The Foreign Service Journal, December 2005

sulates can be vulnerable to cyber- exploitation. As physical security measures continue to improve — first after the 1998 embassy bombings in Nairobi and Dar es Salaam and then again following the 9/11 attacks — cyber-attacks may be a preferred modus operandi for those bent on caus- ing harm, stealing information or gaining access. The armed guards, ballistic glass and vehicle set-backs found in virtually every U.S. diplomatic facility are of little value if the attacker’s weapons are ones and zeros. Combination attacks are now a legitimate concern. A suicide attack on an embassy, combined with a simultaneous cyber-attack, could incapacitate communications, impair the emer- gency response and even prime the facility for a follow- on assault minutes later. Thus, a complete security strat- egy must embrace not only robust physical safeguards but also complementary cybersecurity measures, rang- ing from password management to intrusion detection systems. Not Just for Crooks Cyberthreats to State Department systems originate from three primary sources: terrorists, criminals and for- eign governments. While their motivations may be dif- ferent, all three groups view State’s computers as trea- sure troves of information about personnel, policy, intel- ligence and local operations. Adversaries value such information both for its specific value and as a comple- ment to data gleaned from open-source surveillance and reconnaissance. And all three types of opponents use well-known hacking methods to tap into U.S. govern- ment computers. Consequently, distinguishing the criminal hacker seeking economic gain from a terrorist or foreign government bent on attack or espionage is a challenge. Commenting that terrorists are now using many of the same tech- niques as hackers, a branch chief from the State Department’s Anti- terrorism Assistance Program re- cently stated that “the same tech- nique that a hacker would use … will be utilized by somebody with a different political motivation.” The inference is that common hacking tools are not simply for high-tech crooks but are also used by more potent adversaries for a variety of nefarious ends. For example, when terrorists struck in Bali, Indonesia, in October 2002, killing over 200 people, authorities traced the attacks — which tar- geted nightclubs packed with foreign tourists — to the South Asian terrorist group Jemaah Islamiya, linked to al-Qaida and designated as a foreign terrorist organiza- tion by the State Department. JI is also believed to be responsible for the Bali bombings that killed more than two dozen people this past October. Although some of JI’s terrorist-members, including 2002 bombing mastermind Samudra (like some Indonesians, he only uses one name), have been arrest- ed and sentenced to death by Indonesian courts, the danger posed by such figures extends beyond the physi- cal world and into cyberspace. From his prison cell, Samudra has authored an autobiography in which one chapter encourages followers to use the Internet to com- mit fraud and money laundering as a means to finance terror operations. The chapter titled “Hacking, Why Not?” underscores the growing threat of terrorists who are as adept with a mouse and keyboard as they are with a satchel of plastic explosives. As a user of the Internet, the State Department is also vulnerable to the “normal” perils of the World Wide Web. Spam, phishing schemes, viruses and worms cir- culate in cyberspace, indiscriminately targeting unpro- tected systems. In September 2003, the Welchia worm infected some State Department networks. The infec- tions forced technicians to shut down some computers, temporarily disrupting the functionality of the depart- ment’s Consular Lookout and Support System, a data- base used to screen visa applicants for potential criminal or terror-related ties. F O C U S 44 F O R E I G N S E R V I C E J O U R N A L / D E C E M B E R 2 0 0 5 Steven Roberts writes and speaks frequently on home- land security issues, with a special emphasis on critical infrastructure protection, cybersecurity and terrorism. His recent audiences have included the Departments of Defense, Justice and Homeland Security. The armed guards, ballistic glass and vehicle set-backs found in virtually every U.S. diplomatic facility are of little value if the attacker’s weapons are ones and zeros.