“[The] threat will involve the joining of the growing cyber-crime capability we see today with the terrorists' realization that the cyber realm is ripe for exploitation and that joining with cyber criminals will be their path to that exploitation.” - Steven Bucci, IBM (2010) “It is clear that terrorist groups are using computers and the Internet to further goals associated with spreading terrorism. This can be seen in the way that extremists are creating and using numerous Internet websites for recruitment and fund raising activities.... Several criminals who have recently been convicted of cybercrimes used their technical skills to acquire stolen credit card information in order to finance other conventional terrorist activities.” - Clay Wilson, CRS (2008) So far, the customary practice of nations in cyberspace seems to be, "Do unto others whatever you can get away with." Sadly, until a major player like the United States suffers a catastrophic cyber event, it appears likely to stay that way. – Gary D. Brown, Joint Forces Quarterly (2011)

Sources: National Commission on Terrorist Attacks Upon the United States, UN Monitoring Team Report on al-Qaeda and the Taliban, The United Kingdom Home Office, FBI, Intelligence Bureau (India). AttackDateEstimated Cost in USD Operation HaemorrhageOctober 2010$4200 Failed Times Square Bombing05/01/10$13,000 – 15,000 Mumbai Attacks11/11/08~$750,000 London Transport System07/07/05$15,000 Madrid Train Bombings03/11/04$10,000 Jakarta Marriott Hotel Bombing08/05/03$30,000 Bali Bombings10/12/02$50,000 9/11 Attacks09/11/01~$500,000 USS Cole Attack10/12/00$10,000 Estimated Costs of Physical Attacks

Estimated Costs of Virtual Attacks? Costs are most often represented in lost sales or remediation and clean-up efforts Extraordinary challenge to figure out “how much” it cost to create attack software Recent attacks show that sometimes “simple” moves can have surprisingly powerful effects

 The Kroll annual Global Fraud report notes that 2010 marked the first time ever that the cost of electronic theft has topped that of physical theft.  Attacks now shifting from financial fraud and espionage to disruption and destruction.  North Korea, Iran, China, all have cyber military units that many experts suspect are moving into disruption and destruction Data Points

Differentiations  Hacktivists  Cybercriminals  Warriors

Politically-Oriented Groups Lulzsec Malsec Spexsec

Major Trends in 2012

Rapid Rise in Social Networks If Facebook were a country, it would be the world’s 3 rd largest Globally, people spend over 6 hours a day on social networking sites

 Social network phishing and click-jacking  Mobile attacks  Distributed Denial of Service (DDoS) Most Common Attacks

The UK founder of the infamous GhostMarket.net cyber crime forum was convicted along with three others of computer offenses linked to the theft of 130,000 compromised credit card numbers and a botnet infecting 15,000 computers in over 150 countries. In 2008 Albert Gonzalez was charged with the largest case of credit and debit card data theft ever in the United States: Stealing 130 million credit card accounts on top of 40 million he stole previously, from retailers including 7 Eleven, T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax.

Cybercriminals: Nigeria, Russia or the United States?

State-sponsored Cyber *Attack* Units: Iran, North Korea, China, Russia, United States, others?

Rapid Technological Shifts

A Proliferation of Mobile Devices

Types of Attacks that Terrorists Could Easily Employ to Raise Money Boy in the Browser Click Fraud Evil Twin Wi-Fi hotspot

Sample Suite: Karmetasploit

- Government should push industry to increase transparency on attacks and exploits - Monitor hacker community exploits and sites; ideally in multiple languages. - Encourage closer cooperation between governments to facilitate information exchange on cyber-crime and terrorism. Don't leave it up to industry. - Keep pursuing international efforts to increase cybercrime legislation and prosecute criminals. - Pursue greater governmental oversight, not just for critical infrastructure but for private companies that rely on big data. - For businesses, continuous monitoring and data analytics to flag suspicious activities. - Sponsor simulations for hackers to raise fast cash for a terrorist attack given openly available tools on the Web. - Generate awareness that cyber attack is unavoidable, and that security is a process, not a product. Recommendations

“Industry and private sector companies have a vested interest in maintaining adequate security and that regulation should be kept at a minimum. But companies have always had that interest, and to date it has not translated into adequate security.” -- William Jackson, Government Computer News Most of my working life has been in CID and counter-terrorism. I don't think that in the future detectives will be equipped to be able to deal with these things if they don't understand the nature of cybercrime and I think that multinational organisations, public and private organisations, need to ensure that they understand the threats to their organisation." -- Janet Williams, Lead on cybercrime at the Association of Chief Police Officers …The media narrative du jour: The digital sky is falling! Hackers are causing internet Armageddon! Wait, never mind, not quite yet! Also: The Justice Department thinks all hackers are cyber terrorists! And: Homeland Security loves hackers and wants to hire them! It can't be all of those things at once. Though somehow it is. -- Simon Dumenco, AdAge.com