Cyber Terrorism – is it a Serious Threat to Commercial Organizations?
Cyber Terrorism is a hot topic in the popular press and on general Computer industry web sites. Unfortunately, the “hype’ surrounding the topic is actually doing a disservice to the application of sensible security defences in the commercial and industrial sectors. Not many years ago, the preferred method of selling IT Security was to exaggerate the threat and thus the risk to systems without the more professional rigour of making a business case for the application of security to the specific business requirement. Selling by “Fear’ never did work well. From the less sophisticated sectors of the industry, the same discredited method of selling Cyber terrorism protection is now in evidence. However, decision making in corporate protection is now moving from the IT Department to the Boardroom and, in general, Directors will not authorize expenditure on protection without the presence of a sound business proposal.
Similarly, there are several analyst companies who are forwarding ‘evidence’ to the general IT industry of large scale intrusions, the explosion of cyber crime, cyber espionage and cyber terrorism without any real evidence to support their wilder prognostications. Unfortunately, the general current climate of fear is leading to an atmosphere where credibility is assigned to these unsubstantiated reports. From the particular analysts perspective, this wide scale reporting and subsequent television appearances serve only to increase their revenue from an industrial and commercial audience that is normally not so unusually gullible. There has never been a time when one should exercise more caution on unsubstantiated intelligence – reading it on the Web does not make it fact!
What is the problem then with the current statistics that show precise exponential rises in all aspects of cyber crime? It is because the components of the UK industry have no precise way of measuring the scale of attacks and, in the majority of cases, still no capability to determine that an attack has taken place that such reports have to be viewed with real scepticism. Using such statistics to extrapolate future trends in threat is intellectually unsustainable.
Until the formulation of the National High Tech Crime Unit (NHTCU) some three years ago, there was little police expertise in this area. However, the explosion in the use of the computer for all aspects of eBusiness has forced the UK Government to more proactive measures and the first real survey of cyber crime in the UK has now been conducted under the auspices of the NHTCU. The results announced at the Government Cyber Crime Conference in early December give a much better picture of the threats we face as a cyber trading nation. That some £38,000,000,000 of trade was conducted on the Internet in the UK in 2002 with some £18,500,000,000 in the financial sector alone gives us an indication of what has become a very tempting target for Cyber criminals and, moreover, an indication on the reliance we are now beginning to place on conducting our business and personal lives on the Internet. It is this very reliance on this medium of business that now makes an attractive target for the Cyber Terrorist.
Information Warfare, the generic title that includes Cyber terrorism covers a spectrum ranging from full scale attack by one state on another (to cripple the communications and computing capabilities of an adversary) to concerted action by a group of individuals to attack a particular Web site to express disapproval or to disrupt the smooth functioning of the target. The formation of the Nation State millenniums ago, saw the rise of standing armies the role of whom was to protect the state against attack. The ultimate goal of taking control of such a nation state entailed the destruction or elimination of the standing army that provided protection. This model has lasted over the centuries through all aspects of modern warfare until the late twentieth century. What has changed? Whilst the military have the responsibility for protecting their own resources, they have no such responsibility for the general assets of the state. Consequently an Information Warfare attack, of which Cyber terrorism is a manifestation, does not necessitate the defeat of the standing army as a precondition of the attack on the state. Such attacks by pass the military and can be directed on the State with no warning.
Whist most responsible Western governments have taken steps to protect their Critical National Infrastructure (the aspects of modern living essential to modern urban life including communications, utilities, transport, national and local government) typically some 85% of the ownership of such infrastructure is owned by the private sector and not by the State. Does this matter? Yes it does when expenditure is required over and above the perceived level to protect the shareholders investment to give a supra level of protection to the well being of the state. Does this matter? Yes, when the threat exists of such a group who’s interest is inimical to the State itself.
The £64,000 question then is does such a threat exist today. Whilst we have not yet seen any such manifestation, the effects of such an attack could at the least seriously inconvenience us and, at the worst, be catastrophic to our Western style of life. We must not make the mistake of over estimating the capability or intention of potential foes but, on the other hand, must recognize that al Qaeda has threatened attack by all means on the capitalist West; there is no doubt that they are sufficiently sophisticated as an organization to have the capability of mounting such an attack. In that Cyber terrorism is relatively easy and inexpensive to mount, we must of course expect that other organizations may also have such a capability.
How do we protect ourselves? As with any other aspect of IT security protection, the basis of adequate protection is a sound understanding of the value of the systems, the value of the data contained on such systems and an appreciation of the consequences of any such disruption. In the main, it is the organizations defined as part of the Critical National Infrastructure who are most risk but, whilst it may not affect the running of the state, the paralysis or destruction of the data for an individual company will give no joy to the owners or employees of even small scale enterprises. A good sophisticated and integrated protection strategy, especially one containing elements of artificial intelligence to spot previously unknown weapons, will adequately protect against cyber crime in all aspects, including Cyber terrorism.
Computer Associates are exhibiting at Infosecurity Europe, Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’smost comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003.