- Email: [email protected]
Notes on terrorism and data processing
II
Notes on Terrorism and Data Processing 1. Introduction
Belden Menkus P. 0. Box 85, Middleville,
NJ 07855, USA
Terrorism relies on mindless violence to achieve its objectives. Historically it has been employed as a conscious strategy to retain or achieve power by both purportedly legitimate governmental bodies and their opponents. Modern terrorists have begun to refocus their efforts on disruption of the social fabric. Terrorists have failed to recognize the role of DP in perpetuating the social/economic structure, but there have been isolated acts of terrorist violence directed at computer facilities since February 1969. There are many vulnerabilities in DP that terrorists could exploit for their own ends. Keywords:
Terrorism,
Terrorists
Belden Menkus has been a full-time consultant to management since 1968. He is accredited by the Society of Professional Management Consultants (SPMC) and is both a Certified Information Systems Auditor and a Certified Records Manager. He writes and lectures extensively on various aspects of business management. He is executive editor of Journal of Systems Mangemenr and a regular contributor to Software News. Administrative Management, EDP Auditor and Business Insurance. In addition, he is a member of the editorial board of Corporate Crime & Securit.v, and the editor of Data Processing Auditrng Report. Mr. Menkus is a Fellow of both the British Institute of Administrative Management and the American Associatoin of Criminology. He is a vice-president of SPMC and a member of the Board of the EDP Quality Assurance Institute, and the Panel of Arbitrators of the American Arbitration Association, the Association for Systems Management, the New York Crime Prevention Council, and the Business Forms Management Association. He has twice been awarded the silver medallion of the American Management Association and has received the distinguished service citations of both the National Micrographics Association and the Association of Records Executives and Administrators. He has been named a life honorary member of the Federal Emergency Management Administration Staff College faculty.
0 1983, Belden Menkus North-Holland Publishing Company Computers & Security 2 (1983) 1I-15
Terrorism has become, unfortunately, an accepted part of life in most developed countries outside.of the United States. Viewed by its practitioners as a strategy for manipulating the social/governmental process, it relies on what can only be called mindless violence to achieve its objectives. Terrorists place a high priority on disrupting the basic structural elements of society such as power distribution, transportation and communication. As computing assumes a progressively greater role in facilitating and controlling various elements in the social/governmental process, those places and resources needed to sustain data processing activities will become of increasingly greater interest to terrorist groups of all types. The fact that both DP facilities and the United States largely have escaped the attention of terrorist groups does not guarantee that they will continue to avoid their notice indefinitely.
2. Background It is appropriate to define terrorism as the “calculated creation of intense and pervasive fear and apprehension as a means for coercing a populace.” Terrorism historically has been employed as a conscious strategy to retain or achieve power by both purportedly legitimate governmental bodies and- their opponents. Terrorism historically may be traced to the pre-Christian era practice among invading armies of torturing and pillaging a subjugated citizenry. This practice is claimed by some historians to have been formalized by the Roman Emperor Nero in July 64 AD when he ordered a systematic suppression of the then nascent Christian Church as a means of diverting blame from himself as the cause of the burning of Rome. Terrorism recurred periodically in the centuries that followed; it was used variously as a military strategy and as an instrument of governmental policy. However, it emerged in its modern form during the appropriately designated French Reign of Terror during the final decade of the 18th
12
B. Menkus
/
Terromm
Century. Terrorism as an instrument of national policy was systematized by the Committee of Public Safety which functioned as the defucto Government in post-Revolution France. Directly it led in 1804 to the establishment of the dictatorial reign of Napoleon Bonaparte. Less directedly it sanctioned a style and structure of government in France that, in the eyes of some students of French affairs, continues to distort its realization of the republican/democratic process. Terrorism as a tool to be used by those in opposition to a Government emerged during the 19th Century in Russia. It was a reaction to the 1825 refinement of French terror by Czar Nicholas I. By mid-Century it had led Russian exile Nicholas Bakunin to develop the doctrine of anurchism as a response to oppressive Governments. Basically Bakunin contended that all governments were oppressive, they could not be reformed in any way to make them benevolent and, thus, they must be destroyed. In 1888 another Russian exile, Prince Peter Kropotkin, had linked Bakunin’s concept of dissolving the social/governmental structure with an ill-defined idea of replacing these structures by networks of utopian voluntary social cooperatives. In his major work. The Conquest of Bred, Kropotkin sanctioned the use of terrorism as the prime means for realizing the anarchist vision. Violent action was to be directed, according to Kropotkin, not just against the leaders of the State, but against the members of society in general. By 1894 this had led Emile Henry, for example, to set off a bomb in a Paris cafe. When asked, after his capture, about the guilt, if any, of the 20 workers killed and wounded as a result of the explosion, Henry replied that “there are no innocents.” This same sentiment was to be repeated some 85 years later by his ideological greatgrandchildren. Anarchism and terrorism (both that practiced by governments and their opponents) sputtered along together until the start of the Great Depression. An example of the first type of terrorism was that practiced by the Lenin/Bolshevik-dominated Soviet government during the 1920s. An example of the second in the United States was the detonation of a bomb in September 1920 in front of the J.P. Morgan building in the Wall Street area of New York City which resulted in 34 killed and more than 200 wounded.
