John Dewar, Detective Lieutenant, Pasadena Police Department, Pasadena, California; and Doctoral Candidate at USC School of Policy, Planning, and Development
By September 30, 2009, more than 25 percent of the world population were Internet users.1 The information super highway has become the path by which the world is connected. This highway allows access to anyone with a computer and Internet access, including criminals and terrorists. This highway also leads to the most critical computer-operated infrastructures: power grids, communications, water, banking, and unlimited amounts of sensitive data. In developed countries, lives are embedded in the cyber world. This presents law enforcement with a unique dilemma: the communications and computer systems relied upon by law enforcement agencies to respond to emergencies and keep communities safe may also be exploited.
Prior to 9/11, law enforcement had little concern about infrastructure protection. Power grids, water systems, and communications never appeared to be under any credible threat. However, a brief review of recent cyber attacks and intrusions shows that the ability to launch cyber warfare against the critical infrastructure is real.
Computer hacking was the first public evidence of any vulnerability in computer systems, but it was a phenomenon promoted primarily by computer whizzes in college. Law enforcement agencies have become more aware of computer crimes over recent years, although these are usually synonymous with stealing one’s identity or the fraudulent use of bank accounts. Not until quite recently did law enforcement agencies take a more serious look at their critical computer-based infrastructure as a potential target. Recent news headlines underscore that emerging threat:
- U.S. authorities concede that in the early 1990s, China initiated Shashoujian, a military term that loosely means “creating a military weapon or strategy that can get the better of a seemingly invincible enemy.” The result is that the Chinese have been investing heavily in three weapons systems: an antisatellite missile system to knock out U.S. satellites, ultra-quiet diesel electric submarines, and cyber weapons to attack computer-based infrastructures.2
- South Korean police analyzed some of the thousands of computers in South Korea and the United States attacked by a North Korean Military Internet Warfare Unit.3
- The U.S. government reports widespread cyber-spying of the U.S. electronic grid, much of it apparently originating in China and Russia.4
- President Obama moved to create a new director of cybersecurity amid growing concerns that sophisticated attackers will wage a cyber assault on critical infrastructure networks. Russian and Chinese attackers have repeatedly penetrated U.S. electric and power grids.5
- Thieves stole more than 40 million account numbers from computer systems.6 A worldwide investigation revealed the global nature of criminals using the Internet. Suspects were tracked from the United States, China, Estonia, Belarus, and Ukraine. One of the American suspects, Gonzales, was a confidential informant for the U.S. Secret Service.7
- Simultaneous denial-of-service cyber and physical attacks by Russian military forces against Georgia in 2008 illuminated just how unprepared the world is for this new kind of warfare.8
- The California Independent System Operator, which coordinates and monitors electrical and power systems throughout the state, acknowledged that the California system is vulnerable to a cyber attack.9
These are but a few of the recent publicly reported incidents that should give law enforcement pause in examining the extent of vulnerability to cyber attacks at the local level. Clearly, if 10 local street gang members from Long Beach can steal information from computers worldwide, or if a North Korean Cyber Warfare Unit can attack a power grid six thousand miles away, how can a local police department assume its piece of the Information Super Highway is safe?
Attacking the Critical Infrastructure
Critical infrastructure is a “good” target for cyber terrorists because most sectors are relatively exposed, vast, interconnected, and unprotected.10 In lay terms, a cyber attack occurs when a skilled computer user intentionally attacks a data-filled target over the Internet. There are typically two target centers of electronic information: data systems and control systems. Police departments use both.
A cyber attack is going to do one or more of the following to the target system:
- Steal data
- Disrupt or damage data
- Deny access to data or access to computers
- Spread disinformation
- Shut down control systems
Supervisory control and data acquisition (SCADA) systems are the standard computers and servers used in gas, water, electric, and telecommunication grids across the country. They are found in almost all industrial processes.11 Electric power grids are controlled by SCADA systems that are often accessible through the Internet, DSL lines, digital radio, Wi-Fi, or telephone modems. Current technology allows employees to operate these systems remotely or by dialing in with a modem. Of course, law enforcement widely uses many of the same systems, networks, and technologies to conduct business, including sharing criminal data information, storing documents and public records, and performing the daily activities endemic to any organization.
