Since 1983, when the movie WarGames told the story of a teenager who hacked into the Pentagon's nuclear weapons system and almost started World War III, the American public has been aware of the possibility of a catastrophic computer attack. However, there's no record of anyone having actually been killed by a terrorist using a computer. Subsequently, there has been some controversy over what constitutes cyberterrorism.
For the purposes of this article, we're going to stick with the definition proposed by the National Infrastructure Protection Center (now a part of the Department of Homeland Security) in 2002: Cyberterrorism is a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.
In 1996, Barry Collin, then a senior research fellow at the Institute for Security and Intelligence in California, released a paper called “The Future of CyberTerrorism” in which he described several possible cyberterror scenarios that fit the NIPC definition. In one scenario, cyberterrorists hack into an air control system and cause two commercial aircraft to collide. Another scenario involves cyberterrorists changing the iron supplement level in cereal and causing a nation of children to get sick and die. A third has cyberterrorists remotely altering the formulas of pharmaceutical manufacturers and wreaking havoc worldwide.
As you can see from these examples, cyberterror is not only an issue for federal and state entities; it can target private enterprise as well. In a sense, all the nation's businesses can consider themselves on the front lines in this battle, and they should all be prepared to fight it.
Why would terrorists turn to cyberterrorism? Because it has certain advantages over the traditional physical methods of terrorist attacks. The Internet is the instrument of a political power shift. A many-to-many communications system, the Internet is cheap, relatively safe (doesn't require any dangerous handling of explosive materials) and secretive (not even revealing the terrorist's location or identity). A cyberterror attack can be conducted from almost any locale in the world and is capable of worldwide impact. It's been hypothesized that the new, modern cyberterrorist can do more damage via the Internet than with a bomb.
But analysts and politicians have always thought that human involvement in computer systems would prevent anything disastrous from happening. The responsibility falls on mankind to make sure there is always sufficient human oversight and intervention to prevent a catastrophic occurrence.
Complex Enterprises Require Complex Security
Enterprise security is rapidly taking on new dimensions. While building a fortress model and protecting it with a firewall has been the norm, the expanding use of mobile devices and wireless networking exposes many shortcomings of that traditional approach. Multi-vendor security environments and hybrid offerings that combine security hardware and software create additional challenges in the manageability of security measures and solutions.
What's a security director to do to protect enterprise systems against cyberterrorism when faced with the broader scope of attacks and the increased complexity of managing the solutions? Security needs to take a holistic, proactive approach to this mission-critical concern. Although it won't provide total security, the best approach to protecting enterprise systems from cyberterrorism is layered network security that is accepted and practiced by all levels of management and staff.
Layering can consist of multiple applications of the same or similar technologies. The most cost-effective network security solutions are integrated, expandable systems capable of being upgraded. With that in mind, I've compiled some basic guidelines encompassing six layers of necessary security that should be implemented in the corporate environment.