and Dutu Processrng
During the 1930s the Nazis in Germany further refined the idea of government terrorism in its subjugation of dissent and elimination of the country’s Jewish and homosexual citizens. Comparable but less pervasive campaigns of terrorism were carried out by the fascist government in Italy and the military-dominated government of Japan. During World War II all three programs of terrorism were intensified and, in Europe a counter terrorist Resistance ~ sanctioned and directed by the Allied Governments - emerged. After World War II its methods and tools were adopted by the so-called anti-colonialist forces in Africa and the Middle East. The use of the weapons of terrorism by self-proclaimed freedom fighters had achieved, it appeared, a measure of acceptability. Brazilian terrorist Carlos Marighella synthesized this process in the late 1960s in his War Munuul for the Urbun Guerillu. An English translation of this book continues to circulate in the United States along with something called the Anurchist’s Cookbook. Both offer detailed guidance in such things as the setting of booby traps an the independent making of explosives. Politically conservative neo-terrorists tend to rely for guidance in matters like this on reprints of technical manuals prepared by the World War II U.S. Office of Strategic Services, the Central Intelligence Agency of the U.S. Army [l]. The Palestine Liberation Organization (PLO) began during the 1970s intensive training of essentially freelance terrorists who operated on an international scale. Ostensibly a project of the PLO acitivist/ideologue George Habash. head of the PLO Popular Front for The Liberation of Palestine component, the effort appears to some instead, to be largely controlled and financed by Soviet KGB agents. Habash, incidentally, is a leading current exponent of the Emile Henry contention that the terrorist goal justifies any means or action used to try to achieve it. The current U.S. Presidential Administration strongly opposed international terrorism and its ties the PLO training during its first year in office. PLO terrorism already had achieved acceptability of a sort in November 1974 when its head, Yasir Arafat, fully armed, addressed a plenary session of the United Nations General Assembly in New York City. That acceptability was underscored in October 1982 when Mr. Arafat was received in audience by Pope John Paul at the Vatican [2].
B. Menkus
/
Terrorrsm
Clearly terrorism has become respectable in the last quarter of the 20th Century. It is the unacknowledged but very potent third force in international affairs. It appears to be a permanent threat to social/economic/governmental stability. Russian novelist Boris Pasternak recognized this in his 1958 novel Dr. Zhivago. He wrote that “Revolutionaries who take the law into their own hands are terrifying, not as villains, but as mechanisms out of control, as runaway machines.“.
