Resource Authority (MWRA), is showing off the crescent-shaped bank of computers that control the flow of water pumped into 2.5 million faucets across eastern Massachusetts every day.

These are the computers that would have to be hacked in order to carry out a cyberattack. And these days, most of Kempe’s job involves planning against such an eventuality. But he is not particularly worried about it.

"You’re talking about ridiculous barriers," says Kempe, who is a 25-year veteran of the MWRA and oversees its computer infrastructure. "Could a computer attack get us to a high-consequence event? Probably not."

First, Kempe says, a hacker would have to worm into the IT infrastructure. Then, he’d have to hop over a firewall and slip into the MWRA’s SCADA (supervisory control and data acquisition) system (the crescent-shaped bank of computers) through one of two very narrow access points. Finally, he would have to plant surreptitious code that would allow remote control of the chemical distribution or even the flow of water itself. (To learn more about the obstacles a hacker would have to hurdle at the MWRA, read "Debunking the Cyberterrorist Threat to Water Utilities," at www.cio.com/printlinks.)

"You’re talking about three hacks," says Kempe. "To us, cyberterrorism is a lower-level threat."

Since Sept. 11, it’s been almost unpatriotic to suggest that the threat of cyberterrorism is anything other than dire. But CIOs and security experts are beginning to challenge the assumption that a hack on the nation’s critical infrastructure will be the next big terrorist outrage. In fact, cyberterrorism may not be nearly as worrisome as some would make it. That’s because it is utterly defensible. And CIOs can play a crucial role in the defense.

DEFINING THE THREAT

As was the case with so many New Yorkers, Sept. 11 inspired Ed Cannon to get involved. Within a couple of weeks of the attack, Cannon, executive vice president and CIO of the global marketing communications company Grey Global Group in New York City, had formed the Information Civil Defense Group (ICDG). He envisions ICDG as a sort of neighborhood watch group, where the neighborhood is the private sector’s critical infrastructure and the residents are concerned CIOs. ICDG will stage seminars for CIOs and work with Washington on security standards around critical infrastructure.