Impact of cyber-attacks discussion

User Generated

zevprpernzzna64

Other

Description

In an effort to evaluate the cyber security threats in the public and private sector, research/locate two recent cyber-attacks and discuss its impact, some factors that made this system vulnerable, and our homeland security effort and response to protect this critical infrastructure.

Read at least one peer-reviewed article on the topic of a critical infrastructure. What are the threats and vulnerabilities the author identified? How does the author propose we fix the problems? Give your assessment of the threats and challenges.

Instructions: Fully utilize the materials that have been provided to you in order to support your response. Your initial post should be at least 600 words.

Unformatted Attachment Preview

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 A Dynamic Cyber Terrorism Framework Rabiah Ahmad Zahri Yunos Dept of Computer System and Communication Faculty of Information and Communication Technology Universiti Teknikal Malaysia Melaka (UTeM) Melaka, Malaysia rabiah@utem.edu.my CyberSecurity Malaysia Selangor, Malaysia zahri@cybersecurity.my and willingness to conduct operations of different kinds against specific targets are fundamental [5]. If perpetrators follow the lead of hackers, theoretically they have the capability to use ICT to conduct cyber attacks against specific targets. Due to the fact that cyberspace has no boundaries, there is a possibility that the terrorists or terrorist groups may pursue cyber terrorism in conducting offensive attacks and supporting physical violence in the future [6]. Abstract—Many nations all over the world have increased their dependency on cyberspace by maximizing the use of Information and Communication Technology (ICT). In this digital age, the concept of cyber terrorism or the use of cyberspace to carry out terrorist activities has emerged. Interestingly, there are many concepts of cyber terrorism provided by researchers, policy makers and individuals. This paper proposes a framework describing the core components of cyber terrorism. The authors have analyzed the data by using a grounded theory approach, in which the framework is drawn. The framework defines cyber terrorism from six perspectives: Target, motivation, method of attack, domain, action by perpetrator, and impact. In addition, the proposed framework provides a dynamic way in defining cyber terrorism as well as describing its influential considerations. Continued research in this area can be further conducted, which may lead to the development of strategic and technological framework to counter cyber terrorism. II. A. Cyber Terrorism War, crime and terrorism are traditional concepts that occur in the physical domain, the only new aspect is the “cyber” domain. Physical terrorism and cyber terrorism share the same basic elements i.e. sharing a common denominator – terrorism. Several researchers have argued that the underlying principles of terrorism behind the threat remain the same [6], and they have described terrorism activities in the cyber world as cyber terrorism [7]. Keywords-component; Cyber Terrorism, Cyberspace, ICT, Terrorism I. CONCEPTS AND TERMS INTRODUCTION It is noted that several definitions of terrorism have included targets directed at computer systems and its services that control a nation's energy facilities, water distributions, communication systems, and other critical infrastructures. Malaysia’s Penal Code, Chapter VIA, Sections 130B – 130T comprises provisions dealing with terrorism [8]. Section 130B (2) (h) defines terrorism as an act or threat of action designed or intended to disrupt or seriously interfere with, any computer system or the provision of any services directly related to communications infrastructure, banking or financial services, utilities, transportation or other essential infrastructure. Australia’s Security Legislation Amendment (Terrorism) Act 2002 defines terrorism, among others, as actions that seriously interfere, disrupt, or destroy, an electronic system including, but not limited to, an information system; a telecommunications system; a financial system; a system used for the delivery of essential government services; a system used for, or by, an essential public utility; or a system used for, or by, a transport system” [9]. Cyberspace and the Internet are at the center of modern life and have become an important medium for businesses, economics, politics and communities. Many nations all over the world have constantly increased their dependency on cyberspace by maximizing the use of Information and Communication Technology (ICT). ICT offers a double-edged sword. While development in the area of ICT allows for enormous gains in efficiency and productivity, it has also created opportunities for those with devious ambitions to cause harm [1]. At the same time, it can be a powerful tool for perpetrators such as extremists and terrorist groups to promote extremist ideologies and propaganda materials as well as to create public fear by damaging assets that are vital to national interest and security [2] [3]. The same technological advances that are benefiting the public at large are also increasing the arsenal of our adversaries. Critical National Information Infrastructure (CNII) underlies the nation’s economic, political, strategic and socioeconomic activities [4]. Many stakeholders are concerned with terrorist attacks against critical infrastructures such as telecommunications, power distributions, transportation, financial services and essential public utility services. Terrorist cyber attacks on CNII is possible, where the motives, resources The term cyber terrorism was first coined in the 1980s by Barry Collin [10], a senior research fellow at the Institute for Security and Intelligence in California. According to him, the convergence of the “virtual world” and “physical world” form the vehicle of cyber terrorism. Collin further clarifies that the 149 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 virtual world is the place in which computer programs function and data moves whereas the physical world is the place in which we live and function. The growing convergence of the physical and virtual worlds is becoming more complex. Nowadays, ICT plays a major role in the convergence of these two worlds. perpetrated by the use of computers and telecommunications capabilities, which leads to death, bodily injury, explosions and severe economic loss. Nagpal [19] defines cyber terrorism as the premeditated use of disruptive activities, or the threat thereof, in cyber space, with the intention to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives. Denning [11] defines cyber terrorism as unlawful attacks and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Denning also clarifies that, “Further, to qualify as cyber terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber terrorism, depending on their impact. Attacks that disrupt non-essential services, or that are mainly a costly nuisance, would not.” Definition by Denning consists of several important components on the concept of cyber terrorism. First, it refers to unlawful attacks. Second, the attacks and threats of attacks against computers, networks and the information stored within them. Third, the purpose of (unlawful attacks) is intimidating or influencing a government or society to further political or social objectives. Fourth, the attack results in violence against persons or property, or at least causes enough harm to generate fear. Lastly, serious attacks against critical infrastructures could be acts of cyber terrorism. Method of attack in cyber terrorism seems to use computer technology in carrying out the acts of terrorism. Beggs [20] defines cyber terrorism as the use of ICT to attack and control critical information systems with the intent to cause harm and spread fear to people, or at least with the anticipation of changing domestic, national, or international events. Similarly, Weimann [21] defines cyber terrorism as the use of computer network tools to harm or shut down critical national infrastructures (such as energy, transportation and government operations). CRS Report for Congress [22] defines cyber terrorism as the use of computer or weapons, or as targets, by politically motivated international, or sub-national groups, or clandestine agents who threaten or cause violence and fear in order to influence and audience, or cause a government to change its policies. As defined by Denning, the action by perpetrator involves to unlawful attacks to the targeted audiences. This notion is supported by Ariely [23] where cyber terrorism is referred as the intentional use or threat of use, without legally recognized authority, of violence, disruption, or interference against cyber systems. The result would be in death or injury of a person or persons, substantially damage to physical property, civil disorder or significant economic harm. This understanding is in line with study conducted by Nelson et al. [24] which defined cyber terrorism as the unlawful destruction or disruption of digital property to intimidate or coerce governments or societies in the pursuit of goals that are political, religious or ideological. Likewise, Lewis [12] defines cyber terrorism as the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population. Mantel [13] defines cyber terrorism as highly damaging computer attacks by private individuals designed to generate terror and fear to achieve political or social goals. Mshvidobadze [14] defines cyber terrorism as cyber acts designed to foment terror or demoralization among a target population for some purpose of the perpetrator, most likely this will be some kind of attack on critical infrastructure. Cyber terrorism should be involving computer technology and means as a weapon or target by terrorist groups or agents [15]. In the context of cyber terrorism, the above definitions suggest that critical infrastructure's computer system and civilian population would seem become attractive targets and contribute to the uniqueness of cyber terrorism. Here, the direct damage caused by the attack is to the critical infrastructure's computer system and civilian population. Cyber terrorism can have critical impact to the targeted audiences such as to cause fear to anyone in the vicinity or result in violence, death and destruction. Stohl [25] argues that cyber terrorism includes some form of intimidate, coerce, influence as well as violence. He defines cyber terrorism as the purposeful act or the threat of the act of violence to create fear and/or compliant behavior in a victim and/or audience of the act or threat. In a report to the United Nation General Assembly First Committee on Disarmament and International Security, cyber terrorism is mentioned as actions conducted via computer network that may cause violence against or generate fear among people, or lead to serious destruction for political or social problem [26]. Ron Dick, Director of the US's National Infrastructure Protection Center (NIPC) defines cyber terrorism a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies (as cited in [27]). This definition perhaps is taken from the US Government's definition of terrorism with the inclusion of "computer" in the definition. The context of cyber terrorism seems to argue that this term comprises component of motivation such as political, social and belief. For example, Conway [16] describes that, in order to be labeled as cyber terrorism, the attacks must have a terrorist component, which is result in death and/or large scale destruction and politically motivated. Pollitt [17] defines cyber terrorism as the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against non-combatants target by sub national groups or clandestine agents. Czerpak [18] argues that cyber terrorism is a politically driven attack Kerr [28] believes that cyber terrorism should have three common elements: The use of violence, political objectives, and the purpose of showing fear within a target population. 