to acts of cyber terrorism. PC World stated as much in 2009, when it cited a
Department of Transportation report that found more than 3,700 vulnerabilities in air traffic
control – ranging from weak passwords to the ability to hack into and take control of an air
traffic control system (Kirk, 2009). The vulnerabilities do not end with the airline industry. Rail
and transit systems, which are increasingly using digital systems, are equally susceptible to cyber
attacks. Likewise, people who travel by automobile are not immune to cyber crime. New
vehicles are hitting the market that include wireless Internet capabilities, making cars
increasingly vulnerable to cyber attack. The features are sold as options of convenience, but
those conveniences could be costly. It is not out of the realm of possibility for a terrorist to
wirelessly hack into the digital system of a plane, bus, train or automobile and use it as a missile
in a 9/11-type of attack. Until online security systems are improved in the transportation
industry, these transportation systems will be tempting targets for those who wish to do harm.
One feature that these transportation systems all share is their reliance on power to
operate. Unfortunately, reliance on digital technology leaves the nation’s energy infrastructure
vulnerable to cyberterrorism. If cyberterrorists target power utilities and the plants that supply
power, the damage can range from crippling (i.e., widespread power outages) to catastrophic
(i.e., nuclear plant shutdowns). The U.S. Department of Energy is moving forward with the use
of digital technology through its Smart Grid system. The DOE states the purpose of Smart Grid
is to connect power plants and their customers in a developing network that is designed to
provide efficient, reliable energy that is protected from natural and man-made outages (U.S.
Department of Energy). The Smart Grid, however, utilizes a Supervisory Control and Data
Acquisition System (SCADA) (U.S. Department of Energy). This system makes the
interconnected grid vulnerable. Retired FBI Agent William Tafoya wrote of SCADA systems in
2011, “These obscure little drone-like computer systems have virtually no security, firewalls,
routers, or antivirus software to protect them. They are spread far and wide across the nation,
even in some of the most remote places imaginable. One anonymous hacker interviewed for a
television program said, ‘SCADA is a standard approach toward control systems that pervades
everything from water supply to fuel lines.’ He goes on to describe that the systems run
operating systems that make them vulnerable” (Tafoya, 2011). A recent exercise that tested the
security of North American power grids also showed the grids are susceptible to cyber attacks
(Wald, 2014). Equally alarming is the increasing reliance on digital technology to operate the
nation’s nuclear power plants. Despite steps taken by the Nuclear Regulatory Commission in
2009 to mandate cybersecurity standards in the nuclear industry (Holt, 2014), a U.S. State
Department report in 2012 conceded, “Nuclear power plants may be vulnerable to cyber-attacks,
which might – in extreme cases – lead to substantial releases of radioactive material with
consequent loss of lives, radiation sickness and psycho-trauma, extensive property destruction
and economic upheaval” (Martellini, 2012). The continued use of cyber technology in the
energy industry makes the industry vulnerable to, at best, widespread disruption and economic
losses and, at worst, severe damage and significant loss of life.
Energy is an essential component of life in the United States. So too is water, especially
in arid states such as Nevada and Arizona. Such a precious commodity could be a popular target
for terrorists, and they can disrupt water service with a few clicks on a computer keyboard.
Water utilities are embracing digital technology as a way of improving service for customers.
According to the water utility trade magazine Water World, “With over four billion mobile
devices in the world (and roughly a quarter of them smartphones), more people spend time
communicating online than they do in person… For water utilities, mobility can mean a faster,
more efficient way to collect data and make better decisions more quickly. By putting devices
and applications in the hands of employees and customers wherever they are, field employees
and customers can input service order information or requests in a more streamlined fashion”
(Zhang, 2012). As with energy companies and transportation systems, the quest for improved
delivery via digital technology opens the door for cyberterrorism. The threat to water utilities is
two-fold, according to a 2006 U.S. Army manual, which states that fresh water supplies and
wastewater collection are the likeliest targets. “The nation has over 170,000 public water
systems which include reservoirs, dams, wells, aquifers, treatment facilities, pumping stations,
aqueducts and transmission pipelines. Waste collection extends to 19,500 municipal sanitary
sewer systems, and 800,000 miles of sewer lines” (p. II-2). The Environmental Protection
Agency states cyber attacks could cause changes in chemical treatment of water, disable delivery
or overflow untreated sewage into public waterways (Environmental Protection Agency, 2012).
