Pundits, the media, security directors and politicians disagree on the significance of the cyberterrorism threat. Immediately after 9/11, the public media and the industry seemed to consider it a high-stakes issue, but as time passed, the tone of most articles suggested that the threat was being blown out of proportion.
It's not surprising there's no consensus, considering that many people don't even have a clear understanding of the term cyberterrorism. It refers to a politically motivated, computer-based attack that is designed to cause a catastrophic event resulting in physical harm, death and fear among a large population base.
Individuals have proposed numerous cyberterror scenarios, such as hacking into the control systems of a hydroelectric dam and releasing a flood on downstream communities, and hacking into air traffic control systems to cause the crash of a passenger jet. Are these real threats, or is the cyberterrorist just another bogeyman?
Is the Threat Overblown?
I have several friends who are cybercrime investigators for various law enforcement agencies. I conducted an informal survey with the promise of anonymity, asking if any of them was aware of true cyberterrorist attacks or investigations. They were all aware of numerous hacking attacks, but none were aware of any cyberterrorist attacks or investigations. This lends some credibility to the belief that the cyberterrorist threat has been blown out of proportion.
Industries may have proactively implemented practices to minimize such attacks. For instance, many have realized that interconnectivity, although convenient, is not necessarily a good idea. In the recently released U.S. Nuclear Regulatory Commission Draft Regulatory Guide DG-1130, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants,” remote connectivity is directly addressed. The draft states: “Remote access to the safety system software functions or data from outside the technical environment of the plant (e.g., from the administrative or engineering buildings or from outside the plant) that involves a potential security threat to safety functions should not be implemented.”
It should be noted that adherence to these guidelines is strictly voluntary. Still, even when critical infrastructure facilities are connected, they tend to be extremely difficult to get into. Hacking into the control center of a water treatment plant or power company requires a great deal more sophistication and expertise than hacking into a system to download R&D documents or credit card numbers.
Knocking on Your Door
Even though cyberterrorism appears to be a non-event, I think it is dangerous to let our guard down. Determined terrorists are still trying to find ways into the systems controlling our infrastructure, and they will keep knocking at the door in hopes that someday they can get in.
In a recent presentation, the security director of a large Midwestern utility company provided statistics showing the hits on the company’s firewalls from unfriendly foreign nations. The numbers were staggering. It appears that terrorists are not only knocking on the door of our infrastructure, they're pounding on it with hinge-shaking force. Sooner or later, they will break through, either as the result of a system malfunction or through new knowledge and expertise that will allow them to bypass current security mechanisms.
In addition, despite the warnings, many organizations are throwing wide the door because they find the convenience of interconnectivity too alluring to ignore. Not only are they embracing the convenience of standard networking technologies, but they are even embracing the newer wireless technologies. I believe it is only a matter of time before a true cyberterrorism attack occurs within the United States.
Don’t Underestimate the Enemy
Perhaps the individuals who minimize the cyberterrorism threat underestimate the skill sets of our enemies. It is already understood that terrorists use computers on a regular basis for communication and research.