150 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 Ellsmore [29] says that cyber terrorism can be differentiated in terms of intent, outcome and the use of skills. Further analysis suggests that there are at least five elements which must be satisfied to construe cyber terrorism as described in Table I [30]. activity [36]. Malaysia too has enacted the Computer Crimes Act 1997. The purpose of the Act is to provide offenses relating to the misuse of computers. Amongst other things, it also deals with unauthorized access to computer material, unauthorized access with intent to commit other offenses and unauthorized modification of computer contents [38]. From legal perspective, the definition of Malaysia's computer crimes in Computer Crimes Act 1997 and terrorism in Penal Code, Chapter VII A, Section 130B is different. These two concepts cover different areas. In the simplest terms, cyber terrorists’ actions may cause prejudice to national security and public safety whereas cyber criminals’ actions may cause prejudice to individuals or groups for the purpose of monetary gain. Table I: Elements of Cyber Terrorism (adapted from Yunos et al. [30]) Elements of Cyber Terrorism  Politically-motivated cyber attacks that lead to death or bodily injury;  Cyber attacks that cause fear and/or physical harm through cyber attack techniques;  Serious attacks against critical information infrastructures such as financial, energy, transportation and government operations;  Attacks that disrupt non-essential services are not considered cyber terrorism; and  Attacks that are not primarily focused on monetary gain. Many studies have indicated that the Web 2.0 media such as interactive websites and blogs, social networking sites and discussion forums have been rapidly used by extremists as the medium to support their online activities [13]. However, it is important to note that cyber terrorism is different from terrorists' use of the Internet [31]. Taliharm [33] argues that cyber terrorism should not be confused with the use of illicit activities or Internet radicalization in cyberspace by the terrorist groups [33]. Taliharm [33] further argues that terrorists' use of the Internet is just action by certain individual or group to organize illicit activities by using the cyberspace. Based on the discussion above, there is no common agreement on the concept of cyber terrorism at the international front and among the researchers. While there are many definitions of cyber terrorism, these suggest a trend that further analysis of the phenomena could be further conducted. This is evidence as the study of this concept has been the focus of many policy makers and scholarly studies, but their standpoints and views vary. Due to multidimensional structures (or components) of cyber terrorism, we can say that the concept of cyber terrorism is a contested concept who interpret it differently by a number of parties. The context of cyber terrorism denotes different understandings and interpretations. Radicalization and extremism in cyberspace, however, can lead to terrorism [39]. Understanding online radicalization is one of the pillars of the fight against terrorism [21]. Perhaps the main concern is the potential for terrorists to use the Internet to inflict damage. The United Nations' report mentioned that the concern is to prevent moderates from becoming extremists, and extremists from becoming terrorists [40]. Threats from terrorism must be analyzed before they evolve into fullyfledged threats. Many of the actors in foiled plots have been discovered to have been radicalized online, on terrorists’ and extremists’ websites and chat rooms, amongst others, to provide information on weapons and explosives and facilitate large-scale recruitment efforts and propaganda [3]. B. A Clear Line between Terms When discussing cyber terrorism, there is always confusion between the term cyber terrorism with "cyber crimes" and “terrorist use of the Internet” [31]. However, these terms should not be mistaken as synonyms for cyber terrorism. C. Empirical Cyber Terrorism Frameworks Based on literatures, there are several empirical frameworks on cyber terrorism proposed by researchers. Veerasamy proposed a conceptual framework outlining the aspect of cyber terrorism that addresses the operating forces, the techniques and the objectives [41]. The operating forces provide the context in which cyber terrorism is functioning, in which it describes the qualities of a cyber terrorist as well as the properties of cyber terrorism in general. The technique describes practical methods and classification descriptions of carrying out cyber terrorism via invasive or offensive computer and network security practices. The objectives are similar to the motivation, where the intent is to cause direct damage via malicious goals and support functions. The framework provides a high level overview and serves as a basis of considerations in the domain of cyber terrorism. However, the framework’s attributes are not interactive and quite complex. The framework signifies that in order to consider cyber terrorism, at least one or more elements must be fulfilled. However, this is not accurate as cyber terrorism should be seen from a holistic perspective. Cyber terrorism has become a buzzword and is often sensationalized in the media whereby reports of cyber crimes are posed as cyber terrorism [31]. Berner [32] argues terms such as “computer crime” or “economic espionage” must not be associated with the term cyber terrorism. In defining cyber terrorist and cyber crime activities, it is necessary to segment the motivation and action [33]. From the motivation perspective, cyber terrorism is clearly different, operating with a specific agenda to support their actions [34]. Cyber crime and cyber terrorism can be differentiated through financial or economic purposes [35] [36]. The United Nations categorized cyber crime as unauthorized access, damage to computer data or programs, sabotage to hinder the functioning of computer system or network, unauthorized interception of data to, from and within a system or network; and computer espionage [37]. From a legal perspective, cyber crimes and cyber terrorism are two different things. In the United States, The Computer Fraud and Abuse Act (18 USC: 1030) defines cyber crimes as unauthorized computer intrusions or misuse as unlawful 151 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 physical trauma. Another framework on cyber terrorism, proposed by Tool Kidnapping/ Terrorists use the computer as a Heickero, illustrates the effects and consequences of cyber Harassment/ tool. Facilitating identity theft, terrorism operation from actor-target-effect chain in an Propaganda/ computer viruses, hacking are asymmetric context [5]. The model illustrates how cyber Education examples that fall under this terrorism in different phases could plan and accomplish a cyber category. operation as well as the effects and consequences of the digital Target Government Potential targets are corporations attack. Figure 1 provides an illustration of how cyber terrorism Officials/Cor and government computer is conducted. porations systems. Affiliation Actual/ Affiliation refers to recruitment Claimed in carrying out given instructions. Affiliation can result in the strengthening of individual organizations as they can immediately acquire access to the information resources of their allies. Figure 1. Actor-target-effect Chain (adapted from Heickero [5]) Motivation Social/Politic Political, social and economic al Change are the motivations present in real-world terrorism. The framework provided by Heickero is more relevant in understanding the modus operandi of cyber terrorism, which provides an attribute-chain from one attribute to another. The framework consists of the actors which are antagonists; the driving forces behind motives are social, psychological, economical and political; usage of means such as weapons and economy (resources); targets are objects such as infrastructure, organizations and individual; activities in realizing their goals such as planning and disorganization; and effects or consequences such as physical effect and syntax effect. III. Gordon and Ford [42] viewed cyber terrorism from the following perspectives; people (or groups), locations (of perpetrators, facilitators, victims), methods/modes of action, tools, targets, affiliations and motivations (Table II). They made an analysis on the attributes of traditional terrorism and integrated computer into the matrix. They concluded that the scope of terrorism changes within each other due to the addition of the computer. However, attributes such as perpetrator and place require further investigation as what important is not the perpetrator or the place, but the action [43]. Perhaps further analysis based on case studies is required. Interestingly, most governments in the world do not agree on one single definition of cyber terrorism [11] [44]. The term cyber terrorism generates different meaning in the minds of different people. However, understanding a common understanding as to what phenomenon contributes to this term is important in order for us to get a better understanding on the root causes of cyber terrorism. Unfortunately, we are in situation where there is still no consensus agreement on a definition on the concept of the phenomenon. There is no common definition of cyber terrorism that is widely accepted, hence there is a lack of common ground on which policy makers and researchers can agree on what they are fighting against. In general, previous studies have defined cyber terrorism from various points of view. However, the connectivity between each component highlighted in defining this terminology is still unclear. Therefore, there is a strong need to have a specific concept of cyber terrorism, especially for a legal definition. The concept would provide a foundation to the legal fraternity such as prosecutors and judges. Table II. Matrix of Terrorism with Inclusion of the Computer (adapted from Gordon and Ford [42]) Attributes Description Perpetrator Group/ Individual Place Worldwide Action Threats/ Violence/ Recruitment/ Education/ Strategies ANALYSIS OF FINDINGS Should website defacement be considered cyber terrorism? Would the use of the Internet by the terrorists such as fund raising, recruitment and propaganda be considered cyber terrorism? If somebody commits a certain act that meets the criteria of cyber terrorism, under what law will he/she be charged? Such examples highlight the need for a precise definition of cyber terrorism in order to avoid possible ambiguity and misinterpretation. This also will serve as a guide for distinguishing various terms of cyber incidents. In the cyber context, virtual interactions can lead to anonymity and desensitization. The event does not have to occur in a particular location. The Internet has introduced globalization of the environment. Terrorist scenarios typically are violent or involve threats of violence. Violence in the virtual environment includes psychological effects, possible behavior modification and In this study, the analysis is divided into four processes: Plan, data collection, data analysis, and reporting, which are similar with other traditional stages of research [45]. While most of the research methodologies are described in Section III, the reporting is presented in Section IV. 152 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 data and allows him or her to see alternative explanations and to recognize properties and dimensions of emerging concepts” [52]. A. Plan The planning stage started with the identification and investigation of research problems surrounding the identified phenomena. There are many terms of cyber terrorism, and some of them only address a subset of cyber terrorism and not the whole context. Due to the complexity of various interacting attributes or elements in cyber terrorism, to formulate a framework as to describe its influential considerations would be beneficial. Therefore, there is a need for a more structured approach in understanding the various attributes of cyber terrorism. This is crucial to the researchers and policy makers in understanding the context of cyber terrorism. Haig argues that the grounded theory research begins by focusing on an area of study and gathers data from a variety of sources, including literatures [53]. It is important to note comment made by Levy [51], where the author explains that these positions recognize that a prior understanding of the literature can therefore be used effectively in developing theory in a number of ways. Based on the review of pertinent literature, the prior knowledge and experience of the researcher are useful to formulate a preliminary conceptual model. Heath and Cowley reveal that a pre-understanding by early reference to the literature can contribute to the researcher’s understanding of social processes observed [54]. They argue that prior reading may be required if the researcher wishes to clarify concepts and build an emergent theory. Heath and Cowley [54] cite the work by Jezewski [55] who carried out a literature-based concept before attempting to further develop the concept via grounded theory. Heath and Cowley [54] further cite the comment by Glaser and Strauss [56] that “the researcher will not enter the field from ideas, but differ considerably in the role they see for the literature”. Thus, specific understanding from experience and literature may be used to stimulate theoretical sensitivity and generate the hypotheses. This notion is supported by Onion [57] who concludes that the application of the grounded theory method to review literature and derive a meta-theory is novel, whereby literature may be used as the primary data by the grounded theory method. This is ascertained by Esteves et al. [58] whereby they conclude that an analysis of issues related with the use of the grounded theory method is very useful for people starting a research project. B. Data Collection The analysis was conducted by reviewing existing literature on terrorism and cyber terrorism. Our goal was to examine whether particular researchers had developed useful insight into this subject and to learn whether consensus agreement had already been reached on this subject. Based on our observations, we have found that there is limited literature focusing on the cyber terrorism framework. However, most of the literature reviewed is valuable in terms of framing the context rather than directly providing a solution to the issues of this study. The materials reviewed include overseas government reports, articles found in websites, published conference materials and referred publications. One example of the qualitative research approach is grounded theory. Grounded theory was first presented by Glaser and Strauss in their 1967 book "The Discovery of Grounded Theory", which Goulding [46] describes the book was premised on a strong intellectual justification for using qualitative research to develop theoretical analysis. The phrase grounded theory refers to theory or general concepts that are developed from a corpus of data [47], [48] and