Much like energy systems, water utilities rely on SCADA technology, making these systems
vulnerable to hackers. A disruption of water service can have disastrous effects in any
community in America, but especially in the nation’s driest areas. Large cities such as Las
Vegas, Phoenix and Los Angeles are already suffering from drought and a dwindling water
supply from the Colorado River. If that supply is compromised by a cyber attack, millions of
residents and businesses would feel an immediate impact. The potential for cyberterrorism could
threaten their access to the west’s most precious resource.
Saving lives is the primary duty of doctors, hospitals and medical facilities around the
country, but that mission could be threatened by the medical industry’s digital push. When the
Affordable Care Act became law in 2010, it mandated insurance coverage for most Americans.
The White House estimates 7.1 million Americans have enrolled in private health coverage
under the act. Among its many provisions, the act requires that health plans shift to electronic
health records in an effort to cut down on paperwork and administrative costs. An increase in
patients, combined with a shift to online medical records, creates a target-rich environment for
cyber terrorists. In a 2013 article published in Telemedicine and eHealth, two researchers
detailed the risk facing hospitals and medical systems, which are becoming increasingly
interconnected. The article detailed a hypothetical attack that “began with hackers using
‘phishing’ e-mails to introduce four separate packages of malware into the hospital networks.
Once planted, these packages would trigger in sequence a few days or weeks apart. The first
would infect patient record databases and alter doctors’ orders, medication doses, and other
information, spreading confusion and possibly causing illness and deaths. A few days later, the
next program would trigger, interfering with portable devices that nurses use to record patient
information. The third wave would attack the software in intensive care unit monitors, altering
the data display and switching off alarms. The fourth and final wave would infect the software
controlling drug infusion pumps and similar devices” (p. 62-63). The article lists health care as a
target, because systems have been slow to secure their digital information (Yellowlees, 2013).
The threat goes beyond medical facilities and their IT systems. The Food and Drug
Administration warned in 2013 that as medical devices become increasingly connected to
networks, cybersecurity vulnerabilities grow and could threaten computers and mobile devices
(Food and Drug Administration, 2013). Even life-saving items such as pacemakers are now
susceptible to cyber attack (Wadhwa, 2012). As these examples illustrate, facilities and systems
designed to save lives may actually be putting them at risk with increased use of cyber
technology.
The risk facing Americans does not always involve physical harm. The U.S. economy is
also a tempting target. When the U.S. economy collapsed in 2008, it cost the nation trillions of
dollars in lost income, lost real estate wealth and lost stock market wealth, as well as 5.5 million
American jobs (Swagel, 2010). That financial crisis was the result of careless practices and
reckless investments by the nation’s largest financial institutions. What if such a crisis were
intentional? According to a U.S. Army training manual in 2006, “The financial sectors
infrastructure includes computer networks, storage devices and telecommunications networks.
This sector is also extremely vulnerable to public perception; an impression of weakness could
easily result in a damaging cascading effect. Normal operations are necessary to maintain public
confidence” (p. II-8). As more banking options move online and on mobile devices, the risk of a
cyber attack on these institutions and platforms grows. In a statement before the House Financial
Services Committee in September 2011, FBI Cyber Division Assistant Director Gordon Snow
warned of the growing threat of cyberterrorism on the nation’s financial institutions. Snow
stated, “The FBI is currently investigating over 400 reported cases of corporate account
takeovers in which cyber criminals have initiated unauthorized ACH and wire transfers from the
bank accounts of U.S. businesses. These cases involve the attempted theft of over $255 million
and have resulted in the actual loss of approximately $85 million” (Snow, 2011). Snow also
emphasized vulnerabilities with ATMs and point of sale devices used at many retail stores.
