Cyberterrorism a matter of when, not if: expert

Conditions are ripe for a digital terrorist attack in Canada, and prudent organizations should plan for the worst, according to one security expert.

Adel Melek, national leader of Deloitte & Touche’s secure e-business consulting services in Toronto, said the tense atmosphere in the wake of the Sept. 11 U.S. terrorist attacks is justified. With incidents of industrial espionage on the increase the criminal use of digital technology reaching “alarming proportions,” Melek said it’s conceivable the next terrorist attack might take place in cyberspace.

“The rate of (attack) occurrence is actually much higher, the probability rate is also higher and the impact is constantly getting higher,” he said.

“The threat is real, and the question of whether an organized group of people can put this together – it’s already happened. You look at the distributed denial-of-service attacks that have already happened. So we are not talking about science fiction.”

He pointed to the sophistication of the Sept. 11 terrorists, who used online travel sites to book airline tickets, and effectively covered their financial tracks during the planning phase, as proof that the organization required to launch cyberattacks already exists.

“We believe the capability exists. It’s very self-evident,” Melek said.

Public institutions, government agencies, health care providers and hydro facilities, particularly nuclear plants, are all connected to networks and, as such, are attractive, high-profile targets, Melek said.

During his 11-year career Melek has focused primarily on corporate spying, where hired guns work as quietly as possible to steal information. However, political actions will likely be designed to cause destruction for destruction’s sake, and be as high profile as possible.

Although his clients include the “elite” of Canada’s corporate community, all need some level of help securing their assets, he added. Interest in security issues has risen dramatically since Sept 11. “Many of them are starting to get paranoid,” he said.

He stressed the importance of not just prevention, but also detection – a process companies often overlook. “It’s the difference between locking the door and a motion detector,” Melek said.

In a report released on Sept. 12, Joel C. Willemssen, managing director of information technology issues for the U.S. General Accounting Office, a watchdog committee in Washington, D.C., outlined what steps companies should take to protect their IT infrastructure. They include:

– Assess risks and determine protection needs based on that assessment;

– Select and implement policies and controls to meet those needs;

– Promote awareness of policies and procedures, and make employees aware of the risks that necessitated them; and

– Routinely test and examine the effectiveness of policies. Make sure the results are available to those with the power to take immediate corrective action, if necessary.