The Terrorist’s Choice: Nuclear, Biological, or Cyber Weapons

Presentation transcript:

The Terrorist’s Choice: Nuclear, Biological, or Cyber Weapons Good afternoon. Thank you for the invitation to speak today, and thank you for the warm welcome and introduction. I was asked to present some ideas on terrorist choice of weapons of mass destruction. I have worked on the problem of terrorist activities for the past 11 years at Sandia National Labs. And while we understand some things in this area very well, we are also aware of gaps in our knowledge. Today, we will look at two choices that have a lot of similarities, and one area that is somewhat different. I don’t have all the answers for you, but I hope my discussion today will provide a framework to analyze these 3 choices, and other areas of terrorist activities. First, some things about me. William G. Rhodes III Senior Manager, Sandia National Laboratories Albuquerque, NM Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

William Ury, “The walk from "no" to "yes",” Ted.com, 11/30/2010 TERRORISM “Taking an innocent stranger and treating him as an enemy who you hurt or kill in order to create fear.” There are many definitions of terrorism; here is one that I like, from William Ury, a Harvard professor and best-selling author. He mentioned this definition in a TED talk. The outcome is much the same for all definitions: it is to create fear.

FBI: 100% Chance of WMD Attack Another thing to consider is the overall chance of a WMD attack, and when it will occur. Here is a recent quote from a person who is leading the FBI WMD Directorate. There are all sorts of ideas and pronouncements on this topic. I won’t add my own thoughts on this, but I’ll let you draw your own conclusions today about if and when this will happen. I will attempt to provide facts as we understand them today about this topic, and we will explore and consider these facts together. From Newsmax.com, 2/14/11. Quotation of former Los Alamos manager now leading the FBI WMD Directorate. Vahid Majidi, FBI Assistant Director, FBI WMD Directorate, 2/14/2011

3 IDEAS Let’s set the stage for the framework of the talk: three initial thoughts to guide my discussion and your thinking.

1 Risk Matrix 2 Ideas of Terrorist Success 3 Black Swan Events Here are the three initial building blocks for our consideration. First, what are the components of risk that we need to examine to form our opinion of terrorist choice? Second, what is the outcome of an event that a terrorist would consider to be a success? Is that outcome the same as what we consider to be a success? How does the definition of success affect the choice of terrorist weapons? Third, how do we anticipate “Black Swan Events,” or high consequence, low probability events?

Risk = Threat x Consequence At Sandia, we like to frame some terrorist activities with this simple risk formula. Risk is defined as the overall risk from a particular event given a particular threat and consequence. The following slide shows an example of how threat and consequence can be considered by an analyst. Threat: Motivation; Materials & Tools; Management; Human Capital & Skills; Planning & Execution; OPSEC. Consequence: Economic; Health Effects; Psychological Effects; Infrastructure.

Risk = Threat x Consequence Review each block for threat and consequence components. Make sure to define OPSEC. The threat block can actually be further simplified for today’s discussion, because we can be fairly certain that the terrorists are motivated to acquire a WMD [and the motivation to conduct terrorism is fairly similar for each choice we are examining today]. The terrorists also have planning and execution talent, management capabilities, and can observe Operational Security. So in the threat box, we are left with two variables: materials and tools, and human capital and skills. This is very important to our discussion today. The consequences are potentially the same in each of the choices we are looking at today, but of course the degree of consequence in each of the factors can be different for each type of weapon. We’ll talk about some consequences today, but I’ll be mainly focused on the threat side of this equation, as this is the main driver for terrorist decision making. Further, the terrorist may not be able to fully control the effects of the weapon once it is employed because of cascading effects and unforeseen circumstances. Threat: Motivation; Materials & Tools; Human Capital & Skills; Management; Planning & Execution; OPSEC. Consequence: Economic; Health Effects; Psychological Effects; Infrastructure.

Ideas of Terrorist Success I’m not sure we always understand terrorists’ ideas of success. We know that the terrorists do not want to waste their lives. They also use cost-benefit analysis; for example, they want their operations to cost them just a little, but cost us a lot. Let’s look at an example.

