Cybercrime 'much bigger than al Qaeda'

It is unlikely that Americans will ever again see commercial jets crashing into skyscrapers, piloted by terrorists. But Department of Homeland Security (DHS) Secretary Janet Napolitano believes that malicious computer code generated by groups like al Qaeda is just as big a threat to the security and stability of the nation.

Does that mean that we are at war with cyberterrorists? Napolitano doesn't go that far -- she uses the term "cybercrime," as do a number of cybersecurity experts.

Still, the damage worldwide is headed toward a half-trillion dollars a year. Napolitano, in a speech May 30 to business leaders and government officials, said that besides "al Qaeda and al Qaeda-related groups," cybercrime is "the greatest threat and actual activity that we have seen aimed at the west and at the United States. Unfortunately, it is a growth arena."

"Our cybersecurity as a country is inextricably linked to our economic capability," she said. "The systems we use are interdependent, interconnected and critical to daily life in the United States. Communication, travel, powering our homes, running our banking systems -- these are all interconnected systems."

Napolitano cited a study by Symantec's Norton that estimated the cost of cybercrime worldwide at $388 billion -- more than the global market for heroin, cocaine and marijuana combined, and said, "I think those are conservative numbers, based on the things that come into DHS."

But the U.S. is not just on the defensive. Napolitano's speech came just two days before The New York Times, citing anonymous sources in the Obama administration, reported that the president had secretly ordered the use of the Stuxnet worm to attack the computers that run Iran's main nuclear enrichment facilities.

The Times reported that this was in collaboration with Israel, and was the continuation of a program code-named Olympic Games, started under President George W. Bush. The attack is estimated to have set back the Iranian nuclear program by as much as two years.

Attacking another nation-state's potential military capability may sound like an act of war to some. Joel Harding, a former military intelligence officer and now a communication and public diplomacy information operations expert and consultant, wrote in a blog post shortly after The Times' story, "It's official. The United States of America was the first to use an atomic bomb against an enemy and now the United States is the first to have acknowledged using a cyber weapon against another country. We are now certified bad guys to the rest of the world."

"To whoever leaked the information from the Obama administration, for whatever purpose, you have now doomed the United States to a terrible legacy forever," he wrote.

David Jeffers, writing for PCWorld, called malware such as Flame "the Internet equivalent of biological warfare."


But Harding told CSO he does not think this means the U.S. has started a cyberwar. "There will never be a pure cyberwar in my opinion," he said. "There will be operations in cyberspace but they will always be in support of other actions. By itself warfare in cyberspace cannot conquer an enemy. The effects will normally be temporary and probably not physical in nature."

Still, he said the admission taints the U.S. in the eyes of the rest of the world. "It is a challenge to maintain a high moral position if we are the first to acknowledge the use of such a weapon," he said.

Other security experts also say that "war" is the wrong term. Bruce Schneier, chief security technology officer at BT and an author, said that "throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people."

Marc Zwillinger, of the Washington, D.C. law firm ZwillGen and a specialist in cyber conflict, called them "cyberattacks," and said he doubts the U.S. was the first nation to use them. "Our government, government contractors, and ISPs have been pummeled for years," he said.

Whatever the semantics, there is unanimous agreement that the attacks are doing enormous damage.

"Cybercrime is a really big deal," Schneier said. "Much bigger than al Qaeda, which has basically been a fairy scare story since 9/11."

Zwillinger said: "It's something to take very seriously. It's not that hard to undermine our economy and cause lasting effects. How long was the Facebook trading glitch that is being blamed for a lot of uncertainty and panic in the trading of one stock?"

"United States corporations lose billions of dollars in research to cybercrime and espionage every year," Harding said. "Now imagine these efforts [aimed at] national security products. Not only do we lose intellectual property and de facto our investment dollars, but we may have a national security problem."

Another problem with cyberweapons, as a number of articles have pointed out since the discovery of the Flame virus in the Middle East (an espionage tool mainly targeting Iran) and the revelations about Stuxnet, is that they can boomerang, unlike bullets or bombs. Richard Lardner reports for The Associated Press that "a cyberweapon that spreads across the Internet may circle back accidentally to infect computers it was never supposed to target. It's one of the unusual challenges facing the programmers who build such weapons, and presidents who must decide when to launch them."


Finally, whether it is cybercrime, cyberattacks or cyberwar, the U.S. seems woefully unprepared for it at some levels. The Washington Post's Robert O'Harrow wrote earlier this week of stunning vulnerabilities in U.S. infrastructure. He profiled programmer John Matherly, now 28, who as a teen developed a search engine he called Shodan, and by 2009 discovered "an astonishing fact: Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers."

"Over the past two years, Shodan has gathered data on nearly 100 million devices, recording their exact locations and the software systems that run them. 'Expose online devices,' the Web site says. 'Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones,'" O'Harrow wrote.

The story also told of a 22-year-old hacker from somewhere overseas who was able to hack a Siemens S7 controller and gain control of a water plant serving 16,000 people in South Houston.

Harding said he doesn't know the status of most critical infrastructure. But he said he's "certain that many, if not most are not fully updated, do not have adequate monitoring or protections, have inadequate contingency plans and are unnecessarily exposed to the Internet, and are therefore vulnerable."

"It is too expensive to unhook completely from the Internet, but that decision must be accompanied by diligent efforts to mitigate any vulnerabilities," he said.

Zwillinger said, however, that most nation-states will likely limit their attacks because they still fear the military might of the U.S. "While our critical infrastructure is vulnerable, would-be attackers are hesitant to launch a full-scale attack knowing that the U.S. would respond, 'using all instruments of national power,'" Zwillinger said, citing a line from Securing Cyberspace for the 44th Presidency, a report by the Center for Strategic and International Studies.