3. Situation Government-directed terrorism lies outside of the scope of the balance of this discussion. It is no less reprehensible than that of extra-governmental groups, but unlike the latter it is intended to dissent rather than to disrupt the suppress social/economic structure. Thus, Government terror is less likely to be directed towards computing facilities and the functions they perform. Extra-governmental terrorists have tended, in recent years, to direct most of their efforts towards what some have termed guerilla theatre. This has involved creating incidents that would receive maximum news coverage and create minimal danger to those carrying out the acts of terrorism involved. These have mainly called for bombings of government offices, places of worship, schools, automobiles and buses, and theatres and restaurants. Consequently the unarmed have been attacked. These tactics have been supplemented by commercial aircraft hijackings and kidnappings in which ransom as a means of fundraising for the terrorist group itself was the real goal. However, during the past few years extragovernmental terrorists - primarily those operating in Central America -- have begun to refocus their efforts to include the disruption of the key elements in the social fabric - communications, transportation and the public electrical power and water supplies. There have been earlier, essentially isolated incidents of this type in various countries including the United States. For example, electric power distribution system towers have been bombed periodically in the Western States - usually, however, by people who appeared to have a grievance against the power supplier. Modern common carrier communications, transportation and utility services all are surpris-
and Dora Processm~
13
ingly fragile. Incidents in the New York City area of the United States illustrate just a small segment of that fragility. A February 1975 fire that gutted a New York Telephone local office switching center building cut off all service to well over 100 thousand subscribers, including a number of corporate data centers, for nearly a month. Original Bell System estimates of the outage had been at least 180 days. Several incidents in which a truck carrying a hazardous cargo blocked the George Washington Bridge with New Jersey resulted in traffic blockages that spread over dozens of miles of roadway in Manhattan and elsewhere. Electric power failures in 1965, 1977 and 1981 lasted for hours and affected large areas of New York City proper and nearby Westchester County. Again these outages halted the operations of many area data processing facilities - including those supporting the regular trading of the New York, American and Commodities Exchanges [3]. In addition, computing has begun to play an increasingly sensitive role asa facilitator of social/economic activities. It serves in such roles as a distributor of funds, a monitor of hospital patient condition and a maintainer of communications network message switching processes. Here, too, interaction with the larger world is very sensitive. For example, while it resulted from organized union action rather than terrorist activities, work stoppages by employees of United Kingdom Government data centers played a major role in bringing down the Labour Government which led to the installation of a Conservative Government and the designation of Margaret Thatcher as the current Prime Minister. Relations between the United Kingdom Government and its unionized DP employees have remained somewhat stormy. Wildcat strikes in March 198 1, for instance, disrupted British participation in the Winsex North American Treaty Organization military exercises. Thus far, organized terrorist groups have failed to focus on DP facilities as a key to disruptive incidents. However there have been a number of isolated acts since February 1969 when rioting students burned the computer center at Montreal’s Sir George Williams University. Later that year and next, DP facilities were attacked at Boston University, California’s Fresno State College, the University of Kansas and the University of Wisconsin Mathematics Research Center. This last
14
B. Menkus
/ Terrorism
incident purportedly was carried out as a Vietnam War protest because of the Center’s work under contract to the U.S. Army. Here a graduate student, unexpectedly working after hours, lost his life in the explosion. In at least five incidences between 1971 and 1975 various IBM installations in the United States and Mexico were attacked. And, in March 1976 a Hewlett-Packard electronic circuit manufacturing site in Palo Alto, California was bombed. In May 1976 bombs were exploded in two floors of a Kennebec building housing the DP facilities of Central Maine Power. There was no material damage to the computing hardware in use. At this point openly identified acts by organized terrorists against computers largely appear to have ceased. However, the Italian Red Brigade terrorist organization did attack a number of data centers in that country in 1976. And a group dedicated to destroying computers reportedly has been active in France [4].
4. Vulnerabilities The current generation of terrorists appears to be ignoring both the growing significance of computing in the overall social structure and the disruptive potential of an attack on the facilities used to carry it on. However, there is no reason to believe that they will take forever to discover that significance. Modern terrorists have proven consistently that they can be “fast learners” when necessary. Terrorist actions against DP facilities, incidentally, could stimulate imitative actions by persons operating independently of organized terrorist groups. These loners may be employees or outsiders with real or imagined grievances against particular uses of DP; they believe that they can remedy them by disrupting the computing process. As demonstrated by the aftermath of the October 1982 so-called Tylenol killings in Chicago [5], there is a tendency for dramatic, socially disruptive acts to be copied by others. As demonstrated by the inability of law enforcement officials to specify the culprits in most of these incidents, loners historically have proven to be difficult to identify and trace. These people have tended to be more reckless in their actions than members of organized
and Dura Processrng
groups and to be more willing to patiently gather the information needed to perfect their actions. Lone disgruntled employees are especially likely to collect the exact knowledge needed to disrupt a computer system most effectively. Terrorist actions that might be directed against a computer can be classed as either direct or indirect. Direct actions can involve actual assaults upon a central DP facility and/or the electrical power and communications resources that it uses. One Vietnam War protest action inside the Pentagon did involve the bombing of an unoccupied restroom. Water from the damaged plumbing lines reportedly flooded and disabled a nearby classified U.S. Air Force computing center. Indirect actions can involve the compromise of key data base content or manipulation of remote diagnostic capabilities. The possibility of the latter vulnerability being exploited in a military computing environment is under active study at present by one of the U.S. military services. The former vulnerability has been exploited repeatedly over the past 15 years in a variety of academic, business and military computing environments. It has involved selective delection/insertion of data and efforts to crash critical systems. In addition to software design flaws and limitations that could be exploited by a knowledgeable terrorist, there is historical warrant to expect frontal assaults on data centers. placement of explosives on-site, vandalization and arson. There does not appear to be any feasible way to disrupt computing activities that has not already been tried at least once!