New York Post, “Cargo-jet plot was a cheap thrill” POST WIRE SERVICES, Nov. 21, 2010 Al-Qaeda claims that security procedures which have caused concerns in the US are in keeping with their ideas of success. After the “underwear bomber” and the printer cartridge explosive plots were uncovered, the Transportation Security Agency implemented new passenger screening procedures. Inspire magazine, a Yemeni-based publication (which has links to Al-Qaeda in Yemen), claims that big strikes are no longer needed to harm the US. The magazine states: “We do not need to strike big. In such an environment of security phobia that is sweeping America, it is more feasible to stage smaller attacks that involve less players in less time to launch and thus circumvent the security barriers America worked so hard to erect.” Terrorist cost to launch this operation: $4200. US costs for countermeasures? TSA promptly banned the shipment of laser printer toner cartridges after the toner cartridge plot was uncovered. This is basically the idea of death by 1,000 small cuts, which we now know as Operation Hemorrhage by Al Qaeda.

Range of Possibilities The terrorists have a range of possible scenarios that they may consider. Banning toner cartridges does not address the systemic weakness nor the range of possibilities that the terrorist may employ. If we’re going to stay ahead of the terrorists, we must take a total systems view of the problem and address systemic weaknesses. Taking incremental steps is not helpful to improving global security. photo: from Sandia-owned photo database

Terrorists are Failure Averse Repeating the idea...3 thoughts... The terrorists don’t want to waste money or waste lives. They do apply a type of cost-benefit analysis to their plans. They also don’t want to lose face in front of their colleagues.

Black Swan Events Explain the thesis of the book, The Black Swan, by Nicholas Taleb. Before many areas of the new world were discovered, Europeans thought that there were only white swans in the world. That was all that they ever saw in their lovely parks and in the countryside. Their frame of reference was very limited, but their beliefs were fairly strong that there were no black swans. We humans tend to only believe in what we observe; we don’t venture into ideas of the unseen very often. When the first Europeans ventured to Australia, they were surprised to see black swans. They had never been seen by Europeans previously, so how could they exist? What does this story teach us about human nature and certain high consequence, but low probability events? Let’s discuss for a moment these types of events as described by Taleb. Their characteristics are as follows: photo: from Sandia-owned photo database

Attributes of Black Swan events: Unpredictable; Large Consequences; Retrospective Explainability. 1. These events are very unpredictable and very rare. For example, no one had flown jet liners into buildings before 9/11. 2. There are large consequences. For example, the stock market crash of 1987. 3. After the event is over, and we have time to think about what occurred, there is retrospective explainability. The Three Mile Island accident is a good example of this; we now understand the root cause, supporting problems, and training problems that contributed to the accident. Before the accident, we would not have been able to explain this in terms that people could comprehend. Some human weaknesses that explain why Black Swan events can occur: Error of confirmation: we focus on preselected segments of the seen and generalize to the unseen. Narrative fallacy: we fool ourselves with stories because of our desire for distinct patterns. Distortion of silent evidence: we tend to ignore what we don’t see. What we see is not necessarily all that there is to see. Recap: These are the three initial building blocks for our consideration. First, what are the components of risk that we need to examine to form our opinion of terrorist choice? Second, what is the outcome of an event that a terrorist would consider to be a success? Is that outcome the same as what we consider to be a success? How does the definition of success affect the choice of terrorist weapons? Third, how do we anticipate “Black Swan Events,” or high consequence, very low probability events? With all this in mind, let’s examine the terrorist’s choices.

Nuclear Weapons Let’s look at three terrorist choices to employ a WMD attack: nuclear weapons, biological weapons and cyber attacks. First, nuclear weapons.

There are two basic types of nuclear weapons: gun-type and implosion-type weapons. Here is a model of a nuclear weapon, the “Little Boy” weapon used in WWII. It used highly enriched uranium to produce the nuclear explosion. It is an example of a “gun type” device, meaning that two pieces of highly enriched uranium are brought together quickly, using a gun to fire one piece into the other. photo: This image is a work of a United States Department of Energy (or predecessor organization) employee, taken or made during the course of an employee's official duties. As a work of the U.S. federal government, the image is in the public domain.