the theory emerges through a close and careful analysis of the data [49]. As mentioned by Borgatti [47], the basic idea of the grounded theory approach is to read (and re-read) a textual database (such as a corpus of field note) and discover or label variables (called categories, concept and properties) and their interrelationship. C. Data Analysis The data analysis was conducted in two steps. In the first step, data analysis proceeded through axial coding (examining conditions, strategies and consequences). This method has been well described by Egan [45] and Borgatti [47]. In the second step, the data was mapped into a matrix format [58], where attributes as well as similarities or patterns between them emerged. In grounded theory development, the literature review provides theoretical construct, categories and their properties that can be used to organize the data and discover new connections between theory and real-world phenomena [50]. Developing grounded theory should formulate them into a logical, systematic and explanatory scheme [51], [49]. The theory should be based exclusively on data collected whereby the researchers bring a considerable background in professional and disciplinary knowledge to an inquiry. Researchers approach the question with background and some knowledge with the literature in the domain [49]. Levy [51] explains that these positions recognize that a prior understanding of the literature can be therefore be used effectively in developing theory in a number of ways. Based on the review of pertinent literature, prior knowledge and experience of the researcher is useful to formulate of a preliminary conceptual model. As described by Borgatti [47], axial coding is the process of relating codes (categories and properties) to each other, via a combination of inductive and deductive thinking. Borgatti [47] explains that grounded theorists emphasize causal relationships, and fit things into a basic frame of generic relationships. The author simplifies the process of axial coding framework as per Table III. This framework consists of systematized cause-and-effect schema which the researchers used to explicate relationships between categories (or attributes) and sub-categories. Egan [45] explains that a general understanding of the phenomenon under investigation is considered sufficient for the initiation of this type of research. Egan [45] further explains, “Having established a problem or topic in general terms and chosen a site where the research questions could be examined more closely, evidence is allowed to accumulate by the “ .. experience and knowledge are what sensitize the researcher to significant problems and issues in the 153 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 researcher, resulting in an emerging theory”. To develop this theory, “early activities by the researcher involve the identification of categories capturing uniformities in the data and then identifying compelling properties and dimensions of the data”. This argument is further stressed by Glaser and Strauss [56] where they say, “A discovered, grounded theory, then, will tend to combine mostly concepts and hypothesis that have emerged from the data with some existing ones that are clearly useful”. impact or consequence is high as the cyber attacks are done to intimidate or coerce a government or people that lead to violence against persons or properties. The framework describing the components of cyber terrorism is proposed in Figure 2. The framework provides a baseline when establishing and defining cyber terrorism. The aim is to show a more dynamic way in defining cyber terrorism as well as describing its influential considerations. Thus, it can be seen that formulating the framework from various strategic considerations would be beneficial in understanding cyber terrorism in its full context. Summarily, these factors will determine whether someone is involved in cyber terrorism or not. Levy [51] explains that sampling should be directed by the logic and the types of coding procedures used in analyzing and interpreting data. The result is the revelation of meaningful differences and similarities among and between categories. The possibility for a hypothesis about the relationships between categories is always present. By using the framework provided by Borgatti [47], the relationships of categories are analyzed and observed. Table III. Axial Coding Framework (adapted from Borgatti [47]) Elements Phenomenon Causal conditions Action strategies Consequences IV. Description This is what in schema theory might be called the name of the schema or frame. It is the concept that holds the bits together. In grounded theory it is sometimes the outcome of interest, or it can be the subject. These are the events or variables that lead to the occurrence or development of the phenomenon. It is a set of causes and their properties. The purposeful, goal-oriented activities that agents perform in response to the phenomenon and intervening conditions. These are the consequences of the action strategies, intended and unintended. Figure 2. A Dynamic Cyber Terrorism Framework The framework is dynamic in many aspects since the influential factors on the decision are based on all attributes (or components) within the framework. In other words, the framework suggests that all attributes (or components) contribute in the decision-making process in order to determine whether someone gets involved in cyber terrorism or not. The authors suggest that the framework presented here is an improvement over existing frameworks as it captures the important factors when considering that the perpetrator may combine these factors for conducting cyber terrorism. The components of cyber terrorism in this framework are bind together to form the concept of cyber terrorism. We need to combine the components with conjunction "AND", which means that each of those components is necessary to constitute cyber terrorism. Otherwise, if one or more components are not provided, it would not constitute cyber terrorism. THE PROPOSED FRAMEWORK A conceptual framework links various concepts and serves as a motion for the formulation of theory [59]. A complete analysis of the data has revealed six emergent perspectives of cyber terrorism, which became the major findings of the study. In our view, the nature of cyber terrorism framework should have these six perspectives: Target, motivation, method of attack, domain, action by perpetrator, and impact. With the growing interconnectedness of critical infrastructures on ICT, the selection of a target that allows the maximum level of disruption would significantly influence the terrorists. Motivation is about influencing human beings and the decisions they make. Motivation forces behind cyber terrorism are social, political and belief. Cyber terrorists can exploit vulnerabilities over a targeted system through a vast array of intrusive tools and techniques. The method of attack could be through network warfare and psychological warfare. Cyberspace is the domain in which a terrorist-type attack is conducted. Cyber terrorists employ unlawful use of force or unlawful attacks to conduct the premeditated attack. The A. Target The act of cyber terrorism is unique as it combines a specific target with a wider audience [60], which is illustrated in Figure 3. With this argument, the CNII computer system and civilian population contribute to the uniqueness of cyber terrorism [61]. The possibility of disabling the entire CNII communication networks and attacking civilian community at large would seem to provide a variety of attractive targets. At 154 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 the same time, targets that are high-profile would probably be among the most influential factors in a terrorist group’s decision as the damage and destruction would be extraordinarily significant and costly to society and the country attacked. or its people in furtherance of political or social objectives [11]. Digital technologies thus offer contemporary terrorists and terrorist organizations a wide range of opportunities to support their campaigns of violence and if they are proficient, significantly support their political objectives [25]. Terrorists wish to undermine confidence in the political structure and create difficulty within the body of politics. Cyber terrorists cause harm or damage to people or groups of people with a political agenda [32]. C. Method of Attack Heickero [5] concludes that cyber terrorism comprises different types of methods such as computer network operations and psychological operations. The capability to conduct a cyber attack can be divided into three groups: Simple (unstructured), advanced (structured) and complex (coordinated) [64]. Heickero’s [5] description of a computer network operation and O’Hara’s [64] model of technical capabilities of a cyber attack fit well with the definition of network warfare. Veerasamy [65] defines network warfare as a modern form of conflict in which computers and networks are used as the weapons with information serving as the leverage control. Modern forms of network warfare include all the computer and network security means through which computers are attacked and exploited (worms, denial-ofservice, bots) as well as all the protective mechanism being implemented (intrusion detection tools, anti-virus software and firewalls). Figure 3. Target Model (adapted from Ackerman et al. [60]) The assumption that attacks against computer systems are less dangerous, such as leading to economic losses rather than human lives is not true. Due to the advancement of technology, many essential computing services are using the Supervisory Control and Data Acquisition (SCADA) systems, and nowadays, they are connected to the Internet and can be controlled remotely. An attack to the SCADA system that controls and manages critical infrastructures may have been unthinkable in the past, but with current technological developments, it is now possible for the SCADA system to become a target for terrorist attacks. Brunst [62] discusses that there are three scenarios that could be taken into consideration; attacks on hydroelectric dams, tampering with railways and air traffic control systems, and taking over control of power plants. Brunst in his literature review provides excellent examples of terrorist attacks in these control systems, which would generate fear within a population. Successful cyber attacks on these control systems certainly have long-term effects, create fear and pose immediate danger to human lives. Taliharm [31] suggests that the term cyber terrorism should also involve several other activities carried out by the terrorist via the Internet, including propaganda via terrorist websites. Spreading of propaganda via Web 2.0 media is part of psychological operation [43]. Web 2.0 media enables terrorists or terrorist groups to establish their presence in cyberspace and to spread propaganda, especially for the press and public attention [62]. Coverage of mainstream media is important as news coverage in the media is always repeated, thus increasing the propaganda message’s reach. Apart from focusing on the ICT infrastructure, cyber terrorism also targets civilian population [5] [25] [60]. Attacks against critical infrastructure that spread fear and harm to innocent people within a community would be classified as cyber terrorism [20]. From an effect perspective, consequences on civilian population are bigger, thus it would get more media attention and be more widely publicized. The selection of a target that allows the maximum level of disruption would significantly influence the terrorists. From a psychological perspective, a disgruntled employee within an organization also poses threats to the organization. One incident took place in Australia where a man had access to the sewerage control systems, which harmed the environment and killed wildlife [66]. It was reported that he had worked for the company and had knowledge of the tools that operated the sewerage control system. The driving forces for his action were revenge and the feeling of unfair treatment from the management. On the other hand, this category of individuals can be bought; and information can be sold to terrorist groups. An insider could also act as a cyber terrorist [5]. The extra advantage is that they have the inside knowledge. An insider can be planted within the organization or through a sympathizer who is working in that organization. The objective is perhaps to provide sensitive information or to perform certain tasks such as putting malware into critical control systems for future attacks. In the US, it was reported that 20 employees were arrested for possession of false identification used to obtain security access to facilities containing restricted and sensitive military technology [43]. B. Motivation Motivation is about influencing human beings and the decisions they make [1]. The motivating forces behind cyber terrorism are social, political and belief [63]. Through these forces, terrorists are psychologically motivated to drive terrorism. From the motivation perspective, cyber terrorism exists if the person or group of people operates with a specific political or ideological agenda to support their activities [20]. For example, the Irish Republican Army engages in terrorist activity for a predetermined political purpose with the objective to maintain and strengthen political control [6]. Cyber terrorism is defined as unlawful attacks and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government 155 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 