Snow stated, “A criminal affixes a skimmer to the outside or inside of an ATM to collect card
numbers and personal identification number (PIN) codes. The criminal then either sells the
stolen data over the Internet or makes fake cards to withdraw money from the compromised
accounts… Point of Sale (POS) terminals, which are primarily used to conduct the daily sale
operations in restaurants, retail stores, and places of business, have been a primary target for
cyber criminals engaging in credit card fraud and have resulted in the compromise of millions of
credit and debit cards the U.S.” (Snow, 2011). The Target breach mentioned earlier involved
Point-of-Sale data. Equally alarming is the expansion of mobile banking technology, which
gives people (and cyber criminals) access to bank account information on mobile devices. Snow
stated, “Cyber criminals have successfully demonstrated man-in-the-middle attacks against
mobile phones using a variation of ZeuS malware. The malware is installed on the phone
through a link imbedded in a malicious text message, and then the user is instructed to enter their
complete mobile information. Because financial institutions sometimes use text messaging to
verify that online transactions are initiated by a legitimate user, the infected mobile phones
forward messages to the criminal, thwarting the bank’s two-factor authentication” (Snow, 2011).
The danger of cyber-attacks on financial institutions and platforms is two-fold. These attacks not
only strike the U.S. economy and the personal finances of average Americans, they can also be
used to steal identities and money that can later be used for terrorist attacks. Yet, an increasing
number of banks and financial institutions are relying on digital technology and making digital
banking easier for customers, increasing the risk of cyber terrorism. The financial industry is
certainly a vulnerable area for online attacks.
With so many systems utilizing online/digital components and raising the risk of cyber
terrorism, what, if any, steps can be taken to reduce the risk? The solutions range from basic,
common-sense steps to complex legislation. Personal protection represents the front line of
cyber security. Individuals can protect their identities, passwords, banking information, credit
card numbers, etc. from falling into the wrong hands by frequently checking their bank
statements for potentially fraudulent activity, utilizing anti-virus and anti-malware software on
personal computers, and never giving out credit card or Social Security numbers to unknown or
untrusted parties. Businesses and governments can also take steps to protect vital information
and access. As outlined in the 1996 book Information Warfare, steps include (but are not limited
to): performing a comprehensive risk analysis, re-examining the organization’s networks from a
hacker’s standpoint, vigilantly screening potential employees, developing response plans in the
event of a cyber-attack and frequently testing the security of the system for weaknesses
(Schwartau, 1996). Cybersecurity should also be considered a national priority. In Cyber
Attack: Protecting National Infrastructure, Edward Amoroso cited ways in which the federal
government can improve cyber security. Those steps include (but are not limited to): providing
warnings of potential threats, sharing information inside and outside government, analyzing
cyber vulnerabilities and providing technical assistance (Amoroso, 2013). Finally, Congress and
the President can pass any number of bills into law that would strengthen cyber security. Bills
currently under consideration include: the Federal Information Security Amendments Act, the
Cyber Intelligence Sharing and Protection Act, the Cybersecurity Enhancement Act, the
Cybersecurity Act of 2012 and/or the Cybersecurity Act of 2013 (Chabrow, 2013). Each of
those bills would add another level of security to the nation’s infrastructure and businesses.
Whether the focus is personal, business or governmental, cybersecurity must be considered a top
priority moving forward.
The recent attacks on digital systems in the private sector underscore the growing threat
to cyber security. The U.S. possesses no shortage of enemies, many of whom are growing more
sophisticated in their ability to cause the nation harm. Cyberspace may be the next battlefield in
the ongoing war on terror. Yet, the American public, government and business community
continue to provide new targets for the country’s enemies by making more information and
systems available online. Until online security and systems are better protected from cyber
attacks, the next 9/11 could occur in the digital realm.
BIBLIOGRAPHY
Amoroso, E. (2013). Cyber Attacks: Protecting National Infrastructure. Waltham, Massachusetts: Elsevier Inc.
