This article appeared in a very abbreviated form in SC Magazine’s January 2003 issue and is presented here in full.
Cyberterrorism is a hot topic in the popular press and on general computer industry web sites. Unfortunately, the 'hype' surrounding the topic is actually doing a disservice to the application of sensible security defenses in the commercial and industrial sectors.
Not many years ago, the preferred method of selling IT security was to exaggerate the threat, and thus the risk to systems, without the more professional rigor of making a business case for the application of security to the specific business requirement. Selling by fear never did work well. From the less sophisticated sectors of the industry, the same discredited method of selling cyberterrorism protection is now in evidence. However, decision making in corporate protection is now moving from the IT department to the boardroom and, in general, directors will not authorize expenditure on protection without the presence of a sound business proposal.
Similarly, there are several analyst companies who are forwarding 'evidence' to the general IT industry of large-scale intrusions, the explosion of cybercrime, cyberespionage and cyberterrorism, without any real evidence to support their wilder prognostications. Unfortunately, the general current climate of fear is leading to an atmosphere where credibility is assigned to these unsubstantiated reports. From the particular analysts' perspective, this wide-scale reporting and subsequent television appearances serve only to increase their revenue from an industrial and commercial audience that is normally not so unusually gullible. There has never been a time when one should exercise more caution on unsubstantiated intelligence - reading it on the web does not make it fact.
What is the problem then with the current statistics that show precise exponential rises in all aspects of cybercrime? From a U.K. perspective it is because the components of British industry have no precise way of measuring the scale of attacks and, in the majority of cases, still no capability to determine that an attack has taken place, that such reports have to be viewed with real skepticism. Using such statistics to extrapolate future trends is intellectually unsustainable.
Until the formulation of the National High Tech Crime Unit (NHTCU) some three years ago, there was little police expertise in this area. However, the explosion in the use of the computer for all aspects of e-business has forced the U.K. Government to more proactive measures and the first real survey of cybercrime in the U.K. has now been conducted under the auspices of the NHTCU. The results announced at the Government Cyber Crime Conference in early December last year give a much better picture of the threats the U.K. faces as a cybertrading nation. That some £38,000,000,000 of trade was conducted on the internet in the U.K. in 2002, with some £18,500,000,000 in the financial sector alone, gives us an indication of what has become a very tempting target for cybercriminals. Moreover, it is an indication of the reliance we are now beginning to place on conducting our business and personal lives on the internet. It is this very reliance on this medium of business that now makes an attractive target for the cyberterrorist.
Information warfare, the generic title that includes cyberterrorism, covers a spectrum ranging from full scale attack by one state on another (to cripple the communications and computing capabilities of an adversary), to concerted action by a group of individuals to attack a particular web site to express disapproval or to disrupt the smooth functioning of the target.
The formation of the nation state, millenniums ago, saw the rise of standing armies, the role of which was to protect the state from attack. The ultimate goal of taking control of such a nation state entailed the destruction or elimination of the standing army that provided protection. This model has lasted over the centuries through all aspects of modern warfare until the late twentieth century. What has changed? While the military have the responsibility for protecting their own resources, they have no such responsibility for the general assets of the state. Consequently an information warfare attack, of which cyberterrorism is a manifestation, does not necessitate the defeat of the standing army as a precondition of the attack on the state. Such attacks bypass the military and can be directed on the state with no warning.
Whist most responsible governments have taken steps to protect their critical national infrastructure (the aspects of modern living essential to modern urban life, including communications, utilities, transport, national and local government), typically in the Western world some 85 per cent of the ownership of such infrastructure is owned by the private sector and not by the state. Does this matter? Yes, when expenditure is required over and above the perceived level to protect the shareholders' investment to give a supra level of protection to the well being of the state. Does this matter? Yes, when the threat exists of a group whose interest is inimical to the state itself.
The billion dollar question then is, does such a threat exist today? While we have not yet seen any such manifestation, the effects of such an attack could at the least seriously inconvenience us and, at the worst, be catastrophic to the Western of life. We must not make the mistake of overestimating the capability or intention of potential foes but, on the other hand, we must recognize that al-Qaeda has threatened attack by all means on the capitalist West; there is no doubt that it sufficiently sophisticated as an organization to have the capability of mounting such an attack. In that cyberterrorism is relatively easy and inexpensive to mount, we must of course expect that other organizations may also have such a capability.
How do we protect ourselves? As with any other aspect of IT security protection, the basis of adequate protection is a sound understanding of the value of the systems, the value of the data contained on such systems and an appreciation of the consequences of any such disruption. In the main, it is the organizations defined as part of the critical national infrastructure that are most risk but, while it may not affect the running of the state, the paralysis or destruction of the data for an individual company will give no joy to the owners or employees of even small-scale enterprises. A good sophisticated and integrated protection strategy, especially one containing elements of artificial intelligence to spot previously unknown weapons, will adequately protect against cybercrime in all aspects, including cyberterrorism.
David Love is head of security strategy, EMEA, for Computer Associates (www.ca.com).
Computer Associates are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's largest FREE education program, and over 200 exhibitors at the Grand Hall at Olympia, London, April 29 - May 1, 2003 (www.infosec.co.uk).