D. Domain Cyber terrorism is the convergence of cyberspace and terrorism. Cyberspace, whether accessed by computer systems or other devices, is the domain (medium) through which a cyber attack would be delivered. The National Security Presidential Directive 54/Homeland Security Presidential Directive 23 of the US Government defines cyberspace as the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers [67]. The UK Government defines cyberspace as an “interactive domain that is made up of digital networks that is used to store, modify and communicate information. It includes the Internet, but also the other information systems that support our businesses, infrastructure and services” [68]. F. Impact The act of cyber terrorism is unique as it combines a specific target with a wider audience [6]. In this argument, the components of a purposeful violence against persons or properties, disruption or serious interference of critical services operation, causing fear, death or bodily injury, severe economic loss, and prejudice to national security and public safety contribute to the uniqueness of cyber terrorism. Cyber terrorism exists when there is an attack on a computer system that leads to violence against a person or property; and the disruption is enough to generate fear, death or bodily injury [11] [12]. Cyber terrorism is done to cause grave harm or severe economic damage or extreme financial harm [6] [22]. As reported by Rollins and Wilson [43], if terrorists were to launch a widespread cyber attack, the economy would be the intended target for disruption, while death and destruction might be considered collateral damage. Terrorist-type cyber attacks may target chemical, biological, radiological or nuclear (CBRN) computer network installations [18] [43]. A successful attack to these installations would cause enough severe economic disruption and harm to civilian population (death and bodily injury). Cyber terrorism thus can be seen as a relevant threat due to its strong relation to ICT and cyberspace. Apart from land, sea, air and space, cyberspace is another dimension of warfare. Weimann [21] writes that cyberspace is in many ways an ideal arena for activity of extremist of terrorist organizations. Among others, it offers easy and fast flow of information. By its very nature, cyberspace is also capable of reaching out to a wide audience throughout the world and disseminates information in a multimedia environment via the combined use of text, graphics, audio and video. With the growing interconnectedness and interdependencies of critical infrastructure sectors, the target selection of cyber terrorism is likely to be significantly influenced by those targets that allow for a maximum level of disruption [6] [20]. Terrorists' cyber attacks probably aim at critical infrastructure as their target. Successful cyber attacks in one sector will have cascading effects on other sectors. Due to this nature, a largescale terrorist-type cyber attack could bring unpredictable and perhaps catastrophic impact to other sectors, and possibly longlasting impact to the country’s economy. E. Action by Perpetrator Flemming and Stohl [6] argue that, terrorism is a process that involves acts or threats, emotional reactions and the social effects of the acts or threats and the resultant action. Terrorism in the cyber environment involves all of the above components. The advancement of ICT and rapid changes in the technological environment influence terrorist resources and opportunities. The convergence of physical terrorism and new advancements of ICT have spawned a new term called cyber terrorism. V. CONCLUSION The term cyber terrorism generates different meanings in the minds of different people. Cyber terrorism is about threat perception that makes the concept differ from one to another. The concept of this term is an essentially-contested concept where it is interpreted differently at different levels such as researcher, professional and policy maker. Understanding similarities and differences in perception of what constitutes cyber terrorism can provide insight on the concept of cyber terrorism. Rollins and William [43] argue that, there are two views in defining cyber terrorism, which are based on impact (effectbased) and intention (intent-based). They clarify that, effectbased cyber terrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals. This implies that, cyber terrorism should focus on the act rather than the perpetrator. While, intent-based cyber terrorism exists when "unlawful or politically-motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage". In this work, the data collected from the extensive literatures was analyzed using the grounded theory approach, in which the framework was drawn. The analysis was conducted to determine how the components of the concept of cyber terrorism come together to form the concept. From the finding, the authors have concluded that the concept of cyber terrorism can be described from six perspectives: Target, motivation, method of attack, domain, action by perpetrator, and impact. The cyber terrorist can have the same motives as the traditional terrorist, but they use computer and network media to attack [69]. Cyber terrorists conduct unlawful use of force or unlawful attack to conduct the premeditated attack to intimidate or coerce a government or people to further political, social or belief objectives, or to cause severe economic damage. The impact or consequence is high as the attacks are done to intimidate or coerce a government or people that lead to violence against persons or properties. This work provides a baseline when establishing and defining the concept of cyber terrorism. The perspectives are useful in determining whether someone is involved in cyber terrorism or not. In addition, the proposed framework shows an overall framework of cyber terrorism in a simplistic and dynamic manner. For future works, this framework can be 156 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 validated and assessed by encompassing both qualitative and quantitative techniques. Continued research in this area can be further conducted, which may lead to the development of strategic and technological framework to counter cyber terrorism. [19] R. Nagpal, “Cyber Terrorism in the Context of Globalization,” in II World Congress on Informatics and Law, 2002, no. September, pp. 1-23. [20] C. Beggs, “Cyber-Terrorism in Australia,” IGI Global, pp. 108-113, 2008. [21] G. Weimann, “www.terror.net: How Modern Terrorism Uses the Internet,” United States Institute of Peace, no. 116, pp. 1-11, 2004. [22] C. Wilson, “Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,” 2005. [23] G. Ariely, “Knowledge Management, Terrorism and Cyber Terrorism,” in Cyber Warfare and Cyber Terrorism, L. J. Janczewski and A. M. Corarik, Eds. Hersey, New York: Information Science Reference, 2008. [24] B. Nelson, R. Choi, M. Iacobucci, M. Mitchell, and G. Gagnon, “Cyberterror: Prospects and Implications.” Center for the Study of Terrorism and Irregular Warfare, Montery, CA, 1999. [25] M. Stohl, “Cyber Terrorism : A Clear and Present Danger, the Sum of All Fears, Breaking Point or Patriot Game?,” Springer Science + Business Media B.V, 2007. [26] S. T. Dang, “The Prevention of Cyberterrorism and Cyberwar,” in Old Dominion University Model United Nations Conference (ODUMUNC), 2011, pp. 1-6. [27] S. Berinato, “Cybersecurity - The Truth About Cyberterrorism,” 2002. [Online]. Available: http://www.cio.com/article/30933/CYBERSECURITY_The_Truth_Abo ut_Cyberterrorism?page=2&taxonomyId=3089. [Accessed: 26-Jan2012]. [28] K. Kerr, “Putting Cyberterrorism into Context,” The Journal of The System Administrators Guild of Australia, vol. 9, no. 3, pp. 5-10, 2003. [29] N. Ellsmore, “Cyber-terrorism in Australia: The Risk to Business and a Plan to Prepare.” SIFT Pty Ltd, 2002. [30] Z. Yunos, S. H. Suid, R. Ahmad, and Z. Ismail, “Safeguarding Malaysia’s Critical National Information Infrastructure (CNII) Against Cyber Terrorism: Towards Development of a Policy Framework,” IEEE Sixth International Conference on Information Assurance & Security, pp. 21-27, 2010. [31] A. M. Taliharm, “Digital Development Debates: Emerging Security Challenges and Cyber Terrorism,” no. 5, 2011. [32] S. Berner, “Cyber-Terrorism : Reality or Paranoia ?,” South African Journal of Information Management, vol. 5, no. 1, pp. 1-4, 2003. [33] E. Noor, “The Problem with Cyber Terrorism,” Proceeding of Southeast Asia Regional Center for Counter Terrorism’s (SEARCCT) Selection of Articles, Ministry of Foreign Affairs Malaysia, vol. Volume 2/2, pp. 5164, 2011. [34] Y. Li, “National Information Infrastructure Security and Cyber Terrorism in the Process of Industrializations,” in Proceeding of the IEEE Computer Society, 2009, pp. 532-535. [35] N. Veerasamy and M. Grobler, “Countermeasures to Consider in the Combat Against Cyberterrorism,” Proceedings of the Workshop on ICT Uses in Warfare and the Safeguarding of Peace, pp. 56-85, 2010. [36] C. Wilson, “Holding Management Accountable : A New Policy for Protection Against Computer Crime,” IEEE Explore, pp. 272-281, 2000. [37] N. B. Sukhai, “Hacking And Cybercrime,” Proceeding of InfoSecCD Conference, pp. 128-132, 2004. [38] “Malaysia’s Computer Crime Act 1997,” 1997. [Online]. Available: http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPA N025630.pdf. [Accessed: 20-Oct-2011]. [39] A. Bergin, S. Osman, C. Ungerer, and N. A. Mohamed Yasin, “Countering Internet Radicalisation in Southeast Asia.” An RSIS–ASPI Joint Report by S. Rajaratnam School of International Studies and Australian Strategic Policy Institute, 2009. [40] United Nations General Assembly, “Uniting Against Terrorism: Recommendations for a Global Counter-terrorism Strategy.” 2006. [41] N. Veerasamy, “A Conceptual High-level Framework of Cyberterrorism,” International Journal of Information Warfare, vol. 8, no. 1, pp. 1-14, 2009. [42] S. Gordon and R. Ford, “Cyberterrorism?,” Symantec White Paper, 2002. [43] J. Rollins and C. Wilson, “Terrorist Capabilities for Cyberattack: Overview and Policy Issues,” CRS Report for Congress, 2007. [44] J. J. Prichard and L. E. MacDonald, “Cyber Terrorism: A Study of the Extent of Coverage in Computer Security Textbooks,” Journal of Information Technology Education, vol. 3, 2004. ACKNOWLEDGMENT The authors would like to thank the following individuals who provided valuable input to this paper: Professor Dato' Husin Jazri, CEO of CyberSecurity Malaysia; Sazali Sukardi, Head of Strategic Policy Research, CyberSecurity Malaysia and Nor'azuwa Muhamad Pahri, Specialist of Research Division, CyberSecurity Malaysia. We also would like to thank the Universiti Teknikal Malaysia Melaka (UTeM) that provided research grant for this project. REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] N. Veerasamy and J. H. P. Eloff, “Towards a Framework for a Network Warfare Capability,” in Council of Scientific and Industrial Research, Pretoria, South Africa, 2008. D. E. Denning, “Activism, Hactivism and Cyberterorism: The Internet as a Tool for Influencing Foreign Policy,” in Conference on The Internet and International System: Information Technology and American Policy Decision Making, 1999. The Lipman Report Editors, “Cyberterrorism: The Invisible Threat Stealth Cyber Predators in a Climate of Escalating Risk,” Guardsmark, LLC, Memphis, Tennessee, USA. 2010. Ministry of Science Technology and Innovation of Malaysia, “National Cyber Security Policy.” 2006. R. Heickero, “Terrorism Online and the Change of Modus Operandi,” Swedish Defence Research Agency, Stockholm, Sweden, pp. 1-13, 2007. P. Flemming and M. Stohl, “Myths and Realities of Cyberterrorism,” Proceeding on Countering Terrorism through Enhanced International Cooperation, pp. 70-105, 2000. C. Lim, K. I. Eng, and A. S. Nugroho, “Implementation of Intelligent Searching Using Self-Organizing Map for Webmining Used in Document Containing Information in Relation to Cyber Terrorism,” in 2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies, 2010, pp. 195-197. ACT 574 Penal Code, “Chapter VIA – Offences Relating To Terrorism. Section 130B (1) & (3) (h).” Zul Rafique & Partner Report, 1997. “Australia’s Security Legislation Amendment (Terrorism) Act,” no. 2005. 2002. B. L. Collin, “The Future of Cyberterrorism: Where the Physical and Virtual Worlds Converge,” in 11th Annual International Symposium Criminal Justice Issues, 1996, vol. 93, no. 4. D. E. Denning, “Cyberterrorism,” Testimony given to the House Armed Services Committee Special Oversight Panel on Terrorism, 2000. J. A. Lewis, “Assessing the Risks of Cyberterrorism, Cyber War and Other Cyber Threats,” Center for Strategic and International Studies, 2002. B. Mantel, “Terrorism and the Internet. Should Web Sites That Promote Terrorism Be Shut Down?,” CQ Researcher, pp. 129-152, 2009. K. Mshvidobadze, “State-sponsored Cyber Terrorism : Georgia’s Experience,” Presentation to the Georgian Foundation for Strategic and International Studies, pp. 1-7, 2011. S. Krasavin, “What is Cyber-terrorism,” Computer Crime Research Center (CCRC), 2001. [Online]. Available: www.crimeresearch.org/library/cyber-terrorism.htm. [Accessed: 09-Jun-2008]. M. Conway, “Reality Bytes : Cyberterrorism and Terrorist ‘ Use ’ of the Internet,” FIRST MONDAY, Journal on the Internet, 2002. [Online]. Available: www.firstmonday.org/ISSUES/issue7_11/conway. [Accessed: 09-Jun-2008]. M. M. Pollitt, “Cyberterrorism — Fact or Fancy?,” Computer Fraud & Security, no. 2, pp. 8-10, 1998. P. Czerpak, “The European Dimension of the Flight against Cyberterrorism – A Theoretical Approach,” 2005. 