Amtrak. (2012). Annual Report Fiscal Year 2012. Retrieved April 7, 2014, from Amtrak.com: http://www.amtrak.com/ccurl/103/360/Amtrak-Annual-Report-2012.pdf
Chabrow, E. (2013, September 13). Cybersecurity Legislation: What's Next? Retrieved April 15, 2014, from BankInfoSecurity.com: http://www.bankinfosecurity.com/cybersecurity-legislation-whats-next-a-6063/op-1
Environmental Protection Agency. (2012, July). Cyber Security 101 for Water Utilities. Retrieved April 14, 2014, from EPA.gov: http://water.epa.gov/infrastructure/watersecurity/features/upload/epa817k12004.pdf
Food and Drug Administration. (2013, June 13). FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks. Retrieved April 12, 2014, from FDA.gov: http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm
Freifeld, J. F. (2014, April 3). Exclusive: U.S. states probing security breach at Experian unit. Retrieved April 5, 2014, from Reuters.com: http://www.reuters.com/article/2014/04/03/us-experian-databreach-idUSBREA321SL20140403
Holt, M. (2014). Nuclear Power Plant Security and Vulnerabilities. Washington, DC: Congressional Research Office.
Kirk, J. (2009, May 7). Study: US Air Traffic Control Vulnerable to Cyberattack. Retrieved April 8, 2014, from pcworld.com: http://www.pcworld.com/article/164501/article.html
Martellini, M. (2012). Cyber Security for Nuclear Power Plants. Washington, D.C.: U.S. Department of State.
Research and Innovative Technology Administration. (2011, December 7). T3 Talking Technology and Transportation Webinars. Retrieved April 7, 2014, from pcb.its.dot.gov: http://www.pcb.its.dot.gov/t3/s111207/111207.html
Research and Innovative Technology Administration Bureau of Transportation Statistics. (n.d.). TranStats. Retrieved April 7, 2014, from transtats.bts.gov: http://www.transtats.bts.gov/Data_Elements.aspx?Data=1
Schwartau, W. (1996). Information Warfare. Emeryville, California: Publishers Group West.
Snow, G. (2011, September 14). Testimony: Cyber Security Threats to the Financial Sector. Retrieved April 13, 2014, from FBI.gov: http://www.fbi.gov/news/testimony/cyber-security-threats-to-the-financial-sector
Swagel, P. (2010). The Cost of the Financial Crisis: The Impact of the September 2009 Economic Collapse. Pew Charitable Trusts.
Tafoya, W. (2011, November). Cyber Terror. Retrieved April 10, 2014, from fbi.gov: http://www.fbi.gov/stats-services/publications/law-enforcement-bulletin/november-2011/cyber-terror
Target Corporation. (2013, December 19). Target confirms unauthorized access to payment card data in U.S. stores. Retrieved April 5, 2014, from Target.com: http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores
U.S. Army. (2006). Critical Infrastructure: Threats and Terrorism. Fort Leavenworth, Kansas: U.S. Army Training and Doctrine Command.
U.S. Department of Energy. (n.d.). Smart Grid Investment Grant Program. Retrieved April 10, 2014, from smartgrid.gov: https://www.smartgrid.gov/recovery_act/overview/smart_grid_investment_grant_program
U.S. Department of Energy. (n.d.). smartgrid.gov. Retrieved April 10, 2014, from What is the Smart Grid?: https://www.smartgrid.gov/the_smart_grid
U.S. Food and Drug Administration. (2013, June 13). FDA Safety Communication: Cybersecurity for medical devices and hospital networks. Retrieved April 5, 2014, from fda.gov: http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm
Wadhwa, T. (2012, December 6). Yes, You Can Hack a Pacemaker (and Other Medical Devices Too). Forbes Magazine.
Wald, M. (2014, March 12). Power Grid Preparedness Falls Short, Report Says. Retrieved April 10, 2014, from NewYorkTimes.com: http://www.nytimes.com/2014/03/13/business/energy-environment/power-grid-preparedness-falls-short-report-says.html?_r=0
Yellowlees, D. H. (2013). Brief Communication - Cyberterrorism: Is the U.S. Healthcare System Safe? Telemedicine and eHealth.
Zhang, J. (2012, December 1). Water Utilities and the Digital Transformation. Water World.