By Rob Strayer
It is an unfortunate modern reality that cyber attacks are commonly used to steal money from businesses and individuals. Cyber attacks that disrupt or destroy physical assets, on the other hand, have been rare up to this time. And attempts by terrorists in particular to use a cyber attack to destroy critical infrastructure or cause the loss of life have remained largely speculative in nature. The news over the weekend that a terrorist organization was able to finance its activities by hacking AT&T business customers’ telecommunications accounts represents a new and disturbing development in the use of cyber attacks by terrorists. The hackers gained access to the customer telephone accounts and used them to make calls to illegitimate toll-telephone numbers they controlled, which caused payments to be made to them.
Government officials have identified the terrorist group that benefited from this attack as one that was also involved in financing the November 2008 Mumbai, India, terrorist attacks. In total, the authorities believe $2 million was pilfered through this fraud. That level of funding could have gone a long way to financing the Mumbai attacks, and the fraud was committed between 2005 and 2008 – the years leading up to those attacks.
It is not surprising that terrorists have begun to use these criminal cyber schemes to finance their activities as the regular banking system has become a less susceptible conduit for terrorist financing. It is also a logical step for terrorists to pay criminal hackers for their assistance, as was done in this case, to exploit the fraudulent methods that they already engage in on a regular basis.
These types of fraud require a much lower level of sophistication compared to accomplishing a destructive attack on an industrial control system for critical infrastructure, of which the Stuxnet malware designed to destroy Iranian nuclear centrifuges is an example. Stuxnet’s development is suspected to have required the resources of a nation state. A better financed terrorist enterprise might one day be able to produce malware on the level of Stuxnet or indeed a much simpler virus that could have a destructive effect on infrastructure. In the meantime, terrorism financing through Internet fraud presents a serious cyber threat.
Rob Strayer is the Director of the National Security Preparedness Group at the Bipartisan Policy Center. Previously, Strayer served as the Republican Deputy Staff Director for Senator Susan Collins on the U.S. Senate Homeland Security and Governmental Affairs Committee, where he managed the drafting and mark-up of cyber security and bioterrorism legislation.