A Terrorist by Any Other Name

The E.U. finally decided to designate Hezbollah a terrorist organization. Why won't the U.N.?

It has now been a year since Hezbollah operatives blew up a tour bus in Burgas, Bulgaria, killing five Israeli tourists, including a pregnant woman, and their Bulgarian bus driver. And after an erratic decision-making process, Europe has finally responded: On July 22, the European Union designated Hezbollah's "military wing" as a terrorist entity.

The terror designation ends years of European prevarication on Hezbollah's true nature -- and could pave the way for more international efforts to isolate the self-described "Party of God." Britain, which designated Hezbollah's military wing a terrorist group in 2008, spearheaded the E.U. sanctions measure. The new penalties -- if enforced aggressively -- could lead to travel bans on Hezbollah members and officials visibly connected to military activities, the freezing of its assets in Europe, and a crackdown on the Lebanese Shiite group's recruitment process among Europeans.

But the European Union, compared to many nations, is still going easy on Hezbollah. The party's entire organization is now outlawed by the United States, Canada, Israel, the Netherlands, and Bahrain. By only designating Hezbollah's military wing, the European Union stopped short of dismantling its entire apparatus within its territories. The E.U. decision is designed to stop further Hezbollah terrorist attacks on European turf -- but allow Europe to keep the lines open to Hezbollah politicians. Walking this line will be no easy task, and British Foreign Secretary William Hague tried to capture the dilemma on Monday in Brussels: "We have to distinguish as best we can."

France, which was skeptical about Hezbollah's involvement in the Burgas attack, took the lead in opposing the terror listing until late May. However, the political landscape in Syria triggered a dramatic change within France's foreign policy establishment: With Hezbollah deepening its intervention on behalf of President Bashar al-Assad, Paris was terribly worried about losing its diplomatic leverage in the Levant, where it was once a colonial power. French Foreign Minister Laurent Fabius directly linked French policy to Hezbollah's involvement in the bloody Syrian civil war, saying, "Given the decision that Hezbollah has taken and the fact that it has fought extremely hard against the Syrian population, I confirm that France will propose to place Hezbollah's military wing on the list of terrorist organizations."

The sea change in France's policy moved additional member states to jump on the sanctions train. Ireland and Austria were two of the more recalcitrant countries opposed to the terror listing, largely because both countries contribute troops to U.N. peacekeeping missions that monitor ceasefire agreements between Israel and its northern neighbors, Lebanon and Syria. But it wasn't only France that convinced them to change their tune: In one of the more interesting forms of lobbying, former California governor Arnold Schwarzenegger, who was born in Austria, reportedly helped persuade the Austrian chancellor to sanction Hezbollah. (Austrian Foreign Ministry spokesman Alexander Schallenberg, responding via Twitter, wrote, "A.Schwarzenegger did indeed send a letter arriving Saturday morning. Austria had taken it's [sic] position already.")

Between Europe and the United States, which outlawed Hezbollah in 1995, it is clear that the international community is tightening the noose around the Lebanese Islamists. But there is still one organization that has remained conspicuously silent about this international threat: the United Nations.

The global body has thus far limited itself to doling out ineffective wrist slaps and euphemisms in addressing Hezbollah's global terrorist reach. In a typical example, the U.N. Security Council on July 10 called for "all Lebanese parties" to refrain from involvement in the Syrian crisis -- a bland reference to Hezbollah's murderous role. (According to Reuters, the reference to Hezbollah was watered down due to objections from Russia.)

While the United Nations has a raft of counterterrorism bodies and resolutions, it has yet to come up with a viable definition of terrorism -- leaving individual states free to collaborate with any groups not specifically targeted by the international body. But when the United Nations wants to crack down on a specific group, it has shown the ability to do so: The U.N. Security Council imposed sanctions on al Qaeda, for instance, with a series of resolutions dating back to the late 1990s. In a similar vein, the Security Council has the authority, if its members are willing, to target Hezbollah.

