Cyber-Terrorism in Homeland Security Policy, Term Paper Example

Abstract

Since the precipitous events of 9/11 and the overall attention to the scope of terrorism internationally, a number of strategic commissions have been instrumental to configuration of security measures and attendant legal rules toward risk mitigation of cyberspace attack. The National Strategy for Securing Cyberspace released in February 2003 contains recommendations regarding critical infrastructure vulnerable to cyber invasion including industrial computer systems monitoring chemical, electrical, water and the various energy industries. The foregoing essay looks at the development of cyber law in the United States and subsequent uniform regulatory measures within Homeland Security protocol.

Introduction

Critical infrastructure  as defined in the U.S. PATRIOT Act of 2001 are those  “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (Shea, 2). Industries subject to significant scrutiny post 9/11 such as the chemical and arms manufacturing sectors, target dual risk management measures toward mitigation through: 1) Supervisory control; and 2) Data acquisition (SCADA) and distributive controls systems etc. The potential impacts of cyber-terrorism has made lessons learnt queries elaborated by both policy and risk subject matter experts central to combating the dangers of potential attack.

Much of the foregoing discussion looks at the impetus for advancement of systems of ‘standardization’ in light of emergency response, and reflection on the limitations that unique legacy systems once believed to be significant internal measures of security. In relation to those interpretations, are international recommendations toward furtherance of national security capacity, and especially in regard to fiscal oversight of energy infrastructure grid management systems as articulated in the Final Report of the Counter-Terrorism International Conference, Riyadh, February 5-8, 2005 toward development of Financial Intelligence Units (FIUs) in cooperation with private entities in the oil industry, and energy sources.

Primary conduits for remote sensing of raw data and commands out of control centers, SCADA systems are software  building blocks to industrial control systems. Utilized for monitoring and sending commands to valves and switches, the data managed by these systems controls regulate flow rates and pressures in oil and water distribution. Analysis is generally conducted at a centralized location in multi-scaled networks which makes the SCADA systems highly vulnerable to implantation of faulty data by way of remote access; particularly dial-up modem connections employed for systems maintenance.  Chemical targets would be the most viable site of attack in this case as reactors might be tampered with by improper leverage of control rate of mixing; hence raising the temperature of the flow to explosion level.

Other vulnerable targets assessed within the PATRIOT Act and The National Strategy for Securing Cyberspace released in February 2003 are industrial control systems architecture that include supervisory control and data acquisition systems such as Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC). PLC devices are automated monitoring switched for control of industrial plants, and are generally used for manufacturing facilities. Internal command data is calculated process, with little provision of external data. The PLC offer flexibility in that they can control from one machine to an entire system of manufacturing technologies. Networked PLC also control channel manufacturing relationships, and an industry might use the infrastructure to link refinement and processing to holding and distribution as seen in oil and gas, so that all operations and logistics are controlled and managed through one information sharing database. The incorporation of DCS into a PLC network is common, as the DCS allow accurate control of steps within processes like refinement. SCADA systems are implemented at the decoupling point, and further the PLC industrial channel at time of holding and distribution.

Given the fact that industrial control systems may be vulnerable to infiltration by varied channels, yet most likely offsite, including wireless transmission, direct access networks, maintenance of dial-up modems, and of course the internet, remote systems architectures have been cited as the core concern of infrastructure risk reviews. Many infrastructural networks were updated in response to the Y2K crisis, and the events of 9/11 increased the level of state involvement in public-private partnered energy reserves. Exponential information systems are of key concern, as SCADA systems provide a ready target for destabilization of shared knowledge networks that have the potential to sabotage an entire range of business and operational control relationships.

One of the biggest challenges to monitoring and regulating industrial infrastructure control systems is the persistence of ‘legacy systems’ or older propriety architectures that are non-standard to command syntax. Seemingly intended as measures of security and custom operational efficiency meant to serve the companies and those industries that they were originally built for, counter-intuitive logics implemented into unique secured networks have at times made emergency response difficult as legacy systems may have employed several authors at time of codification.  The downside of continuity in highly unique systems architecture also may add to degradation of performance as new technological inputs within a particular industry are made standard. Open source software optimizes programming competency and ensures apt protective measures; despite the dangers of universal source code accessibility. Enforceability of federal or extra-territorial security specifications is lauded by the cyber-security community both domestically and internationally, and security analysts argue that obscuring knowledge of industrial control systems is less pertinent than ten to twenty years ago, if nothing else due to the sheer magnitude of the population of IT engineers globally. Still systems specification should be modeled on control system architecture type, and platforms must be met with adequate firewalls, intrusion detection, encryption and the like.

Opponents of the The National Strategy to Secure Cyberspace state that the framework exaggerates the need for infrastructural control policy as the impact precisely for the aforementioned fact that policy, and even criminal statute are subject to temporal lapse comparatively with advancements in technological capacity across the board. The propensity of hackers to deploy infrastructural terrorism with minimal resource other than some training in computer systems architecture and coding leaves open an entire array of opportunities for catastrophe through fairly simple attacks on national public-private energy grid systems.

Much of what the U.S. Federal government has done in response to 9/11 and the jurisdictional oversight of the Department of Homeland Security (DHS) formed by President Bush in 2002 is predicated upon law enforcement of regulated systems mechanisms. Forensic analyses constitute a large part of the Department’s administrative activities, and allocation of Congressional monies toward joint partnership with private expertise in the cyber-security sector encourages new innovations in research and development toward this end.

