Monday, March 30, 2015

Hackers, Crackers and Cyberterrorism

Eric J. Gates


Hello Everyone!  This morning on 911 we have the mysterious thriller-writer Eric Gates as our guest on Author 911. Eric is the author of the highly acclaimed Cull Series and Outsourced, Full Disclosure and How Not to be An Aspiring Author. His books are amazing and so is his wealth of information about things most of us don’t know about!  So, move over Patricia Arquette, we’ve got the real deal.

Hi Eric, many, many thanks for joining us this morning on Author 911 to talk about cyber terrorism. Authors have been writing about this fear for years, particularly Tom Clancy in Clear and Present Danger, The Sum of All Fears, and Patriot Games, and you have done extensive development with SANTA in The Cull Series and other systems in your other books.  Can you talk about them for us and how you used information in the development of these systems?  But first, for the purposes of our discussion can you offer a definition of cyberterrorism?


Steering away from a standard dictionary definition, I think it’s better if we turn back the clock a little and explain some of the basics.  Back in the day when I first became involved with Information Technology Security (note, we don’t say Computers as this somewhat prophetic phrase foresaw the use of IT in many other manifestations, some of which we now call smartphones, tablets, cars, traffic systems, hospital systems and a long list of etcs), those who wanted unauthorized access fell into two camps: the hackers and the crackers.  The former treated their exploits as puzzle-solving – a game mentality pervaded and it was all about circumventing the controls over access and either leaving a mark (Kilroy was here) or taking a copy of something to prove they had succeeded.  The cracker, on the other hand, used the same methods but to steal information or destroy it or the systems that managed it.  They were motivated by their beliefs or by money (industrial espionage).  Cyberwarfare (the use of IT as a means to wage war) was born more from the crackers than the hackers, although covert cyberspying follows many of the tenets of the hacker (success is not leaving any trace of your exploit).

As in conventional warfare, the cyber battlespace (military term for where the war is fought) came into its own once the Internet and the World Wide Web became prevalent.  Prior to this, to successfully ‘hack’ and target a system you had to be in the same room as the machine or find a way to interface with that machine by introducing code into it (Trojan Horse anyone?).  This doesn’t necessarily imply that all cyberwarfare is done by people sitting in secure rooms behind rows and rows of computer monitors.  I still recall a couple of really innovative instances where the internal chips of photocopiers and printers were modified to store images of everything that passed through them; then they were sold on the Black Market to countries considered enemies.  That’s cyberwarfare too.

So, where do these neat ‘hacking’ tools come from?  Well, believe it or not, there’s a supermarket of sorts.  By now just about everyone has heard of the Dark (or Deep) Web, Darth Vader’s version of the Internet.  Let’s digress a minute and I’ll explain this.  Imagine the largest shopping mall in the World has just opened in your city.  You visit it for the first time and the very first thing you do, after walking through the doors, is consult the layout plan which tells you where every store is and what they sell.  That’s the Internet, made up of millions of individual computers and servers full of all kinds of information and INDEXED by the Search Engines we use every day.  Now, outside the mall, a huge chunk of the car park is taken over by a mish-mash of stalls selling all kinds of stuff.  There’s no real order to this flea market; no easy way to locate where a given product is being sold – in short NO INDEXING.  This is the thing that gives us that Aladdin’s Cave thrill of discovery as we wander the aisles and encounter the unexpected.  That’s the Dark Web.  Those stalls are invisible as far as the mall’s layout plan is concerned and they use this very factor to sell everything from drugs to weapons to… you name it.  They also sell ‘hacking’ tools: bits of code or keys that have the specific purpose to break into IT systems and to steal and/or destroy the information held there.  And this may come as a surprise to you: our Governments shop there too!  In fact, they are one of the major buyers on a regular basis – that’s the equivalent of an Army buying from an Arms Dealer, so nothing new there.  As a Brit by birth living in a Spanish-speaking country, I used to be asked frequently who won the war in the Falklands/Malvinas?  My response was always the same: the French.  Once the look of bewilderment settled on the face of my questioner, I pointed out they were the ones selling weapons and support to both sides.

Now you don’t have to be a nation state to buy stuff in this supermarket, just know how to access the Dark Web and where the appropriate stalls can be found.  Then it’s just a case of finance.  When individuals or terrorist cells purchase their ‘weapons’ there, that’s when you have ‘cyberterrorism’.  Mainly their goals and motivations are similar to those of the aforementioned crackers.  They attack what we call Critical Infrastructures, the backbone of our way of life.  This could be the electrical grid, power stations, communications, hospitals, and another long list of etcs.  The recent attack on Sony was not a Critical Infrastructure attack, rather a Critical Asset attack (in that only Sony and its competitors were affected – there was no domino effect on US Infrastructure).  The retaliatory (?) dysfunction of the Internet on several occasions in North Korea, however, was a Critical Infrastructure attack.   

Now specifically, the IT systems I refer to in my novels are either generic (i.e. invented by me as a device for the novel but based upon existing technology – such as the SANTA system in ‘the CULL’ series) or real (the systems mentioned in ‘Outsourced’, although I tasked them to novel-specific targets).  SANTA is basically a surveillance system powered by Artificial Intelligence which allowed me to permit its ‘growth’ as the novel series progressed – it changed in the same way as the two protagonists changed, acquiring (revealing) new skills that helped it, and the tale, evolve. Does SANTA exist? Probably, and that’s scary: imagine you find yourself on a no-fly list because a computer system didn’t like the websites you visited. If you really want to blow your mind, read Book 3 (the CULL – Blood Feud) then follow the clues using my website as Katie’s writer friend’s site. I’ve left a nice Easter Egg there for fans of the series… or is it?
Sorry about the long answer but it’s a complex subject and difficult to summarize in a couple of paragraphs.