Here is a model of the “Fat Man” device, also used in WWII. You can see the shape is different from the gun type weapon. The nuclear fuel for this weapon is plutonium 239. The basic principle is to implode a piece of plutonium very quickly to produce a nuclear explosion. photo: This work is in the public domain in the United States because it is a work of the United States Federal Government under the terms of Title 17, Chapter 1, Section 105 of the US Code.

Materials + Knowledge As I noted in the risk matrix, the terrorist needs two things to produce a nuclear weapon: materials and knowledge. The key is the material, which is why the President has an important goal in his agenda to secure all nuclear materials in 4 years. Around the world, there are approximately 2,000 metric tons of HEU, and 500 metric tons of Pu. Seven countries have 99% of the HEU: US, Russian Federation, China, UK, France, India and Pakistan. The world’s inventory continues to increase as India and Pakistan continue to produce HEU. The remaining 1% of the HEU inventory is spread across 40 countries in roughly 100 sites, mostly in research reactors. So, if a terrorist wants HEU, he will need to steal it or buy it. I’d like to note that these weapons are extremely difficult to make. Even having the material does not guarantee that the terrorist can make an effective nuclear weapon. Knowledge is a much harder problem to deal with...

Let’s look at the material needs for a nuclear weapon, either uranium or plutonium. Here is what U ore looks like. The U oxide is the yellow material. It has to be mined, milled, chemically processed, chemically converted, enriched to high levels of one isotope of U, U-235, and then converted into a metallic form of uranium in just the right configuration. The process is exactly in that order. This is why the IAEA and most of the world is concerned about Iranian enrichment activities, it is another link in the process to possibly produce highly enriched U for a weapon. A terrorist could not produce enriched U to make a nuclear weapon from mined U. This process really requires state sponsorship and resources. photo: I, [Jędrzej Pełka] the copyright holder of this work, release this work into the public domain. This applies worldwide. http://commons.wikimedia.org/wiki/File:Blenda_smolista.jpg

Here is an ingot of metallic uranium after it has been chemically processed. It is not very radioactive, but the technician is wearing protective gloves to prevent accidental contamination and ingestion of the contamination. photo: This work is in the public domain in the United States because it is a work of the United States Federal Government under the terms of Title 17, Chapter 1, Section 105 of the US Code. See Copyright.

Pu 94 Plutonium (239) Here is a photo of plutonium-239. It is a man-made material, and is extremely difficult to deal with from all perspectives. It is relatively radiotoxic (but not the most toxic material in the world), it is chemically difficult to process, and it behaves in many strange ways. For example, it can burn and it can quickly convert from a metal to a powder. There are about 250 metric tons of Pu worldwide in military stockpiles. There are also about 250 metric tons of Pu in civilian hands, mostly in nuclear power reactors. 12 countries have most of the Pu: US, UK, France, Germany, Belgium, China, India, Japan, North Korea, Pakistan and Switzerland. [one country is omitted] photo: Plutonium-gallium alloy ingot reclaimed from weapon pit (LLNL). Plutonium Manufacture [ http://nuclearweaponarchive.org/Library/Plutonium/index.html ]

Here is a photo of a glovebox, because handling plutonium that can burn in air requires this type of protection. Photo: LANL Credit: Paul Moniz, PU238 Science and Technology

TIME Magazine cover, “Merchant of Menace”, Feb. 14, 2005 Now for the knowledge part of the risk matrix. Recently you have been reading that some countries like North Korea, Syria and Libya have either produced or were close to producing a nuclear weapon. Where did they get the knowledge to proceed with a nuclear program? Many sources have identified the Pakistani A.Q. Khan as the source of this information.