The Lebanese Shiite group could also be shoehorned in under the existing U.N. sanctions resolutions targeting the party's patron, Iran. The U.S. government has long stressed the intimate ties between the two actors: Assistant Treasury Secretary Daniel Glaser, for instance, testified before Congress in 2011 that Hezbollah was "Iran's primary terrorist proxy and foothold in the Arab world" and "a global organization with unparalleled financial and commercial resources." Reeling off a list of places where Hezbollah-affiliated individuals or commercial operations had been targeted by the Treasury Department -- from Lebanon to Latin America to Africa -- Glaser stressed, "the real power behind Hezbollah lies in Tehran."

Why should this be of urgent concern to the United Nations? Because, as Glaser highlighted, Hezbollah is no mere parochial threat. Since it was created in the early 1980s as a Lebanese offshoot of Iran's Islamic revolution, its networks, fund-raising rackets, terrorist plots, and killings have long been global -- earning it the nickname in Washington, "the A-team of terrorism."

Today, Hezbollah infests every continent -- with the possible exception of Antarctica. And its lethal schemes are only growing more frequent: Just this May, the U.S. State Department reported that "Iran's state sponsorship of terrorism and Hizballah's terrorist activity have reached a tempo unseen since the 1990s, with attacks plotted in Southeast Asia, Europe and Africa."

Hezbollah's bloody trail stretches back three decades and reaches from the Middle East, to Africa, to Latin America. The party cut its teeth with the 1983 U.S. embassy and Marine barracks bombings in Beirut, and then the 1985 hijacking of TWA Flight 847. It has also been implicated in terrorist attacks on the Israeli embassy and a Jewish community center in Argentina in 1992 and 1994, as well as the horrific 2005 bombing in Beirut that killed former Lebanese Prime Minister Rafik Hariri and 21 others. In Nigeria, the arrest of three dual Lebanese-Nigerian nationals armed with everything from land mines to anti-tank rocket launchers -- enough weaponry "to sustain a civil war," according to the public prosecutor -- prompted a member of the country's security services to label Hezbollah's military wing a terrorist organization.

The Burgas bus bombing was the latest example of Hezbollah's terrorist bona fides -- and also its global reach. The planning and execution of the attack straddled four continents. It was conducted in Europe and masterminded from the group's base in Lebanon, but the Bulgarian investigation found that the plot was led by a cell that included citizens of Australia and Canada.

Hezbollah makes no secret of its anti-Semitic aims. Just weeks before the lethal attacks in Burgas, Cypriot authorities arrested Hossam Taleb Yaacoub, a dual Lebanese-Swedish citizen, for plotting to kill Israelis and Jews on the island. In March, a Cypriot court sentenced him to four years in prison, though the court chose to describe his acts as criminal, rather than terrorist. Yaacoub offered police officials a neat summary of Hezbollah's global reach, telling them that Hezbollah "was just collecting information about the Jews. And that is what my organization does everywhere in the world."

Slapping a U.N. terror designation on Hezbollah will be no easy task: Washington would have to make a big push for the United Nations to seriously consider acting. But nobody can know whether it's possible -- so far, the United States has barely raised the issue. It has limited itself to the occasional grumble, such as Acting Permanent Representative Rosemary DiCarlo's comment at the Security Council on July 23 that "Iranian and Hezbollah-backed fighters and advisers" have supported the Syrian regime's assault on its own people. U.S. diplomats have been unwilling to comment publicly on this omission, and a spokesman for the U.S. mission to the United Nations declined to comment for this article.

The United States may be reluctant to campaign for sanctions on Hezbollah for fear that such a bid would not get past veto-wielding Security Council members Russia and China. Witness China's continued business dealings with Iran, Russia's backroom dilution of the recent condemnation alluding to Hezbollah, as well as both nations' refusal to allow U.N. sanctions on Syria.

But the free world invests billions of dollars in the United Nations every year -- not to mention its credibility in the name of promoting international peace and security. Should the U.N. Security Council prove simply too craven or morally crooked to take actions against Hezbollah, there would still be benefits to airing the case against the "Party of God." This is surely a debate worth having at the United Nations -- and soon.



Cyber-Sabotage Is Easy

So why aren't hackers crashing the grid?

