Cyberterrorism is an Increasingly Real Threat

Security executives are scrambling to find ways to combat cyberterrorists, whose targets have included the Nasdaq Stock Market, PayPal and the CIA.

Terrorism, as currently defined and recognized, is a weapon of political or religious fanatics who threaten havoc and destruction at unpredictable intervals without regard for the safety of civilian populations. For all the fear and damage they have wrought, al-Qaeda and other active terrorist groups have focused on physical targets; they have not been linked conclusively to the ever-growing volume of Internet hacking and malware attacks — what those who monitor such activity would label cyberterrorism.

But that is not preventing experts in data security from invoking the “T” word. They say the most appropriate response to the alarming increase in Internet insecurity is to treat it like terrorism and respond in kind.

“The mind-set for data protection needs to change,” asserts Jose Granado, consulting firm Ernst & Young’s practice leader for information security in the Americas. “Today one has to assume that at any given time there is something in the network that shouldn’t be there.” As a recent report by a group of executives in the field, the Security for Business Innovation Council, starkly warned, “Assume you are compromised.” Council member Roland Cloutier, chief security officer of Automatic Data Processing, describes the adversaries as “very intelligent, well armed and effective.”

E&Y’s Granado draws a direct parallel to the counterterrorism principle that “we have to assume there are people in the country intending to do us harm.” That requires “constant monitoring to detect, isolate and eradicate” the threat, he says.

Regardless of the labeling, cybersecurity is an issue of mounting corporate, military and national security concern, in part because the reported targets have included the Nasdaq Stock Market, PayPal, Sony Corp., the U.S. Senate and Central Intelligence Agency, and even RSA, a leading provider of online security technology. There are probably many more such attacks that have not been publicly disclosed. Meanwhile, the white noise of web malware gets louder by the day, affecting businesses of all sizes around the world. The number of identified malware instances more than doubled between the first and second quarters of this year, to 287,289, an average of 335 per enterprise per month, according to Cisco Systems.

The high-profile hacktivists associated with publicized attacks, such as the politically motivated Anonymous and LulzSec, may not be cyberterrorists in the literal sense, but they are contributing to the proliferation of advanced persistent threats, or APTs, which have come to preoccupy security professionals. The Security for Business Innovation Council, which was organized by RSA, a division of Hopkinton, Massachusetts–based EMC Corp., describes APT-style attacks as highly targeted, well funded and designed to avoid detection. Like terrorist cells, perpetrators may stay dormant for long periods and act opportunistically; if a planned attack is thwarted, they have the time, patience and resources to regroup and plan another.

“To counter a conventional threat such as a virus, you deploy an antivirus system,” notes Sam Curry, RSA’s chief technology officer for global marketing. “But there is no such thing as an anti-APT.”

The countermeasures have to be as big, bold and encompassing as the threats. Much like the mobilizations against terrorism in the wake of the 9/11 attacks, they involve intelligence gathering and analysis, risk management calculations to determine data-protection priorities, and sharing of threat information within and across industries and with law enforcement agencies. Elements of such collaboration are in place. They include the Information Sharing and Analysis Centers for financial services and other critical infrastructures in North America, and the global Forum of Incident Response and Security Teams, which has more than 200 members, including major banks and high-tech companies.

The security executives’ report on APTs calls for “new models for information sharing” that are “more real-time” to keep pace with the highly nimble attackers. There is a recognition of the dynamic and complex nature of the threats and a desire on the part of the data security experts to improve the effectiveness of information exchanges.

Even if such measures make headway against APTs, there will be no end to cyberthreats. Steven Spear, a senior lecturer on engineering systems at the Massachusetts Institute of Technology, warns that they are likely to get worse because the Internet’s growth and complexity have outpaced its ability to be comprehensively secured. Spear sees a parallel in the April 2010 Gulf of Mexico oil spill: a breakdown of “complex and dynamic systems” that was not an isolated anomaly but rather a leading indicator of disasters to come, absent new management approaches and controls.

Jeffrey Kutler is editor-in-chief of Risk Professional magazine, published by the Global Association of Risk Professionals.