Khan also had accomplices. These accomplices either helped Khan intentionally for ideological reasons or were just proliferating for money. Here is a picture of the Tinner brothers, who provided special needed materials for uranium enrichment to Khan. top photo: Urs Tinner, World Radio Switzerland; bottom photo: Marco Tinner, Associated Press

Changes Since 9/11 USG Position on Terrorist Capability KSM Warning USG Nuclear Security Programs USG Position: Knowledge has been disseminated through various means, so US must help protect nuclear materials around the world. Contact with former nuclear scientists from Russia and Pakistan. KSM has said the US would face a nuclear hellstorm if UBL is ever captured or killed. The US has developed Nuclear Security Programs and is working with other countries to help secure their nuclear materials.

Final thoughts on Nuclear Weapons Would probably have to steal or buy; building one from scratch would be exceedingly difficult.

Biological Weapons Now we’ll look at potential terrorist use of biological agents. There is quite a history with these agents.

Siege of Caffa The Siege of Caffa from Mark Wheelis* *University of California, Davis, California USA http://www.cdc.gov/ncidod/eid/vol8no9/01-0536.htm Caffa (now Feodosija, Ukraine) was established by Genoa in 1266 by agreement with the Khan of the Golden Horde (15). It was the main port for the great Genoese merchant ships (16–20), which connected there to a coastal shipping industry to Tana (now Azov, Russia) on the Don River. Trade along the Don connected Tana to Central Russia, and overland caravan routes linked it to Sarai and thence to the Far East. In 1343 the Mongols under Janibeg (who succeeded Özbeg in 1340) besieged Caffa and the Italian enclave at Tana (12), following a brawl between Italians and Muslims in Tana. The Italian merchants in Tana fled to Caffa (which, by virtue of its location directly on the coast, maintained maritime access despite the siege). The siege of Caffa lasted until February 1344, when it was lifted after an Italian relief force killed 15,000 Mongol troops and destroyed their siege machines (21). Janibeg renewed the siege in 1345 but was again forced to lift it after a year, this time by an epidemic of plague that devastated his forces. In 1345, diseased cadavers hurled into the city could easily have transmitted plague, as defenders handled the cadavers during disposal. Contact with infected material is a known mechanism of transmission. Defending forces retreated to Venice, causing an outbreak of plague in Italy. photo: This media file is in the public domain in the United States. This applies to U.S. works where the copyright has expired, often because its first publication occurred prior to January 1, 1923 [ http://commons.wikimedia.org/wiki/File:Greek_Fire_Catapult_(Harper%27s_Engraving).png ]

Spread of Bubonic Plague in Europe The spread of plague from the Crimea throughout Europe. The Genoese fled back to Sicily from Caffa, and carried the plague back to Europe, where it decimated 1/3 of the population. An interesting side story is that there was an inexplicable period of cold following the outbreak of plague. A theory put forward by William Ruddiman (Professor Emeritus, University of Virginia) was that so many people died that there were fewer farmers. This led to a reforestation of the farming areas and increased CO2 uptake by the trees, thereby causing a decrease in the temperature. There were other side effects: rejection of religious principles, blaming the Jews for the plague and subsequent genocide, and the start of scientific labs to discover the cause of plague. The cause of the plague was actually fleas carried by rodents.

A photo of the “black death,” plague [God’s Tokens] Photo: This image is in the public domain and thus free of any copyright restrictions. Centers for Disease Control and Prevention's Public Health Image Library (PHIL), with identification number #1957.

NOVA Science Now, History of Bio Warfare Another example of bioweapons. Centuries later, the British gave smallpox-laden blankets to Native Americans as gifts, resulting in a deliberate outbreak of smallpox and widespread death. The Germans used biological weapons in WWI, namely anthrax and glanders, to destroy animals so they could not be used for food. photo: NOVA Science Now, History of Bio Warfare [ http://www.pbs.org/wgbh/nova/sciencenow/0401/02-hist-03.html ]

Anthrax photo: This image is a work of the Centers for Disease Control and Prevention, part of the United States Department of Health and Human Services, taken or made during the course of an employee's official duties. As a work of the U.S. federal government, the image is in the public domain.