5. Responses There is no simple single activity - like installing some sort of special alarm device - that can protect a DP site from the threat of terrorist action. What should be done, basically, is to create a genuinely secure environment in which data may be processed. What is required to do this has not changed materially over the last 10 years [6]. This calls for doing such things as hardening the site against attack, removing all exterior signs identifying the site and what takes place there, and installing and maintaining tight controls over access to and within - the site. Alternate secure electric
B. Menkus / Terrorism and Data Processing
power resources and communication circuits should be provided; a failure of the primary resource should not half DP operations. Where the data center site is a remote location an alternate protected water source should be available. In addition, the data center disaster recovery plan should be expanded to include a planned response to a terrorist action. Among the issues to be resolved are bomb incident handling and fire protection tactics. Communications networks, which are at the heart of any distribution of DP resources, should be designed to be redundant. This should also be the practice in designing all application programs. There should always be another way to sustain the workload when recovering from a terrorist action or other disaster. Information handling systems and the programs that sustain them should be designed so that they avoid antagonizing the people who are affected by them. It is not possible to avoid completely creating grievances against particular computer installations. It is inexcusable not to try to minimize the possible issues that might motivate or be exploited by - terrorists. Finally, be sure that corporate management, the DP staff and system users understand that terrorist action is a possibility and that that each group has a stake in sensibly preparing to deal with the risk that it poses. Notes
[ 11 The most dangerous
information accessible to both groups appears to be unclassified data sufficient to permit creation of a nuclear weapon. Released over the years by the U.S. Atomic Energy Commission, it could be used by terrorists,
15
according to hydrogen weapon developer Theodore Taylor, to create a device that would not be optimally efficient but would produce a nuclear explosion of sufficient magnitude to satisfy their goals. For more information on this treat see Nuclear TheJt: Risk and Safeguards. Mason Willrich and Theodore Taylor. Ballinger Publishing, Cambridge MA, 1974. PI The history and philosophy of terrorism are more complex than it has been possible to suggest here. For an excellent analysis of its background see Terrorism: From RobespIerre to Am/at. Albert Perry. The Vanguard Press, New York, 1976. A more contemporary account of international terrorism may be found in The Terror Network. Claire Sterling, Holt, Rinehart, Winston; New York, 1981. [31 A broad view of the fragile nature of the United States’ energy distribution system is contained in Britile Power: Energy Strategy For National Security. Amory Lewis and L. Hunter Louvins. Brick House Publishing, Andover MA., 1982. Based on a report prepared a year earlier for the U.S. Federal Emergency Management Agency, this book, unfortunately, has received scant attention from the news media, the Congress and the current U.S. Presidential Administration. actions appears increasingly to be taking two 141 Terrorist different focuses. What might be called ideological actions tend to focus on issues; they usually seek to destroy or disrupt the operation of equipment or social/economic processes and to avoid injuring people. By contrast what might be called carnage-creating actions deliberately seek to injure or kill people; any other consequences of the action are incidental to this basic goal. While both types of actions have been carried out by terrorists over the past 200 years, the latter type of action appears to be favore by PLO-trained terrorist groups. [51 7 people otherwise unrelated died in the Chicago IL area in mid-October 1982 after ingesting Tylenol - brand analgesic capsules. ‘1he contents of these capsules had been replaced with cyanide and replaced in shelf cartons by someone still unidentified. See TIME Magazine cover story for 18 October 1982. [6] For a discussion of what is needed see my “Computer Facility Physical Security” in Computer Security Handbook. Douglas Hoyt, Ed. (Macmillan Information, New York NY, 1973).