One might think that systems can be isolated and protected easily, but that often is not the case. Network systems, in reality, are typically interconnected with corporate networks, business partners, Web sites, and databases outside of law enforcement. There are many “walls” that can be breached from different access points. If employees can access these systems that control the infrastructure, so can attackers. A primary means of attack might be to breach security and then manipulate or share the data resident therein.
Another method of attack is the denial of service in which attackers hijack thousands or millions of other computers that then saturate a computer system with requests, essentially shutting down the computer operation. This forces the operators to reroute their entire network to new servers—a process that, depending on the size and complexity of the systems, could take hours or days to accomplish. The risk that these types of attacks will occur increases as young computer-savvy generations around the world come of age. And the vast number of potential targets guarantees that terrorists will be able to locate weak points to attack in unconventional, asymmetrical ways.
Terrorists Think Asymmetrically
Cyber warfare is appealing to terrorists for several good reasons. It is inexpensive, since an attacker needs only a laptop and an Internet connection. It is also an anonymous method of attack, since attackers can “hide” their locations through the Internet and can attack from remote locations. National War College military theorist Lieutenant Colonel Kenneth McKenzie defined asymmetric warfare in 2001 as “leveraging inferior tactical or operational strength against the vulnerabilities of a superior opponent [American] to achieve disproportionate effect with the aim of undermining the opponent’s [American] will in order to achieve the asymmetric actor’s strategic objectives.”12 Terrorists seek ways to make up for their inferior power by striking critical, poorly defended targets. Their goal is to sow terror in the hearts of targeted populations and cripple that country’s economy. The terrorists’ ability to disrupt the basic human desire to stay connected might be all that is needed to accomplish this goal. Doing so through inexpensive and achievable disruption to the core electronic systems may be one of the best ways to accomplish this task.
Many of the terrorists recently arrested in Europe and Great Britain are well educated. Government officials recently uncovered several online Internet jihadist forums, hosted in Europe, through which individuals could receive advanced instructions for computer hacking. Computer experts, including those capable of breaching government infrastructure, were being sought for the jihad. For the United States, in the recent past, fighting the enemy was in some other part of the world. U.S. citizens have become accustomed to confronting an adversary on a faraway battlefield. That is not the case if the method of warfare utilized is the Internet—the enemy is capable of bringing the fight into U.S. homes and businesses.
Addressing Government Vulnerabilities
The U.S. government has issued a directive addressing the critical infrastructure sectors most likely to be targets of a terrorist attack.13 Included among the 13 sectors noted is the technological/communications infrastructure. Given that almost all critical infrastructure sectors, including public health, energy, defense, shipping, and emergency services, rely on networked technologies, a cyber attack may be the most proficient means to destroy the most critical components of U.S. society.
Law enforcement executives must not assume that other city employees or departments are managing cybersecurity or have the ability to respond when under such an attack. Steps that law enforcement executives can take to mitigate such an attack effectively, and to respond to and manage the incident, follow:
- Communicate that cybersecurity is a top priority in emergency planning.
- Determine which infrastructure nodes in the jurisdiction are the most vulnerable. This will require a partnership with public works, information technology, and private sector businesses.
- Prioritize the list. This will assist in the proper allocation of resources and funding to the most critical locations first.
- Develop a timeline for implementation to protect these key sites.
- Establish a working group of police, information technology professionals, communications, and public works experts to determine which infrastructures support first responders. These infrastructures include radio frequencies, computer systems, wireless technology, and power systems.
- Ensure that only trusted, key people have access to the critical infrastructure that supports emergency operations. Never assume employees are not vulnerable to influence or corruption. Passwords must be verified and changed often.
- Ensure that redundant, backup communications systems are in place and can function in the field for first responders when all other systems fail. If there is no back-up system, create one. This may be something as simple as direct-talk walkie-talkies.
- Test these redundant backup systems in real-time training scenarios. Include these tests in regional, mutual-aid training days. Include mock cyber attacks in the training matrix.
