About an hour after midnight on a lonely stretch of road outside of San Jose, an unknown number of attackers came quietly and calmly through the dark to shut down Silicon Valley.
Their first step was to break into an underground AT&T fiber optic nexus and cut the telecommunications lines passing through… shredding them, so they could not be easily spliced back into service. Ten minutes later, a nearby Level 3 communications vault was similarly hit.
At 1:30 a.m. the shooting started. For fifteen minutes, the attackers lit up a Pacific Gas and Electric (PG&E) substation with 7.62mm assault rifles. In short order, 17 transformers were ventilated, leaking oil and failing. Security camera footage shows a blurred flashlight signal cutting the shooting short. When sheriff’s deputies arrived five minutes later, the scene was still. No one was to be seen.
This is no techno-thriller; this actually occurred in April of 2013 and went largely unreported in the media until the incident was described in the Wall Street Journal almost a year later. To date, suspects have never been identified and no one has been arrested.
The utilities had issued brief press releases explaining the incident away as vandalism, and routed around the damage. But to cybersecurity professionals in defense and counterterrorism roles, the attack looked a lot like a dress rehearsal for something more frightening: an all-out assault designed to cripple the U.S. power and communications grid. The timing and almost complete absence of evidence left at the scene—even the rifle shell casings had been wiped clean of fingerprints—spoke of something more sinister than vandalism.
Detecting and preventing such debilitating attacks on national infrastructure and investigating the evidence from incidents like the Metcalf Sniper attack, as it has become known, is the job of cybersecurity professionals in defense and counterterrorism.
They find themselves in the unusual situation of guarding against exclusively online threats to industrial control systems and financial networks, and detecting potential threats to the very physical infrastructure it all runs on. A master’s degree in cybersecurity is only the first step to preparing to join the ranks of these counterterrorism operatives.
Shadowy Threats Require the Vigilance of Many Agencies
Counter-terrorist forces that deal with threats in cyberspace as well as in reality come from both military and civilian agencies, including:
- Department of Defense
- Federal Bureau of Investigation
- Central Intelligence Agency
- Department of Homeland Security
- Many state and local police forces
Together, they have a broad responsibility to monitor and defend the nation’s critical infrastructure and citizens.
Any time so many agencies are involved with a specific mission, though, problems of coordination emerge. With cyberterrorists free to roam across networks at will, cybersecurity experts have recognized that this fragmentation can become a major vulnerability.
NCCIC and the Public-Private Sector Partnership
The Department of Homeland Security (DHS) has taken on the vital task of organizing an information sharing apparatus between various military and law enforcement agencies charged with cyberdefense. The National Cybersecurity and Communications Integration Center (NCCIC) tracks incidents and distributes information about attack vectors and defenses, not only among government agencies, but also to private sector information security specialists.
With so much Internet and communications infrastructure in the U.S. in the hands of corporations, the private sector finds itself bearing the brunt of many cyberattacks with terrorist ties. To date, most of these attacks have been trivial or even childish—website defacement, DoS (Denial of Service) attacks against corporations or government agencies, or hacked social media accounts.
But information security experts in defense and counterterrorism are well aware that it’s only a matter of time before there is a large-scale, costly attack against significant targets.
Cybersecurity professionals prepare for that day by:
- Helping government agencies and private industry adopt information security best practices
- Gathering intelligence about hacking groups and capabilities, including penetrating and surveilling online forums and chatrooms used by terrorists and hackers
- Maintaining strong connections with technology industry developers and designers
How Proactive Engagement Helps Keep the Enemy at Bay
The mission for defense and counterterrorist units extends beyond the strictly defensive. Although hardening potential terrorist targets electronically is serious business, counterterrorist information security professionals are also responsible for:
- Penetrating terrorist cells online
- Disrupting communication and coordination technology
- Tracing the flow of money and resources electronically
- Using technology to track and isolate terrorists
How a Password-Protected iPhone Started the Public Dialogue About Encryption
Much of this work remains classified, but at least one aspect burst into the public realm forcefully in the wake of the December 2015 terrorist attack in San Bernardino that left 14 people dead.
An iPhone recovered from the body of one of the terrorists was thought to contain encrypted information important to the investigation. Although the FBI requested that Apple decrypt the phone, Apple refused, setting off a very public debate about the proprietary rights and legal obligations of private companies during a terrorism investigation.
But behind the scenes, government information security teams found a different solution: they engaged an overseas security firm to hack into the phone directly, bypassing Apple, unlocking the phone and accessing the information they were after.
Offensive Cyberoperations Keep Terrorists on Their Heels
A classified budget document that leaked out in 2013 revealed that some 231 offensive cyberoperations had been undertaken by U.S. intelligence agencies in 2011.
One of those was likely a joint U.S.-Israeli operation against Iranian nuclear operations, known as Stuxnet.
Together, the agencies clandestinely developed a computer virus designed to infect the model of Siemens centrifuge controller the Iranian nuclear program was known to use for purifying uranium. Once in place, the virus would subtly modulate the frequency at which the centrifuges operated, over-pressuring them and damaging the rotors.
Although the operation was aimed at a national research program, the fear was that a nuclear-capable Iran would develop weapons that could end up in the hands of terrorists. By setting the Iranian weapons program back several years, the operation strengthened the hand of negotiators attempting to find a diplomatic solution and reduced the specter of a nuclear terror attack.