By Gregg Keizer
Although the dogs of war bark louder every day, corporate IT leaders and executives should take a deep breath and relax: Cyber-terrorism, a natural fear whenever international events reach the boiling point, is overstated, said consulting firm ContingenZ Corporation on Friday.
ContingenZ, a California firm that offers threat and attack analysis, training, and consulting, sees cyber-terrorism as far-fetched.
"People are talking about [cyber-terrorism] as if it is a likely event," said Michael Miora, the founder of ContingenZ, and a security expert with 25 years experience. "But the probability of such an attack is not nearly as likely as discussed in the media."
The main reason for this take, said Miora, is that a concerted attack -- which is what's meant by cyber-terrorism, as opposed to run-of-the-mill attacks and hacks on networks and the Internet -- is tough to pull off.
"It requires a simultaneous attack on many, many systems while eluding detection," he said. "You can't do that from the mountains of Afghanistan."
The "Digital Pearl Harbor" war game conducted at the Navy War College last summer backs up Miora's view. The three-day war game explored the effects of cyber-terrorism against energy grids, telecommunications systems, financial institutions, and the Internet itself. At the end, the game concluded that attackers would need $200 million in funding, deep intelligence information, and years of preparation to significantly disrupt the country's information infrastructure.
The built-in resilience -- or as Miora put it, the "disconnectedness" -- of networks and the Internet is what mitigates against a successful cyber-terrorism attack.
If attacks do occur, said Miora, the biggest danger isn't the actual disruption of a company's network. "Even if someone was able to bring down the NASDAQ for 15 minutes, what's the long term effect?" Miora asked.
But a public-relations disaster could follow. "If an incident occurs, and your company's network goes down, you make the news because you're the example," he said. "You don't want to be the headline. The reason to protect yourself is so you're not the one on the front page."
Most recommendations on preventing cyber-terrorism attacks, and on what to do if they happen, end up suggesting that enterprises engage in security best practices. Research firm Gartner, which co-sponsored the Digital Pearl Harbor war game, said research indicates that the best defense against any threat is to manage known vulnerabilities, such as unpatched or misconfigured software. Gartner estimates that 90 percent of cyber-attacks take advantage of known security flaws or problems. "The same steps we take to protect ourselves from common criminals will help protect us from cyber-terrorism," said Gartner in a statement on its Web site.
Miora agreed, to a point. "What we're really talking about is incident management and incident response, which includes security, but only a piece of security. There are a lot of things often outside the scope of security, like data recovery, that need to be addressed," he said, to put a proper incident response plan in place.
He recommended that companies go through a formal business impact analysis on what may happen if an attack brings the enterprise's infrastructure down, develop capabilities to mitigate the effects and recover quickly, and then test these capabilities rigorously.
ContingenZ offers a range of white papers on its Web site on how to deal with such incidents. Other resources include a Weblog that Gartner has recently introduced -- called "Emerging Storm" -- that catalogs advice on what companies can do to minimize potential disruptions as global tempers climb. And the Web site of the National Infrastructure Protection Center, now part of Homeland Security, can be regularly checked for threat advisories, including those that may be linked to cyber-terrorism.