Glanders photo: This image is a work of the Centers for Disease Control and Prevention, part of the United States Department of Health and Human Services, taken or made during the course of an employee's official duties. As a work of the U.S. federal government, the image is in the public domain.

NOVA Science Now, History of Bio Warfare The Japanese in WWII developed biological weapons at Unit 731 in Harbin. They produced anthrax, botulism, plague and typhoid, and tested their toxins on Chinese test subjects. By 1945, the Japanese had produced 500 million disease-carrying fleas with plague and 400 kg of anthrax. Last, the Soviets had the largest biological weapons program known to exist. The program was halted in 1992 with the fall of the Soviet Union. photo: NOVA Science Now, History of Bio Warfare [ http://www.pbs.org/wgbh/nova/sciencenow/0401/02-hist-04.html ]

Terrorist Use of Biological Agents There have been a handful of incidents with biological agents.

The Dalles, Oregon http://columbiariverimages.com/Images04/mount_hood_the_dalles_2004.jpg In 1984 in The Dalles, Oregon, members of the Rajneeshee cult poisoned salad bars with Salmonella, sickening 751 people. The motivation for this attack was to influence an upcoming election. restaurant photos: Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. http://en.wikipedia.org/wiki/File:DallesRestaurantsCombined.jpg landscape photo: I, [John-Mark Gilhousen (en:User:Jgilhousen)] the copyright holder of this work, release this work into the public domain. This applies worldwide. In some countries this may not be legally possible; if so: I grant anyone the right to use this work for any purpose, without any conditions, unless such conditions are required by law. http://en.wikipedia.org/wiki/File:TDViewpoint.png

TIME Magazine cover, “Cult of Doom”, Apr. 3, 1995 Cult leader Shoko Asahara experimented with biological agents (anthrax), but was not successful in dispersing the agents.

Materials + Knowledge Recent advances in genetic engineering, biotechnology, vaccine production and other life sciences are rapidly diffusing knowledge, equipment and materials around the world.

The Graham-Talent Report on WMD concluded that unless the world community acts quickly, a WMD could be used by 2013. Important conclusions: “…. terrorists are more likely to be able to obtain and use a biological weapon than a nuclear weapon” “…should be less concerned that terrorists will become biologists and far more concerned that biologists will become terrorists” “promote a culture of security awareness in the life sciences community”

The material groups of bio weapons: Bacteria; Toxins; Rickettsia; Viruses

Changes Since 9/11 2009 Rumors of Plots USG Bio-security Initiatives Other Activities Smuggling of anthrax into the US from Mexico via tunnels. Team up with right-wing terrorists and hate groups. Plague accident at an AQIM site in Algeria killed 40 members of AQIM? DoS and DOD Bio-security initiatives Bio-watch program by DHS

Final thoughts on Bio Weapons Let’s go back to our ideas on the risk matrix: knowledge and materials. The knowledge to use bio agents is relatively widespread, and the materials are also available to some degree. In the past, there has been some difficulty in making an effective terrorist bio weapon because the bio agents are somewhat fragile. There is also some risk that an unknown bio agent could be developed by terrorists.

Cyber Weapons We now compare the use of cyber weapons to nuclear and biological weapons. Theoretically, it would only take a single knowledgeable person and a single computer to launch a cyber attack. Because effective countermeasures have been developed, this is not really a reasoned idea. According to computer security firms, there are hundreds to thousands of attacks each month on our personal and work computers. These are not the really effective type of attack, but they are a nuisance.

We rely on our cyber infrastructure for so much! However, things we don’t think much about are also under attack. We rely on computers and other types of programmable devices, called SCADA devices (supervisory control and data acquisition devices) to make our infrastructure work properly. These devices help properly control offshore drill rigs, help us load and unload container ships, control refinery and nuclear power operations, and are widely used in electrical power distribution systems.

Why are Cyber Threats Different? Must depend on the private sector, not the government, for security. Security costs money, and expenditures are balanced against profits. 85% of the networks in use are privately owned. Only private sector employees understand private sector infrastructure. This is a rapidly evolving threat that is dynamic in nature.