157 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 2, 2012 [63] M. D. Cavelty, “Critical Information Infrastructure: Vulnerabilities, Threats and Responses,” 2007. [64] T. F. O’Hara, “Cyber Warfare/Cyber Terrorism,” USAWC Strategy Research Project, 2004. [65] N. Veerasamy and J. H. P. Eloff, “Application Of Non-Quantitative Modelling In The Analysis Of A Network Warfare Environment,” in World Academy of Science, Engineering and Technology Conference, Paris, France, 2008. [66] D. E. Denning, “Is Cyberterrorism Coming?,” 2002. [Online]. Available: www.marshall.org/pdf/materials/58.pdf . [Accessed: 17-Oct-2010]. [67] United States of America, “Cyberspace Policy Review : Assuring a Trusted and Resilient Information and Communication Infrastructure.” 2009. [68] UK Cabinet Office, “The UK Cyber Security Strategy - Protecting and Promoting the UK in a Digital World,” 2011. [69] N. Veerasamy, “Motivation for Cyberterrorism,” 9th Annual Information Security South Africa (ISSA) - Towards New Security Paradigms, p. 6, 2010. [45] T. M. Egan, “Grounded Theory Research and Theory Building,” in Advances in Developing Human Resources, vol. 4, no. 3, Sage Publications, 2002, pp. 277-295. [46] C. Goulding, “Grounded Theory: Some Reflections on Paradigm, Procedures and Misconceptions,” pp. 1-29, 1999. [47] S. Borgatti, “Intro to Grounded Theory,” 1996. [Online]. Available: trp.jlu.edu.cn:8000/yuhongyan_jpk/.../20061201165241756.doc. [48] D. R. Cooper and P. S. Schindler, Business Research Method. NY: McGraw-Hill Companies, Inc, 2008. [49] L. Lingard, M. Albert, and W. Levinson, “Grounded Theory, Mixed Methods, and Action Research,” British Medical Journal, vol. 337, pp. 459-461, Aug. 2008. [50] C. Marshall and G. B. Rossman, “The ‘What’ of the Study - Building the Conceptual Framework,” in Designing Qualitative Research 3rd Edition, Sage Publications, 1999, pp. 21-54. [51] D. Levy, “Qualitative Methodology and Grounded Theory in Property Research,” Pacific Rim Property Research Journal, vol. 12, no. 4, pp. 369-388, 2006. [52] A. Strauss and J. Corbin, Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. Newbury Park, CA: Sage Publications, 1990. [53] B. D. Haig, “Grounded Theory as Scientific Method,” in In Philosophy of Education 1995 : Current Issues, no. 1, University of Illinois Press, 1996, pp. 281-290. [54] H. Heath and S. Cowley, “Developing a Grounded Theory Approach: A Comparison of Glaser and Strauss,” International Journal of Nursing Studies, vol. 41, no. 2, pp. 141-150, Feb. 2004. [55] M. A. Jezewski, “Evolution of a Grounded Theory. Conflict Resolution through Cultural Brokering,” Advances in Nursing Science, vol. 17, no. 3, pp. 14-30, 1995. [56] B. Glasser and A. Strauss, “The Discovery of Grounded Theory,” in Strategies for Qualitative Research, New York: Aldine, 1967. [57] P. E. W. Onions, “Grounded Theory Applications in Reviewing Knowledge Management Literature,” Leeds Metropolitan University Innovation North Research Conference, pp. 1-20, 2006. [58] J. Esteves, U. Politécnica, and J. Carvalho, “Use of Grounded Theory in Information Systems Area : An Exploratory Analysis,” European Conference on Research Methodology for Business and Management, pp. 129-136, 2000. [59] G. A. Bowen, “Grounded Theory and Sensitizing Concepts,” International Journal of Qualitative Methods, pp. 12-22, 2006. [60] G. Ackerman et al., “Assessing Terrorist Motivations for Attacking Critical Infrastructure,” Center for Nonproliferation Studies, Monterey Institute of International Studies, California, Jul. 2007. [61] T. G. Lewis, T. J. Mackin, and R. Darken, “Critical Infrastructure as Complex Emergent Systems,” International Journal of Cyber Warfare & Terrorism, vol. 1, no. 1, pp. 1-12, 2011. [62] P. W. Brunst, “Terrorism and the Internet: New Threats Posed by Counterterrorism and Terrorist Use of the Internet,” pp. 51-79, 2010. AUTHORS PROFILE Rabiah Ahmad is an Associate Professor at the Faculty of Information Technology and Communication, Universiti Teknikal Malaysia Melaka, Malaysia. She received her PhD in Information Studies (health informatics) from the University of Sheffield, UK, and M.Sc. (information security) from the Royal Holloway University of London, UK. Her research interests include healthcare system security and information security architecture. She has delivered papers at various health informatics and information security conferences at national as well as international levels. She has also published papers in accredited national/international journals. Besides that, she also serves as a reviewer for various conferences and journals. Zahri Yunos is currently working with CyberSecurity Malaysia. Zahri holds a Master’s degree in Electrical Engineering from the Universiti Teknologi Malaysia, Malaysia and a Bachelor’s degree in Computer Science from the Fairleigh Dickinson University, New Jersey, USA. He is a certified Associate Business Continuity Professional by the Disaster Recovery Institute International, USA. Zahri has been awarded Senior Information Security Professional Honouree in July 2010 by the (IS2)2, USA. He has contributed various articles and presented papers on topics related to cyber security and Business Continuity Management. He is currently pursuing his PhD at the Universiti Teknikal Malaysia Melaka, Malaysia. 158 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. United States Government Accountability Office Report to Congressional Committees April 2016 CIVIL SUPPORT DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents GAO-16-332 April 2016 CIVIL SUPPORT Highlights of GAO-16-332, a report to congressional committees DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents Why GAO Did This Study What GAO Found Cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of impact. DOD’s 2013 Strategy for Homeland Defense and Defense Support of Civil Authorities states that DOD must be prepared to support civil authorities in all domains—including cyberspace—and recognizes that the department plays a crucial role in supporting a national effort to confront cyber threats to critical infrastructure. The Department of Defense (DOD) has developed overarching guidance about how it is to support civil authorities as part of its Defense Support of Civil Authorities (DSCA) mission, but DOD’s guidance does not clearly define its roles and responsibilities for cyber incidents. Specifically, DOD has developed and issued key DSCA guidance—such as DOD Directive 3025.18, Defense Support of Civil Authorities—that provides guidance for the execution and oversight of DSCA. However, DOD guidance does not clarify the roles and responsibilities of key DOD entities—such as DOD components, the supported command, and the dual-status commander—that may be called upon to support a cyber incident. Specifically: House Report 114-102 included a provision that GAO assess DOD’s plans for providing support to civil authorities related to a domestic cyber incident. This report assesses the extent to which DOD has developed guidance that clearly defines the roles and responsibilities for providing support to civil authorities in response to a cyber incident.  DOD components: DOD Directive 3025.18 identifies the specific responsibilities of DOD officials who oversee DOD components responsible for various elements of DSCA, such as the Assistant Secretary of Defense for Health Affairs for health or medical-related support, but does not specify the responsibilities of DOD components (such as the Assistant Secretary of Defense for Homeland Defense and Global Security) in supporting civil authorities for cyber incidents.  Supported command: Various guidance documents are inconsistent on which combatant command would be designated the supported command and have primary responsibility for supporting civil authorities during a cyber incident. U.S. Northern Command’s DSCA response concept plan states that U.S. Northern Command would be the supported command for a DSCA mission that may include cyber domain incidents and activities. However, other guidance directs and DOD officials stated that a different command, U.S. Cyber Command, would be responsible for supporting civil authorities in a cyber incident.  Dual-status commander: Key DSCA guidance documents do not identify the role of the dual-status commander—that is, the commander who has authority over federal military and National Guard forces—in supporting civil authorities during a cyber incident. According to U.S. Northern Command officials, in a recent cyber exercise there was a lack of unity of effort among the DOD and National Guard forces that were responding to the emergency but were not under the control of the dualstatus commander. GAO reviewed DOD DSCA guidance, policies, and plans; and met with relevant DOD, National Guard Bureau, and Department of Homeland Security officials. What GAO Recommends GAO recommends that DOD issue or update guidance that clarifies DOD roles and responsibilities to support civil authorities in a domestic cyber incident. DOD concurred with the recommendation and stated that the department will issue or update guidance. View GAO-16-332. For more information, contact Joseph W. Kirschbaum at (202) 5129971 or kirschbaumj@gao.gov. DOD officials acknowledged the limitations of current guidance to direct the department’s efforts in supporting civil authorities in a cyber incident and discussed with GAO the need for clarified guidance on roles and responsibilities. DOD officials stated that the department had not yet determined the approach it would take to support a civil authority in a cyber incident and, as of January 2016, DOD had not begun efforts to issue or update guidance and did not have an estimate on when the guidance will be finalized. Until DOD clarifies the roles and responsibilities of its key entities for cyber incidents, there would continue to be uncertainty about which DOD component or command should be providing support to civil authorities in the event of a major cyber incident. United States Government Accountability Office Contents Letter 1 Background DOD Has Developed Guidance for Supporting Civil Authorities, but the Guidance Does Not Clearly Define Roles and Responsibilities for Domestic Cyber Incidents Conclusions Recommendation for Executive Action Agency Comments and Our Evaluation 5 10 20 20 21 Appendix I List of Offices GAO Contacted in Its Review 24 Appendix II Comments from the Department of Defense 25 Appendix III GAO Contact and Staff Acknowledgments 27 Abbreviations DOD DSCA Stafford Act Department of Defense Defense Support of Civil Authorities Robert T. Stafford Disaster Relief and Emergency Assistance Act This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page i GAO-16-332 Civil Support Letter 441 G St. N.W. Washington, DC 20548 April 4, 2016 Congressional Committees Cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of impact.1 The Department of Defense’s (DOD) 2015 Cyber Strategy reports that threat actors are planning to conduct disruptive and destructive cyberattacks on the United States and that the government, military, and private sectors are vulnerable to this cyber threat.2 DOD’s 2013 Strategy for Homeland Defense and Defense Support of Civil Authorities states that DOD must be prepared to defend the homeland and support civil authorities in all domains—including cyberspace—and recognizes that the department plays a crucial role in supporting a national effort to confront cyber threats to critical infrastructure.3 Generally, DOD supports civil authorities through its Defense Support of Civil Authorities (DSCA) mission.4 We have previously reported on the progress DOD has made to address issues related to civil support. For example, in June 2015, we testified on the progress DOD had made in implementing our prior recommendations to support civil authorities including strengthening its strategy, plans, and guidance; interagency coordination; and capabilities.5 We found that DOD had taken action to address some of our prior recommendations but had not fully addressed others. For example, we found that DOD had improved interagency coordination for support of civil authorities by 1 James R. Clapper, Director of National Intelligence, Statement for the Record on the Worldwide Threat Assessment of the US Intelligence Community for the Senate Armed Services Committee (Feb. 26, 2015). 2 Department of Defense, The DOD Cyber Strategy (April 2015). (Hereinafter referred to as The DOD Cyber Strategy). 3 Department of Defense, Strategy for Homeland Defense and Defense Support of Civil Authorities (February 2013). 4 DSCA is DOD’s mission to provide support through the federal military force, National Guard, and other resources in response to requests for assistance from civil authorities for domestic emergencies (e.g., hurricanes and wildfires), special events (e.g., political party national conventions), designated law-enforcement support, and other domestic activities. Throughout this report we also refer to DSCA as “civil support.” 