Notes on Terrorism and Data Processing 1. Introduction
Belden Menkus P. 0. Box 85, Middleville,
NJ 07855, USA
Terrorism relies on mindless violence to achieve its objectives. Historically it has been employed as a conscious strategy to retain or achieve power by both purportedly legitimate governmental bodies and their opponents. Modern terrorists have begun to refocus their efforts on disruption of the social fabric. Terrorists have failed to recognize the role of DP in perpetuating the social/economic structure, but there have been isolated acts of terrorist violence directed at computer facilities since February 1969. There are many vulnerabilities in DP that terrorists could exploit for their own ends. Keywords:
Terrorism,
Terrorists
Belden Menkus has been a full-time consultant to management since 1968. He is accredited by the Society of Professional Management Consultants (SPMC) and is both a Certified Information Systems Auditor and a Certified Records Manager. He writes and lectures extensively on various aspects of business management. He is executive editor of Journal of Systems Mangemenr and a regular contributor to Software News. Administrative Management, EDP Auditor and Business Insurance. In addition, he is a member of the editorial board of Corporate Crime & Securit.v, and the editor of Data Processing Auditrng Report. Mr. Menkus is a Fellow of both the British Institute of Administrative Management and the American Associatoin of Criminology. He is a vice-president of SPMC and a member of the Board of the EDP Quality Assurance Institute, and the Panel of Arbitrators of the American Arbitration Association, the Association for Systems Management, the New York Crime Prevention Council, and the Business Forms Management Association. He has twice been awarded the silver medallion of the American Management Association and has received the distinguished service citations of both the National Micrographics Association and the Association of Records Executives and Administrators. He has been named a life honorary member of the Federal Emergency Management Administration Staff College faculty.
0 1983, Belden Menkus North-Holland Publishing Company Computers & Security 2 (1983) 1I-15
Terrorism has become, unfortunately, an accepted part of life in most developed countries outside.of the United States. Viewed by its practitioners as a strategy for manipulating the social/governmental process, it relies on what can only be called mindless violence to achieve its objectives. Terrorists place a high priority on disrupting the basic structural elements of society such as power distribution, transportation and communication. As computing assumes a progressively greater role in facilitating and controlling various elements in the social/governmental process, those places and resources needed to sustain data processing activities will become of increasingly greater interest to terrorist groups of all types. The fact that both DP facilities and the United States largely have escaped the attention of terrorist groups does not guarantee that they will continue to avoid their notice indefinitely.
2. Background It is appropriate to define terrorism as the “calculated creation of intense and pervasive fear and apprehension as a means for coercing a populace.” Terrorism historically has been employed as a conscious strategy to retain or achieve power by both purportedly legitimate governmental bodies and- their opponents. Terrorism historically may be traced to the pre-Christian era practice among invading armies of torturing and pillaging a subjugated citizenry. This practice is claimed by some historians to have been formalized by the Roman Emperor Nero in July 64 AD when he ordered a systematic suppression of the then nascent Christian Church as a means of diverting blame from himself as the cause of the burning of Rome. Terrorism recurred periodically in the centuries that followed; it was used variously as a military strategy and as an instrument of governmental policy. However, it emerged in its modern form during the appropriately designated French Reign of Terror during the final decade of the 18th
12
B. Menkus
/
Terromm
Century. Terrorism as an instrument of national policy was systematized by the Committee of Public Safety which functioned as the defucto Government in post-Revolution France. Directly it led in 1804 to the establishment of the dictatorial reign of Napoleon Bonaparte. Less directedly it sanctioned a style and structure of government in France that, in the eyes of some students of French affairs, continues to distort its realization of the republican/democratic process. Terrorism as a tool to be used by those in opposition to a Government emerged during the 19th Century in Russia. It was a reaction to the 1825 refinement of French terror by Czar Nicholas I. By mid-Century it had led Russian exile Nicholas Bakunin to develop the doctrine of anurchism as a response to oppressive Governments. Basically Bakunin contended that all governments were oppressive, they could not be reformed in any way to make them benevolent and, thus, they must be destroyed. In 1888 another Russian exile, Prince Peter Kropotkin, had linked Bakunin’s concept of dissolving the social/governmental structure with an ill-defined idea of replacing these structures by networks of utopian voluntary social cooperatives. In his major work. The Conquest of Bred, Kropotkin sanctioned the use of terrorism as the prime means for realizing the anarchist vision. Violent action was to be directed, according to Kropotkin, not just against the leaders of the State, but against the members of society in general. By 1894 this had led Emile Henry, for example, to set off a bomb in a Paris cafe. When asked, after his capture, about the guilt, if any, of the 20 workers killed and wounded as a result of the explosion, Henry replied that “there are no innocents.” This same sentiment was to be repeated some 85 years later by his ideological greatgrandchildren. Anarchism and terrorism (both that practiced by governments and their opponents) sputtered along together until the start of the Great Depression. An example of the first type of terrorism was that practiced by the Lenin/Bolshevik-dominated Soviet government during the 1920s. An example of the second in the United States was the detonation of a bomb in September 1920 in front of the J.P. Morgan building in the Wall Street area of New York City which resulted in 34 killed and more than 200 wounded.
