Handling Threats of Cyberterrorism

When it comes to threats of cyberterrorism and attempts to wreak havoc with the world’s computer networks, there are two schools of thought.

There’s the Chicken Little school that says the sky is falling: An attack on the Internet, in conjunction with a physical attack, constitutes a terrorist act; physical installations such as utilities show a real vulnerability in their communications networks.

Then there’s the Crying Wolf camp, which discounts such warnings: Whatever computing infrastructure exists that would create terror if it were down (utilities, nuclear plants, financial markets) isn’t all that vulnerable to attack.

You might believe a version of either, but you can’t believe both. And chances are, you’re not on the fence.

Cyberterrorism has been held up as the next battlefront (see “The Truth About Cyberterrorism” at www.cio.com/printlinks). Now come the not-so-veiled threats from two men sympathetic to the al-Qaida terror network, both speaking recently in the pages of Computerworld about their desire to use IT to harm the United States and its allies. (The publishers of Computerworld and CIO share the same parent company.)

One, known as Melhacker, threatened to launch a “three-in-one megaworm” if and when the United States attacks Iraq. He even gave a code name for the virus, Scezda, and announced the basic structure of the thing (which is not a very good hacker technique; less warning is better from that viewpoint). The second man, Sheikh Omar Bakri Muhammad, described as a London-based Islamic fundamentalist “with known ties to Osama bin Laden,” said that “in a matter of time you will see attacks on the stock market.”

These are explicit threats, make no mistake. But while they generate talk about how serious they are, they are not really new. CIOs and other IT executives would be wise to remain focused on what a specific threat means to their organization so that they can address any vulnerabilities that may exist. You don’t need to hear the words of a terror threat to sustain such a focus.

Take the recent, highly publicized attack on the Internet’s root domain name system (DNS) servers. In that attack, an unknown hacker flooded the Internet’s main servers that translate URLs into their numerical IP addresses. The attempt was to stop the Internet from working. The attack was largely unsuccessful because of DNS’s distributed architecture.

Both camps got their say. “This is a success story for the good guys,” says Bruce Schneier, founder of Counterpane Internet Security and a Crying Wolf camper. “As terrorism goes, this isn’t it.”

There’s still room for Chicken Little, though. John Snyder, vice president of IT at Bretheren Mutual Insurance Company in Hagerstown, Md., says plainly on the DNS attack and on cyberterrorism in general: “Let’s take the position that the sky is falling so we’re prepared for the worst.”

Dan Verton, the Computerworld reporter who talked to the would-be cyberterrorists, says the Crying Wolf camp is in denial. “The Internet security community, particularly in the private sector, has a real problem on its hands,” he adds.

If that’s the case, that poses a challenge. In a recent interview at CIO’s offices, federal cybersecurity czar Richard Clarke reiterated that the nation is counting on people in the private sector to combat threats to its critical infrastructure. But before they can do that, the wolves and the chickens are going to have to gather round the fence so that they can talk.