5 GAO, Civil Support: DOD Is Taking Action to Strengthen Support of Civil Authorities, GAO-15-686T (Washington, D.C.: June 10, 2015). Page 1 GAO-16-332 Civil Support defining interagency roles and responsibilities and had identified capabilities it could provide for DSCA; however, it had not issued implementation guidance on the use of dual-status commanders.6 House Report 114-102 accompanying a bill for the National Defense Authorization Act for Fiscal Year 20167 included a provision that GAO assess DOD’s plans for providing support to civil authorities related to a domestic cyber incident.8 This report assesses the extent to which DOD has developed guidance that clearly defines the roles and responsibilities for providing support to civil authorities in response to cyber incidents. To assess the extent to which DOD has developed guidance that clearly defines the roles and responsibilities for providing support to civil authorities in response to cyber incidents, we reviewed key DOD policies, guidance, strategies, and instructions such as Joint Publication 3-28, Defense Support of Civil Authorities;9 The DOD Cyber Strategy;10 Chairman of the Joint Chiefs of Staff Execute Order, Defense Support to Civil Authorities (DSCA);11 and DOD Directive 3025.18, Defense Support of Civil Authorities (DSCA).12 DOD officials identified these documents as the key documents the department uses to guide its DSCA efforts. We reviewed these documents to identify: (1) DOD’s authority to respond to 6 Dual-status commanders are commissioned officers (Army or Air Force or a federally recognized Army National Guard or Air National Guard officer) who serve as an intermediate link between the separate chains of command for state and federal forces and have authority over both National Guard forces under state control and active-duty forces under federal control during a civil support incident or special event. 7 See H.R. Rep. No. 114-102 at 289–290 (2015). 8 A cyber incident is likely to cause, or is causing, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, information systems, services, or networks; or threaten public health or safety, undermine public confidence, have a negative effect on the national economy, or diminish the security posture of the nation; or both. 9 Joint Chiefs of Staff, Joint Publication 3-28, Defense Support of Civil Authorities (July 31, 2013). (Hereinafter cited as Joint Publication 3-28.) 10 DOD, The DOD Cyber Strategy. 11 Chairman of the Joint Chiefs of Staff Standing Execute Order, Defense Support of Civil Authorities (DSCA) (June 2013). (Hereinafter cited as Chairman of the Joint Chiefs of Staff Standing Execute Order, Defense Support of Civil Authorities.) 12 DOD Directive 3025.18, Defense Support of Civil Authorities (DSCA) (Dec. 29, 2010) (incorporating change 1, Sept. 21, 2012). (Hereinafter cited as DOD Directive 3025.18.) Page 2 GAO-16-332 Civil Support cyber incidents for civil authorities, (2) DOD’s role in the Department of Homeland Security’s National Response Framework, (3) DOD components’ roles and responsibilities for providing support to civil authorities for a cyber incident,13 (4) DOD’s request for assistance procedures, (5) criteria DOD uses to support a request for assistance from civil authorities, and (6) the extent to which DOD has incorporated and provided specific information on responding to a cyber incident into its guidance on DSCA. We also reviewed the President of the United States’ Unified Command Plan,14 DOD’s and the Department of Homeland Security’s memorandum of agreement regarding cybersecurity,15 and U.S. Northern Command’s Defense Support of Civil Authorities concept plan16 to determine the extent to which the documents identify the role of DOD components in supporting civil authorities in a cyber incident. We compared these documents to the standards and guidance for setting agency roles and responsibilities and command relationships identified in the National Response Framework,17 Standards for Internal Control in the Federal Government,18 the Office of Management and Budget’s Management Responsibility for Internal 13 DOD defines “DOD components” to include the Office of the Secretary of Defense, the military departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the combatant commands, the DOD Office of Inspector General, the defense agencies, the DOD field activities, and all other entities within DOD. 14 The President of the United States, Unified Command Plan (Washington, D.C.: Apr. 6, 2011, with change 1, dated Sept. 12, 2011). (Hereinafter cited as Unified Command Plan.) 15 Department of Homeland Security and Department of Defense, Memorandum of Agreement Between the Department of Homeland Security and the Department of Defense Regarding Cybersecurity (Sept. 27, 2010). (Hereinafter cited as Memorandum of Agreement Between the Department of Homeland Security and the Department of Defense Regarding Cybersecurity.) 16 U.S. Northern Command, Concept Plan 3500-14, Defense Support of Civil Authorities Response (Colorado Springs, Colorado: July 2014). (Hereinafter cited as U.S. Northern Command, Concept Plan 3500-14.) 17 Department of Homeland Security, National Response Framework, 2nd ed. (May 2013).The National Response Framework is a guide on how the United States responds to all types of disasters and emergencies. 18 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1, 1999). These standards were in effect prior to fiscal year 2016 and cover the period of DOD’s DSCA guidance. These standards were subsequently updated. The updates went into effect on October 1, 2015. See GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: Sept. 10, 2014). Page 3 GAO-16-332 Civil Support Control,19 the Joint Action Plan for Developing Unity of Effort,20 Joint Action Plan for State-Federal Unity of Effort on Cybersecurity,21 and DOD’s Joint Publication 3-12(R), Cyberspace Operations.22 We did not review any state or local agency civil support–related documents because our review focused on DSCA provided by federal military and National Guard forces. Additionally, we interviewed officials from DOD involved in DSCA from the Office of the Deputy Assistant Secretary of Defense for Homeland Defense Integration and Defense Support of Civil Authorities and U.S. Northern Command to obtain further information regarding: the roles and responsibilities of DOD components in responding to cyber incidents; the cyber response framework; and the challenges in developing the framework, if any. We also interviewed officials from the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and the Federal Emergency Management Agency to obtain information regarding their efforts to coordinate with DOD components to support civil authorities in a cyber incident. A full list of the offices we contacted is in appendix I. We conducted this performance audit from June 2015 to April 2016 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 19 Office of Management and Budget, Circular A-123, Management’s Responsibility for Internal Control (Washington, D.C.: Dec. 21, 2004). 20 Department of Defense, Council of Governors, and Department of Homeland Security, Joint Action Plan for Developing Unity of Effort (Washington, D.C.: 2010). (Hereinafter cited as Joint Action Plan for Developing Unity of Effort.) 21 Council of Governors, Department of Homeland Security, and Department of Defense, Joint Action Plan for State-Federal Unity of Effort on Cybersecurity (Washington, D.C.: July 2014). (Hereinafter cited as Joint Action Plan for State-Federal Unity of Effort on Cybersecurity.) 22 Joint Chiefs of Staff, Joint Publication 3-12(R), Cyberspace Operations (Feb. 5, 2013). (Hereinafter cited as Joint Publication 3-12(R)). Page 4 GAO-16-332 Civil Support Background DOD Support to Major Disasters and Emergencies Under the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act), when state capabilities and resources are overwhelmed and the President declares an emergency or disaster, the Governor of an affected state can request assistance from the federal government for major disasters or emergencies.23 Additionally under the Economy Act, a federal agency may request the support of another federal agency, including DOD, without a presidential declaration of an emergency.24 The federal government’s response to major disasters and emergencies in the United States is guided by the Department of Homeland Security’s National Response Framework, a national-level guide on how local, state, and federal governments respond to major disasters and emergencies.25 The Department of Homeland Security’s interim National Cyber Incident Response Plan outlines domestic cyber incident response coordination and execution among federal, state and territorial, and local governments, 23 See Pub. L. No. 100-707 (1988) (codified as amended at 42 U.S.C. § 5121, et seq.). The Stafford Act aims to provide a means of assistance by the federal government to state and local governments in responding to a presidentially declared major disaster or emergency. 24 See 31 U.S.C. § 1535(a), which permits one federal agency to request the support of another federal agency provided that the service is available and cannot be obtained more cheaply or conveniently by contract. 31 U.S.C. § 1535(a)(1)-(4). 25 Department of Homeland Security, National Response Framework, 2nd ed. The National Response Framework is a component of the National Preparedness System mandated in Presidential Policy Directive 8, National Preparedness. The National Response Framework sets the doctrine for how the United States builds, sustains, and delivers the response core capabilities identified in the National Preparedness Goal. The National Preparedness Goal establishes the capabilities and outcomes the United States must accomplish in order to be secure and resilient. The National Response Framework identifies 14 emergency support functions that serve as the federal government’s primary coordinating structure for building, sustaining, and delivering response capabilities. The Department of Homeland Security is responsible for overseeing the preparedness activities of the communications emergency support functions, among others, which include cybersecurity. Page 5 GAO-16-332 Civil Support and the private sector.26 Various federal agencies can play a lead or supporting role in responding to major disasters and emergencies. Overall coordination of federal incident-management activities is generally the responsibility of the Department of Homeland Security. DOD supports the lead federal agency in the federal response to a major disaster or emergency. Defense resources are committed after the lead agency submits a request for assistance and the President or Secretary of Defense directs DOD to provide support. DOD does not generally develop military forces specifically for the DSCA mission and the department does not provide funding to train, equip, or exercise specifically for DSCA unless directed to do so by Congress, the President, or the Secretary of Defense. Examples of DOD’s DSCA missions include responding to major disasters and emergencies (both natural and man-made); support of civilian law enforcement agencies, including civil disturbance operations; restoring public health, medical services, and civil order, such as animal/plant disease eradication and counterdrug operations; and providing support for national special security events. Specifically, in its DSCA mission, DOD supports civil authorities by providing them with resources for responses to disasters like Hurricane Sandy and wildfires in the western United States as well as national special security events such as political-party national conventions. When authorized to provide support to civil authorities for domestic emergencies, DOD may provide capabilities and resources—such as military forces (including the National Guard under Title 10 and Title 32, U.S. Code), DOD civilians, and DOD contractors.27 DOD components can also provide support to civil authorities under separate authority. For example, the DOD Cyber Crime Center can support digital and 26 Department of Homeland Security, National Cyber Incident Response Plan, Interim Version (Washington, D.C.: September 2010). Department of Homeland Security officials told us that while the plan is identified as an “Interim Version,” the officials have been told to treat this plan as if it was finalized. 27 Title 10 and Title 32, U.S. Code, govern the operations of the Department of Defense and the National Guard respectively. Military forces, both active and reserve, may support domestic missions in Title 10 or Title 32. Title 32 provides the authority for the National Guard to conduct activities in a federal pay status but subject to state control. The National Guard normally responds to domestic emergencies in a state active duty status. Under state active duty, the National Guard can be used for state purposes in accordance with the state constitution and statues, and the respective state is responsible for National Guard expenses. Page 6 GAO-16-332 Civil Support multimedia forensic requests and provide training services to non-DOD government organizations.28 Additionally, the National Security Agency, as an element of the Intelligence Community, is authorized to provide any other assistance and cooperation to law enforcement and other civil authorities not precluded by applicable law.29 In an effort to facilitate DSCA across the nation and at all organizational levels, DOD has assigned responsibilities within the Office of the Secretary of Defense (such as the Assistant Secretary of Defense for Homeland Defense and Global Security), the Chairman of the Joint Chiefs of Staff, various combatant commanders (such as the U.S. Northern Command and U.S. Pacific Command commanders), and the chief of the National Guard Bureau, among others.30 DOD’s Assistant Secretary of Defense for Homeland Defense and Global Security is the principal civilian advisor responsible for homeland defense, DSCA, and cyber policy for the department.31 This official is to develop policies, conduct analysis, provide advice, and make recommendations on homeland defense, DSCA, emergency preparedness, and cyberspace operations within the department.32 The Chairman of the Joint Chiefs of Staff advises the Secretary of Defense on the effects of requests for 28 DOD Directive 5505.13E, DOD Executive Agent (EA) for the DOD Cyber Crime Center (DC3) (Mar. 1, 2010). 