and Dutu Processrng
During the 1930s the Nazis in Germany further refined the idea of government terrorism in its subjugation of dissent and elimination of the country’s Jewish and homosexual citizens. Comparable but less pervasive campaigns of terrorism were carried out by the fascist government in Italy and the military-dominated government of Japan. During World War II all three programs of terrorism were intensified and, in Europe a counter terrorist Resistance ~ sanctioned and directed by the Allied Governments - emerged. After World War II its methods and tools were adopted by the so-called anti-colonialist forces in Africa and the Middle East. The use of the weapons of terrorism by self-proclaimed freedom fighters had achieved, it appeared, a measure of acceptability. Brazilian terrorist Carlos Marighella synthesized this process in the late 1960s in his War Munuul for the Urbun Guerillu. An English translation of this book continues to circulate in the United States along with something called the Anurchist’s Cookbook. Both offer detailed guidance in such things as the setting of booby traps an the independent making of explosives. Politically conservative neo-terrorists tend to rely for guidance in matters like this on reprints of technical manuals prepared by the World War II U.S. Office of Strategic Services, the Central Intelligence Agency of the U.S. Army [l]. The Palestine Liberation Organization (PLO) began during the 1970s intensive training of essentially freelance terrorists who operated on an international scale. Ostensibly a project of the PLO acitivist/ideologue George Habash. head of the PLO Popular Front for The Liberation of Palestine component, the effort appears to some instead, to be largely controlled and financed by Soviet KGB agents. Habash, incidentally, is a leading current exponent of the Emile Henry contention that the terrorist goal justifies any means or action used to try to achieve it. The current U.S. Presidential Administration strongly opposed international terrorism and its ties the PLO training during its first year in office. PLO terrorism already had achieved acceptability of a sort in November 1974 when its head, Yasir Arafat, fully armed, addressed a plenary session of the United Nations General Assembly in New York City. That acceptability was underscored in October 1982 when Mr. Arafat was received in audience by Pope John Paul at the Vatican [2].
B. Menkus
/
Terrorrsm
Clearly terrorism has become respectable in the last quarter of the 20th Century. It is the unacknowledged but very potent third force in international affairs. It appears to be a permanent threat to social/economic/governmental stability. Russian novelist Boris Pasternak recognized this in his 1958 novel Dr. Zhivago. He wrote that “Revolutionaries who take the law into their own hands are terrifying, not as villains, but as mechanisms out of control, as runaway machines.“.
