Calculating Cyber Attack Threats
Hackers, terrorists and nations all use computers, but who really is capable of damaging the critical infrastructure of the United States? The University of New Hampshire has unveiled the UNH Cyber Threat Calculator, which assesses the level of threat any attacker poses to specific sectors in the country that rely on information technology. The UNH Cyber Threat Calculator was unveiled Thursday, January 25, 2007, at the Department of Defense Cyber Crime Conference 2007 in St. Louis, Missouri. The UNH Cyber Threat Calculator was developed by researchers at UNH Justiceworks and students, and offers a new method to identify and quantify the threats posed to the United States’ cyber infrastructure. “Nation states potentially pose the greatest threat with regard to cyber security to the United States. Clearly Russia and China are two of the top countries because they have more developed capabilities, but it may not be in their interest to use cyber attacks for strategic attacks ends. Both countries have worked on doctrine and there is some evidence that they are incorporating it into their military training as well. However, individuals, political groups, religious groups and organized crime groups also pose ongoing risks and should be considered cyber threats, as well,” says Andrew Macpherson, director of the technical analysis group at Justiceworks and research assistant professor of justice studies. A cyber attack could have a significant impact in the United States. Targets could include the energy sector; emergency response and preparedness systems; financial services; and telecommunications; or even the agricultural sector. “There are increased risks as computer networks become more integrated with all aspects of our lives and infrastructure,” Macpherson says. “What we won’t see is a ‘digital Pearl Harbor.’ Using cyber attacks to take some type of infrastructure, military, or civilian out of commission is, over the long run, problematic.” To determine the overall threat level, analysts enter data for a particular organization or country into the calculator, which assigns a value to variables that measure the actor’s intent and technological capabilities. These variables assess the actor’s intent to use cyber warfare means, as well as its technical capabilities to put such means into practice. The higher number assigned to a possible attacker by the calculator, the greater the threat. For example, does the country have an interest in attacking the United States? What has been its behavior historically toward the United States? Does it have the organizational structure and operational environment to launch an attack? Does it have the economic and operational means to do it? Macpherson says it’s difficult to quantify the amount of damage that could be caused by or estimate the economic loss possible as a result of a cyber attack. An attacker may want to impact certain sectors quietly over a period of time or may seek to carry out widespread multiple sector attacks. “What is known is that the threat of a cyber attack is a real and growing concern for industry and the government alike. With approximately 85 percent of the cyber infrastructure owned by the private sector, it’s not just a government problem,” Macpherson says. To help private cyber security experts limit their exposure, UNH expects to make the calculator available to private industry security experts later this year. “These are the people who really need this information and tool to limit their risk,” Macpherson says. In June 2006 UNH staff and students presented the calculator and an analysis of cyber threats to the U.S. Department of Homeland Security’s National Cyber Security Division; and members of the intelligence community. Macpherson advises the New Hampshire Department of Justice on cyber crime. He has worked with the Department of Homeland Security National Cyber Security Division and the Internet Crimes Against research Training and Technical Assistance Program. He has served at the United Nations Criminal Tribunal for the Former Yugoslavia and Cognos. He is a graduate of the London School of Economics and Mercyhurst College. He was featured in a Discovery Channel docudrama, “Future 2057,” which aired Sunday, January 28, 2007. The three-hour show was about what life might be like 50 years from now, including changes in technology. Macpherson was sought out because of his expertise with cyber security.