Roads gridlocked, trains colliding, power outages - these are the images that spring to mind when one envisages the threat of cyberterrorism.
The prefix "cyber" generally refers to the internet and the web, while "terrorism" can be defined succinctly as acts of violence, real or threatened, designed to coerce government policy or serve ideological ends.
In truth, we have witnessed neither any verified acts of cyberterrorism nor any credible conspiracy to commit acts of real cyberterror. Is this purely fortuitous, or is it the case that the cyberterror threat is simply not a realistic one?
Although the network architectures, operating systems and technical details behind gas pipelines, air traffic control systems and stock exchanges may differ, all share common, sound security design elements:
- No external network connectivity
- No TCP/IP stack
- Proprietary operating systems, but arcane applications
- They are subject to software and human monitoring/audit
- In utilities, they are subject to failsafe override by mechanical governors and standby engineering response.
Those technically in the know agree that threats of cyberterrorism, as hyped in the popular media, are wildly unrealistic.
Despite the media frenzy following every major virus outbreak, a virus or worm in the hands of a terrorist should have no impact on critical infrastructure systems. Therefore, we should exclude from our cyberterror list the indiscriminate release of viruses and worms on the internet, website defacements and distributed denial of service attacks.
Website defacements are often referred to naively as cyberattacks, particularly where the perpetrator has made some political gesture. However, defacing a web page is the online equivalent of spraying graffiti on the external wall of a building or a shop window. Such minor acts of vandalism are the handiwork of adolescent crackers and by no stretch of the imagination do they rank as acts of terrorism.
Distributed denial of service attacks against Yahoo!, Amazon and eBay in early 2000 interrupted trading for several days. Similar attacks include a low-tech denial of service attack that interrupted HSBC online banking for about four hours during the May Day anti-globalisation demonstrations of 2001. The affected systems were very much peripheral to the core banking systems, and such nuisance would hardly qualify as cyberterrorism.
Although cyberterrorist attacks on the UK's critical infrastructure systems do not appear to be technically feasible, a low-cost e-mail/network worm could be designed to mount an effective, broad, low-level attack against a target nation. Non-critical systems could be exposed to wholesale loss of documents, spreadsheets and databases: not a mortal blow, but certainly a bloodied nose.
Such an attack could be carried out faster than anti-virus updates could be deployed. For this reason, it is essential to apply the security-in-depth principle. Anti-virus software should be augmented by generic e-mail content filters to block the progress of an unknown worm on the basis of its prima facie properties, ahead of any viral signature update.
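As an added illustration of the "prima facie properties" filter described above (example code written for this page, not Clearswift's product and not from the article): a small Python gateway check that holds a message when an attachment carries an executable extension, a double extension, or a Windows PE header under a document-style name. The blocked-extension policy and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types an inbound mail gateway has no business accepting (assumed policy).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with


def attachment_findings(raw: bytes) -> list:
    """Return (filename, reason) pairs for every rule an attachment trips.

    Each rule is a prima facie property: nothing here needs a virus signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        labels = name.split(".")
        ext = labels[-1] if len(labels) > 1 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension"))
            if len(labels) > 2:  # invoice.doc.exe: a document name hiding a program
                findings.append((name, "double extension"))
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable content (MZ header)"))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold the message if any rule fired."""
    return bool(attachment_findings(raw))


def build_sample() -> bytes:
    """Constructed message: two disguised executables and one harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see attached.")
    pe_stub = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # only the header, not a real program
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                       filename="invoice.doc.exe")
    msg.add_attachment(pe_stub, maintype="application", subtype="msword",
                       filename="notes.doc")
    msg.add_attachment("Minutes of the meeting.", filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in attachment_findings(build_sample()):
        print(f"{name}: {reason}")
```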
Cyberterror is an idea implanted in the popular imagination, to the extent that anti-virus company Symantec reported that it "detected no verifiable cases of cyberterrorism during the last six months [of 2002]" and said, "Attacks from countries included in the Cyber Terrorist Watch List accounted for less than 1% of all activity."
However, the prospect of war has increased the threat of cyberattacks by extremist groups, and the UK's National Infrastructure Security Co-ordination Centre has recommended that organisations review the security of their systems.
Top priorities remain the prosaic hacker and the mass-mailing/network-aware worm against which an organisation must deploy multi-layered defences - firewalls and intrusion detection; content filtering and anti-virus applications at mail gateways; and diligent application of software patches, as new vulnerabilities come to light.
What do you think?
Do you agree the concept of cyberterrorism is little more than media hype? Tell us in an e-mail. CW360.com reserves the right to edit and publish answers on the Web site. Please state if your answer is not for publication.
Pete Simpson is head of the Threatlab service at e-security specialist Clearswift
This was first published in March 2003