Preparation for such an attack is essential, and training is important. Shut down all communications, power, and computer systems during the exercise. This exercise will assess how quickly first responders can flex to the change, whether the backup systems are working, and whether the jurisdiction is prepared to handle a cyber attack during an actual critical incident.
Law enforcement has the core responsibility to provide for the safety and security of communities. The police department must be knowledgeable about the rapidly changing environment and adapt to meet these challenges. One such challenge is the use of the Internet by terrorists to further their goals of creating chaos and terror in communities. This is a significant challenge to law enforcement now and will continue to grow more challenging in the years to come. Departments must also be clear about their vulnerabilities and prepare for worst-case scenarios, such as combined cyber/physical attacks.
Those police agencies and jurisdictions that assess the potential for harm from a cyber attack will be in the best position to safeguard against it. If they don’t, those who would see a disruption to the critical infrastructure as a good thing have a clear path to success.
1“Internet Usage Statistics: The Internet Big Picture: World Internet Users and Population Stats,” Internet World Stats Usage and Population Statistics, Miniwatts Marketing Group, http://www.internetworldstats.com/stats.htm (accessed February 3, 2010).
2Bret Stephens, “Hiroshima 2.0,” The Wall Street Journal, April 14, 2009, A13, http://online.wsj.com/article/SB123966785804815355.html (accessed February 3, 2010).
3Kwang-Tae Kim, “South Korea Analyzes Hacked Computers,” CBN.com, July 13, 2009, http://www.cbn.com/cbnnews/world/2009/July/S-Korea-Analyzes-Compters-in-Cyber-Attacks (accessed February 3, 2010).
4Stephens, “Hiroshima 2.0.”
5Siobhan Gorman and Yochi J. Dreazan, “Obama Set to Create ‘Cyber Czar’ Position,” The Wall Street Journal, May 29, 2009, A4, http://online.wsj.com/article/SB124355914259564961.html (accessed February 3, 2010).
6Joseph Menn and Andrea Chang, “11 Charged in Massive Identity Theft,” Los Angeles Times, August 6, 2008, http://articles.latimes.com/2008/aug/06/business/fi-hack6 (accessed February 3, 2010).
7U.S. Department of Justice, “Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers: More Than 40 Million Credit and Debit Card Numbers Stolen,” press release, August 5, 2008, http://www.justice.gov/opa/pr/2008/August/08-ag-689.html (accessed February 3, 2010).
8“War, Redefined: Even before Russian Troops Arrived, Georgian Government Web Sites Were Under Cyber Attack,” Los Angeles Times, August 17, 2008, A25, http://articles.latimes.com/2008/aug/17/opinion/ed-cyberwar17 (accessed February 3, 2010).
9Charles Piller, “Power Grid Vulnerable to Hackers,” Los Angeles Times, August 13, 2001, http://articles.latimes.com/2001/aug/13/business/fi-33642 (accessed February 3, 2010).
10Theodore G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation (Hoboken, N.J.: John Wiley and Sons, 2006), 62.
12Kenneth F. McKenzie Jr., “The Rise of Asymmetric Threats: Priorities for Defense Planning,” in QDR 2001, Strategy Driven Choices for America’s Security, ed. Michèle A. Flournoy (Washington, D.C.: National Defense University Press, 2001), 76, https://digitalndulibrary.ndu.edu/u?/ndupress,32131 (accessed February 4, 2010).
13Lewis, Critical Infrastructure Protection in Homeland Security, 38; also see Technology Assessment: Cybersecurity for Critical Infrastructure Protection (Washington, D.C.: U.S. General Accounting Office, May 2004), 20, table 5, which lists the 13 critical infrastructures, http://www.gao.gov/new.items/d04321.pdf (accessed February 4, 2010); and Homeland Security Presidential Directive 7 (HSPD-7), http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm (accessed February 4, 2010).
Please cite as:
John Dewar, "Cyberterrorism Attacks on Police Departments," The Police Chief 77 (March 2010): 34–37,
http://policechiefmagazine.org/magazine/index.cfm?fuseaction=display&article_id=2037&issue_id=32010 (insert access date).