I was planning to attend RSA conference, but unfortunately it didn’t work out. In the end it boiled down mostly to a monetary issue. In a blunt attempt to save the $2000+ attendance fee, I offered to do a presentation, but RSA said the agenda had already been closed. So I couldn’t take the opportunity to meet several friends (I do have friends), several other people who may view me as an enemy, and a whole bunch of interesting people as well. If I had gone to the Moscone Center, one of the sessions that I would have attended was Tuesday’s presentation by William Lynn on DoD’s cyber strategy.

According to Wired magazine, Lynn focused his talk on the subject of cyber terrorism. Unfortunately, Wired used the odd headline “What if al-Qaeda got Stuxnet?” The question seems kind of silly at first sight because the simple answer may probably just be something like “Shit, Osama, we got a virus on our computer”. However, for anyone studying cyber terrorism, drawing a connection between Stuxnet and the subject is anything but silly. The public image of an al-Qaeda operative may be the complete opposite of a hacker, but that doesn’t say anything. Remember Atta and his gang from the Hamburg cell? They were students at the technical university of Hamburg-Harburg. That’s a well-reputed academic institution where you can learn all about control systems you want to know. Actually it’s even a place where we recruit employees.

So let’s assume for a moment that a group of intelligent, frustrated, radical Islamists of the Atta caliber decides to spend more time in the university’s control system lab rather than in a prayer room sponsored by the university dean. The typical lab equipment of a German technical university looks pretty much like the pictures from Idaho that we pulled off the Siemens web site in December. Siemens sponsors most of the faculties, so you’ll find all the good and expensive stuff there.

Our assumed wannabe cyber terrorists won’t even be questioned about what they’re doing because in the aftermath of Stuxnet, control system security projects pop up everywhere, and you gotta study offense in order to defend, right? (Wrong. That’s similar to “I want to learn how to fly, but I’m not interested in learning how to land the damn airplane”. But that’s another story that I’m presently writing a book about.) When they have finished their first controller virus, test-driving it in a real environment is not difficult. As it turns out, one of their buddies from the mosque does an internship at a big chemical plant, power plant, automotive factory, you name it. All he needs to do is to plug in a thumb drive in any computer system. That’s it.

Certainly the first attempt will be rudimentary and foolish. So what? These guys are under no time pressure. They will learn from their mistakes and will improve, same as the authors of Stuxnet. The potential victims are the ones under time pressure. We expect the threat level for cyber terrorist attacks to turn deep red within two or three years. Will we manage to secure all potential targets within this timeframe? I doubt. It’s one of the issues I would have loved to discuss with Lynn.

Ralph Langner

Suggested reading

Sagemann, M.: Leaderless jihad. Terror networks in the twenty-first century. University of Pennsylvania Press, 2008

Wright, L.: The looming tower. Al-Qaeda and the road to 9/11. Vintage Books, 2007