Tuesday, January 20, 2004

Antiterrorism Taxonomy

By Peter L. Higgins

A common taxonomy of terms for computer and network incidents, the digital side of antiterrorism, was developed years ago. Now we need to make sure we all understand what we mean by anti-terrorism policy as it applies to the non-digital world. Better still, we could work to make the two converge.

As an example, for the digital attacker we have the Sandia Labs taxonomy of attacker types:

Hacker
Spies
Terrorists
Corporate Raiders
Professional Criminals
Vandals
Voyeurs


Each is distinct and has its own category. I'm sure the same set could be used for attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the offline domain may not be synonymous with its meaning in the online domain of cyber incidents.

If we look at the categories Sandia Labs uses to make up an entire "Incident", we see the following:

Attackers
Tool
Vulnerability
Action
Target
Unauthorized Results
Objectives


Unless we combine the context under each category, we lose the meaning of the "Incident" as a whole. We need to make sure that the antiterrorism taxonomies of the offline and online domains can be used together to describe the attributes of an "Incident". We also need to break down the sub-categories. For instance, in the Sandia Labs taxonomy the Objectives category contains:

Challenge, Status, Thrill
Political Gain
Financial Gain
Damage

When we move to the offline domain and run risk mitigation and preparedness exercises for antiterrorism, we use a different vocabulary to describe and evaluate infrastructure threats and hazards. The five factors there are:

Existence addresses the question: who is hostile to the assets of concern?

Capability addresses the question: what weapons have been used in carrying out past attacks?

History addresses the question: what has the potential threat element (aggressor) done in the past, and how many times?

Intention addresses the question: what does the potential threat element hope to achieve?

Targeting addresses the question: do we know whether an aggressor is performing surveillance on our assets?
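As an added example (not from the original post), here is one way to use the two vocabularies together: a Python function that takes incident records shaped after the seven Sandia categories listed earlier and derives the five offline threat factors for a single asset. The mapping from categories to factors, the treatment of probe and scan actions as surveillance, and the sample incidents are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed incident record shaped after the seven Sandia categories
# named in the post; the field values used below are assumptions.
@dataclass(frozen=True)
class Incident:
    attacker: str             # e.g. "Terrorists", "Vandals"
    tool: str                 # e.g. "physical attack"
    vulnerability: str
    action: str               # e.g. "probe", "scan", "modify"
    target: str
    unauthorized_result: str
    objective: str            # e.g. "Political Gain", "Damage"

# Assumption: a probe or scan action against an asset counts as surveillance.
SURVEILLANCE_ACTIONS = {"probe", "scan"}

def threat_factors(incidents, asset):
    """Derive the five offline threat factors for one asset from a list of
    Sandia-style Incident records (assumed mapping, see lead-in)."""
    hits = [i for i in incidents if i.target == asset]
    return {
        # Existence: which attacker classes have acted against this asset?
        "existence": sorted({i.attacker for i in hits}),
        # Capability: what tools were used in past attacks on it?
        "capability": sorted({i.tool for i in hits}),
        # History: what has each aggressor done, and how many times?
        "history": dict(Counter(i.attacker for i in hits)),
        # Intention: what did those attackers hope to achieve?
        "intention": sorted({i.objective for i in hits}),
        # Targeting: has anyone been seen surveilling the asset?
        "targeting": any(i.action in SURVEILLANCE_ACTIONS for i in hits),
    }

# Constructed sample incidents (illustrative, not real events).
SAMPLE = [
    Incident("Terrorists", "physical attack", "unguarded gate", "scan",
             "substation-7", "none", "Political Gain"),
    Incident("Vandals", "physical attack", "weak fence", "modify",
             "substation-7", "damaged equipment", "Damage"),
    Incident("Terrorists", "script or program", "unpatched control host",
             "modify", "substation-7", "corrupted data", "Damage"),
    Incident("Voyeurs", "user command", "default password", "read",
             "billing-db", "disclosure", "Challenge, Status, Thrill"),
]

if __name__ == "__main__":
    for factor, value in threat_factors(SAMPLE, "substation-7").items():
        print(f"{factor:>10}: {value}")
```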

We believe that as our cultures, countries, agencies, and professionals work together on antiterrorism and counterterrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for clear and accurate risk management methodologies and incident management systems.

To accelerate our focus here, please see: SemioSkyline