Hacking power plants and chemical factories is easy. I learned just how easy during a 5-day workshop at Idaho National Labs last month. Every month the Department of Homeland Security is training the nation's asset owners -- the people who run so-called Industrial Control Systems at your local wastewater plant, at the electrical power station down the road, or at the refinery in the state next door -- to hack and attack their own systems. The systems, called ICS in the trade, control stuff that moves around, from sewage to trains to oil. They're also alarmingly simple to break into. Now the Department of Homeland Security reportedly wants to cut funding for ICS-CERT, the Cyber Emergency Response Team for the nation's most critical systems.

ICS-CERT's monthly training sessions in Idaho Falls put 42 operators at a time into an offensive mindset. For the first three days in last June's workshop, we learned basic hacking techniques, first in theory, then in practice: how to spot vulnerabilities, how to use exploits to breach a network, scan it, sniff traffic, analyse it, penetrate deeper into the bowels of the control network, and ultimately to bring down a mock chemical plant's operations. There was something ironic about Department of Homeland Security staff teaching us how to use Wireshark, an open-source packet analyzer; Metasploit, a tool for executing exploit code; man-in-the-middle attacks; buffer overflow; and SQL-injection -- all common hacking techniques -- and then adding, only half-jokingly: "Don't try this on your hotel's Wi-Fi!"

So it may come as a surprise to learn that attackers have never been able to engage in cyber-sabotage against America's critical infrastructure -- not once. ICS-CERT has never witnessed a successful sabotage attack in the United States, they told me. Sure, there have been network infiltrations. But those were instances of espionage, not destructive sabotage. Which raises two questions: one obvious, and one uncomfortable. If it's so easy, why has nobody crashed America's critical infrastructure yet? And why isn't the Defense Department doing more to protect the grid?

The questions only loomed large on the fourth day of the training -- a 10-hour exercise. We split into two groups, a large blue team and a small red team. The blue team's task was to defend a fake chemical company, with a life-sized control network complete with large tanks and pumps that would run production batches, a real human-machine interface, a so-called "demilitarized zone," even simulated paperwork and a mock management with executives that didn't understand what's really happening on the factory floor -- just like in real life. The red team's task was to breach the network and wreak havoc on the production process. By 5 pm they got us: toxic chemicals spilled on the floor, panic spread in the control room. Good thing for us this was only an exercise, and the gushing liquid was just water.

That exercise in Idaho was not unrealistic -- control system-related incidents can have serious consequences. In March 1997, a teenager in Worcester, Massachusetts, used a dial-up modem to disable control systems at the airport control tower. In June 1999, 237,000 gallons of gasoline spilled out of a 16-inch pipeline in Bellingham, Washington, killing three people when it ignited. An ICS performance failure limited the controller's ability to understand what was happening and react swiftly. In August 2006, two disgruntled transit engineers sabotaged the traffic light controls at four busy L.A. corners for four days, causing major traffic jams. One of the most serious accidents happened in 2009 at the Sayano-Shushenskaya hydroelectric dam and power station in Russia, when a remote load increase caused a 940-ton turbine to be ripped out of its seat. The accident killed 75 people, pushed up energy prices, and caused damage in excess of $1.3 billion. In Idaho I heard two more stories from participants: one maintenance issue paralysed 600 ATM machines for 6 hours, and one innocent network scan in a manufacturing plant caused a large and powerful robotic arm to swirl around as if in rage, potentially injuring anybody near it.

Attacking such systems just got easier, for a number of reasons. One is that vulnerabilities are easier to spot. The search engine Shodan, dubbed the "Google for hackers," has made it easy to find turbines and breweries and large AC-systems that shouldn't be connected to the Internet but actually are. One project at the Freie Universität Berlin has enriched the Shodan data and put them on a map. The rationale of this "war map," as project leader Volker Roth called it tongue-in-cheek, is visualizing the threat landscape with colored dots, yellow for building management systems, orange for monitoring systems, and so on. The U.S. eastern seaboard looks like a butt on a paintball range after a busy shooting session.

But so far, attackers have lacked either the necessary skill, intelligence, or malicious intention to use that map as a shooting range. That may be changing. While the more sophisticated ICS attacks are actually harder than meets the eye, many nation states as well as hackers are honing their skills. Some are also busy gathering intelligence; earlier this year, for example, the U.S. Army Corps of Engineers' National Inventory of Dams was breached, possibly from China. And any political crisis may change an attacker's intention and rationale to strike by cyber attack.

