Cyberterrorism: Is Italy safe? The scenarios and current countermeasures

(By Francesco Bergamo)
30/12/15

In this period there is much talk of Internet security as a means to counter terrorism. Some suggest a total blackout of the web in the event of an attack, while others would rather reinforce preventive controls. So how can the terrorism that runs on the web be stopped without harming users and the Italian companies that work online? To get to grips with the complex world of the web, Online Defense asked Corrado Giustozzi for clarification. He is one of the leading Italian cyber security experts, a consultant to the government structure entrusted with the cyber security of the Italian Public Administration (CERT-PA), and is also appreciated abroad, so much so that he has now served three mandates as a member of the Permanent Stakeholders' Group of ENISA, the European Union Agency for Network and Information Security.

Professor Giustozzi, what does web terrorism mean?

Let's start by bringing a little clarity to terms and areas. The Web is not the Internet but only one of its components; to be precise, the one that allows the "publication" of textual or multimedia information organized as a large hypertext (on so-called "sites") and the "browsing" of users between the related pages. The Internet is something different from, and more than, the Web: it is the global system of networks and protocols that ensures the interconnection and transport of information, and is therefore the "nervous tissue" that unites users, sites, devices and more. Over the Internet travels the Web, but also things that are not the Web, such as e-mail, instant messages (like Twitter), chats (like WhatsApp), phone calls (VoIP or other), connections for the exchange of files or data, those for the remote control of equipment, etc. Therefore, talking about "Web terrorism" is imprecise, or at least vague, and we need to specify better what we mean.

Therefore, speaking more properly of "Internet use for terrorist purposes" (as correctly stated in the definition adopted, for example, by the UNODC, the United Nations Office for Drug Control and Crime Prevention), we can highlight two different ways of using it: one that sees the Internet as a medium, and the other that sees it as an end. In the first case it is exploited in two different ways: both as a simple communication tool, considered more secure and less interceptable than traditional ones, and as a means of diffusion, useful for conveying ideological propaganda and proselytizing for the cause. In the second case it is instead considered as a possible object of attacks, that is, as a target of cyber attacks aimed at sabotaging those systems (critical infrastructures) on which important or vital services for the communities to be hit depend.

Is it true that PlayStation and Skype, programs that terrorists use to communicate with each other, cannot be monitored?

This is only partly true. First of all, it should be noted that the most desirable communication channels for terrorists are not those that cannot be intercepted but those that are not suspicious, which is not at all the same thing. The use of cryptography, for example, makes a channel non-interceptable but at the same time can attract the attention of those who monitor its use and push them to investigate further. Usually, then, terrorists, at least for strategic communications, try to use conventional channels without attracting attention; and from this point of view a possible use of the chat used by players on the PlayStation Network, although still to be confirmed, would indeed be an effective choice.

On a more technical level, there are certainly messaging systems that are intrinsically more difficult to intercept than others, as they are protected by forms of cryptography or based on distributed peer-to-peer protocols in which there are no central "nodes" that can be controlled. Skype once belonged to this second type, in addition to using particularly robust cryptography, and was therefore virtually impossible to intercept; but since the platform was purchased by Microsoft, its architecture has been transformed from decentralized to centralized, making it susceptible to interception with the collaboration of the operator (i.e. Microsoft).

How much damage can a terrorist acting via the Internet do?

This is a very difficult estimate to make. Certainly we live in a world increasingly populated by automated systems, which manage increasingly critical functions and are increasingly accessible from the Internet: all of this, in general, constitutes a serious Achilles' heel for society, as it is extremely difficult to guarantee that every one of these devices or systems is perfectly safe and inviolable.

In a scenario made of critical infrastructures interconnected to the Internet, the amount of damage that could theoretically be caused by a targeted and determined terrorist attack is therefore potentially enormous, as the possibilities that apparently present themselves are many: diverting a train onto the wrong track, opening a dam, turning off the lights of a city, putting ATMs out of use, confusing air traffic control systems... Fortunately, not all these attacks are possible or even plausible, because of course protective countermeasures exist. But the complexity of the networks plays against us, and therefore the risk that some critical system is not adequately defended, and can therefore be attacked successfully, is unfortunately not negligible.

Another consideration should be made regarding entirely "logical" attacks, i.e. those aimed at affecting information of critical importance for the functioning of society. A sabotage aimed at altering the contents of interbank transactions or stock exchange trades could have far more devastating effects than those caused by a conventional attack, and be far more elusive and difficult to detect and correct.

One last type of consideration concerns "preparatory" attacks, or attacks in support of conventional terrorist activities. For example, it is conceivable that, in the run-up to an action, terrorists may think of preparing the ground by disabling the general communication systems of the target or those of the security forces, or perhaps by spreading false alarms in order to confuse the analysis of the situation and slow down the reaction.

Is Italy safe?