3. Situation Government-directed terrorism lies outside of the scope of the balance of this discussion. It is no less reprehensible than that of extra-governmental groups, but unlike the latter it is intended to dissent rather than to disrupt the suppress social/economic structure. Thus, Government terror is less likely to be directed towards computing facilities and the functions they perform. Extra-governmental terrorists have tended, in recent years, to direct most of their efforts towards what some have termed guerilla theatre. This has involved creating incidents that would receive maximum news coverage and create minimal danger to those carrying out the acts of terrorism involved. These have mainly called for bombings of government offices, places of worship, schools, automobiles and buses, and theatres and restaurants. Consequently the unarmed have been attacked. These tactics have been supplemented by commercial aircraft hijackings and kidnappings in which ransom as a means of fundraising for the terrorist group itself was the real goal. However, during the past few years extragovernmental terrorists - primarily those operating in Central America -- have begun to refocus their efforts to include the disruption of the key elements in the social fabric - communications, transportation and the public electrical power and water supplies. There have been earlier, essentially isolated incidents of this type in various countries including the United States. For example, electric power distribution system towers have been bombed periodically in the Western States - usually, however, by people who appeared to have a grievance against the power supplier. Modern common carrier communications, transportation and utility services all are surpris-
and Dora Processm~
13
ingly fragile. Incidents in the New York City area of the United States illustrate just a small segment of that fragility. A February 1975 fire that gutted a New York Telephone local office switching center building cut off all service to well over 100 thousand subscribers, including a number of corporate data centers, for nearly a month. Original Bell System estimates of the outage had been at least 180 days. Several incidents in which a truck carrying a hazardous cargo blocked the George Washington Bridge with New Jersey resulted in traffic blockages that spread over dozens of miles of roadway in Manhattan and elsewhere. Electric power failures in 1965, 1977 and 1981 lasted for hours and affected large areas of New York City proper and nearby Westchester County. Again these outages halted the operations of many area data processing facilities - including those supporting the regular trading of the New York, American and Commodities Exchanges [3]. In addition, computing has begun to play an increasingly sensitive role asa facilitator of social/economic activities. It serves in such roles as a distributor of funds, a monitor of hospital patient condition and a maintainer of communications network message switching processes. Here, too, interaction with the larger world is very sensitive. For example, while it resulted from organized union action rather than terrorist activities, work stoppages by employees of United Kingdom Government data centers played a major role in bringing down the Labour Government which led to the installation of a Conservative Government and the designation of Margaret Thatcher as the current Prime Minister. Relations between the United Kingdom Government and its unionized DP employees have remained somewhat stormy. Wildcat strikes in March 198 1, for instance, disrupted British participation in the Winsex North American Treaty Organization military exercises. Thus far, organized terrorist groups have failed to focus on DP facilities as a key to disruptive incidents. However there have been a number of isolated acts since February 1969 when rioting students burned the computer center at Montreal’s Sir George Williams University. Later that year and next, DP facilities were attacked at Boston University, California’s Fresno State College, the University of Kansas and the University of Wisconsin Mathematics Research Center. This last
14
B. Menkus
/ Terrorism
incident purportedly was carried out as a Vietnam War protest because of the Center’s work under contract to the U.S. Army. Here a graduate student, unexpectedly working after hours, lost his life in the explosion. In at least five incidences between 1971 and 1975 various IBM installations in the United States and Mexico were attacked. And, in March 1976 a Hewlett-Packard electronic circuit manufacturing site in Palo Alto, California was bombed. In May 1976 bombs were exploded in two floors of a Kennebec building housing the DP facilities of Central Maine Power. There was no material damage to the computing hardware in use. At this point openly identified acts by organized terrorists against computers largely appear to have ceased. However, the Italian Red Brigade terrorist organization did attack a number of data centers in that country in 1976. And a group dedicated to destroying computers reportedly has been active in France [4].
4. Vulnerabilities The current generation of terrorists appears to be ignoring both the growing significance of computing in the overall social structure and the disruptive potential of an attack on the facilities used to carry it on. However, there is no reason to believe that they will take forever to discover that significance. Modern terrorists have proven consistently that they can be “fast learners” when necessary. Terrorist actions against DP facilities, incidentally, could stimulate imitative actions by persons operating independently of organized terrorist groups. These loners may be employees or outsiders with real or imagined grievances against particular uses of DP; they believe that they can remedy them by disrupting the computing process. As demonstrated by the aftermath of the October 1982 so-called Tylenol killings in Chicago [5], there is a tendency for dramatic, socially disruptive acts to be copied by others. As demonstrated by the inability of law enforcement officials to specify the culprits in most of these incidents, loners historically have proven to be difficult to identify and trace. These people have tended to be more reckless in their actions than members of organized
and Dura Processrng
groups and to be more willing to patiently gather the information needed to perfect their actions. Lone disgruntled employees are especially likely to collect the exact knowledge needed to disrupt a computer system most effectively. Terrorist actions that might be directed against a computer can be classed as either direct or indirect. Direct actions can involve actual assaults upon a central DP facility and/or the electrical power and communications resources that it uses. One Vietnam War protest action inside the Pentagon did involve the bombing of an unoccupied restroom. Water from the damaged plumbing lines reportedly flooded and disabled a nearby classified U.S. Air Force computing center. Indirect actions can involve the compromise of key data base content or manipulation of remote diagnostic capabilities. The possibility of the latter vulnerability being exploited in a military computing environment is under active study at present by one of the U.S. military services. The former vulnerability has been exploited repeatedly over the past 15 years in a variety of academic, business and military computing environments. It has involved selective delection/insertion of data and efforts to crash critical systems. In addition to software design flaws and limitations that could be exploited by a knowledgeable terrorist, there is historical warrant to expect frontal assaults on data centers. placement of explosives on-site, vandalization and arson. There does not appear to be any feasible way to disrupt computing activities that has not already been tried at least once!