DHS strategic responsibilities in this area extend to federal crisis management response and entail ongoing development of an up-to-date: 1) comprehensive national plan for continued security in cyber-systems; 2) crisis management in response to attacks on critical information systems; 3) technical assistance to private sector and other government entities in regard to urgent recovery plans following emergencies; 4) coordination with other agencies in the federal government in design and education on protective countermeasures and warnings at the state, local and NGO organization levels; 5) performing and funding research with new scientific developments in security technologies as a goal; and 6) and serving the general public as a federal center for cyber-security (DHS).

In 2003, pursuant to section 994(p) of title 28, United States Code, the United States Sentencing Commission submitted to Congress amendments to the sentencing guidelines toward conviction of parties in violation of Section 225 of the Cyber Security Enhancement Act of the Homeland Security Act, 2002. The amendment:

“modifies §2B2.3, to which 18 U.S.C. § 1030(a)(3) (misdemeanor trespass on a government computer) offenses are referenced, and §2B3.2, to which 18 U.S.C. § 1030(a)(7) (extortionate demand to damage protected computer) offenses are referenced to provide enhancements relating to computer systems used to maintain or operate a critical infrastructure, or by or for a government entity in furtherance of the administration of justice, national defense, or national security. The amendment expands the scope of existing enhancements to ensure that trespasses and extortions involving these types of important computer systems are addressed” (Homeland Security Act, Amendment).

Although ‘government entity’ is defined as any infrastructure having to with state administration, and crimes in this regarding including things like fraud, the major emphasis on enhancements to convictions are stipulated to be in support of sentencing for 18 U.S.C. § 1030(e)(9).Section 2B3.2(b)(3)(B)(V) offers provision in the area of infrastructure, and violation of the rule as “damage to a computer system used to maintain or operate a critical infrastructure, or by or for a government entity in furtherance of the administration of justice, national defense, or national security” (Homeland Security Act, Amendment 2003).

Nearly a decade after the shocking and seemingly random catastrophes that resulted in response to the actualized terrorist threats of 9/11 the United States works actively toward results in the area of counter-terrorism. As scholars on the topic often argue, the two most prolific and potentially disastrous threats to national security are probably in the fields of bio-terrorism and cyber-terrorism of key energy grid systems infrastructures. In consideration of the topic of cyber-terrorism the preceding discussion has examined the history of systems architecture security in the United States, and the presented a summary of concerns in administration of federal oversight and emergency systems response. Specialists in the field of IT security contribute parallel insights into the legislative policy dialogue, as they share the transformations in control systems technologies, and methods of standardization of risk mitigation controls into industrial systems that contain a number of platforms for operations integration of channel manufacturing and distribution flows. Practical lessons learnt from those insights include dual human/IT procedures toward gatekeeper functions that allow for standardization of networks with retention of unique internal controls.

In the context of new market energy alternatives that require distinct refinement and logistics data controls and information sharing networks, it is likely that there will be a continued expansion of IT systems network options within industrial control systems management, rather than greater restriction toward universal standardization – at least industry by industry. As most alt.energy sources are industry responsive products to the Kyoto Accord and subsequent global greenhouse gas emissions reductions legislation within international trade law, those markets are forging new inroads outside of the Homeland Security Act’s original vision. What this means for the DHS and other national regulatory commissions only time will tell. However, what is not mentioned in depth within the Cyber-Security Enhancement Act of 2002, its amendments nor the other Acts discussed in the essay is the proliferation of nuclear energy reconfigured as a ‘clean energy’ strategy to emissions reductions; and with it a partial blind side in total cyber-security control.

References

Antal, J. Counter-terrorism multipliers needed for 2010. Military Technology, 34(4), 2010: 4.

CTIC Final Report. Counter Terrorism International Conference, Riyadh, February 5-8. 2005. Web.

Cyber Defense Technology Networking and Evaluation. Association for Computing Machinery. Communications of the ACM, 47(3), 2004: 58-61.

Dakin, R., Newman, R., & Groves, D. The Case for Cyber Security in the Water Sector. American Water Works Association. Journal, 101(12), 2009: 30-32.

Davis, B. J. Prepare: seeking systemic solutions for technological crisis management. Knowledge and Process Management, 12(2), 2005: 123-131.

Gorman, S. U.S. news: Electricity industry to scan grid for spies. Wall Street Journal (Eastern Edition), 2010: A3.

Amendments to Section 225 Cyber Security Enhancement Act ,2002, 2003. Washington, D.C.: Department of Homeland Security. House panel advances bill giving FERC new grid protection powers. Energy Daily, 4, 2010.

Kingsbury, A. A national power grid that thinks. U.S. News & World Report, 147(4), 2010: 37-38.

Lozowski, D. Securing chemical process facilities. Chemical Engineering, 114(1), 2007: 16-19.

McCollum, T. Report targets U.S. cyber-security. The Internal Auditor, 60(1), 2003: 18-19

Shea, D.A. Critical Infrastructure: Control Systems and Terrorist Threat. Report for Congress. Congressional Research Service, 2003. Washington, D.C.: U.S. Congress.

Stephens, B. Hiroshima, 2.0. Wall Street Journal (Eastern Edition), p. A.13, 2009.

Stone, A. Gatekeepers. Federal Times, 46(9), 2010: 11-13.

U.S. Department of Homeland Security, 2010. Web.

U.S. PATRIOT Act, 2001. HR 3162 RDS 107th Congress 1st Session, H. R. 3162. U.S. Senate, 24 October, 2001. Washington D.C.: U.S. Senate.

Wright, D. P. et al. A survey of operations research models and applications in homeland security. Interfaces, 36(6), 2006: 514-529,617-618.