While lawmakers and regulatory officials insist that the threat of a “digital Pearl Harbor” requires the government be given more power to ward off cyber-attacks, some experts say the threat has been exaggerated.
Instead, the impending threat of “cyber-terror” — as one expert called it — lies in the potential damage inflicted from the manipulation of information by the nation’s enemies, also known as information warfare.
Yael Shahar, director of Israel’s Institute for Counter-Terrorism, warned that information warfare conducted against the U.S. and American citizens, including the manipulation of financial institutions’ data, was a more imminent threat than cyber-attacks against networks.
“The real threat now, the thing that worries me most of all, is not the use of cyber-tactics and cyber-weapons, and not attacks against infrastructure, and not against IT infrastructure,” Shahar told The Daily Caller.
“What worries me more is information warfare — using information technology that’s already out there to manipulate information to make people think that they know something that they don’t know or to make people know something that isn’t true,” she added.
After being planted by hackers, such misinformation can then quickly spread around the Internet.
The digital threat to critical infrastructure like public safety or energy systems, however, is real. The STUXNET worm, one notable example, disrupted uranium enrichment processes in an Iranian nuclear facility at Nataanz.
A recent report by the Washington Post said that the Pentagon is “accelerating efforts to develop a new generation of cyber-weapons capable of disrupting enemy military networks even when those networks are not connected to the Internet.” In 2011 the Pentagon announced that cyber-attacks against the U.S. could be considered as acts of war.
Lawmakers are worried about casualties that would result from such an attack, but examples of casualties caused by cyber-attacks are lacking.
A recent article in Foreign Policy magazine by warfare scholar Thomas Rid noted that “there is no known cyber-attack that has caused the loss of human life.”
“No cyber-offense has ever injured a person or damaged a building,” said Rid. “And if an act is not at least potentially violent, it’s not an act of war.”
The threat of the manipulation of economic and financial information, however, could cause severe damage to a company or government.
“For example, changing numbers in stock markets without attribution, changing foreign currency numbers in national banks, they can do a lot of damage,” said Shahar, “but quite frankly that’s not what terrorists are after.”
Instead, countries like Russia, China, India and Iran have more of “an interest in knowing how to manipulate information,” Shahar told TheDC.
Hacktivist group Anonymous caused panics in the media and government by openly attacking financial institutions in 2011. In 2010 the SEC froze the assets of a Russian hacker at the firm BroCo Investments, Inc. after it was suspected of manipulating the trading prices of at least 38 companies in order to financially gain from the rise and fall of the prices. In 2008, an Indian hacker — Thirugnanam Ramanathan — was convicted of a similar crime after he had hacked into the online trading accounts of at least 60 traders with TD Ameritrade, E*Trade, Fidelity and others, and manipulated the market prices of various financial and biotechnology companies.
Reuters reported in October 2011 that the NSA was working closely with financial institutions on Wall Street by providing intelligence on foreign hackers.
A recent report by the Washington Post said that the Pentagon is also “accelerating efforts to develop a new generation of cyber-weapons capable of disrupting enemy military networks even when those networks are not connected to the Internet.”
“The U.S. is already thinking in terms of high-level weapons, military grade weapons, things that would bring down enemy defenses,” said Shahar. The typical response by the U.S., Shaha told TheDC, is to “throw money at the problem.”
“Iran is more likely to be waging a homefront battle,” said Shahar. “They’re going to be trying to influence the population to put pressure on the government. They’re not actually going to be fighting a conventional battle.”
“The U.S. is preparing for a conventional battle using cyber-methods, among others,” said Shahar. “It’s very military-based.”
NSA Director General Keith Alexander, who is also head of the nation’s Cyber Command, said in a Senate hearing last week that he opposed the militarization of private networks.
“If we go too far, it sends the wrong message,” said Alexander.
Shahar also expressed concern about misinformation planted by hackers, which can spread through online media and social networks. Media outlets, such as news sites and blogs could be hacked, and a small piece of inaccurate information could be inserted into an article without the media outlet’s knowledge. A resulting rumor could then circulate and cause damage to a company, organization or person.
In 2011 a plan by Anonymous to attack security contractor Booze Allen Hamilton included using fake profiles to fill up various social networks with misinformation about the company, The Economist reported. Another act of misinformation used to damage a person’s reputation was the Internet rumor about former ESPN commentator Craig James, in which he allegedly killed five hookers while at SMU. The rumors, however, are false.
“I think that private citizens need to be much more aware of the possibility of manipulation,” said Shahar, “to the point where they don’t automatically trust everything and always try to research it.”
“The problem is that people aren’t all that savvy in that sense,” said Shahar. “They will re-circulate rumors just because it fits within their political worldview, and it’s become more of a problem now because of the echo chamber effects the Internet has produced.”