5. Responses There is no simple single activity - like installing some sort of special alarm device - that can protect a DP site from the threat of terrorist action. What should be done, basically, is to create a genuinely secure environment in which data may be processed. What is required to do this has not changed materially over the last 10 years [6]. This calls for doing such things as hardening the site against attack, removing all exterior signs identifying the site and what takes place there, and installing and maintaining tight controls over access to and within - the site. Alternate secure electric
B. Menkus / Terrorism and Data Processing
power resources and communication circuits should be provided; a failure of the primary resource should not half DP operations. Where the data center site is a remote location an alternate protected water source should be available. In addition, the data center disaster recovery plan should be expanded to include a planned response to a terrorist action. Among the issues to be resolved are bomb incident handling and fire protection tactics. Communications networks, which are at the heart of any distribution of DP resources, should be designed to be redundant. This should also be the practice in designing all application programs. There should always be another way to sustain the workload when recovering from a terrorist action or other disaster. Information handling systems and the programs that sustain them should be designed so that they avoid antagonizing the people who are affected by them. It is not possible to avoid completely creating grievances against particular computer installations. It is inexcusable not to try to minimize the possible issues that might motivate or be exploited by - terrorists. Finally, be sure that corporate management, the DP staff and system users understand that terrorist action is a possibility and that that each group has a stake in sensibly preparing to deal with the risk that it poses. Notes
[ 11 The most dangerous
information accessible to both groups appears to be unclassified data sufficient to permit creation of a nuclear weapon. Released over the years by the U.S. Atomic Energy Commission, it could be used by terrorists,
15
according to hydrogen weapon developer Theodore Taylor, to create a device that would not be optimally efficient but would produce a nuclear explosion of sufficient magnitude to satisfy their goals. For more information on this treat see Nuclear TheJt: Risk and Safeguards. Mason Willrich and Theodore Taylor. Ballinger Publishing, Cambridge MA, 1974. PI The history and philosophy of terrorism are more complex than it has been possible to suggest here. For an excellent analysis of its background see Terrorism: From RobespIerre to Am/at. Albert Perry. The Vanguard Press, New York, 1976. A more contemporary account of international terrorism may be found in The Terror Network. Claire Sterling, Holt, Rinehart, Winston; New York, 1981. [31 A broad view of the fragile nature of the United States’ energy distribution system is contained in Britile Power: Energy Strategy For National Security. Amory Lewis and L. Hunter Louvins. Brick House Publishing, Andover MA., 1982. Based on a report prepared a year earlier for the U.S. Federal Emergency Management Agency, this book, unfortunately, has received scant attention from the news media, the Congress and the current U.S. Presidential Administration. actions appears increasingly to be taking two 141 Terrorist different focuses. What might be called ideological actions tend to focus on issues; they usually seek to destroy or disrupt the operation of equipment or social/economic processes and to avoid injuring people. By contrast what might be called carnage-creating actions deliberately seek to injure or kill people; any other consequences of the action are incidental to this basic goal. While both types of actions have been carried out by terrorists over the past 200 years, the latter type of action appears to be favore by PLO-trained terrorist groups. [51 7 people otherwise unrelated died in the Chicago IL area in mid-October 1982 after ingesting Tylenol - brand analgesic capsules. ‘1he contents of these capsules had been replaced with cyanide and replaced in shelf cartons by someone still unidentified. See TIME Magazine cover story for 18 October 1982. [6] For a discussion of what is needed see my “Computer Facility Physical Security” in Computer Security Handbook. Douglas Hoyt, Ed. (Macmillan Information, New York NY, 1973).