An Al Qaeda operative hacks into a network of a multinational company, grabs sensitive data about internal operations, floods its network with fake queries, and knocks out an information system linking 20 key suppliers. Whose problem is it?
Sure, there's a Department of Homeland Security. Secretary Michael Chertoff restructured the agency in July to better protect Internet infrastructure. But Chertoff's main interest is addressing threats with "catastrophic consequences."
Cyberterrorism, simply put, doesn't top Chertoff's list. There have been no known cases where Al Qaeda has tapped into the information systems controlling power supplies, factories or telecommunications networks. The likelihood of an attack is low because of the knowledge and skill required, says Tamara Makarenko, senior analyst at risk manager Global Strategies Group. Meanwhile, it's unclear what damage cyberterrorism would cause. Terrorists want a high death count and a big bang that results in gory video. Hacking into an oil refinery may produce casualties, but a bomb in Times Square would better achieve the gore goal.
For your business, however, cyberterrorism has to be a top priority. Lax security could result in public-relations woe at the least and the extinction of your business at the worst. "Cyberterrorism would result in lost dollars and disruption for businesses, but that's not a DHS issue because no one dies and no serious loss has happened yet," says Arthur Hulnick, a professor at Boston University and former agent of the Central Intelligence Agency.
So if cyberterrorism isn't priority one for Homeland Security, why should you worry about it? Companies collectively control 85% of the nation's critical infrastructure, such as power grids, telecommunications plants and water facilities. You're the first line of defense.
The good news? By following proper information security procedurescutting off passwords when employees leave, minimizing critical information connected to the Internet, monitoring your network and putting one person in charge of cybersecurityyou can hamper cyberterrorism, says Michael Gibbons, vice president for federal security solutions at Unisys and a former computer crime investigator for the Federal Bureau of Investigation.
"The protections are the same whether it's cyberterrorism, corporate and economic espionage or other external threats," Gibbons says.
But those protections are just a start. What's really required is some DHS-like thinking. According to Makarenko, companies need to identify potential enemies internally and externally. Do you truly know there isn't a terror cell in your technology department? Are you a target for an antiglobalization group? How do you know terrorists aren't studying you? "You can never eliminate 100% of the threats, but you need to remain cognizant of groups that may target you," Makarenko says.
First, look inside. Conduct background checks on your current staff. Look back at criminal, driving, education and credit records. Verify they are who they say they areand make sure there are no unexpected red flags such as a criminal record overseas. It won't come cheap. A background check based on public records and interviews would cost $4,000 to $5,000 per worker. If that check went beyond U.S. borders, the fee could run as high as $10,000 to $15,000.
Then, look outside. One way to monitor the activities of individuals you can't see is to hire a firm such as Counterpane, which monitors the safety of the Internet. A Fortune 500 company might pay roughly $100,000 a month to monitor outsiders probing your network, intrusion detection system and firewalls, depending on the scope of the devices covered, says Doug Howard, vice president of service delivery at Counterpane.
Those procedures can be complemented by a little paranoia. "It's a cultural change to ask 'who is an adversary of the company?'" Makarenko says. "But if you know the scenarios where you're most vulnerable, you'll be able to plan."
Larry Dignan is news editor of Baseline magazine. He can be reached at firstname.lastname@example.org.