29 White House, Executive Order 12333, as amended, United States Intelligence Activities, paragraph 2.6(d). 30 According to Joint Chiefs of Staff, Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms (Nov. 8, 2010, as amended through Nov. 15, 2015), a combatant command is a unified or specified command with a broad continuing mission under a single commander established and designated by the President, through the Secretary of Defense and with the advice and assistance of the Chairman of the Joint Chiefs of Staff. 31 In January 2015, the Office of the Under Secretary of Defense for Policy reorganized its missions and renamed the Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs as the Assistant Secretary of Defense for Homeland Defense and Global Security. The Deputy Assistant Secretary of Defense for Homeland Defense Integration and Defense Support of Civil Authorities and the Deputy Assistant Secretary of Defense for Cyber Policy report to this official. 32 According to Joint Publication 1-02, cyberspace operations are the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace. Joint Publication 1-02 defines cyberspace as a global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Page 7 GAO-16-332 Civil Support DSCA on national security and identifies available resources for support in response to DSCA requests. U.S. Northern Command and U.S. Pacific Command provide support to civil authorities at the federal, state, and local levels as directed. Further, U.S. Cyber Command synchronizes the planning for cyberspace operations in coordination with other combatant commands, the military services, and other appropriate federal agencies.33 The National Guard Bureau is supposed to coordinate communications between DOD components and states for National Guard matters and conducts an annual assessment on the readiness of the National Guard to conduct DSCA activities.34 Additionally, a dualstatus commander could serve as an intermediate link between the separate chains of command for state and federal forces and is intended to promote unity of effort between federal and state forces to facilitate a rapid response during major disasters and emergencies.35 In military operations where multiple combatant commands have a role, the Secretary of Defense will establish support relationships and determine the supported and supporting combatant commanders. A supported combatant commander has primary responsibility for all aspects of an operation including capability requests, identifying tasks for DOD components, and developing a plan to achieve the common goal. Supporting combatant commanders provide the requested assistance, as available, to assist the supported combatant commander to accomplish missions. 33 U.S. Cyber Command is a subordinate unified command to U.S. Strategic Command. A subordinate unified command is established by a commander of a unified command to conduct operations on a continuing basis in accordance with the criteria set forth for unified commands. See Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms. 34 The Army National Guard and Air National Guard of the United States perform federal missions under the command of the President, and the National Guard of each state performs state missions under the command of the state’s governor. 35 The National Defense Authorization Act for Fiscal Year 2012, Pub. L. No. 112-81, § 515 (2011) provided that a dual-status commander should be the usual and customary command and control arrangement in situations when the armed forces and National Guard are employed simultaneously in support of civil authorities, including missions involving major disasters and emergencies. In their technical comments to our draft report, DOD officials stated that additional DOD components may also promote DOD unity of effort and support DSCA missions to include defense coordinating officers and elements, liaisons, and other coordinating mechanisms. Page 8 GAO-16-332 Civil Support DOD Cyber Reports to Congress In response to a provision in the National Defense Authorization Act for Fiscal Year 2014,36 DOD issued a cyber mission analysis report on the department’s efforts to conduct cyberspace operations using its total cyber forces including its active and reserve components—the Army National Guard of the United States, Army Reserve, Air Force Reserve, Air National Guard of the United States, Marine Corps Reserve, and Navy Reserve.37 In this analysis, DOD found advantages to using its reserve components for cyber missions such as load sharing and providing surge capabilities. The report recommends, among other things, that National Guard state active-duty policies and processes be clarified to ensure unity of effort between DOD and National Guard forces, and that the National Guard focus on support roles such as coordinate, train, advise, and assist with state or local agencies or private industry when directed by their respective governor or authorized by DOD. Additionally, section 933(e) of the National Defense Authorization Act for Fiscal Year 2014 mandated that the Chief of the National Guard Bureau assess DOD’s description of the role of the National Guard in supporting DOD’s cyber operations. In September 2014, the National Guard Bureau issued its report highlighting, among other things, that the bureau concurs with DOD’s finding that the cyber reserve components can offer load sharing and surge capacity and supports DOD’s plan to integrate reserve personnel into cyberspace forces.38 Additionally, a provision in the National Defense Authorization Act for Fiscal Year 2016 requires DOD to develop a comprehensive plan for U.S. Cyber Command to support civil authorities in response to a cyber attack by a foreign power. Among the elements required in the plan is a description of the roles, responsibilities, and expectations of active and reserve components of the armed forces.39 This plan is due to Congress in May 2016. 36 Pub. L. No. 113-66, § 933 (2013). 37 DOD, Cyber Mission Analysis: Mission Analysis for Cyber Operations of Department of Defense (Washington, D.C.: Aug. 21, 2014). 38 Chief, National Guard Bureau, National Guard Bureau Cyber Mission Analysis Assessment (Sept. 29, 2014). 39 See Pub. L. No. 114-92, § 1648(a) (2015). Page 9 GAO-16-332 Civil Support DOD Has Developed Guidance for Supporting Civil Authorities, but the Guidance Does Not Clearly Define Roles and Responsibilities for Domestic Cyber Incidents DOD Has Developed DSCA Guidance DOD has developed and issued overarching policies and guidance for the department’s activities to support civil authorities. DOD officials that we met with identified several key documents that guide their DSCA activities:  DOD Directive 3025.18, Defense Support of Civil Authorities (DSCA), establishes DSCA policy and provides guidance for the execution and oversight of DSCA.40 This directive also establishes the criteria to evaluate all requests for assistance from civil authorities.41  DOD’s Joint Publication 3-28, Defense Support of Civil Authorities, provides guidelines to assist in planning and governing the department’s activities in DSCA operations and states that DOD may be requested to provide cyberspace support services during DSCA incidents.42 Joint Publication 3-28 also explains how DOD will support 40 DOD Directive 3025.18. In addition to this directive, DOD has issued other DOD directives and instructions to guide DOD components in supporting civil authorities for specific DSCA missions. For example, DOD Directive 3025.13 provides policy and guidance on DOD support to the U.S. Secret Service and DOD Instruction 3025.21 provides policy and guidance on DOD’s support of civilian law enforcement agencies. 41 DOD Directive 3025.18 states that all requests from civil authorities and qualifying entities for assistance shall be evaluated for: legality, lethality, risk, cost, readiness, and appropriateness. 42 Joint Chiefs of Staff, Joint Publication 3-28. Page 10 GAO-16-332 Civil Support a comprehensive all-hazards response to a catastrophic incident or event, law-enforcement activities and other domestic activities, and special events such as presidential inaugurations. The publication also establishes procedures, assigns responsibilities, and provides instructions for the designation, employment, and training of dualstatus commanders for use in DSCA. DOD’s DSCA Standing Execute Order provides the authority for supported combatant commanders to conduct DSCA operations for actual or potential domestic incidents within the commander’s area of responsibility.43  In addition, U.S. Northern Command officials identified U.S. Northern Command’s Concept Plan, Defense Support of Civil Authorities Response, as a key document to guide their DSCA efforts. Specifically, the plan provides the framework for a DSCA response within the domestic portions of U.S. Northern Command’s area of responsibility.44 Further, in April 2015, DOD issued The DOD Cyber Strategy as a guide to develop DOD’s cyber forces and strengthen DOD’s cyber defense and deterrence posture.45 The cyber strategy directs DOD to develop a framework and to conduct exercises on their capabilities to support civil authorities, the Department of Homeland Security, state and local authorities, and other agencies to help defend the federal government and the private sector in an emergency, if directed. DOD officials told us that the department is in the process of implementing and tracking the status of tasks as part of the framework, to include developing cyberspace operations policies, identified in the strategy. 43 Chairman of the Joint Chiefs of Staff Standing Execute Order, Defense Support to Civil Authorities. This execute order directs DOD’s DSCA in support of the Department of Homeland Security’s National Response Framework and establishes the authorities to conduct DSCA operations through assigned and allocated forces, preidentified resources, internal resources, and large-scale response resources. 44 U.S. Northern Command, Concept Plan. U.S. Northern Command’s area of responsibility for civil support is comprised of the contiguous 48 states, Alaska, and the District of Columbia and the command may also support civil authorities’ major disaster and emergency response operations in the Commonwealth of Puerto Rico and the U.S. Virgin Islands. 45 DOD, The DOD Cyber Strategy. Page 11 GAO-16-332 Civil Support DOD Guidance Does Not Clearly Define DSCA Roles and Responsibilities for Domestic Cyber Incidents We found that DOD guidance that we reviewed—identified by DOD officials as the key documents that guide DOD’s DSCA activities—does not clearly define the roles and responsibilities of key DOD entities, such as DOD components, the supported command, or the dual-status commander, if they are requested to support civil authorities in a cyber incident. Further, we found that, in some cases, DOD guidance provides specific details on other types of DSCA-related responses, such as assigning roles and responsibilities for fire or emergency services support and medical support, but does not provide the same level of detail or assign roles and responsibilities for cyber support. In other cases, the designation of cyber roles and responsibilities in DOD guidance is inconsistent. National and DOD guidance documents highlight the importance of clearly established roles, responsibilities, and command relationships. For example, the Department of Homeland Security’s National Response Framework highlights that incident response structures should be based on clearly established roles, responsibilities, and reporting protocols.46 Also, the 2010 Joint Action Plan for Developing Unity of Effort emphasizes the importance of properly configured command and control arrangements for designated planned events or in response to emergencies or natural disasters within the United States.47 The 2014 Joint Action Plan for State-Federal Unity of Effort on Cybersecurity also emphasizes that agencies should develop, enhance, and clarify policies, roles, and responsibilities that promote a national approach to preventing, responding to, and recovering from cyber incidents.48 Further, DOD’s Joint Publication 3-12(R), Cyberspace Operations, states that clearly established command relationships are 46 Department of Homeland Security, National Response Framework, 2nd ed. 47 Department of Defense, Council of Governors, and Department of Homeland Security, Joint Action Plan for Developing Unity of Effort. In 2010, DOD worked with the Department of Homeland Security, the Federal Emergency Management Agency, and the Council of Governors to develop the Joint Action Plan for Developing Unity of Effort, which provides a framework for state and federal agencies to coordinate their response to domestic incidents and describes the general arrangement of the dual-status commander construct. 48 Council of Governors, Department of Homeland Security, and Department of Defense, Joint Action Plan for State-Federal Unity of Effort on Cybersecurity. According to DOD’s 2014 Cyber Mission Analysis Report—which DOD provided to Congress in response to a reporting requirement identified in the National Defense Authorization Act for Fiscal Year 2014—this joint action plan is a commitment by the states, Department of Homeland Security, and DOD to improve the nation's cy...
Purchase answer to see full attachment
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