It is difficult to say who is safe and who is not in this game. Certainly Italy, like all industrialized Western countries, is aware of the problem and is preparing to increase the level of prevention, detection and repression of threats. For example, our country has had a formal strategy for the protection of national cyber space since 2013, and has participated from the very beginning in the specific periodic exercises carried out in both the military (NATO) and civil sectors, aimed precisely at verifying crisis response capacity through the simulation of cyber attacks on critical infrastructures. I also recall that just a few days ago the Government announced an extraordinary allocation of 150 million euros for the intelligence sector, aimed at strengthening the systems for the analysis and prevention of threats. So much has been done, and probably much still remains to be done; the important thing is not to lower our guard and think we are safe: threats change and evolve every day, and those who defend themselves can never stand still.

How is the web monitored by the security services?

There are many ways to do this, and the institutions delegated to do so are various. Naturally, it is not possible to monitor and control everything, for both technological and legal reasons; and therefore "shortcuts" are usually chosen, which allow equally significant results to be obtained with a relatively reduced technological effort.

A technique increasingly used, as it is considered promising at the strategic level, is based on the analysis of so-called "open sources", a term which identifies targeted sets of freely accessible information such as public websites, open discussion forums, blogs and so on. By employing both automated text analysis systems and human analysts to filter and correlate the information collected, it is possible to obtain a good knowledge of what is said and done in certain user communities or in selected areas, geographical or otherwise.

At a more tactical level, traffic anomalies and security incidents are continuously analyzed, reported to the institutional CERTs by the appropriate network service management structures present in large companies and public administrations, in order to obtain an overall and timely picture of the vulnerabilities and threats in place, as well as their location and spread. This allows more effective alerting and reaction to possible attacks in progress, as well as general prevention.

How much staff would be needed to have an adequate level of security?

Certainly much more than is currently employed in our country, in both the civil and military sectors.

Prime Minister Renzi would be in favour of a total blockage of the Internet in the event of an attack. What do you think?

It does not seem like a great idea, for various reasons.

First of all, it is technically difficult, if not impossible, to "turn off" the Internet even for short periods and on a limited scale. Let us remember that the Internet was born to be a resilient, pervasive network, able to function even if some of its nodes are turned off. Especially in a country like ours, where communications are not centralized under the direct control of a single provider, blocking the Internet requires the active collaboration of countless large and small operators, both public and private, of landline and mobile networks... it is really complicated; it is not enough just to pull down a switch somewhere.

Secondly, it is said that blocking the Internet makes things more difficult for terrorists. In the case of a kinetic attack, i.e. one directed in physical terms against material or human targets, there is little chance that the members of the commando units in action on the ground use the Internet to communicate and coordinate with each other: it is much more plausible that they use normal cell phones, if not low-power PMR transceivers (walkie-talkies), and therefore blocking the Internet would not be useless. In the case instead of a cyber attack, i.e. one directed at systems or services on the Net, a possible blocking of the Internet would even play into the enemy's hands: in fact, since the aim of the attackers is to prevent the provision of certain critical services to the public, blocking the Internet would achieve exactly the same purpose and would therefore be nothing but a resounding own goal!

In any case, the blockade of the Internet would have the very serious side effect of preventing the dissemination of news to the public and the coordination of relief efforts, and would thus significantly worsen the management of the crisis.

Why, if the security services have underlined its importance for a long time (see interview), does Renzi only decide on it now?

Probably at the time the political evaluations were different, and maybe the time was not yet ripe. Today, with the increased credibility of the international threat and the proliferation of situations at risk (also linked to the current Jubilee), the need to provide an adequate response can no longer be postponed.

Can the backwardness and slowness of the national computer network, compared to other European nations, be an advantage or a disadvantage in the war against cyber terrorism?

Although it may seem ironic, in certain situations being less technologically advanced can actually constitute an advantage in terms of resilience. It is clear that, to give a trivial example, if the control system of a dam is only accessible locally and not through the Internet, what is a disadvantage in terms of management efficiency is repaid in terms of safety, because that dam can never be improperly operated remotely as a result of a cyber intrusion.

This does not mean that we must be proud of, or brag about, a certain technological backwardness that may still afflict some of our country's infrastructures, or automatically consider ourselves safer only for this reason. Technological development that implies a high rate of industrial automation is inevitable and must be pursued; on this there is no doubt. Some countries have gone a long way ahead of us on this road, perhaps a little too quickly and in a non-prudent way, and today they find themselves with highly efficient but rather vulnerable automated infrastructures, as their development did not take due account of the inclusion of security measures specifically designed to protect against deliberate attacks and sabotage. In other words, it has been seen that some critical infrastructures are safe but not secure, i.e. they are protected against errors and malfunctions, but not against malicious actions intentionally directed at damaging or altering their functioning. Fortunately, today there is much more awareness of this issue than some years ago, and so new developments have learned from the mistakes of the past.