I know you have an extensive and impressive background in information systems and information security.  Can you tell me about your experiences in this area?


For over forty years I was a Consultant specializing in IT Security Internationally. My clients were as varied as you could imagine and most of the projects I worked on are as classified and secret today as they were when they were live. And yes, there have been hidden microphones, car chases, people following, threats, and all manner of things I cannot go into – let’s just say my martial arts skill came in handy more than once. It was exciting work… and boring work – there never seemed to be any middle ground. I’ve broken cryptographic systems with pencil and paper in a room full of ‘interested parties’ in a very Agatha Christie moment, broken into systems and buildings to test their security (got shot at once too), even jumped from one rooftop to another between a couple of skyscrapers (not something I wish to repeat). No, I’m not Jason Bourne! Nowadays, I just write about that stuff – it’s much harder!


I have always heard that some of the most vulnerable areas of attack in the US, and anywhere else for that matter, would be any military system infrastructure, the power grid, water storage defenses such as dams that can be manipulated to cause massive flooding, etc.  What systems do you view as our most vulnerable?  How do you assess the risk of cyber terrorism against the West?


Going back to my first answer, Critical Infrastructure is a concept we have been talking about for over thirty years.  It’s not a question of which is the most vulnerable system, but which system is made most vulnerable because of the lack of effort put into protecting it. When an army, or individual, attacks a fortress, they will always attack the weakest point. With Critical Infrastructure, any weak points, through the domino effect, will always lead to indirect damage in associated systems. A simple example in your terrain, Judith: an attack takes place on the electricity grid. This doesn’t have to be a logic bomb; it could be something as simple as a major blackout caused by a physical device taking out a power station (explosives or ElectroMagnetic Pulse weapon). Result: no power. Now Judith’s hospital has Uninterrupted Power Supplies for its critical systems, and in-house generators that kick in to allow the hospital to keep functioning.  But, whilst management have spent millions on ensuring their tech keeps working, no one has given any thought to maintaining communication with staff. No power means cellphone relay towers are down, phone batteries die and cannot be recharged. Key staff, off-site when the emergency occurs, cannot be located. They become the critical infrastructure.

To factor in the plausibles and possibles you need professionals with peculiar mindsets to produce effective Critical Infrastructure Recovery and/or Disaster Recovery Plans and most organizations do not have these people on staff as they are too specialized for most business structures especially in times of financial crises such as we have all experienced. This is defensive Cyberwarfare and unless your Fortress is protected, you shouldn’t be going all-out offensive.


Wow, Eric, that example is so likely to happen someday. Nothing good can happen in a hospital, or any complex system without communication. Perhaps some of this content should be integrated into their Disaster Plans and operating documents. 

What are your thoughts about cyberterrorism and surveillance systems?  How are they used in counter terrorism or terrorist activities?


There’s an on-going battle between the need to protect our liberties and the need to retain our privacy. In all ‘business’ ventures (and the military and Intelligence circles are just that albeit using different terminology), exaggeration of potential threats (crying ‘wolf’) is a tried and trusted tactic to obtain a larger share of the budget. Yet, it’s been my experience that most of the measures undertaken happen AFTER the risk materializes. I remember once being asked to perform a risk analysis on the probability of a Financial Institution’s Data Centre being taken out by a flood (it was in the basement of a building). I pointed out the flood in question had occurred the previous month! All they were looking for was a chunk of paper to justify a bigger budget. That’s the wrong mindset, and that’s why far more money is allocated to FEMA (in the States) than to effective Critical Infrastructure protection and education. There’s an old saying about an ‘ounce of prevention’, right?
Surveillance systems are a part of our lives now. The question isn’t, should we allow more to be installed, but how can we ensure those who use them don’t abuse them. I remarked to my wife last week as we watched the news from France regarding the terrorist attacks how I expected most EU countries to announce measures to facilitate Internet surveillance by Law Enforcement and Intelligence Agencies within two days – I was wrong: France, the UK, and Spain announced new laws the very next day.
Will this be effective? There’s another adage called Information Saturation (better known as not being able to see the wood for the trees) – if the results of surveillance produce far more data than we can process, what’s the point of adding more data gathering? Surely we should concentrate on improving how efficiently we utilize what we have. Currently it seems we collect info only to cover our backs when post-incident investigations are under way.

Do you think al Qaeda, ISIS, Taliban, and other extremist groups have the skill sets needed to damage the west?  How about other areas of the world?


The concept of small cells or ‘lone wolves’ can easily be applied to the battlespace of Cyberwarfare. Keep in mind that ‘hacking’ and ‘cracking’ predated the Internet era – don’t believe me? Look up Phone Phreaking on Google. Remember, as long as you have the cash, the stalls of the Dark Net are open to all.


Eric, many thanks! This information, while more than scary, can give us many ideas in our thrill writing.  We’ll see you again soon back on Author 911.


Thanks, Judith, as always for having me!

Latest: Outsourced

What's the deadliest gift a fan could send to a novelist? And if that fan was a professional assassin?

the CULL- Bloodline, the CULL - Bloodstone, the CULL - Blood Feud (the CULL series books 1-3)

FULL DISCLOSURE, Leaving Shadows and 2012,

and the non-fiction
How NOT to be an ASPIRING Writer

AMAZON (paper & e-book) and bookstores worldwide.

check out Eric Gates Website to read extracts and discover the inside secrets...

follow me on Twitter: @eThrillerWriter and on my Blog