Viruses, Spyware, Spam, Phishing, Trojan Horse Source: http://home.mcafee.com/VirusInfo/
Virus: a manmade program or piece of code that causes an unexpected, usually negative, event. Often disguised as games or images with clever marketing titles such as “me nude.”
Spyware: a wide range of unwanted programs that exploit computers for commercial gain, e.g., pop-ups, monitoring web browsing, stealing personal information.
Spam: unsolicited email.
Phishing: criminal activity using social engineering techniques through email or instant messaging.
Trojan Horse: a malicious program that pretends to be benign, then does something unexpected. Doesn’t replicate like a virus.

Stuxnet Reference: w32_stuxnet_dossier from Symantec, 11/2010. Let’s explore the details of a recent cyber attack against a SCADA system that is used in Iranian nuclear activities. The name comes from keywords in the code. Amazing, groundbreaking, impressive cyber missile. It reprogrammed industrial control systems (like those used to control pipelines and power plants) and was likely produced by well-funded experts. It exploits flaws in Microsoft Windows via memory sticks. It targeted a piece of Siemens software called WinCC. It connects to the internet, other USB devices and local networks if it can. Stuxnet used 2 compromised security certificates and 4 previously unknown holes in Windows. It infected 45,000 computers: 60% in Iran, 18% in Indonesia, 8% in India. A report by Symantec Corporation judged this attack to be “one of the most complex threats analyzed. It is able to make control systems operate in a manner the attacker intended and to hide changes.” Symantec concluded that this was sabotage of the systems. Stuxnet has 8 distinct features, including anti-virus evasion, updating ability, and timing exploits. Is this the attack of the decade or a sign of things to come? This highlights the concern that attacks on infrastructure are possible, and not a fantasy of movie plotlines.

Changes Since 9/11: National Cyber Security Division and US-CERT (DHS); Cyber Command (DoD); US Cyber Security Coordinator
Strategic Objectives: To protect the cyber infrastructure, NCSD has identified two overarching objectives: to build and maintain an effective national cyberspace response system, and to implement a cyber-risk management program for protection of critical infrastructure.
Organization and Functions: NCSD works to achieve its strategic objectives through the following programs.
National Cyberspace Response System: The National Cyber Security Division seeks to protect the critical cyber infrastructure 24 hours a day, 7 days a week. The National Cyberspace Response System coordinates the cyber leadership, processes, and protocols that will determine when and what action(s) need to be taken as cyber incidents arise. Examples of current cyber preparedness and response programs include:
Cybersecurity Preparedness and the National Cyber Alert System - Cyber threats are constantly changing. Both technical and non-technical computer users can stay prepared for these threats by signing up for the National Cyber Alert System to receive current information.
US-CERT Operations - US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.
National Cyber Response Coordination Group - Made up of 13 federal agencies, this is the principal federal agency mechanism for cyber incident response. In the event of a nationally significant cyber-related incident, the NCRCG will help to coordinate the federal response, including US-CERT, law enforcement and the intelligence community.
Cyber Cop Portal - Coordination with law enforcement helps capture and convict those responsible for cyber attacks. The Cyber Cop Portal is an information sharing and collaboration tool accessed by over 5,300 investigators worldwide who are involved in electronic crimes cases.
Federal Network Security (FNS): The Federal Network Security branch serves as the single, accountable focal point for achieving an enterprise model dedicated to federal cyber infrastructure security. FNS is driving change across federal executive civilian departments and agencies that will enhance the cybersecurity posture of the federal government.
Cyber-Risk Management Programs: Through Cyber Risk Management, the National Cyber Security Division seeks to assess risk, prioritize resources, and execute protective measures critical to securing our cyber infrastructure. Examples of current cyber risk management programs include:
Cyber Exercises: Cyber Storm - Cyber Storm is an international cybersecurity exercise series that takes place every two years (February 2006, March 2008, Fall 2010) to assess preparedness capabilities in response to a cyber incident of national significance. Cyber Storm was the Department of Homeland Security’s first cyber exercise testing response across the private sector as well as international, federal and state governments.
National Cybersecurity Awareness Month - Every October the National Cyber Security Division coordinates with multiple states, universities and the private sector to produce National Cybersecurity Awareness Month.
Software Assurance Program - This program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to improve the routine development and deployment of trustworthy software products. Together, these activities will enable more secure and reliable software that supports mission requirements across enterprises and the critical infrastructure.
DoD: "To prepare our military for emerging cyber threats, we have developed a DoD Cyber Strategy. This strategy holds that our posture in cyberspace must mirror the posture we assume to provide security for our nation overall. Namely, our first goal is to prevent war. We do this in part by preparing for it. And we do so while acknowledging and protecting the basic freedoms of our citizens."
US Cyber Security Coordinator: President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America's economic prosperity in the 21st century will depend on cybersecurity.” As a result, the President directed a top-to-bottom review of the Federal Government's efforts to defend our information and communications infrastructure, which resulted in a report titled the Cyberspace Policy Review. To implement the results of this review, the President has appointed Howard Schmidt to serve as the U.S. Cybersecurity Coordinator and created the Cybersecurity Office within the National Security Staff, which works closely with the Federal Chief Information Officer Vivek Kundra, the Federal Chief Technology Officer Aneesh Chopra, and the National Economic Council.
Near Term Actions: The President’s Cyberspace Policy Review identifies 10 near term actions to support our cybersecurity strategy:
Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities.
Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.
Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
Initiate a national awareness and education campaign to promote cybersecurity.
Develop an international cybersecurity policy framework and strengthen our international partnerships.
Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure.
Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.