Attached.

Running head: IMPACT OF CYBER-ATTACKS

Impact of cyber-attacks
Student’s name:
Institutional affiliation:

1

IMPACT OF CYBER-ATTACKS

2

Impact of cyber-attacks
Cyber incident one
One major cyber incident that continues to amaze U.S. citizens is the exposure of the 191
million voters’ database online. This data breach occurred in 2015 and involved a security
expert, Chris Vickery, who discovered that the United States database of voters was exposed
online (Finkle, & Volz, 2015). The major vulnerability that led to this scenario is poor storage
and securing of the database, leading to its exposure online. The major impact of this breach is
loss of user trust in governmental agencies and systems (Finkle, & Volz, 2015). There is need to
prevent direct sharing and exposure of such vital infrastructure to the public. The department of
defense did not give a direct comment on how they intervened in this situation but they worked
with Vickery to ensure that the database is hidden from the public.
Cyber incident two
Another core attack on critical infrastructure is the December 2018 attack on media
companies (The Guardian, 2018). This attack paralyzed disbursement of news from various news
companies including Chicago Tribune, New York Times, Los Angeles Times, and the wall street
journal. Information centers are an important infrastructure to the nation and any attack on them
could lead to non-availability of important information (The Guardian, 2018). The major
vulnerability of the system was poor management of network intrusion detection. The network
supporting the pr...

Similar Content

Related Tags