Threat of multi-agent attacks on United States increasing, experts warn

Nothing seemed out of the ordinary the morning Massoud Amin stood before top U.S. officials warning about the threat of catastrophic attacks.

But the meeting, held less than a mile from the Pentagon, was cut short when cell phones and beepers rattled with news that two planes had hit the World Trade Center towers , one had hit the Pentagon and another was missing. Amin, director of the University of Minnesota Technological Leadership Institute (TLI), immediately worried about the nation’s electrical, cyber and energy infrastructure, all of which could have been the next victims.

“A determined, multi-pronged attack on these systems can cause many troubles for our nation,” he said, “an economic impact as well as on our security and quality of life.”

More than eight years after 9/11, the amount and severity of cyber attacks — incidents that can leave their victims defenseless against further modes of attack — have risen dramatically, prompting the approval of a new Master of Science in Security Technologies (MSST) program slated to begin this summer.

Amin, director of MSST, designed the 14-month program, aimed at preparing future business leaders, policy makers and public health, science and technology professionals to carry out the grave responsibility of protecting national infrastructure.

“We’ve been pushing in this area for close to 12 years now,” Amin said, “and we still have a long way to go.”

‘We are all connected’

Societies have become increasingly dependent upon networks of critical infrastructure — energy, the electricity grid, cyber communication, finance, transportation and others — that’s underlying interdependence makes countries like the United States more vulnerable to massive attacks.

If one part of the nation’s infrastructure goes unprotected, that vulnerability quickly cascades into the other networks, putting every individual at risk, Amin said.

“We are all connected,” he said. “Whether it’s sneezing when we have a flu and propagating it to everybody in the room or whether it’s our computers.”

Scott Borg , director and chief economist of the U.S. Cyber Consequences Unit , a nonprofit research institute that informs the government about cyber attack hazards, said this type of attack opens the door to a whole realm of attack possibilities, such as the entire “shut down” of a country due to a massive power outage.

Such a power outage would have little economic impact for the first three days, but after eight to 10 days, 70 percent of all economic activity would come to a halt, he said.

“We have a lot of things that cause us to lose sleep,” he said.

Attacks on the nation’s cyber networks, including viruses, information theft and hijacking of controls, have been on the rise for the past 15 years, Amin said.

In 1990, Congress issued a report on terrorists’ ability to sabotage critical power networks, rendering the nation “vulnerable to saboteurs with explosives or just high-powered rifles.”

A late 1997 report issued by the Clinton administration stressed the need to develop security measures for the complex, interactive networks. At the time, experts identified eight areas of critical infrastructure. That number has since risen to 18, each of which will be examined in the MSST program, Amin said.

In 2001, there were about 30,000 attempts per day to penetrate vital U.S. government Web sites, such as the Federal Bureau of Investigation and Central Intelligence Agency , Amin said. By 2003, that number had risen to over 80,000. Today’s average is substantially larger but can’t be revealed out of consideration for national security, he said.

The July attack on United States and South Korean government sites, including U.S. agencies responsible for monitoring cyber crime, was a reminder of national vulnerability and proof of the underlying linkage of those private sites, Amin said. A few months before the attack, the Government Accountability Office released a report on nearly 17,000 threats or attacks on federal sites in 2008, which is three times that of 2006.

“The number of cyber attacks has increased, the speed has increased and the severity of the successful ones has increased,” Amin said.

Perpetrators of such attacks range from disgruntled employees and computer hackers to foreign governments or domestic and foreign terrorists with a plot to cause sweeping harm.

The dependence on information technology renders the United States vulnerable to physical forms of attack — such as radiological bombs, aerosol anthrax dispersal or bombings using large vehicles or explosive vests — if the country’s vital communication networks are disabled, Amin said.

“It’s not just the cyber information leakage,” he said, “it’s a multi-hazard, multi-prong attack that we worry about, whether it’s a combination of cyber, physical together with biological, radiological or chemical weapons.”

In nearly all modern conflicts, physical attacks are made possible through cyber attacks, Borg said. If an enemy wanted to damage an American refinery, for example, it would be very difficult to do so with a physical attack alone, he said.

“But with an appropriate cyber attack, the attackers could have their names added to the list of people to be given access into the facility,” he said. “Their counterfeit badges would be read by the scanners as credentials giving them priority treatment. They could drive in with full teams of assistants and equipment.”

A protected U

Like any large organization, the University of Minnesota is not immune to cyber attacks. While it has yet to suffer a crippling attack, the issue “seems like it’s getting more difficult all the time,” Ken Hanna , Information Technology Manager in the Office of Information Technology , said.

Given that the University is such a large network — there are about 60,000 to 70,000 computers on campus — it’s constantly a target, Hanna said.

The implications of a successful attack on the University are far and wide. For students, it can mean having to re-install a computer operating system. For the institution, it can mean having private data stolen or the entire network becoming unavailable, Hanna said.

OIT takes several measures to protect against cyber attacks, and students play an important role, Hanna said. In residence halls, for example, they can’t get on the network unless they install free Symantec AntiVirus software. Although this tends to help, Hanna said, “computers in the residence halls come from all over the world, and some are already infected when they get here.”

Various spam filters constantly weed out potential spam or viral e-mails. About 80 percent of e-mails that come to the University are rejected before they’re read, Hanna said.

Most importantly, students must make sure their computers have the appropriate “patches,” software designed to fix security issues and improve performance, he said.

Password protection is key, Alok Gupta , professor in the Carlson School of Management and future MSST professor, said. Human mistakes, such as choosing an obvious password or posting it where others can see, are responsible for over 76 percent of successful cyber attacks, he said.

Gupta said it’s important to learn how to manage the risk of attacks before they occur.

“Nothing that is connected to a network is completely secure,” he said. “The only secure computer is one that is locked up and never turned on.”

Solutions for the future

The idea behind the MSST program is to bring together experts from a number of different disciplines that wouldn’t normally communicate, Jeff Bender , director of University’s Center for Animal Health and Food Safety and future MSST professor, said.

Despite being long overdue, the program provides an important collaborative approach to finding solutions.

“We’ve got food science, epidemiologists and public policy folks coming together to develop a program in an area that unfortunately, in this day and age, we really need to develop,” he said.

The program, a division of the TLI, will include professors from the University’s Institute of Technology , Carlson School, the Humphrey Institute of Public Affairs , the Law School and the School of Public Health , among others.

With the program, approved by the Board of Regents earlier this year, Amin intends to build upon his concept of “self-healing” infrastructure, grids of sensors that would monitor the precursors to attacks and include multiple layers of defense, rather than leaving critical infrastructure exposed.

If the United States could break the grid into separate sections and allow them to operate independently, that would greatly reduce the harm from an attack, Borg said.

“If we have a greater diversity of generation facilities, then we’re less vulnerable to scalable cyber attacks,” he said.

The 9/11 Commission cited a “failure of imagination” as one of the root causes of that disaster. Amin said he agrees, and urges the nation to envision possibilities, rather than simply focus on the obvious.

“Instead of being reactive,” he said, “We need to create a proactive culture that is strategically preparing for these things.”