Final thoughts on Cyber Attacks Widespread knowledge and materials. However, few attackers are capable of producing a Stuxnet attack. It took a dedicated, well-funded and talented team to launch this attack. Many attackers are capable of producing other, less sophisticated attacks.

“Prediction is very difficult, especially about the future.” Niels Bohr, 1922 Nobel Prize Winning Physicist. Source: Niels Bohr. (n.d.). BrainyQuote.com. Retrieved February 27, 2011, from BrainyQuote.com Web site: http://www.brainyquote.com/quotes/quotes/n/nielsbohr130288.html Let’s think about each of the different attacks now and try to figure out what a terrorist might do.

3 CHOICES Terrorists must weigh the cost-benefit options available to advance the cause of the organization. Some additional factors include: tactical, strategic, ideological, and psychological.

Delphi Survey

Rank   Weapon Type           Average Rank
1      Chemical Weapon       1.3
2      Radiological Weapon
3      Biological Weapon     2.7
4      Nuclear Weapon

Expert elicitation of 20 experts. Ranking of weapon type from most likely to be used by jihadists in a WMD attack within the next 5 years. This analysis is consistent for the same question for the next 10 years, but changes for the same question for the next 25 years. In that time period, biological weapons trade places with radiological weapons.

Delphi Survey Results The experts believe that the probability of a WMD attack increases with time; in this case the graph shows the probability increasing by a factor of 4 between the years 2013 and 2033. The survey was completed in 2008. Source: Jihadists and Weapons of Mass Destruction, Eds. Ackerman and Tamsett, CRC Press, 2009, pp. 379-395

Final Thoughts Cyber is not included in the comparisons because it is usually not regarded as a WMD. But, if you consider the potential consequences of a major cyber attack, I think that most people would agree that it could be used as a WMD agent. Given that bio weapons have been used by relatively unsophisticated terrorists, it seems to me that this is the most likely weapon of choice. The material and knowledge are widespread. Nuclear weapons are much harder to imagine for me. While some people say that the knowledge can be obtained through hard work, and the materials could be purchased on the black market, the only entities that have produced a nuclear weapon thus far have been nation states. I feel much the same way about a cyber attack. To mount a truly effective WMD style attack, a well funded, knowledgeable team would have to work many months to pull off a STUXNET type attack. Well, we have spent a lot of time exploring some very depressing topics. Let’s conclude today’s talk on a positive note. Let’s go back to our definition of terrorism.

“Thank You”