How Real is the Threat of Cyber Terrorism?

Last week’s Daily Telegraph reported concerns expressed by Home Secretary John Reid about the threat of cyber terrorism causing economic chaos or plane crashes through an electronic attack on critical national infrastructure. Just how worried should we be? Is the likelihood of such an attack an imminent danger? Or is it just political scaremongering?

My own views are well-established. Back in 1999 when many people were talking up the possibility of an electronic Pearl Harbour, I forecast it was unlikely to occur before 2006. But after this time we would enter a long “critical convergence period” characterised by a step change in corporate risk profiles, resulting from growing connectivity, loss of perimeter security and increased vulnerabilities in platforms. And by this time the capabilities of terrorist groups, as well as their interest in such targets, might be sufficiently mature for them to contemplate a serious attack.

The problem is that terrorism, like espionage, is a covert activity. We simply won’t know how much we are at risk until we get hit. Yet industry and government are still in reactive mode when it comes to security. Business and finance managers are naturally reluctant to spend money on new security measures until they’ve seen real evidence of a threat. And by that time it’s too late.

So what can we do to mitigate the risk? Well if you can’t afford the cost of hardening your critical systems and installing effective intrusion prevention systems, then at least be prepared to respond effectively to an incident. It doesn’t cost much to review and update crisis response procedures and organization, or to conduct a short crisis exercise. And at the very least that should provide some much needed awareness amongst senior management of the seriousness of their exposure.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

It's an interesting issue regarding the protection of organisations and of course the people that work for them. A rather disturbing article following the InfoSecurity show in London last week at Can it be true that the provision of security services at the Olympics will be based on bribery and corruption potentially. Surely the risk analysis for this decision must be interesting viewing?
I feel that the community needs to approach the issue of terrorism & higher technology attacks with a sense of proportion and realism, rather than perpetuating the 'cyber terrorism' bandwagon/circus (I'm not saying that you are David, I just see so much of it at the moment and it bugs me). I see a lot of commercial vendors/technology integrators peddling security theatre based on weak evidence or skewed risk assessments for their own commercial agenda/gain/hype. I was visiting a very venerable academic institution recently (in my academic capacity) only to find that defence & security contractors were approaching the institution to validate the existence of their products! Lets just say that they left rather empty handed. Nevertheless, I think it is absolutely right to point out the vulnerabilities that we're creating in our (technological) environment. This is a fascinating area of study and one in which we're creating more and more problems for ourselves as society wants/creates greater interconnection and greater interdependency upon networks (networks in the widest sense) which were originally separate and distinct - basically I think we're stoking problems up for ourselves and as society becomes even more dependent upon the systems of systems the problems will just be compounded.
Like all forms of terrorism, cyber-terrorism is VASTLY over inflated because it catches the imagination of the public and creates catchy headlines in papers. Whilst shocking and devastating for those involved, terrorism is a long way down in the list of causes of death, injury, and hardship particularly in the UK. Similarly in the computing world more money is lost and problems caused through bugs, poor design, and/or incorrect documentation than will be caused through terrorism. If we get security right in the first place by ensuring that the mechanisms for securing systems are thoroughly reviewed, tested, and documented, then terrorism ceases to be a problem, because unlike the real world we are dealing with finite state machines and we can predict all of the potential attack vectors and protect against their exploitation.