Are companies really ready for e-terrorism?

E-terrorism may be only an extension of computer attacks, writes security expert Ira Winkler, but he wonders whether companies are ready to seriously value computer security and take the minimum needed precautions.

    Since Sept. 11, anything related to terrorism has grabbed headlines. The computer world says that incidents of cyberterrorism are just waiting to happen. It would appear to be a natural progression. I take the contrarian perspective and do not believe that traditional terrorists will go on to attack the electronic world.

    The primary reason is that computers are not good traditional terrorist targets. Terrorists intend to create fear and visual images of fear. While I do not want to downplay even a single death, traditional acts of terrorism create relatively few deaths, but the acts leave images in our minds and give us pause before doing things we would normally do.

    If I mention Oklahoma City, the images of buildings blown away come to mind. With Pan Am flight 103, the image of a side of a 747 comes to mind. TWA flight 847 created the image of a terrorist in a mask holding a gun to the head of a pilot through a cockpit window. But planes slamming into the side of the World Trade Center and the resulting collapse bring to mind self-evident images. Again, while any death is deplorable, the terrorist acts resulted in fewer deaths than normally happen on a given day.

    They do, however, cause us to change how we think.

    When I look at computer incidents that could possibly equate to e-terrorism, they are merely footnotes. The crash of the AT&T telephone network in 1991, the power outage in the Pacific Northwest in 1998, the denial of service attacks in 2000, the Chinese "info war" and the Code Red and Nimda worms of 2001 were all serious computer incidents. However, they did nothing to change the way people act.

    Consider what the following mean to you personally: Code Red and anthrax. Clearly, anthrax creates a whole different level of fear.

    Traditional terrorists appreciate the Internet and the resources that it offers. It provides a ready way to exchange information. Sites like the Federation of American Scientists provided detailed information that terrorists could use to target U.S. government people and facilities. Companies provide detailed information about personnel, projects and facilities.

    Even military units have been known to provide lots of information on the Internet. The last thing a terrorist would want is to damage the Internet in any way. The only exception might be computer attacks against companies supporting military attacks.

    However, there is a threat of nontraditional terrorism. These are terrorists who are anarchistic in nature, similar to the Unabomber, or who have political agendas to intimidate companies, such as extreme animal-rights advocates. (These are only examples of groups that might create extremists.) These are people or groups who want to damage technology or create negative effects on companies for specific reasons.

    For example, if someone could take down McDonald's shipping computers that are involved in getting stock to McDonald's restaurants, they could cause damage to its revenue. Any company with an international presence is a possible target for one obscure reason or another.

    This is the type of e-terrorism that is most likely. Turning to the question as to whether companies are vulnerable to these types of attacks, I would refer the reader to recent history. Code Red and Nimda were examples of preventable problems that created billions of dollars in damage throughout the corporate world. Millions of credit cards a year are compromised on the Internet.

    General Marsh, the head of the now disbanded President's Commission on Critical Infrastructure Protection, declared that banks lose billions of dollars a year to electronic thefts. Statistics about computer crimes continue to climb.

    Just about all computer-related crimes are completely preventable through proper configuration and maintenance. Specifics about this would be a separate column. E-terrorism is only an extension of computer attacks. If you can steal money from a bank's computers, you can take them down. If a worm like Code Red can be created, it is a slight modification to make it create devastating damage to computers. Again, when you see what crimes are occurring now, you can see that an e-terrorist attack would be extremely successful.

    This doesn't have to be the case. However, computer security, despite tens of billions of dollars in annual losses, is a low priority for most companies. There are exceptions in some industries; however, they are the exceptions. Companies must begin to value computer security and take at least basic precautions, or else they are easy victims to anyone with intent. The fact that the perpetrator is not Osama bin Laden is inconsequential.