Last week’s Daily Telegraph reported concerns expressed by Home Secretary John Reid about the threat of cyber terrorism causing economic chaos or plane crashes through an electronic attack on critical national infrastructure. Just how worried should we be? Is the likelihood of such an attack an imminent danger? Or is it just political scaremongering?
My own views are well-established. Back in 1999 when many people were talking up the possibility of an electronic Pearl Harbour, I forecast it was unlikely to occur before 2006. But after this time we would enter a long “critical convergence period” characterised by a step change in corporate risk profiles, resulting from growing connectivity, loss of perimeter security and increased vulnerabilities in platforms. And by this time the capabilities of terrorist groups, as well as their interest in such targets, might be sufficiently mature for them to contemplate a serious attack.
The problem is that terrorism, like espionage, is a covert activity. We simply won’t know how much we are at risk until we get hit. Yet industry and government are still in reactive mode when it comes to security. Business and finance managers are naturally reluctant to spend money on new security measures until they’ve seen real evidence of a threat. And by that time it’s too late.
So what can we do to mitigate the risk? Well, if you can’t afford the cost of hardening your critical systems and installing effective intrusion prevention systems, then at least be prepared to respond effectively to an incident. It doesn’t cost much to review and update crisis response procedures and organisation, or to conduct a short crisis exercise. And at the very least that should provide some much-needed awareness amongst senior management of the seriousness of their exposure.