All of which keeps the federal government's main organization in charge of critical infrastructure protection busy. ICS-CERT employs between 80 and 100 staff, depending on contractors. Three of its activities stand out.

The first is incident response. At the request of asset owners, ICS-CERT can deploy so-called fly-away teams to meet with the affected organization. They'll review network topology, identify infected systems, image drives for analysis, and collect other forensic data. Last year, the government's control system experts responded to 177 incidents. That included 89 site visits and, in the most extreme cases, 15 deployments of on-site teams to respond to advanced persistent threat incidents in the private sector, the DHS told me. The fly-aways are controversial, with some critics pointing to a lack of focus and a waste of scarce government resources. One prominent critic is Dale Peterson of Digital Bond, a leading consultancy on critical infrastructure protection. "It doesn't scale," he says about the fly-away teams. "It's a band-aid." Still, a band-aid is better than no treatment at all.

The second main activity is keeping the operators vigilant and informed. ICS-CERT is doing this through vulnerability alerts and advisories: one recent alert, for instance, warned about a range of 300 medical devices that had hard-coded passwords, which could enable an attacker to gain remote access to surgical and anaesthesia devices or drug infusion pumps.

But for some, the warnings don't come fast enough, or don't produce a strong enough response. So more and more independent security researchers publish information on faulty design without notifying vendors and their clients first. Many at the Department of Homeland Security think some of these revelations are irresponsible or premature -- Digital Bond disagrees. The consultancy organizes a leading industry event, the S4 conference, where devices get hacked for good effect. A lot of people in the ICS community, Peterson tells me, "are getting gradually more aggressive because there has been so little progress."

Then there are those five-day training sessions for those who are really at the front line of potential cyber attacks: the plant and factory owners and operators. That program is the least controversial. After three days of lectures and hands-on practice, and after one day of spilling chemicals by cyber attack, the participants in my class had a chance to discuss lessons learned on the fifth day. One or two may have expected a slightly different technical focus, yes, but the rest loved it. The Department of Homeland Security understood a crucial thing: if the asset owners understand the offense, they are able to improve -- and better invest in -- their network defense.

The reverse does not apply. The National Security Agency and its military twin, U.S. Cyber Command, are investing in all kinds of offensive measures that do nothing to make the nation's critical infrastructure more secure: They're discovering and buying previously unknown zero-day vulnerabilities -- holes in software that hackers can use to wiggle their way into a system. They're gathering target intelligence on foreign infrastructure, and clandestinely developing bespoke cyber weapons for high-profile attacks from Fort Meade. All of this may have theoretical benefits at some point. But such offensive investments do not translate into more efficient information-sharing at home, into safer logic controllers, or into better-trained asset owners. To the contrary: the offense can suck up skills needed on the defense. And while it would make all of us more secure to close up those software holes, the NSA and CYBERCOM would rather they stay open as avenues of espionage and attack.

One reason why, perhaps, is that, so far, there's only been one publicly-acknowledged destructive ICS attack anywhere, ever. The only successful cyber-sabotage strike that targeted control systems (and that was not an insider attack) was an American intelligence operation: the famous Stuxnet worm that targeted Iran's nuclear enrichment program in Natanz -- without achieving its goal. The White House, it seems, has learned some lessons from this episode. In a recently leaked secret document, the administration highlighted the "unintended or collateral consequences" of offensive cyber operations that may affect U.S. national interests. Apparently the White House sensed that Stuxnet had a counterproductive effect on "values, principles, and norms for state behavior." Cyber sabotage, they fear, could come back to haunt them.

In cyber security, it seems, a good offense is bad defense -- certainly made worse by sequestering the critical training of those who really keep the nation's infrastructure safe: the asset owners, engineers, and operators who make the monthly trek to Idaho Falls from all fifty states. Idaho National Labs has its own "war map" with red and blue and green and white pins: it's a large chart of the entire United States (and a smaller one with allied nations), up in the first floor lunch area of the training facility. Every participant of the ICS training places a pin into their home town by sector: white if they come from the government, red for energy, blue for water, and so on. This is the map that really counts. The more dots and the more color, the better. But unless there's a radical change in how the U.S. secures its power plants and factories, there's never going to be enough push pins to stave off calamity.