For the last year or so, business managers have been pounded with the rallying cry to protect their data and controls from possible cyber crime. Now, several Information Technology experts are asking the question: Has the threat of cyberterrorism been overstated?
At the recent CeBIT show, a panel of IT experts concluded that it has. The general consensus was that a bomb would strike more terror into a people or country than a temporary shutdown of the Internet. The Internet is great for communication, and terrorists are probably using it for such purposes. But the idea that a shutdown of the Internet would frighten people, in the U.S. for example, into widespread panic has less credibility, said the experts.
According to the panel, which included executives from software security vendors and representatives from NATO, most critical systems don’t run on the Internet. They run on secure networks, making it far less likely that terrorist hackers would get in. (If you’re like most businesses, you too have an independent site that accesses the Internet, but doesn’t completely and solely rely on it.)
One reason for all the focus on the possibility of cyberterrorism, claimed those experts, is that the U.S. government wanted a broader front to use in its attack on terrorism. Companies and others willingly jumped on that bandwagon, touting the benefits of making sure your controls and systems are secure and safe.
This is not to say that cyber attacks won’t happen. Recent news reports show that communication and computer attacks are happening.
For example, Al-Jazeera, the Arab satellite television network, experienced denial of service attacks shortly after it showed U.S. solders held as POWs by Iraq, and for a few weeks afterward. The attacks pretty much shut down the network during the last few weeks of this past March.
In another high-profile example, the Web site for 10 Downing Street also experienced problems; it was hacked by antiwar protesters.
While the risk of a catastrophic cyber terrorist attack may be more realistically viewed as low, that doesn’t mean we shouldn’t protect our controls and systems. After all, the threat of viruses and worms continues. According to a survey conducted by ICSA Labs, a division of TruSecure Corp., the number of virus attacks is down, but the ones that occur are more virulent. The survey analyzed incidents reported on more than 900,000 desktop computers, servers and gateways. Based on the analysis, for every 1,000 machines operating, there are about 113 virus attacks a month. That number is not an indication that the problem is going away. The ICSA Labs noted that it takes about 23 staff days to clean up systems after an attack, at an average cost of about $81,000.
The next areas you may want to secure and protect are your domain name and dot-com servers. And experts are thinking that the next attacks from hackers will involve forgery and identity theft more than denial of service or viruses.
Therefore, while we will probably not face many of the more exaggerated scenarios of business catastrophe due to cyber crime, there are worthwhile reasons to protect your controls and systems. The good news is that you have some breathing space. Make sure your firewalls are properly configured and that you routinely install patches and fixes as software vendors announce them, That will go a long way toward preventing a cyber attack. As budgets permit, you can install more rugged and secure solutions.
But there is more good news on the cyber crime front. Colleges and universities are finally taking steps to teach future programmers how to write secure code and detect hacking. Microsoft Corporation is helping with this endeavor. The company is working with a number of universities to develop programming curriculua that teach students the skills necessary to handle these issues. In some of the courses, students will be asked to hack into code, (which in a slightly warped way could mean that we are training future hackers). Nonetheless, it’s a good idea to train programmers in how to deal with these problems. By the way, these university programs will cover a range of software code, not just Microsoft code.
On the whole, industry’s efforts to fight cyber crime make good news. Leslie Langnau, senior technical editor [email protected]
